Monday, May 18, 2009

Cisco Black Dot



I have been unemployed since January; I started to look for a new position two months ago, after fixing some personal stuff here in Buenos Aires.

Meanwhile I'm doing minor consultancy work, writing on my blog and learning more about security and networking.

As you can imagine, I have a lot of time!! So I can see things that other people don't see.
(Well, for this problem... in fact other people could also see it.)

Why this introduction? To be clear, I'm not a hacker!!! Hackers are at places like Core Systems or Cybesec.

Ok? Let's go.

Two weeks ago, looking for info about Cisco Games in Latin America, I went to the Cisco Systems Argentina site; there I found a link to this site:

http://www.ciscoredaccionvirtual.com.

Because this is a Latin America site, you can find it linked from the Cisco sites of other LA countries.

Ok, looking for info I started to navigate ciscoredaccionvirtual; big was my surprise when, after clicking one link, the site showed me this error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near '5'.

/redaccion/comunicados/comunicados.asp, line 38


I can't believe it.... SQL injection at Cisco? No... it's not possible.

So, I checked the link again:


http://www.ciscoredaccionvirtual.com/redaccion/comunicados/ver_comunicados.asp?Id=nnnn


I tried with a simple ', and the site worked fine. I tried with '--, fine. Ok, last try, with '5--

Bingo. Again the error:


Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near '5'.

/redaccion/comunicados/ver_comunicados.asp, line 103


So, now you can look for the info that a typical SQL injection can give you:

  • OS and SQL version
  • DB structure
  • Hostname
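An added example (mine, not code from the post or from the Cisco site) of the pattern behind an error like the one above, beside the fix the report's recommendations point to: the Id query-string value pasted into the SQL text, versus validated and bound as a parameter with database errors reduced to a generic message. SQLite stands in for SQL Server, and the comunicados table is a constructed guess at the schema, not the site's real one.

```python
import sqlite3

# Constructed stand-in for the site's press-release table; the real schema
# is unknown, so the table name and columns here are an assumption.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comunicados (Id INTEGER PRIMARY KEY, titulo TEXT)")
    conn.executemany("INSERT INTO comunicados VALUES (?, ?)",
                     [(1, "Comunicado uno"), (2, "Comunicado dos")])
    return conn

def ver_comunicado_concat(conn, id_param):
    """Vulnerable pattern: the Id value from the query string is pasted into
    the SQL text. Input such as 1'5-- breaks the statement, and a page with
    no error handling prints the driver's message (database product, line
    number) straight to the browser, as the ODBC error quoted above shows."""
    sql = "SELECT titulo FROM comunicados WHERE Id = " + id_param
    return conn.execute(sql).fetchall()

def ver_comunicado_param(conn, id_param):
    """Hardened pattern: Id is validated as an integer and bound as a query
    parameter, so it can never change the statement. Any database error is
    reduced to a generic message so driver and schema details stay internal."""
    if not id_param.isdigit():
        return {"error": "Invalid request", "rows": []}
    try:
        rows = conn.execute("SELECT titulo FROM comunicados WHERE Id = ?",
                            (int(id_param),)).fetchall()
    except sqlite3.Error:
        return {"error": "Invalid request", "rows": []}
    return {"error": None, "rows": rows}

def leaks_db_error(handler, conn, id_param):
    """Check helper: True when the handler lets a raw database error escape,
    which is exactly the symptom the post found on the live site."""
    try:
        handler(conn, id_param)
    except sqlite3.Error:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1'5--"):
        print(repr(probe), "concat leaks error:",
              leaks_db_error(ver_comunicado_concat, db, probe),
              "| param result:", ver_comunicado_param(db, probe))
```

The same mapping of driver errors to a generic page is what closes the "Information disclosure" finding in the report below, independently of the query fix.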


But the problems don't end there: when you try to register a new user in the application and click the link:

The SSL certificate has been expired since 01/20/2007!!!

To be complete, another problem on the site is XSS injection.



Two weeks ago I sent an email to Cisco PSIRT (Cisco Systems Product Security Incident Response Team) alerting them about a security problem on this site.

One day later, they sent me a short response.

from xxxxxxxxxxxxxxxxxxxxx
to julio jaime
cc psirt@cisco.com,
infosec@cisco.com
date 3 May 2009 0:32
subject Re: FYI Sqlinjection in cisco website
sent by cisco.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Julio,

Thanks for bringing this to our attention. I have cc'ed our InfoSec
team. They will investigate your report and act upon it as necessary.

Best regards,

xxxxxxxxxxxx
Cisco PSIRT




Two weeks later, the site has the same problems.

No website or software is free of security bugs, but Cisco provides us software and hardware where "Network Security Is Built In".


This type of error shows me (for this site):

  • No Cisco Security Design Service in practice
  • No Secure Development Cycle in practice
  • No Cisco Safe in place, or an IPS not very well configured
  • Coordination between PSIRT and production management slow to react
  • No security assessment practices

Looking in Google for news about this vulnerability in forums or groups, I found one site where one guy found the same problem "four months ago!!!"

Old problem: Ciscoredaccionvirtual

This guy also did an "update" in the databases of the Cisco Redaccion Virtual site.....

And now?

In my last job, one of my duties was to do flash pentests of websites; in case of problems, a more experienced team did a deeper intrusion. After finding problems in a website we wrote a standard report, something like:


Introduction

The aim of this penetration test is to help the administrator of the company to secure the network. Although this report contains technical terms, it has been written so that a non-initiated reader with a basic knowledge of computing would understand it.

The goal of this document is to describe the results of the penetration test performed on XXXX web applications.


Scope
It has been decided to focus the penetration test on the following application:

http:/xxxxxxxxxxxxx

Methodology
This penetration test has been done in “Black box” mode, that is to say, without any knowledge of how the application works or how the system architecture was designed. The benefit of this approach is to enumerate vulnerabilities with only the knowledge of what is visible or predictable from the outside.

Tools used

  • Iceweasel web browser
  • Paros proxy


Findings

The penetration test uncovered a number of serious vulnerabilities. Most of them are located at the application level. Following is a short summary of the major vulnerabilities.

  • Webserver Security

Information disclosure

Detailed error messages from the web server enable the user to gather reconnaissance and internal information about the infrastructure technology behind the application (database, OS, hardware, etc.).

SSL certificate expired

An expired SSL certificate opens the possibility for hackers to create rogue websites and easily divert innocent and unsuspecting users to a malicious site. Users, already used to clicking through the certificate warning on the legitimate site, will then be tempted to accept the certificate although it is clearly either expired or (what's even worse) from an untrusted CA (one that the hacker himself can easily set up, using Cisco-like domain names).

  • SQL Injection

An attacker can alter the address of some of the application web pages in such a way that he can query the internal database for all its information. As a result, the attacker can also modify the entire collection of information within the database, and this information will be replicated to every Cisco site in LA.

  • XSS Injection

An attacker can take advantage of numerous input fields in the application in order to mislead an innocent customer into giving away information upon entering the site, or to include false news. Input fields include the busqueda and sugerencias pages.

Detailed Results

This list shows all the vulnerabilities found during the intrusion test.

Every vulnerability will be presented as follows:

• Number: vulnerability id
• Authentication required: tells whether the attacker needs to be authenticated on the application before exploiting this vulnerability
• Vulnerability type: terminology associated with this vulnerability
• Severity level:
o Low: there is no immediate risk for the system with this vulnerability. Although that vulnerability might seem unimportant by itself, combined with one or several others it could lead to compromising the whole system.
o Important: the vulnerability is not dangerous by itself but gives a way to exploit other vulnerabilities.
o Critical: a part or a functionality of the system is compromised.
o Highly critical: the whole application, database, system or network is under the control of the attacker.
• Impact: the business impact if the vulnerability is exploited
• Recommendations: one or more recommendations to fix the vulnerability


(just a couple of examples)

Conclusion

The vulnerabilities I found on the xxxxxxxxxx site may have an impact on Cisco Systems' reputation.
The vulnerabilities presented in this report are all the vulnerabilities found during normal navigation (the only exception is the XSS flaw), but it is probably not an exhaustive list of weaknesses.
I suggest a global code review to find all the vulnerability occurrences and fix them with the dedicated recommendations and best practices (Secure Development Cycle, Security Assessments).


Cisco is not the only IT company with this type of problem; McAfee also has a lot of problems, and McAfee's business is only security.


Good places to look for references

Informe Seguridad en America Latina
Cisco Safe
OWASP
