Full chain exploit ready for Prime time
A series of vulnerabilities in the web interface of Cisco Prime opened servers to remote code execution (RCE) attacks, two security researchers have found.
Cisco Prime is a network management service that provides tools for provisioning, monitoring, optimizing, and troubleshooting wired and wireless devices.
In their investigation of the service, researchers Andreas Finstad (@4nqr34z) and Arthur Donkers (@theart42) found several bugs that, when chained together, could lead to the full compromise of the Prime server and provide the attacker with a reverse shell.
Hacking through SNMP
Finstad had already found similar vulnerabilities in at least two other web-based network management tools, which led him and Donkers to wonder if other networking tools had similar vulnerabilities.
“The interesting part here is that a lot of vendors apparently don’t consider SNMP devices being a potential attack vector, so they don’t think of sanitizing input data from those potential malicious devices,” Finstad told The Daily Swig.
“With that in mind, we figured we should check out Cisco Prime too. I set up one in my lab and it turned out they did have a very similar SNMP-based XSS vector.”
Cisco Prime sends SNMP requests to gather information about devices present in the network. Among the information network devices provide is the address for an image file.
When the server’s admin navigated to Prime’s device discovery page, the malicious script was loaded and run in the browser, resulting in an XSS attack.
Through the XSS vector, the researchers were able to exploit a series of other vulnerabilities in sequence.
The first vulnerability was an unprotected session ID cookie stored in LocalStorage, which enabled them to hijack the active administrator session.
Using the stolen administrator token, they next tried to submit commands to Prime’s management interface.
Like most web applications, Prime’s management interface prevents such commands through anti-CSRF (cross-site request forgery) tokens. But by probing Prime’s development tools, Finstad and Donkers were able to discover a function that generated the tokens, making it possible to bypass the CSRF protections.
“Doing any security control like this on the client-side opens a lot of possibilities for attackers,” Finstad said. “They can read the code and run it, so effectively, you are giving them the tools to hack you.”
With the improved access, the researchers were able to create an additional administrator account for themselves, giving them persistence in the server. They were also able to clean their tracks by purging the logs and removing the device that gave them the initial foothold into the server.
“This gave control over every switch in the network. VLAN boundaries could be easy to traverse, change routing on devices, change network addresses and other network admin capabilities,” Finstad said.
Eventually, Finstad and Donkers used two other vulnerabilities to gain further access to the server. They uploaded a JSP-based reverse shell script on the server through a function that did not check file types and content.
A second vulnerability enabled them to do path traversal and place the script in a system directory of their choosing.
Finally, by executing the JSP file, they were able to open a reverse shell to one of their devices that was listening on the network.
“We went for the remote code execution because it was fun, but it also enables an attacker to use the compromised system for other purposes,” Finstad said.
“You can imagine if a management station is compromised, you may be able to gain access to a lot of other systems on the network, maybe steal locally stored passwords and other interesting information.”
The findings highlight some key gaps in securing web applications.
“Never rely on client-side security alone. From a security perspective, the client (browser) is not under your control so make sure you check your security at the server-side as well,” Finstad said.
The researchers also warned about the perils of underestimating minor vulnerabilities.
“What we often see is that hackers, bug bounty hunters, and organizations focus on fixing the high-priority vulnerabilities (bug bounty hunters call them ‘P1’s), and the medium ones are often forgotten,” Finstad said.
“But as we have seen several times now, a number of ‘small’ vulnerabilities easily make a ‘big’ one.”
YOU MIGHT ALSO LIKE European Commission launches new open source software bug bounty program