Full chain exploit ready for Prime time

Chain of vulnerabilities led to RCE on Cisco Prime servers

A series of vulnerabilities in the web interface of Cisco Prime opened servers to remote code execution (RCE) attacks, two security researchers have found.

Cisco Prime is a network management service that provides tools for provisioning, monitoring, optimizing, and troubleshooting wired and wireless devices.

In their investigation of the service, researchers Andreas Finstad (@4nqr34z) and Arthur Donkers (@theart42) found several bugs that, when chained together, could lead to the full compromise of the Prime server and provide the attacker with a reverse shell.

Hacking through SNMP

The main culprit in the Cisco Prime vulnerability is a cross-site scripting (XSS) vector that is exploited through SNMP, the protocol used to discover devices in a network.

Finstad had already found similar vulnerabilities in at least two other web-based network management tools, which led him and Donkers to wonder if other networking tools had similar vulnerabilities.

“The interesting part here is that a lot of vendors apparently don’t consider SNMP devices being a potential attack vector, so they don’t think of sanitizing input data from those potential malicious devices,” Finstad told The Daily Swig.

“With that in mind, we figured we should check out Cisco Prime too. I set up one in my lab and it turned out they did have a very similar SNMP-based XSS vector.”

RELATED Open debug mode in Cisco mobile networking software created critical security hole

Cisco Prime sends SNMP requests to gather information about devices present in the network. Among the information network devices provide is the address for an image file.

The researchers placed a Linux-based device on the network and in its SNMP configuration file, they set the address of the image to a JavaScript snippet that loaded a malicious script hosted on a server they controlled.

When the server’s admin navigated to Prime’s device discovery page, the malicious script was loaded and run in the browser, resulting in an XSS attack.

Chaining vulnerabilities

Through the XSS vector, the researchers were able to exploit a series of other vulnerabilities in sequence.

The first vulnerability was an unprotected session ID cookie stored in LocalStorage, which enabled them to hijack the active administrator session.

Using the stolen administrator token, they next tried to submit commands to Prime’s management interface.

Read more of the latest security research news

Like most web applications, Prime’s management interface prevents such commands through anti-CSRF (cross-site request forgery) tokens. But by probing Prime’s development tools, Finstad and Donkers were able to discover a function that generated the tokens, making it possible to bypass the CSRF protections.

“Doing any security control like this on the client-side opens a lot of possibilities for attackers,” Finstad said. “They can read the code and run it, so effectively, you are giving them the tools to hack you.”

With the improved access, the researchers were able to create an additional administrator account for themselves, giving them persistence in the server. They were also able to clean their tracks by purging the logs and removing the device that gave them the initial foothold into the server.

“This gave control over every switch in the network. VLAN boundaries could be easy to traverse, change routing on devices, change network addresses and other network admin capabilities,” Finstad said.

Reverse shell

Eventually, Finstad and Donkers used two other vulnerabilities to gain further access to the server. They uploaded a JSP-based reverse shell script on the server through a function that did not check file types and content.

A second vulnerability enabled them to do path traversal and place the script in a system directory of their choosing.

Finally, by executing the JSP file, they were able to open a reverse shell to one of their devices that was listening on the network.

“We went for the remote code execution because it was fun, but it also enables an attacker to use the compromised system for other purposes,” Finstad said.

“You can imagine if a management station is compromised, you may be able to gain access to a lot of other systems on the network, maybe steal locally stored passwords and other interesting information.”

CATCH UP BitLocker encryption: Clear text key storage prompts security debate online

The findings highlight some key gaps in securing web applications.

“Never rely on client-side security alone. From a security perspective, the client (browser) is not under your control so make sure you check your security at the server-side as well,” Finstad said.

The researchers also warned about the perils of underestimating minor vulnerabilities.

“What we often see is that hackers, bug bounty hunters, and organizations focus on fixing the high-priority vulnerabilities (bug bounty hunters call them ‘P1’s), and the medium ones are often forgotten,” Finstad said.

“But as we have seen several times now, a number of ‘small’ vulnerabilities easily make a ‘big’ one.”

YOU MIGHT ALSO LIKE European Commission launches new open source software bug bounty program