More Cisco, "more" vulnerability

Positive Research has discovered a vulnerability in Cisco devices. The vulnerability allows attackers to bypass certain access restrictions.
A possible security flaw was detected because of privileged command restrictions, in particular – "more" command that allows attackers to obtain router configuration stored in nvram, system (RAM), flash elements.
If more command access settings are configured as privilege exec level {number} more, opposed to commands like show, disk element access is propagated to all lower levels that could allow unauthorized users to obtain router memory and its elements nvram, system (RAM), flash.
Such problems are detected for IOS routers and switchers 12.2, 12.3, 12.4, 15.0.

Details

IOS 12.2, 12.3 limit access to configuration that can be obtained from system:running-config, but prevent reading directly from router memory (system:memory) to get the data, also reading from configuration and other files in router’s flash and nvram can is not limited.
IOS 12.4, 15.0 opposed to versions 12.2, 12.3, do not limit access from all router’s elements nvram, system (RAM), flash.
More details and how to fix are available here: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtk17827


Example 1. How to get configuration
Cisco 3550-12T (12.2(50)SE)
C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(50)SE)

ServiceDesk security or rate penetration testing

In penetration testing, Positive Research experts meet enterprise web-based solutions located inside a corporate network or on its perimeter. Applications like ServiceDesk, ERP, billing systems, etc. are examples of similar systems. The tendency «all requests via port 80» usually leads to situations when applications created for internal networks are published in the Internet.

Today we pay special attention to ManageEngine ServiceDesk user support application, that was first noted by PT experts in November, 2010 in penetration testing in a big company. ManageEngine ServiceDesk is commercial software based on Java, and aims to automate technical support service functions according to ITIL/ITSM recommendations.

We identified the solution on the network front-end, and tried to find details about associated vulnerabilities in public resources. But we found nothing. To decrease impact to testing network, we used vendor’s evaluation version for further research.

We installed the system on our testing machine and detected several vulnerabilities via fazzing and manual analysis (http://www.ptsecurity.ru/advisory1.aspx):
- Arbitrary command execution in ManageEngine ServiceDesk Plus 8.0.0
- Information disclosure in ManageEngine ServiceDesk Plus 8.0.0
- Root path traversal in ManageEngine ServiceDesk Plus 8.0.0

Positive Research helps to improve Web Appliaction Firewall efficiency

Positive Research, the innovative department of Positive Technologies, deserves thanks from Trustwave, WAF ModSecurity developers for Web Application Firewall research.

On 23th of June, Trustwave, Web Application Firewall ModSecurity developer, held open competition in testing of web application protection means. SQL Injection Challenge competitors should bypass ModSecurity filter rules that block SQL Injection attacks.

The testing consisted of two stages. At the first stage, competitors should exploit SQL Injection to get data from database of test sites. The second task was more complicated: the task was the same but competitors should bypass ModSecurity filter rules and do not generate firewall events.

ModSecurity SQL Injection Challenge attracted attention of a great number of researchers, including experts of Positive Technologies innovative department - Positive Research.
The experts are usually interested in protection means. Thus, Dmitry Evteev, Positive Research expert, suggested a universal technique how to bypass ModSecurity filtering (http://ptresearch.blogspot.com/2009/11/another-fine-method-to-exploit-sql.html) in 2009. New ModSecurity version design uses the ideas.

Positive Research experts successfully managed all tasks and bypassed WAF ModSecurity restrictions with the up-to-date filter rules. The developers are going to use the results to improve firewall efficiency.

Alexander Anisimov, Positive Research team leader remarks: «Web Application Firewall protects the most part of web applications from mass attacks. But our penetration testing clearly shows that Web Application Firewall version «form the box» is unable to protect systems from a great number of targeted attacks. So we believe the best way is to use WAF to eliminate detected vulnerabilities. The possible solution is to integrate compliance and vulnerability management system MaxPatrol and Web Application Firewall ModSecurity».
More details about the competition are available here: http://www.modsecurity.org/demo/challenge.html.

Asterisk DoS Vulnerabilities

One of the latest internal project included heavy use of Asterisk PBX, which is the most popular open source VOIP solution nowadays.
Positive Research decided to check Asterisk's implementation of SIP protocol from security perspective. First things first and we used PROTOS test suite specifically developed for SIP testing. Test base includes checks for overflows, format strings, utf processing and more - you can check the whole list at their website (https://www.ee.oulu.fi/research/ouspg/PROTOS_Test-Suite_c07-sip).
This resulted in two denial of service vulnerabilities being found. Both of them were on their way to the vendor when we discovered that while we were preparing the advisories they were already reported by internal staff of Digium. The vulnerabilities affected version of 1.8.x to 1.8.4.3.
Security fixed version 1.8.4.4 is already provided at the Asterisk website. Let's look at the details of both vulnerabilities to understand better the nature of software security flaws.