Cisco SA500 multiple vulnerabilities
About Cisco Appliance
Cisco SA500 is a small business pro security appliance which offers such features as: Firewall, IPS, VPN, email, and web security capabilities. The appliance can be managed via web management console.
The vulnerabilities were tested on firmware: V2.1.18 and are confirmed to work on the following devices:
- SA 520
- SA 520W
- SA 540
Image from Cisco.com
1. Remote, unauthenticated access on any user on the device - including admin account
Due to blind SQL injection in the login form of web management (port 443, https,login field, embedded sqlite DB), there is possible to obtain:
- all logins
- all passwords (which are kept in the DB in plaintext)
- other data from embedded DB (configuration parts, which possibly include passwords, etc).
Authentication mechanisms seem to query the DB multiple times (different queries), so it may be not so easy to bypass it using single SQLi. Still, of course, plaintext passwords retrieval is possible. To exploit the issue remote access to web administration (login form) is required. PoC is presented below.
2. Privilege escalation to OS root level.
Having access to any user on the target system (including guest user), it is possible to get full OS root access by injection in ping/traceroute/dns lookup functionalities (see also similar vulnerabilities in WAG54G2 and RVS4000)
Injection characters include:
- & (encoded in url hex notation)
- %0a (new line)
User interface prohibits such injections, but viewing / modifying http requests in raw form allows to bypass the restriction.
Vendor's reaction / issue history
- 01.06.2011 - full disclosure sent to the vendor
- 07.06.2011 - vulnerabilities confirmed
- 20.06.2011 - patch issued by the vendor, Cisco public announcement
- 25.06.2011 - public disclosure by Securitum
Thanks to Gaweł Mikołajczyk for providing test hardware.
Research / contact
- We are performing research on web management interfaces on network appliances. If you want to help, feel free to contact as @ firstname.lastname@example.org
- All the information is provided for educational use only.
- We strongly discourage to use the information for cracking / illegal purposes.
- We are not responsible for damages made to your router - play with your router carefully.