[24947] in bugtraq
iXsecurity.20020314.csadmin_fmt.a
daemon@ATHENA.MIT.EDU (Patrik Karlsson)
Wed Apr 3 20:42:09 2002
To: bugtraq@securityfocus.com
Cc: Hackers@guardianit.se
Message-ID: <OFB6E27694.7B3F6C06-ONC1256B90.0048DDED@guardianit.se>
From: "Patrik Karlsson" <Patrik.Karlsson@ixsecurity.com>
Date: Wed, 3 Apr 2002 17:58:28 +0200
MIME-Version: 1.0
Content-type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
iXsecurity Security Vulnerability Report
No: iXsecurity.20020314.csadmin_fmt.a
========================================
Vulnerability Summary
---------------------
Problem: Cisco Secure ACS webserver has a format string
vulnerability.
Threat: An attacker could send an "invalid" URL
to the webserver listening on port 2002,
resulting in a server crash and arbitrary code
execution.
Affected Software: Cisco Secure ACS 2.6.X and 3.0.1 (build 40).
Platform: Windows NT/2000 verified
Solution: Install the patch from Cisco.
Vulnerability Description
-------------------------
Cisco Secure ACS has a webserver interface listening on port 2002.
The webserver has a format string condition, making it possible
to overwrite EIP, resulting in a service crash and arbitrary code
execution.
Solution
--------
Cisco PSIRT can confirm this vulnerability. The Security Advisory
was published and it is at
http://www.cisco.com/warp/public/707/ACS-Win-Web.shtml
Only Cisco ACS for Windows is affected. The Unix version is not
affected by these issues. You can download patches by following
instructions in the Advisory.
Additional Information
----------------------
Cisco was contacted 20020315.
This vulnerability was found and researched by
Jonas Ländin, jonas.landin@ixsecurity.com
Patrik Karlsson, patrik.karlsson@ixsecurity.com
