Home / exploits Cisco Meraki Systems Manager CSRF / XSS / Functionality Abuse
Posted on 29 January 2015
( , ) (, . '.' ) ('. ', ). , ('. ( ) ( (_,) .'), ) _ _, / _____/ / _ ____ ____ _____ \____ ==/ /_ _/ ___/ _ / / / | \ \__( <_> ) Y Y /______ /\___|__ / \___ >____/|__|_| / / /.-. / /:wq (x.0) '=.|w|.=' _=''"''=. presents.. Cisco Meraki Systems Manager Multiple Vulnerabilities Affected Versions: Cisco Meraki Systems Manager - Unknown Versions PDF: http://www.security-assessment.com/files/documents/advisory/Cisco_Meraki_Systems_Manager_Multiple_Vulnerabilities.pdf +-------------+ | Description | +-------------+ The Cisco Meraki Systems Manager system was found to suffer from a number of vulnerabilities. A Cross Site Request Forgery vulnerability was discovered, allowing an attacker to determine the registration code for an organisation's Systems Manager instance or send out spam email. A Stored Cross Site Scripting vulnerability was discovered, allowing a malicious end user running the Systems Manager MDM software to stage Cross Site Scripting attacks against the organisation's administrative users. The Cisco Meraki Systems Manager administrative console was found to suffer from a Mass Assignment vulnerability, allowing a malicious user to leverage the "Backpack" functionality to automatically download and install arbitrary applications to the end user devices. Additionally, legitimate updates for the Systems Manager MDM software were found to be shipped over HTTP. This allows an attacker to intercept and tamper the application package provided they have access to the network communications somewhere between the client and the Meraki cloud. +--------------+ | Exploitation | +--------------+ --[ Cross Site Request Forgery The Cisco Meraki System Manager administrative console uses an ‘X-CSRF-Token’ HTTP header to protect against Cross Site Request Forgery attacks, however it was found that this header is often not validated on the server side and can simply be omitted. The following POC can be used to coerce an authenticated user into sending an email containing arbitrary content to an arbitrary address. <html> <body> <form action="https://n85.meraki.com/Systems-Manager/n/Q6mExcvb/manage/configure/pcc_send_mdm_link/"> <input type="hidden" name="type" value="email" /> <input type="hidden" name="addr" value="ao367gnae9aer7ghb@mailinator.com" /> <input type="hidden" name="msg" value="Enroll in Meraki Systems Manager by opening this URL on your Android device:" /> <input type="hidden" name="platform" value="android" /> <input type="submit" value="Submit request" /> </form> </body> </html> The CSRF POC on the previous page will send an invitation message to ‘ao367gnae9aer7ghb@mailinator.com’. An attacker may leverage this to enumerate an organizations registration code and stage further attacks against the Meraki deployment. --[ Stored Cross Site Scripting As Systems Manager relies on a certificate on the mobile device (provisioned via SCEP during registration) to provide authentication. A condition was discovered wherein a malicious user can retrieve the relevant certificate and key and stage attacks against the Systems Manager administrative console. This lead to a Stored Cross Site Scripting vulnerability, where a malicious user may send a crafted request to /android/callback with malicious JavaScript code in the system_model parameter. The Mdm-Signature header is then recreated by the malicious user and the payload sent. The Mdm-Signature header can be generated by using a SpongyCastle content signer to generate a signature for the POST parameter data. The following is a request detailing the exploit. The system_model parameter is the affected field. The parameter field has been shortened for brevities sake. POST /android/callback HTTP/1.1 Mdm-Signature: <Recreated MDM Signature> Content-Length: <content length> Content-Type: application/x-www-form-urlencoded Host: <Meraki Host> Connection: Keep-Alive {snip}&system_model=Galaxy+XSS+%3cscript%3ealert(%27Malicious+Javascript%27)%3c%2fscript%3e{snip} The certificate and key used to create the Mdm-Signature header can be found under /data/data/com.meraki.sm/files/ on a provisioned Android device. The password for the keystore is under the ‘scep_keystore_password’ shared preference. In order to exploit this, the attacker must be registered against the Meraki MDM instance (in order to have the correct certificate). This requires the knowledge of a 10 digit enrollment code (xxx-xxx-xxxx). These need to be brute forced or obtained via other means (invitation email, QR code, etcetera). --[ Backpack Mass Assignment The ‘Backpack’ functionality of the Cisco Meraki Systems Manager can be abused to install arbitrary APK files on users’ devices. This is achieved by using mass assignment to define the ‘auto_download’ and ‘auto_install’ flags on a specific item (in this case an APK file). This is done in the post to /System-Manager/n/<id>/manage/configure/update_pcc_ios. Further information is available in the PDF version of this advisory. It should be noted that the management policy popup on the device disables the back button once the user is prompted to install the arbitrary APK and access back into the Meraki Systems manager application cannot be achieved without tapping the 'install' button. --[ Updates over HTTP An attacker with access to network traffic between the device and the Meraki servers may tamper the APK file used for updating. The update notification specifies ‘http://dl.meraki.net/androidsm/AndroidSM.apk’ as the document_url of the update. When an update is available, the http://dl.meraki.com URL is requested by the application. +----------+ | Solution | +----------+ The Cisco Meraki Systems Manager cloud has been patched as deemed appropriate by Cisco. +---------------------+ | Disclosure Timeline | +---------------------+ 13/10/2014 - Initial Advisory Sent to security@meraki.com 14/10/2014 - Response from Cisco acknowledging the advisory documents and confirming the Updates over HTTP vulnerability. 14/10/2014 - Response from Cisco stating that "The ability to require the download and installation of APK (and other files) is a feature of MDM Administration, and does not on its own constitute a vulnerability." In regards to the Mass Assignment vulnerability. Remaining vulnerabilities acknowledged and more information requested. 17/10/2014 - Additional information sent to Cisco, as requested. 30/10/2014 - Request for Update 30/10/2014 - Response stating the Cross Site Request Forgery and Cross Site Scripting vulnerabilities were resolved 29/01/2015 - Advisory Release +-------------------------------+ | About Security-Assessment.com | +-------------------------------+ Security-Assessment.com is Australasia's leading team of Information Security consultants specialising in providing high quality Information Security services to clients throughout the Asia Pacific region. Our clients include some of the largest globally recognised companies in areas such as finance, telecommunications, broadcasting, legal and government. Our aim is to provide the very best independent advice and a high level of technical expertise while creating long and lasting professional relationships with our clients. Security-Assessment.com is committed to security research and development, and its team continues to identify and responsibly publish vulnerabilities in public and private software vendor's products. Members of the Security-Assessment.com R&D team are globally recognised through their release of whitepapers and presentations related to new security research. For further information on this issue or any of our service offerings, contact us: Web www.security-assessment.com Email info () security-assessment com Phone +64 4 470 1650
