var-201109-0074
Vulnerability from variot
Buffer overflow in the cuil component in Cisco Telepresence System Integrator C Series 4.x before TC4.2.0 allows remote authenticated users to cause a denial of service (endpoint reboot or process crash) or possibly execute arbitrary code via a long location parameter to the getxml program, aka Bug ID CSCtq46496. Cisco Telepresence System Integrator C of cuil The component contains a buffer overflow vulnerability. Cisco TelePresence Endpoint is prone to memory-corruption and HTML-injection vulnerabilities. An attacker can exploit the HTML-injection issue to execute arbitrary script code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible. An attacker can exploit the memory-corruption issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions. The solution provides components such as audio and video spaces, which can provide remote participants with a "face-to-face" virtual meeting room effect. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach? Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM: http://secunia.com/products/corporate/vim/ovum_2011_request/
TITLE: TANDBERG C Series Endpoints Script Insertion and Denial of Service Vulnerabilities
SECUNIA ADVISORY ID: SA46057
VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46057/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46057
RELEASE DATE: 2011-09-22
DISCUSS ADVISORY: http://secunia.com/advisories/46057/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s)
http://secunia.com/advisories/46057/
ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46057
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION: Two vulnerabilities have been reported in TANDBERG C Series Endpoints, which can be exploited by malicious users to conduct script insertion attacks and cause a DoS (Denial of Service).
1) Input passed as the Call ID when calling another endpoint is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed on an affected device when the malicious data is being viewed.
2) An error in the tshell application can be exploited to dereference an invalid memory address via overly long strings passed via the "location" parameter to the getXML script.
The vulnerabilities are reported in version 4.1.2 and prior.
SOLUTION: Update to version 4.2.0, which fixes vulnerability #2. Filter malicious characters and character sequences using a proxy.
ORIGINAL ADVISORY: http://www.senseofsecurity.com.au/advisories/SOS-11-010
OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/
DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/
EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/
About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Sense of Security - Security Advisory - SOS-11-010
Release Date. 19-Sep-2011 Last Update. - Vendor Notification Date. 21-Feb-2011 Product. Cisco Affected versions. C <= TC4.1.2, MXP <= F9.1 Severity Rating. Low - Medium Impact. Cookie/credential theft, impersonation, loss of confidentiality, client-side code execution, denial of service. Solution Status. Vendor patch References. 1. CVE-2011-2544 (CSCtq46488) 2. CVE-2011-2543 (CSCtq46496) 3. CVE-2011-2577 (CSCtq46500)
Details. Cisco TelePresence is an umbrella term for Video Conferencing Hardware and Software, Infrastructure and Endpoints. The C & MXP Series are the Endpoints used on desks or in boardrooms to provide users with a termination point for Video Conferencing.
- Post-authentication HTML Injection - CVE-2011-2544 (CSCtq46488): Cisco TelePresence Endpoints have a web interface (HTTP or HTTPS) for managing, configuring and reporting. It is possible to set the Call ID (with H.323 or SIP) to a HTML value. If a call is made to another endpoint and an authenticated user browses to the web interface on the endpoint receiving the call (e.g. to view call statistics), the HTML will render locally within the context of the logged in user. From this point it is possible to make changes to the system as the authenticated user. The flaw is due to the flexibility of the H.323 ID or SIP Display Name fields and failure to correctly validate user input.
Examples (MXP):
Rebooting the system:
The attacker may also choose to change passwords in the system, disable
encryption or enable telnet:
- Post-authentication Memory Corruption - CVE-2011-2543 (CSCtq46496): Cisco TelePresence systems (Endpoints and Infrastructure) use XPath for setting and getting configuration.
Example syntax is: http://ip/getxml?location=/Configuration/Video The request is sent to a locally listening shell (tshell). This is the case for all requests relating to performing an action on the system (e.g. config get or set). The shell then sends the input to the "main" application (/app/main, id=0), and the data is passed as a parameter.
It was discovered that the getXML handle does not properly perform length checking on the user supplied input before passing it to the tshell. Furthermore, there is no length checking performed in the tshell and no bounds checking performed in the main application where the parameter is consumed. As such, it is possible to send input that exceeds the size of the receiving buffer, subsequently causing an invalid address to be read. This causes a reboot on the Endpoints. The VCS will not reboot, the process will crash by SIGSEGV (or sigabrt) but it will restart the process itself which drops all calls.
Proof of Concept: GET /wsgi/getxml?location="+("A"5200)+("\x60"4)+("X"*4)+"HTTP/1.1\r\n Host: 192.168.6.99\r\n\r\n"
Received signal SIGSEGV (11) in thread 0x129e8480, TID 2670 Illegal memory access at: 0x5858585c Registers: GPR00: 00f2c908 129e5960 129ef920 00000005 00000040 0000000c 00000037 0f315580 GPR08: 00000005 129e5a70 129e5a80 58585858 0f3272d4 11589858 129e6896 0000000b GPR16: 129e6084 11164a1c 00000000 129e6894 00000037 1299ca18 00000005 00000002 GPR24: 129e59a8 00000002 0f3ea3a4 129e5a64 00000037 00000005 0f410bac 129e5960 GPR24: 129e59a8 00000002 0f3ea3a4 129e5a64 00000037 00000005 0f410bac 129e5960 NIP: 0f39abc8 MSR: 0000d032 OGPR3: 00000002
As you can see, the crash string is passed as a parameter in GPR 8.
- Pre-authentication SIP Denial of Service - CVE-2011-2577 (CSCtq46500): Cisco TelePresence Endpoints utilise SIP for the call setup protocol. Sending a SIP INVITE with a 4x8 a"s in the MAC Address field and the receive field causes the system to reboot.
Proof of Concept: MXP: Exception 0x1100 : Data TLB load miss Active task FsmMain FSM process : SipTrnsp(0) FSM message : SipTrnsp_Send_Msg_Req from SipTrnsp(0) Data TLB miss (DMISS) : 0x00000000 (illegal addr. accessed)
Solution. Upgrade to TC4.2 for the C series to fix validation issues.
Discovered by. David Klein, Sense of Security Labs.
About us. Sense of Security is a leading provider of information security and risk management solutions. Our team has expert skills in assessment and assurance, strategy and architecture, and deployment through to ongoing management. We are Australia's premier application penetration testing firm and trusted IT security advisor to many of the countries largest organisations.
Sense of Security Pty Ltd Level 8, 66 King St Sydney NSW 2000 AUSTRALIA
T: +61 (0)2 9290 4444 F: +61 (0)2 9290 4455 W: http://www.senseofsecurity.com.au E: info@senseofsecurity.com.au Twitter: @ITsecurityAU
The latest version of this advisory can be found at: http://www.senseofsecurity.com.au/advisories/SOS-11-010.pdf
Other Sense of Security advisories can be found at: http://www.senseofsecurity.com.au/research/it-security-advisories.php . Restrict access to trusted users only
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201109-0074",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "telepresence c series software",
"scope": "eq",
"trust": 1.0,
"vendor": "cisco",
"version": "tc4.1.1"
},
{
"model": "telepresence c series software",
"scope": "eq",
"trust": 1.0,
"vendor": "cisco",
"version": "tc4.1.0"
},
{
"model": "telepresence codec c90",
"scope": "eq",
"trust": 1.0,
"vendor": "cisco",
"version": "*"
},
{
"model": "telepresence c series software",
"scope": "eq",
"trust": 1.0,
"vendor": "cisco",
"version": "tc4.0.1"
},
{
"model": "telepresence c series software",
"scope": "eq",
"trust": 1.0,
"vendor": "cisco",
"version": "tc4.0.4"
},
{
"model": "telepresence codec c60",
"scope": "eq",
"trust": 1.0,
"vendor": "cisco",
"version": "*"
},
{
"model": "telepresence c series software",
"scope": "eq",
"trust": 1.0,
"vendor": "cisco",
"version": "tc4.0.0"
},
{
"model": "telepresence codec c40",
"scope": "eq",
"trust": 1.0,
"vendor": "cisco",
"version": "*"
},
{
"model": "telepresence c series software",
"scope": "eq",
"trust": 1.0,
"vendor": "cisco",
"version": "tc4.1.2"
},
{
"model": "telepresence",
"scope": "eq",
"trust": 0.8,
"vendor": "cisco",
"version": "system integrator c series tc4.2.0"
},
{
"model": "telepresence",
"scope": "lt",
"trust": 0.8,
"vendor": "cisco",
"version": "4.x"
},
{
"model": "telepresence codec c60",
"scope": null,
"trust": 0.6,
"vendor": "cisco",
"version": null
},
{
"model": "telepresence codec c90",
"scope": null,
"trust": 0.6,
"vendor": "cisco",
"version": null
},
{
"model": "telepresence codec c40",
"scope": null,
"trust": 0.6,
"vendor": "cisco",
"version": null
},
{
"model": "telepresence endpoint mxp f9.1",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "telepresence endpoint c tc4.1.2",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
}
],
"sources": [
{
"db": "BID",
"id": "49670"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-002256"
},
{
"db": "CNNVD",
"id": "CNNVD-201109-329"
},
{
"db": "NVD",
"id": "CVE-2011-2543"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/h:cisco:telepresence",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2011-002256"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "David Klein of Sense of Security Labs",
"sources": [
{
"db": "BID",
"id": "49670"
},
{
"db": "CNNVD",
"id": "CNNVD-201109-329"
}
],
"trust": 0.9
},
"cve": "CVE-2011-2543",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.0,
"id": "CVE-2011-2543",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.0,
"id": "VHN-50488",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:S/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2011-2543",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2011-2543",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-201109-329",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-50488",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-50488"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-002256"
},
{
"db": "CNNVD",
"id": "CNNVD-201109-329"
},
{
"db": "NVD",
"id": "CVE-2011-2543"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Buffer overflow in the cuil component in Cisco Telepresence System Integrator C Series 4.x before TC4.2.0 allows remote authenticated users to cause a denial of service (endpoint reboot or process crash) or possibly execute arbitrary code via a long location parameter to the getxml program, aka Bug ID CSCtq46496. Cisco Telepresence System Integrator C of cuil The component contains a buffer overflow vulnerability. Cisco TelePresence Endpoint is prone to memory-corruption and HTML-injection vulnerabilities. \nAn attacker can exploit the HTML-injection issue to execute arbitrary script code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible. \nAn attacker can exploit the memory-corruption issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions. The solution provides components such as audio and video spaces, which can provide remote participants with a \"face-to-face\" virtual meeting room effect. ----------------------------------------------------------------------\n\nOvum says ad hoc tools are out-dated. The best practice approach?\nFast vulnerability intelligence, threat handling, and setup in one tool. \n\nRead the new report on the Secunia VIM:\nhttp://secunia.com/products/corporate/vim/ovum_2011_request/ \n\n----------------------------------------------------------------------\n\nTITLE:\nTANDBERG C Series Endpoints Script Insertion and Denial of Service\nVulnerabilities\n\nSECUNIA ADVISORY ID:\nSA46057\n\nVERIFY ADVISORY:\nSecunia.com\nhttp://secunia.com/advisories/46057/\nCustomer Area (Credentials Required)\nhttps://ca.secunia.com/?page=viewadvisory\u0026vuln_id=46057\n\nRELEASE DATE:\n2011-09-22\n\nDISCUSS ADVISORY:\nhttp://secunia.com/advisories/46057/#comments\n\nAVAILABLE ON SITE AND IN CUSTOMER AREA:\n * Last Update\n * Popularity\n * Comments\n * Criticality Level\n * Impact\n * Where\n * Solution Status\n * Operating System / Software\n * CVE Reference(s)\n\nhttp://secunia.com/advisories/46057/\n\nONLY AVAILABLE IN CUSTOMER AREA:\n * Authentication Level\n * Report Reliability\n * Secunia PoC\n * Secunia Analysis\n * Systems Affected\n * Approve Distribution\n * Remediation Status\n * Secunia CVSS Score\n * CVSS\n\nhttps://ca.secunia.com/?page=viewadvisory\u0026vuln_id=46057\n\nONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:\n * AUTOMATED SCANNING\n\nhttp://secunia.com/vulnerability_scanning/personal/\nhttp://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/\n\nDESCRIPTION:\nTwo vulnerabilities have been reported in TANDBERG C Series\nEndpoints, which can be exploited by malicious users to conduct\nscript insertion attacks and cause a DoS (Denial of Service). \n\n1) Input passed as the Call ID when calling another endpoint is not\nproperly sanitised before being used. This can be exploited to insert\narbitrary HTML and script code, which will be executed on an affected\ndevice when the malicious data is being viewed. \n\n2) An error in the tshell application can be exploited to dereference\nan invalid memory address via overly long strings passed via the\n\"location\" parameter to the getXML script. \n\nThe vulnerabilities are reported in version 4.1.2 and prior. \n\nSOLUTION:\nUpdate to version 4.2.0, which fixes vulnerability #2. Filter\nmalicious characters and character sequences using a proxy. \n\nORIGINAL ADVISORY:\nhttp://www.senseofsecurity.com.au/advisories/SOS-11-010\n\nOTHER REFERENCES:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\nDEEP LINKS:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\nEXTENDED DESCRIPTION:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\nEXTENDED SOLUTION:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\nEXPLOIT:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\nprivate users keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. Sense of Security - Security Advisory - SOS-11-010\n\nRelease Date. 19-Sep-2011\nLast Update. -\nVendor Notification Date. 21-Feb-2011\nProduct. Cisco\nAffected versions. C \u003c= TC4.1.2, MXP \u003c= F9.1\nSeverity Rating. Low - Medium\nImpact. Cookie/credential theft,\n impersonation,\n loss of confidentiality,\n client-side code execution,\n denial of service. \nSolution Status. Vendor patch\nReferences. 1. CVE-2011-2544 (CSCtq46488)\n 2. CVE-2011-2543 (CSCtq46496)\n 3. CVE-2011-2577 (CSCtq46500)\n\nDetails. \nCisco TelePresence is an umbrella term for Video Conferencing Hardware\nand Software, Infrastructure and Endpoints. The C \u0026 MXP Series are the\nEndpoints used on desks or in boardrooms to provide users with a\ntermination point for Video Conferencing. \n\n1. Post-authentication HTML Injection - CVE-2011-2544 (CSCtq46488):\nCisco TelePresence Endpoints have a web interface (HTTP or HTTPS) for\nmanaging, configuring and reporting. It is possible to set the Call ID\n(with H.323 or SIP) to a HTML value. If a call is made to another\nendpoint and an authenticated user browses to the web interface on the\nendpoint receiving the call (e.g. to view call statistics), the\nHTML will render locally within the context of the logged in user. From\nthis point it is possible to make changes to the system as the\nauthenticated user. The flaw is due to the flexibility of the H.323 ID\nor SIP Display Name fields and failure to correctly validate user input. \n\nExamples (MXP):\nRebooting the system: \u003cIMG SRC=\"/reboot\u0026Yes=please\"\u003e\nThe attacker may also choose to change passwords in the system, disable\nencryption or enable telnet:\n\u003cIMG SRC=/html_select_status?reload=other.ssi\u0026telnet=On\u003e\n\u003cIMG SRC=/html_select_status?reload=security.ssi\u0026/Configuration/\nConference/Encryption/Mode=Off\u0026/Configuration/SystemUnit/Password=test\u003e\n\n2. Post-authentication Memory Corruption - CVE-2011-2543 (CSCtq46496):\nCisco TelePresence systems (Endpoints and Infrastructure) use XPath for\nsetting and getting configuration. \n\nExample syntax is:\nhttp://ip/getxml?location=/Configuration/Video\nThe request is sent to a locally listening shell (tshell). This is the\ncase for all requests relating to performing an action on the system (e.g. \nconfig get or set). The shell then sends the input to the \"main\"\napplication (/app/main, id=0), and the data is passed as a parameter. \n\nIt was discovered that the getXML handle does not properly perform\nlength checking on the user supplied input before passing it to the\ntshell. Furthermore, there is no length checking performed in the tshell\nand no bounds checking performed in the main application where the\nparameter is consumed. As such, it is possible to send input that\nexceeds the size of the receiving buffer, subsequently causing an\ninvalid address to be read. This causes a reboot on the Endpoints. The\nVCS will not reboot, the process will crash by SIGSEGV (or sigabrt) but\nit will restart the process itself which drops all calls. \n\nProof of Concept: GET\n/wsgi/getxml?location=\"+(\"A\"*5200)+(\"\\x60\"*4)+(\"X\"*4)+\"HTTP/1.1\\r\\n\nHost: 192.168.6.99\\r\\n\\r\\n\"\n\nReceived signal SIGSEGV (11) in thread 0x129e8480, TID 2670\nIllegal memory access at: 0x5858585c\nRegisters:\nGPR00: 00f2c908 129e5960 129ef920 00000005 00000040 0000000c 00000037 \n0f315580\nGPR08: 00000005 129e5a70 129e5a80 58585858 0f3272d4 11589858 129e6896 \n0000000b\nGPR16: 129e6084 11164a1c 00000000 129e6894 00000037 1299ca18 00000005 \n00000002\nGPR24: 129e59a8 00000002 0f3ea3a4 129e5a64 00000037 00000005 0f410bac \n129e5960\nGPR24: 129e59a8 00000002 0f3ea3a4 129e5a64 00000037 00000005 0f410bac \n129e5960\nNIP: 0f39abc8 MSR: 0000d032 OGPR3: 00000002\n\nAs you can see, the crash string is passed as a parameter in GPR 8. \n\n3. Pre-authentication SIP Denial of Service - CVE-2011-2577 (CSCtq46500):\nCisco TelePresence Endpoints utilise SIP for the call setup protocol. \nSending a SIP INVITE with a 4x8 a\"s in the MAC Address field and the\nreceive field causes the system to reboot. \n\nProof of Concept: MXP:\nException 0x1100 : Data TLB load miss Active task\nFsmMain FSM process : SipTrnsp(0) FSM message : SipTrnsp_Send_Msg_Req\nfrom SipTrnsp(0) Data TLB miss (DMISS) : 0x00000000 (illegal addr. \naccessed)\n\nSolution. \nUpgrade to TC4.2 for the C series to fix validation issues. \n\nDiscovered by. \nDavid Klein, Sense of Security Labs. \n\nAbout us. \nSense of Security is a leading provider of information\nsecurity and risk management solutions. Our team has expert\nskills in assessment and assurance, strategy and architecture,\nand deployment through to ongoing management. We are\nAustralia\u0027s premier application penetration testing firm and\ntrusted IT security advisor to many of the countries largest\norganisations. \n\nSense of Security Pty Ltd\nLevel 8, 66 King St\nSydney NSW 2000\nAUSTRALIA\n\nT: +61 (0)2 9290 4444\nF: +61 (0)2 9290 4455\nW: http://www.senseofsecurity.com.au\nE: info@senseofsecurity.com.au\nTwitter: @ITsecurityAU\n\nThe latest version of this advisory can be found at:\nhttp://www.senseofsecurity.com.au/advisories/SOS-11-010.pdf\n\nOther Sense of Security advisories can be found at:\nhttp://www.senseofsecurity.com.au/research/it-security-advisories.php \n. \nRestrict access to trusted users only",
"sources": [
{
"db": "NVD",
"id": "CVE-2011-2543"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-002256"
},
{
"db": "BID",
"id": "49670"
},
{
"db": "VULHUB",
"id": "VHN-50488"
},
{
"db": "PACKETSTORM",
"id": "106650"
},
{
"db": "PACKETSTORM",
"id": "105229"
},
{
"db": "PACKETSTORM",
"id": "106651"
}
],
"trust": 2.25
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-50488",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-50488"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2011-2543",
"trust": 2.9
},
{
"db": "BID",
"id": "49670",
"trust": 2.0
},
{
"db": "SECUNIA",
"id": "46109",
"trust": 1.8
},
{
"db": "SECUNIA",
"id": "46057",
"trust": 1.8
},
{
"db": "SECTRACK",
"id": "1026072",
"trust": 1.7
},
{
"db": "EXPLOIT-DB",
"id": "17871",
"trust": 1.7
},
{
"db": "SREASON",
"id": "8393",
"trust": 1.1
},
{
"db": "JVNDB",
"id": "JVNDB-2011-002256",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201109-329",
"trust": 0.7
},
{
"db": "XF",
"id": "69907",
"trust": 0.6
},
{
"db": "NSFOCUS",
"id": "17779",
"trust": 0.6
},
{
"db": "BUGTRAQ",
"id": "20110919 CISCO TELEPRESENCE MULTIPLE VULNERABILITIES - SOS-11-010",
"trust": 0.6
},
{
"db": "SEEBUG",
"id": "SSVID-72141",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-50488",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "106650",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "105229",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "106651",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-50488"
},
{
"db": "BID",
"id": "49670"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-002256"
},
{
"db": "PACKETSTORM",
"id": "106650"
},
{
"db": "PACKETSTORM",
"id": "105229"
},
{
"db": "PACKETSTORM",
"id": "106651"
},
{
"db": "CNNVD",
"id": "CNNVD-201109-329"
},
{
"db": "NVD",
"id": "CVE-2011-2543"
}
]
},
"id": "VAR-201109-0074",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-50488"
}
],
"trust": 0.52526317
},
"last_update_date": "2024-11-23T20:27:52.605000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "TelePresence",
"trust": 0.8,
"url": "http://www.cisco.com/en/US/products/ps7060/index.html"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2011-002256"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-119",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-50488"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-002256"
},
{
"db": "NVD",
"id": "CVE-2011-2543"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.7,
"url": "http://www.securityfocus.com/bid/49670"
},
{
"trust": 1.7,
"url": "http://www.exploit-db.com/exploits/17871"
},
{
"trust": 1.7,
"url": "http://securitytracker.com/id?1026072"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/46057"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/46109"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/archive/1/519698/100/0/threaded"
},
{
"trust": 1.1,
"url": "http://securityreason.com/securityalert/8393"
},
{
"trust": 1.1,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/69907"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-2543"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-2543"
},
{
"trust": 0.6,
"url": "http://xforce.iss.net/xforce/xfdb/69907"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/archive/1/archive/1/519698/100/0/threaded"
},
{
"trust": 0.6,
"url": "http://www.nsfocus.net/vulndb/17779"
},
{
"trust": 0.4,
"url": "http://www.senseofsecurity.com.au/advisories/sos-11-010.pdf"
},
{
"trust": 0.3,
"url": "http://www.cisco.com/en/us/products/ps7060/index.html"
},
{
"trust": 0.2,
"url": "http://secunia.com/vulnerability_intelligence/"
},
{
"trust": 0.2,
"url": "http://secunia.com/advisories/secunia_security_advisories/"
},
{
"trust": 0.2,
"url": "http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/"
},
{
"trust": 0.2,
"url": "http://secunia.com/advisories/about_secunia_advisories/"
},
{
"trust": 0.2,
"url": "http://secunia.com/vulnerability_scanning/personal/"
},
{
"trust": 0.2,
"url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
},
{
"trust": 0.2,
"url": "http://secunia.com/products/corporate/vim/ovum_2011_request/"
},
{
"trust": 0.2,
"url": "http://www.senseofsecurity.com.au/advisories/sos-11-010"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/46057/"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/46057/#comments"
},
{
"trust": 0.1,
"url": "https://ca.secunia.com/?page=viewadvisory\u0026vuln_id=46057"
},
{
"trust": 0.1,
"url": "http://www.senseofsecurity.com.au"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2011-2544"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2011-2543"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2011-2577"
},
{
"trust": 0.1,
"url": "http://www.senseofsecurity.com.au/research/it-security-advisories.php"
},
{
"trust": 0.1,
"url": "http://ip/getxml?location=/configuration/video"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/46109/#comments"
},
{
"trust": 0.1,
"url": "https://ca.secunia.com/?page=viewadvisory\u0026vuln_id=46109"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/46109/"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-50488"
},
{
"db": "BID",
"id": "49670"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-002256"
},
{
"db": "PACKETSTORM",
"id": "106650"
},
{
"db": "PACKETSTORM",
"id": "105229"
},
{
"db": "PACKETSTORM",
"id": "106651"
},
{
"db": "CNNVD",
"id": "CNNVD-201109-329"
},
{
"db": "NVD",
"id": "CVE-2011-2543"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-50488"
},
{
"db": "BID",
"id": "49670"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-002256"
},
{
"db": "PACKETSTORM",
"id": "106650"
},
{
"db": "PACKETSTORM",
"id": "105229"
},
{
"db": "PACKETSTORM",
"id": "106651"
},
{
"db": "CNNVD",
"id": "CNNVD-201109-329"
},
{
"db": "NVD",
"id": "CVE-2011-2543"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2011-09-23T00:00:00",
"db": "VULHUB",
"id": "VHN-50488"
},
{
"date": "2011-09-19T00:00:00",
"db": "BID",
"id": "49670"
},
{
"date": "2011-09-28T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2011-002256"
},
{
"date": "2011-11-06T03:38:15",
"db": "PACKETSTORM",
"id": "106650"
},
{
"date": "2011-09-19T13:34:23",
"db": "PACKETSTORM",
"id": "105229"
},
{
"date": "2011-11-06T03:38:18",
"db": "PACKETSTORM",
"id": "106651"
},
{
"date": "1900-01-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201109-329"
},
{
"date": "2011-09-23T10:55:02.693000",
"db": "NVD",
"id": "CVE-2011-2543"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-10-09T00:00:00",
"db": "VULHUB",
"id": "VHN-50488"
},
{
"date": "2011-09-19T00:00:00",
"db": "BID",
"id": "49670"
},
{
"date": "2011-09-28T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2011-002256"
},
{
"date": "2011-09-26T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201109-329"
},
{
"date": "2024-11-21T01:28:29.757000",
"db": "NVD",
"id": "CVE-2011-2543"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201109-329"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Cisco Telepresence System Integrator C of cuil Component buffer overflow vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2011-002256"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer overflow",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201109-329"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.