Cisco Secure ACS UCP CSuserCGI.exe buffer overflow
Added: 04/07/2008CVE: CVE-2008-0532
BID: 28222
OSVDB: 42961
Background
Cisco Secure Access Control Server (ACS) is a centralized user access control framework which can be used with routers, switches, firewalls, VPNs, and other devices. User Changeable Passwords (UCP), a utility implemented by Cisco Secure ACS, allows users to change their ACS passwords using a web browser.Problem
A buffer overflow in the CSuserCGI.exe program allows remote attackers to execute arbitrary commands by sending a specially crafted HTTP request with a long Logout argument.Resolution
Upgrade to UCP 4.2.References
http://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtmlhttp://www.frsirt.com/english/advisories/2008/0868
Limitations
Exploit works on Cisco UCP 4.1.4.13.
On Windows Server 2003, Read and Execute privileges on the file
%windir%\system32\cmd.exe must be granted to the Internet Guest Account
"IUSR_Platforms
Windows 2000
Windows Server 2003
Back to exploit index