Cisco User-Changeable Password (UCP) 'CSuserCGI.exe' Multiple Buffer Overflow Vulnerabilities

Vulnerability ID: 1114758    Vulnerability type: Buffer overflow
Published: 2008-03-12    Updated: 2008-09-05
CVE ID: CVE-2008-0532    CNNVD-ID: CNNVD-200803-226
Platform: Windows    CVSS score: 10.0
|Vulnerability source
https://www.exploit-db.com/exploits/31394
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200803-226
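|Vulnerability details
The UCP application allows end users to change their Cisco Secure Access Control Server (ACS) passwords using a web-based tool. The /securecgi-bin/CSUserCGI.exe CGI contains multiple buffer overflow and cross-site scripting vulnerabilities that a remote attacker may exploit to take control of the server. In the case of the Logout argument, main() passes on the second argument, which normally has the form 1234.xyzab.c.username., together with a char[] buffer on the stack. main() hands these to a function that uses strtok to obtain the string up to the first "." character, and that string is then copied into a 96-byte char[] buffer. If the string before the first period is longer than this, the copy overwrites the buffer and the return address.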
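The copy pattern described above, next to a bounded version, as an added C example that is not Cisco's code and not part of the original advisory. Only the 96-byte buffer and the strtok split on "." come from the text; the function names, the use of strcpy for the copy, and the sample inputs are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define TOKEN_BUF 96   /* buffer size stated in the vulnerability details */

/* Pattern described in the text (reconstruction; strcpy is an assumption):
 * strtok() isolates the text before the first '.', then an unbounded copy
 * writes it into a 96-byte stack buffer owned by the caller. */
void first_field_unsafe(char *arg, char *dst /* char[96] */)
{
    char *tok = strtok(arg, ".");
    if (tok != NULL)
        strcpy(dst, tok);   /* no length check: writes past dst beyond 95 chars */
}

/* Hardened form: measure the field first and reject anything that does not
 * fit, without modifying the caller's string.
 * Returns 0 on success, -1 if the field is missing, empty or too long. */
int first_field_checked(const char *arg, char *dst, size_t dstsz)
{
    if (arg == NULL || dst == NULL || dstsz == 0)
        return -1;
    size_t len = strcspn(arg, ".");    /* length up to first '.' or end */
    if (len == 0 || arg[len] != '.')   /* need a non-empty, dot-terminated field */
        return -1;
    if (len >= dstsz)                  /* leave room for the terminator */
        return -1;
    memcpy(dst, arg, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    char buf[TOKEN_BUF];
    char oversized[200];               /* constructed input: 198 'A' then '.' */
    memset(oversized, 'A', sizeof oversized - 2);
    oversized[sizeof oversized - 2] = '.';
    oversized[sizeof oversized - 1] = '\0';

    int ok  = first_field_checked("1234.xyzab.c.username.", buf, sizeof buf);
    int bad = first_field_checked(oversized, buf, sizeof buf);
    return (ok == 0 && bad == -1) ? 0 : 1;
}
```

The checked version fails closed: an over-long first field is rejected rather than truncated, so a request of the oversized shape is refused before any copy takes place.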
|Exploit
source: http://www.securityfocus.com/bid/28222/info

Cisco User-Changeable Password (UCP) is prone to multiple remote vulnerabilities, including cross-site scripting and buffer-overflow vulnerabilities.

Exploiting the cross-site scripting issues may help the attacker steal cookie-based authentication credentials and launch other attacks. Exploiting the buffer-overflow vulnerabilities allows attackers to execute code in the context of the affected application, facilitating the remote compromise of affected computers.

The buffer-overflow issues are tracked by Cisco Bug ID CSCsl49180. The cross-site scripting issues are tracked by Cisco Bug ID CSCsl49205.

These issues affect versions prior to UCP 4.2 when running on Microsoft Windows. 

http://www.example.com/securecgi-bin/CSUserCGI.exe?Logout+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB.xyzab.c.hacker.
|References

Source: BID
Name: 28222
Link: http://www.securityfocus.com/bid/28222
Source: CISCO
Name: 20080312 Cisco Secure Access Control Server for Windows User-Changeable Password Vulnerabilities
Link: http://www.cisco.com/en/US/products/products_security_advisory09186a008095f0c4.shtml
Source: SECUNIA
Name: 29351; Patch Information
Link: http://secunia.com/advisories/29351
Source: XF
Name: cisco-acs-ucp-csusercgi-bo(41154)
Link: http://xforce.iss.net/xforce/xfdb/41154
Source: BUGTRAQ
Name: 20080312 Cisco ACS UCP Remote Pre-Authentication Buffer Overflows
Link: http://www.securityfocus.com/archive/1/archive/1/489463/100/0/threaded
Source: MISC
Name: http://www.recurity-labs.com/content/pub/RecurityLabs_Cisco_ACS_UCP_advisory.txt
Link: http://www.recurity-labs.com/content/pub/RecurityLabs_Cisco_ACS_UCP_advisory.txt
Source: VUPEN
Name: ADV-2008-0868
Link: http://www.frsirt.com/english/advisories/2008/0868
Source: SECTRACK
Name: 1019608
Link: http://securitytracker.com/id?1019608
Source: SREASON
Name: 3743
Link: http://securityreason.com/securityalert/3743