Bugtraq mailing list archives
Re: - Cisco IOS HTTP Server code injection/execution vulnerability-
From: Florian Weimer <fw () deneb enyo de>
Date: Mon, 28 Nov 2005 22:55:25 +0100
A vulnerability has been identified in the Cisco IOS Web Server. An attacker can inject arbitrary code in some of the dynamically generated web pages. To successfully exploit the vulnerability the attacker only needs to know the IP of the Cisco. THERE'S NO NEED TO HAVE ACCESS TO THE WEB SERVER! Once the code has been injected, the attacker must wait until the admin browses some of the affected web pages.
Isn't your exploit somewhat complicated? Just put <img src="http://192.0.2.1/level/15/configure/-/enable/secret/mypassword"/> on a web page, and trick the victim into visiting it while he or she is logged into the Cisco router at 192.0.2.1 over HTTP.

This was dubbed "Cross-Site Request Forgery" a couple of years ago, but the authors of RFC 2109 were already aware of it in 1997. At that time, browser-side countermeasures were proposed (such as users examining the HTML source code *cough*), but current practice basically mandates that browsers transmit authentication information when following cross-site links.

Such attacks are probably more problematic on low-end NAT routers whose internal address defaults to 192.168.1.1 and which generally offer HTTP access, which makes shotgun exploitation easier. So much for the "put your Windows box behind a NAT router" advice you often read.
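The following is an added example, not part of the original post and not Cisco code: a small model of why a state-changing URL protected only by credentials the browser sends automatically accepts a cross-site request, next to a handler that demands POST, a same-origin Origin header and a per-session token. The Authorization header model, the token scheme and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field

SERVER_KEY = secrets.token_bytes(32)   # constructed per-boot secret
DEVICE_ORIGIN = "http://192.0.2.1"     # device address used in the post
CREDS = "Basic <admin-credentials>"    # placeholder, not a real value

@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

def authenticated(req):
    # Ambient credential: the browser attaches it to every request to the
    # device, no matter which page caused the request.
    return req.headers.get("Authorization") == CREDS

def csrf_token(session_id):
    # Token bound to the session; a page on another origin cannot read it.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def handle_weak(req):
    # State change on any method, authorised by the ambient credential alone.
    ok = authenticated(req) and req.path.startswith("/level/15/configure/")
    return "applied" if ok else "rejected"

def handle_hardened(req, session_id):
    if not authenticated(req) or req.method != "POST":
        return "rejected"              # GET never changes state
    if req.headers.get("Origin") != DEVICE_ORIGIN:
        return "rejected"              # request started on another site
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(session_id)):
        return "rejected"              # missing or wrong per-session token
    return "applied"

def cross_site_get():
    # Constructed: what the device sees when a foreign page embeds the URL.
    return Request("GET", "/level/15/configure/-/enable/secret/mypassword",
                   {"Authorization": CREDS, "Referer": "http://other.example/"})

def own_post(session_id):
    # Constructed: the admin submitting the device's own configuration form.
    return Request("POST", "/level/15/configure/-/enable/secret/mypassword",
                   {"Authorization": CREDS, "Origin": DEVICE_ORIGIN},
                   {"csrf_token": csrf_token(session_id)})
```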