Vulnerability Details
A vulnerability in CPI (Cisco Prime Infrastructure) allows unauthenticated attackers to make the product perform deserialization of untrusted data, which in turn can be used to execute arbitrary Java code.
The web application “xmp_data_handler_service” is defined in “/opt/CSCOlumos/apache-tomcat-7.0.56/webapps/xmp_data_handler_service/WEB-INF/web.xml”.
The vulnerable servlet defined there is reachable at the URL: https://[prime-ip]/xmp_data_handler_service/xmpDataOperationRequestServlet
The servlet class “com.cisco.xmp.data.handler.service.servlet.XmpDataOperationRequestServlet” defines a doPost method.
In this method the body of the POST request is wrapped in an ObjectInputStream. The “actionName” is first read from the stream as a UTF string, and then an object is deserialized from the stream with readObject(). Since the entire body of the HTTP request is user supplied, the attacker controls which object is deserialized.
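A hardened reader for the stream shape just described, added here as an example and not Cisco's code: it keeps the readUTF()-then-readObject() order but applies a class allow-list in resolveClass(), so a class descriptor that is not expected is rejected before the class is loaded and before any readObject()/readResolve() logic can run. The allow-list entries, the action name and the class name are constructed placeholders.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Set;

// Hypothetical hardened reader for the "actionName then object" stream shape the advisory
// describes. Not Cisco's code; the allow-list entries and action name are placeholders.
public class SafeXmpRequestReader {
    // Only classes the application genuinely expects in a request may be deserialized.
    private static final Set<String> ALLOWED = Set.of("java.util.HashMap", "java.lang.Integer");
    // Look-ahead filter: reject any class descriptor not on the allow-list before the
    // class is loaded, so its readObject()/readResolve() logic never runs.
    static final class AllowListObjectInputStream extends ObjectInputStream {
        AllowListObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not permitted in request");
            }
            return super.resolveClass(desc);
        }
    }
    public static final class Request {
        public final String actionName;
        public final Object payload;
        Request(String a, Object p) { actionName = a; payload = p; }
    }

    // Same read order as the vulnerable servlet (readUTF, then readObject), but with the
    // class filter applied and the body size bounded before anything is parsed.
    public static Request read(InputStream body, int maxBytes) throws IOException, ClassNotFoundException {
        byte[] bytes = body.readNBytes(maxBytes + 1);
        if (bytes.length > maxBytes) throw new IOException("request body exceeds " + maxBytes + " bytes");
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(bytes))) {
            return new Request(in.readUTF(), in.readObject());
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample request: a benign action name followed by an allowed HashMap.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeUTF("listDevices");
            out.writeObject(new HashMap<String, String>());
        }
        Request r = read(new ByteArrayInputStream(buf.toByteArray()), 1 << 20);
        System.out.println(r.actionName + " -> " + r.payload.getClass().getName());
    }
}
```

readNBytes requires Java 11; on Java 9 and later the same allow-list can instead be expressed as ObjectInputFilter.Config.createFilter("java.util.HashMap;java.lang.Integer;!*") passed to setObjectInputFilter, which additionally enforces depth and array-size limits.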
Exploitation
In order to exploit such a vulnerability, a serialized object needs to be crafted that invokes logic in the readObject()/readResolve() methods of a class present on the classpath.
Two ways to exploit the vulnerability were found:
- Commons Collection
- Spring Framework
Commons Collection
The exploitation details are described at “http://de.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles”. The authors also published a tool, “ysoserial”, that creates the serialized objects (https://github.com/frohoff/ysoserial).
The HTTP request looks like the following:
The request is provided in “commons.http”. To change the command to execute, edit the serialized object and replace the command string. Please note that the command string is preceded by a length byte that needs to be adjusted accordingly.
Spring Framework
Details about the vulnerability can be found at “http://wouter.coekaerts.be/2011/springvulnerabilities”.
The class to create the serialized object can be found at
“https://github.com/pwntester/SpringBreaker/blob/master/src/main/java/org/pwntester/springbreaker/FactoryProxySerializationExploit.java”
The request looks like the following:
The request is provided in the file “spring.http”. Please change the command from “touch /tmp/spring.txt” to the command of choice and adjust the length byte preceding the string.
Proof of Concept
The files commons.http and spring.http can be obtained by sending an email to ssd[]beyondsecurity.com
Vulnerable Version
Cisco Prime Infrastructure version 2.2
Vendor Response
Cisco has released a patch and an advisory which can be viewed by going to: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160406-remcode
CVE
A single CVE entry has been provided for this vulnerability: CVE-2016-1291