Anyone who has tested even a small number of web configuration interfaces on embedded devices, such as managed routers, VoIP gateways and wireless routers, knows that these devices are notorious for web application vulnerabilities. It is not uncommon for these devices to be vulnerable to Cross Site Scripting and similar attacks. Recently Cisco published a fix for an XSS vulnerability which affects the Cisco IOS HTTP server. The following would be the attack scenario:
- A network operator (the victim) who is logged into the Cisco IOS web interface (or has saved credentials for it) visits a malicious site
- The malicious site redirects the victim to the “ping” utility web page on the Cisco box which ends up displaying HTML code set by the attacker
- From that point on, the attacker has access to the victim’s authenticated session and can do a number of things, such as resetting the administrator’s password
Additionally, Cisco IOS appears to be vulnerable to a yet unpatched Cross Site Request Forgery vulnerability. By forcing a victim network operator to visit a page such as ‘http://cisco-box/level/15/configure/-/enable/secret/a-new-password’, the password is reset to “a-new-password”. This is not new information; it was mentioned in the recent ProCheckUp advisory and elsewhere back in January 2008.
HTTP is not the only way to inject HTML code into a web interface (leading to XSS). ProCheckUp had previously released a paper which describes exploitation of SNMP write access to change values that are displayed in the Cisco IOS web configuration. By inserting HTML code as the name of the Cisco device, the web interface turns into a backdoor that the attacker can control. During my tests I was able to find embedded VoIP devices that have similar vulnerabilities when they display user input, such as the “caller-id”, in the logs.
It seems that these web configuration interfaces have a long way to go in terms of Web Application Security, and the repercussions can be detrimental in the case of a targeted or drive-by attack on your organization. My recommendations are:
- Disable the HTTP interface if possible; some organizations have a policy to disable the Cisco IOS Web interface
- Limit the number of people that have access to the HTTP interfaces of embedded devices; this limits the number of people that may fall victim to a Cross Site Scripting or Cross Site Request Forgery attack
- Make use of a separate web browser to configure your embedded devices; e.g. use Internet Explorer for your embedded devices and Firefox for your normal browsing
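Where the HTTP interface cannot be disabled, the two attack patterns described above (a configuration change driven through a `/level/15/configure/...` URL, and HTML markup submitted to a page such as the ping utility) are visible in request logs. The following is an added example, not code from the original post or from Cisco: it scans access-log lines in a generic combined-log layout (an assumption; IOS itself does not log requests this way, so the format is what a proxy or syslog collector in front of the device might record) and flags the requests a defender would want to review. The sample log lines are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample log lines (combined-log layout is an assumption, see lead-in).
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Mar/2008:10:01:02 +0000] "GET /level/15/exec/-/show/version HTTP/1.1" 200 512 "-"
10.0.0.5 - admin [12/Mar/2008:10:01:09 +0000] "GET /level/15/configure/-/enable/secret/a-new-password HTTP/1.1" 200 88 "http://evil.example/"
10.0.0.5 - admin [12/Mar/2008:10:02:30 +0000] "GET /ping?host=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300 "http://evil.example/"
10.0.0.7 - ops [12/Mar/2008:10:03:00 +0000] "GET /level/15/exec/-/ping/10.0.0.1 HTTP/1.1" 200 600 "-"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) \S+ "(?P<referer>[^"]*)"')
# Any "/level/<n>/configure..." request is a configuration change made through the URL.
CONFIG_RE = re.compile(r'^/level/\d+/configure(/|$)', re.I)
# An opening or closing HTML tag anywhere in the decoded path or query string.
HTML_RE = re.compile(r'<\s*/?\s*[a-z]', re.I)

def classify(line, device_host='cisco-box'):
    """Return a finding dict for one log line, or None if the line is unremarkable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote(m['path'])          # decode %3C etc. before looking for markup
    reasons = []
    if CONFIG_RE.match(path):
        reasons.append('config change via URL')
    if HTML_RE.search(path):
        reasons.append('html markup in request')
    ref = m['referer']
    # A management interface should only be reached from itself; a Referer from
    # another site means the request was triggered by a page the operator visited.
    # Note the header is optional, so an absent Referer ('-') proves nothing.
    if ref not in ('-', '') and urlsplit(ref).hostname != device_host:
        reasons.append('foreign referer')
    if not reasons:
        return None
    return {'src': m['src'], 'user': m['user'], 'path': path, 'reasons': reasons}

def find_suspicious(log_text, device_host='cisco-box'):
    """Classify every line of the log and return the findings in order."""
    hits = (classify(l, device_host) for l in log_text.splitlines())
    return [h for h in hits if h]

if __name__ == '__main__':
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit['src'], hit['user'], hit['path'], ', '.join(hit['reasons']))
```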