Vulnerabilities > CVE-2008-0532 - Buffer Errors vulnerability in Cisco products

CVSS 10.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Tags: network, low complexity, cisco, CWE-119, critical, exploit available

Summary

Multiple buffer overflows in securecgi-bin/CSuserCGI.exe in User-Changeable Password (UCP) before 4.2 in Cisco Secure Access Control Server (ACS) for Windows and ACS Solution Engine allow remote attackers to execute arbitrary code via a long argument located immediately after the Logout argument, and possibly unspecified other vectors.

Vulnerable Configurations

Part: Application
Description: Cisco
Count: 3

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

description: Cisco User-Changeable Password (UCP) 3.3.4.12.5 'CSuserCGI.exe' Multiple Remote Vulnerabilities. CVE-2008-0532. DoS exploit for Windows platform
id: EDB-ID:31394
last seen: 2016-02-03
modified: 2008-03-12
published: 2008-03-12
reporter: felix
source: https://www.exploit-db.com/download/31394/
title: Cisco User-Changeable Password UCP 3.3.4.12.5 - 'CSuserCGI.exe' Multiple Remote Vulnerabilities

Packetstorm

data source: https://packetstormsecurity.com/files/download/64534/RecurityLabs_Cisco_ACS_UCP_advisory.txt
id: PACKETSTORM:64534
last seen: 2016-12-05
published: 2008-03-13
reporter: FX
source: https://packetstormsecurity.com/files/64534/RecurityLabs_Cisco_ACS_UCP_advisory.txt.html
title: RecurityLabs_Cisco_ACS_UCP_advisory.txt

Saint

bid: 28222
description: Cisco Secure ACS UCP CSuserCGI.exe buffer overflow
id: web_tool_acsucp
osvdb: 42961
title: cisco_acs_ucp_csusercgi
type: remote

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 28222. CVE(CAN) ID: CVE-2008-0532, CVE-2008-0533

The UCP application lets end users change their Cisco Secure Access Control Server (ACS) password through a web-based tool. The /securecgi-bin/CSUserCGI.exe CGI contains multiple buffer overflow and cross-site scripting vulnerabilities, which a remote attacker could exploit to take control of the server.

The main() function of CSuserCGI.exe uses strcmp() to compare the first command-line argument passed to the program against the list of supported arguments, such as Logout, Main and ChangePass. For most arguments the function simply parses the parameters and passes them to a wsprintf() call with a format string of the form Action=%s&Username=%s&OldPass=%s&NetPass=%s. The destination buffers of these calls are located in the application's .data section.

In the case of the Logout argument, main() passes the second argument, normally of the form 1234.xyzab.c.username., together with a char[] buffer on the stack, to a function that uses strtok to obtain the string up to the first "." character; that string is then copied into a 96-byte char[] buffer. If the string before the first period is longer than this, it overwrites the buffer and the return address.

    .text:00401065 mov eax, [ebx+8] ; get argv[2]
    .text:00401068 test eax, eax
    .text:0040106A jz loc_401520
    .text:00401070 push eax ; char *
    .text:00401071 call sub_402870
    ...
    .text:00402870 sub esp, 60h
    .text:00402873 mov ecx, 17h
    .text:00402878 xor eax, eax
    .text:0040287A push edi
    .text:0040287B lea edi, [esp+64h+var_60]
    .text:0040287F rep stosd
    .text:00402881 mov ecx, [esp+64h+arg_0]
    .text:00402885 stosw
    .text:00402887 stosb
    .text:00402888 lea eax, [esp+64h+var_60]
    .text:0040288C push eax ; int
    .text:0040288D push ecx ; char *
    .text:0040288E call sub_402940
    ...
    .text:00402940 mov ecx, [esp+arg_0]
    .text:00402944 xor eax, eax
    .text:00402946 test ecx, ecx
    .text:00402948 jz locret_402A11
    .text:0040294E push ebx
    .text:0040294F push esi
    .text:00402950 push edi
    .text:00402951 push offset a_ ; "."
    .text:00402956 push ecx ; char *
    .text:00402957 call _strtok
    .text:0040295C mov edi, eax
    .text:0040295E or ecx, 0FFFFFFFFh
    .text:00402961 xor eax, eax
    .text:00402963 mov ebx, [esp+14h+arg_4]
    .text:00402967 repne scasb
    .text:00402969 not ecx
    .text:0040296B sub edi, ecx
    .text:0040296D lea edx, [ebx+1]
    .text:00402970 mov eax, ecx
    .text:00402972 mov esi, edi
    .text:00402974 mov edi, edx
    .text:00402976 push offset a_ ; "."
    .text:0040297B shr ecx, 2
    .text:0040297E rep movsd
    .text:00402980 mov ecx, eax
    .text:00402982 push 0 ; char *
    .text:00402984 and ecx, 3
    .text:00402987 rep movsb

In addition, if a malicious URL request is submitted to CSUserCGI.exe, a cross-site scripting attack can be carried out.

Affected: Cisco User-Changeable Password < 4.2

Vendor patch: Cisco has released a security advisory (cisco-sa-20080312-ucp) and a corresponding patch:
cisco-sa-20080312-ucp: Cisco Secure Access Control Server for Windows User-Changeable Password Vulnerabilities
Link: http://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml
Patch download: http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=cisco/crypto/3DES/ciscosecure/special/acs/macgyver/UCP_4.2.0.124-K9.zip&app=Tablebuild&status=showC2A
id: SSV:3031
last seen: 2017-11-19
modified: 2008-03-15
published: 2008-03-15
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-3031
title: Cisco User-Changeable Password (UCP) CSuserCGI.exe buffer overflow and cross-site scripting vulnerability
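The copy described in the Seebug write-up above (strtok up to the first ".", then an unbounded copy into a 96-byte stack buffer), reconstructed in C as an added example that is neither Cisco's source nor code from any of the advisories, next to a bounded version that rejects an oversized field instead of truncating it. The function names, the 4096-byte request buffer and the constructed sample argument are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Stack buffer size seen in the disassembly: sub esp, 60h = 96 bytes. */
#define FIELD_BUF_SIZE 96
/* Vulnerable pattern (constructed reconstruction, not Cisco's code): the first
 * "."-delimited token of the Logout argument goes into a fixed 96-byte stack
 * buffer with no length check, so a longer token overruns the buffer and the
 * saved return address. It is only ever called with short input here. */
static void copy_first_field_unbounded(char *arg, char out[FIELD_BUF_SIZE])
{
    const char *tok = strtok(arg, ".");   /* up to the first '.' */
    if (tok == NULL) { out[0] = '\0'; return; }
    strcpy(out, tok);                     /* length is whatever the client sent */
}

/* Hardened form: measure the field without mutating the input and refuse it
 * when it would not fit (no silent truncation). Returns 0 on success, -1 otherwise. */
static int copy_first_field_bounded(const char *arg, char out[FIELD_BUF_SIZE])
{
    size_t n = strcspn(arg, ".");         /* bytes before the first '.' */
    if (n == 0 || n >= FIELD_BUF_SIZE)
        return -1;                        /* empty, or no room for the NUL */
    memcpy(out, arg, n);
    out[n] = '\0';
    return 0;
}

/* Builds a constructed Logout argument "AAA...A.xyzab.c.username." whose first
 * field is field_len bytes long and runs the bounded parser on it. */
static int check_logout_field(size_t field_len)
{
    static const char tail[] = ".xyzab.c.username.";
    char request[4096];                   /* assumed maximum request size */
    char out[FIELD_BUF_SIZE];
    if (field_len + sizeof tail > sizeof request) return -1;
    memset(request, 'A', field_len);
    memcpy(request + field_len, tail, sizeof tail);   /* includes the NUL */
    return copy_first_field_bounded(request, out);
}

int main(void)
{
    char sample[] = "1234.xyzab.c.username.";   /* constructed well-formed input */
    char out[FIELD_BUF_SIZE];
    copy_first_field_unbounded(sample, out);
    printf("unbounded parser, well-formed input: field=\"%s\"\n", out);
    for (size_t len = 95; len <= 96; len++)   /* last accepted vs first rejected */
        printf("bounded parser, %zu-byte field: %s\n", len,
               check_logout_field(len) ? "rejected" : "accepted");
    return 0;
}
```

The boundary is deliberately at 95 bytes: 95 characters plus the terminating NUL is exactly what the 96-byte buffer holds, so the bounded parser accepts 95 and refuses 96.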