Cisco Security Agent Management Center Code Execution
Added: 03/17/2011
CVE: CVE-2011-0364
BID: 65436
OSVDB: 70884
Background
Cisco Security Agent Management Center is the server component of Cisco's Security Agent endpoint IPS solution. It is responsible for collecting event log information from endpoints and distributing rule updates.
Problem
The Management Center web interface fails to validate parameters when handling 'st_upload' requests. An attacker may upload arbitrary executable files and place them such that they will be executed.
Resolution
Upgrade to Cisco Security Agent version 6.0.2.145 or later as instructed in Cisco advisory cisco-sa-20110216-csa.
References
http://www.cisco.com/en/US/products/products_security_advisory09186a0080b6cee6.shtml
http://www.zerodayinitiative.com/advisories/ZDI-11-088/
Limitations
The exploit works against Cisco Systems Security Agent Management Center 6.0.2.138 on Windows Server 2003 SP2 English (DEP OptOut). The 'IO::Socket::SSL' Perl module is required.
A valid HOST_UID of the target Security Agent Management Center must be provided to the exploit script. The HOST_UID can be retrieved from the target Security Agent Management Center without credentials. The following steps illustrate how to retrieve the HOST_UID:
1. Download the Agent Kit from URL: https://
2. Install the Agent Kit on a host running Windows Server 2003: Install the Agent Kit and reboot the machine. Open the Cisco Security Agent panel by double-clicking the Cisco Security Agent icon in the Windows status bar. On the Status screen, make sure the host name in the "Management Center" field matches the target server running Security Agent Management Center, and that the "Registration date" field has a valid date.
3. Open the following text file to retrieve the HOST_UID: c:\Program Files\Cisco\CSAgent\cfg\agent.state
An example HOST_UID looks like this: HOST_UID={1AE3136C-142D-40F9-9C88-8FCB76D648F7}
Platforms
Windows