Cisco Security Agent Management Center Code Execution

Added: 03/17/2011
CVE: CVE-2011-0364
BID: 65436
OSVDB: 70884


Cisco Security Agent Management Center is the server component of Cisco's Security Agent endpoint IPS solution. It is responsible for collecting event log information from endpoints and distributing rules updates.


The Management Center web interface fails to validate parameters when handling 'st_upload' requests. An attacker may upload arbitrary executable files and place them such that they will be executed.


Upgrade to Cisco Security Agent version or later as instructed in Cisco advisory cisco-sa-20110216-csa.



Exploit works against Cisco Systems Security Agent Management Center on Windows Server 2003 SP2 English (DEP OptOut). The 'IO::Socket::SSL' Perl module is required.

A valid HOST_UID of the target Security Agent Management Center must be provided to the exploit script. The HOST_UID can be retrieved from the target Security Agent Management Center without credentials. The following steps illustrate how to retrieve the HOST_UID:

1. Download the Agent Kit from URL: https://<host>/csamc60/kits, where <host> is the host address of the Security Agent Management Center.

2. Install the Agent Kit on a host running Windows Server 2003: Install the Agent Kit and reboot the machine. Open Cisco Security Agent panel by double-clicking on the Cisco Security Agent icon in Windows status bar. On the Status screen, make sure the host name in the "Management Center" field matches the target server running Security Agent Management Center, and the "Registration date" has a valid date.

3. Open the following text file to retrieve the HOST_UID: c:\Program Files\Cisco\CSAgent\cfg\agent.state

An example of HOST_UID looks as below: HOST_UID={1AE3136C-142D-40F9-9C88-8FCB76D648F7}
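
The following Python is an added example, not part of the original advisory or of any Cisco tooling. It triages Management Center web access logs for the two request types described above, Agent Kit downloads from /csamc60/kits and 'st_upload' requests, when they come from sources outside the managed-agent inventory. The Apache combined log format, the inventory set, the severity labels and the sample lines (including the placeholder upload path) are assumptions.

```python
import re
from urllib.parse import unquote

# Assumption: Apache "combined"-style access log on the Management Center.
LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

def triage(lines, known_agents):
    """Map each source outside the agent inventory to a severity and counts."""
    seen = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["src"] in known_agents:
            continue
        uri = unquote(m["uri"]).lower()  # normalise %xx escapes and case
        ev = seen.setdefault(m["src"], {"kit": 0, "upload": 0, "accepted": 0})
        if "/csamc60/kits" in uri:
            ev["kit"] += 1
        if "st_upload" in uri:
            ev["upload"] += 1
            ev["accepted"] += m["status"].startswith("2")
    findings = {}
    for src, ev in seen.items():
        if ev["accepted"]:
            sev = "high"    # upload answered with 2xx: inspect server for new files
        elif ev["upload"]:
            sev = "medium"  # upload attempted but not answered with success
        elif ev["kit"]:
            sev = "low"     # kit fetched by a host that is not a managed agent
        else:
            continue
        findings[src] = {"severity": sev, **ev}
    return findings

# Constructed sample lines; the st_upload path is a placeholder, not the real URI.
SAMPLE = [
    '192.0.2.10 - - [17/Mar/2011:10:00:01 +0000] "GET /csamc60/kits/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Mar/2011:10:02:11 +0000] "GET /csamc60/kits/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Mar/2011:10:09:45 +0000] "POST /PLACEHOLDER/st_upload HTTP/1.1" 200 0',
    '203.0.113.5 - - [17/Mar/2011:11:30:00 +0000] "POST /PLACEHOLDER/st_upload HTTP/1.1" 403 0',
    '203.0.113.9 - - [17/Mar/2011:12:00:00 +0000] "GET /csamc60/kits/ HTTP/1.1" 200 512',
]
KNOWN_AGENTS = {"192.0.2.10"}  # constructed inventory of registered agent addresses

if __name__ == "__main__":
    for src, finding in triage(SAMPLE, KNOWN_AGENTS).items():
        print(src, finding)
```

A "low" finding on its own is worth a look because the kit download is the unauthenticated step that yields a HOST_UID.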


