Penetration Testing mailing list archives

Re: Cisco HTTP IOS Vuln Clarification

From: Jim Duncan <jnduncan () cisco com>
Date: Tue, 13 Nov 2001 17:12:26 -0500

Josha Bronson writes:

Little question regarding the Cisco IOS HTTP Admin vuln that was
released a while ago. 

As most of you probably know the vuln I won't discuss it. See
<http://securityfocus.com/bid/2936>.

Can anyone clarify whether or not a server may be vulnerable only to a
subset of the numbers in the range? Meaning that "/level/17/exec/" may
work to access the system but "/level/99/exec/" may not. Or is it the
nature of this vulnerability that if a system is accessible via one URL
than it would be accessible via all?


In theory, yes.  This was a difficult vulnerability to resolve because 
it was so difficult to reproduce initially.

The problem occurs because of an improper branch when the unexpected
levels are employed.  The results are highly dependent on the IOS
release, the particular feature sets, and the hardware on the system.
With certain combinations, none of the values result in a useful
exploit.  With other configurations, _every_ value might work.  With
most configurations, only a certain subset of those integers will result
in an exploit, but they are usually consistently reproducible once a
combination is found.

Once we tracked down the actual problem in the source code, we were able
to identify platforms and releases that were vulnerable even though no
one had successfully executed the exploit against them.  So in theory,
yes, "If the system is accessible via one URL then it would be
accessible via all," but one's ability to successfully exploit the
vulnerability will vary widely depending on the hardware and software on
the target system.

On the systems I've tested they all work.


Interesting.  However, failure does not imply invulnerability.  It's
best to review the original advisory at http://www.cisco.com/go/psirt/
to determine if a particular release is vulnerable.

Thanks for your help, there is just way to many revisions of IOS
vulnerable to test them all, ;)


Tell me about it. :-)

I hope this helps answer your question.

        Jim



==
Jim Duncan, Product Security Incident Manager, Cisco Systems, Inc.
<http://www.cisco.com/warp/public/707/sec_incident_response.shtml>
E-mail: <jnduncan () cisco com>  Phone(Direct/FAX): +1 919 392 6209



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Current thread:

Cisco HTTP IOS Vuln Clarification Josha Bronson (Nov 12)
- Re: Cisco HTTP IOS Vuln Clarification Pawel Krawczyk (Nov 13)
- Re: Cisco HTTP IOS Vuln Clarification Jim Duncan (Nov 13)