30/06/2021

Pwning Cisco ISE: From Cross Site Scripting to Root Shell!

In this short video we show how dangerous a cross-site scripting (XSS) vulnerability can be.

Back in 2018, Pedro found 3 vulnerabilities that, chained together, allow an unauthenticated attacker to achieve remote code execution as root on a Cisco Identity Services Engine (ISE) device.

1- Stored cross site scripting (exploitable by an unauthenticated attacker)

2- Unsafe Java deserialization (exploitable by an authenticated user)

3- Privilege escalation to root due to incorrect file permissions

We start by sending an unauthenticated HTTP request that stores the XSS payload on the device. Then we send a phishing email to the device administrator. Once the administrator clicks the link in the email, he is taken to the device page that contains our XSS payload. That payload sends a malicious request to a REST endpoint on the device that performs the unsafe Java deserialization, which gives us a shell running as the web server user. Finally, we abuse the incorrect file permissions to get root!

For an in-depth look at each vulnerability and at how the exploit works under the hood, please check the advisory at https://github.com/pedrib/PoC/blob/master/advisories/Cisco/cisco_ise_rce.md
