CiscoZine

How to create self-signed certificates

Fabio Semperboni — Fri, 25 May 2012 13:32:54 +0000

A digital certificate or identity certificate is an electronic document which uses a digital signature to bind a public key with an identity, information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual. In a typical public key infrastructure (PKI) scheme, the signature will be of a certificate authority (CA). However, there are situations where it is not possible use a CA, so the only solutions is to use a self-signed certificate, an identity certificate that is signed by [...]

April 2012: one Cisco vulnerability

Fabio Semperboni — Thu, 03 May 2012 13:31:38 +0000

The Cisco Product Security Incident Response Team (PSIRT) has published one important vulnerability advisory: Buffer Overflow Vulnerabilities in the Cisco WebEx Player Buffer Overflow Vulnerabilities in the Cisco WebEx Player The Cisco WebEx Recording Format (WRF) player contains three buffer overflow vulnerabilities. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system with the privileges of a targeted user. Vulnerable Products The vulnerabilities disclosed in this advisory affect the Cisco WebEx Recording Format (WRF) player. The following client builds of Cisco WebEx Business Suite (WBS 27) are affected by at least [...]

Cisco Networking Academy NetRiders competitions

Fabio Semperboni — Fri, 20 Apr 2012 12:29:53 +0000

NetRiders competitions provide students with hands-on practice and experience in a competitive environment, a chance to test their skills and recognize their weaknesses, showcase their knowledge, and create interactive networking skills as well as new friendships across the world. And for Instructors, this is a great opportunity to lead students and showcase teaching skills as well. Organized by Cisco, these competitions are a great opportunity for Networking Academy students to learn valuable Networking/IT skills through a series of online exams and simulation activities using Cisco Packet Tracer. Competitions are offered for students currently or recently enrolled in a Cisco Networking [...]

Unicast flooding due to asymmetric routing

Fabio Semperboni — Sun, 15 Apr 2012 18:57:01 +0000

Asymmetric routing is a situation where a packet traverses from a source to a destination in one path and takes a different path when it returns to the source. This is commonly seen in Layer-3 routed networks, for instance on Internet. Asymmetric routing is not a problem by itself, but will cause problems when Network Address Translation (NAT) or firewalls are used in the routed path. For example, in firewalls, state information is built when the packets flow from a higher security domain to a lower security domain. The firewall will be an exit point from one security domain to [...]

March 2012: twelve Cisco vulnerabilities

Fabio Semperboni — Mon, 02 Apr 2012 10:03:25 +0000

The Cisco Product Security Incident Response Team (PSIRT) has published twelve important vulnerability advisories: Cisco IOS Software Reverse SSH Denial of Service Vulnerability Cisco IOS Software RSVP Denial of Service Vulnerability Vulnerabilities in Cisco IOS Software Traffic Optimization Features Cisco IOS Software Multicast Source Discovery Protocol Vulnerability Cisco IOS Software Network Address Translation Vulnerability Cisco IOS Internet Key Exchange Vulnerability Cisco IOS Software Smart Install Denial of Service Vulnerability Cisco IOS Software Command Authorization Bypass Cisco IOS Software Zone-Based Firewall Vulnerabilities Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module Cisco [...]

How to perform SSH RSA User Authentication

Fabio Semperboni — Tue, 27 Mar 2012 11:32:35 +0000

Cisco IOS SSH Version 2 (SSHv2) supports keyboard-interactive and password-based authentication methods. The SSHv2 Enhancements for RSA Keys feature also supports RSA-based public key authentication for the client and the server. RSA based user authentication uses a private/public key pair associated with each user for authentication. The user must generate a private/public key pair on the client and configure a public key on the Cisco IOS SSH server to complete the authentication. An SSH user trying to establish the credentials provides an encrypted signature using the private key. The signature and the user’s public key are sent to the SSH [...]

Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera buffer overflow

Fabio Semperboni — Thu, 22 Mar 2012 19:39:53 +0000

The Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT ActiveX Control PlayerPT.ocx auffers a buffer overflow vulnerability. When viewing the device web interface it asks to install an ActiveX control with the following settings: ProductName: PlayerPT ActiveX Control Module File version: 1.0.0.15 Binary path: C:\WINDOWS\system32\PlayerPT.ocx CLSID: {9E065E4A-BD9D-4547-8F90-985DC62A5591} ProgID: PLAYERPT.PlayerPTCtrl.1 Safe for scripting (registry): True Safe for initialization (registry): True Vulnerability (Only for test): the SetSource() method is vulnerable to a buffer overflow vulnerability. Quickly, ollydbg dump: ... 03238225 8B5424 20 mov edx,dword ptr ss:[esp+20] 03238229 894424 10 mov dword ptr ss:[esp+10],eax 0323822D B9 32000000 mov ecx,32 03238232 33C0 xor [...]

Cisco Linksys WAG54GS CSRF Change Admin Password

Fabio Semperboni — Fri, 02 Mar 2012 13:50:09 +0000

The Cisco Linksys WAG54GS ADSL router suffers a cross site request forgery vulnerability. Below the source of the exploit (Only for test!) +--------------------------------------------------------------------------------------------------------------------------------+ # Exploit Title : Cisco Linksys WAG54GS (ADSL Router) change admin password # Date : 20-02-2012 # Author : Ivano Binetti (http://ivanobinetti.com) # Vendor site : http://www.linksysbycisco.com # Version : WAG54GS # Tested on : Firmware Version: V1.01.03 +--------------------------------------------------------------------------------------------------------------------------------+ +------------------------------------------[Change Admin Account Password by Ivano Binetti]--------------------------------------+ Summary 1)Introduction 2)Vulnerability Description 3)Exploit +---------------------------------------------------------------------------------------------------------------------------------+ 1)Introduction Cisco Linksys WAG54GS is an ADSL Router which uses a web management interface -listening to default on tcp/ip port 80 - and "admin" as [...]

Cisco 2011 Annual Security Report

Fabio Semperboni — Fri, 10 Feb 2012 13:47:13 +0000

The Cisco Annual Security Report provides an overview of the combined security intelligence of the entire Cisco organization. The report encompasses threat information and trends collected between January and November 2011. It also provides a snapshot of the state of security for that period, with special attention paid to key security trends expected for 2012. “The older generation assumes everything is private, except what they choose to make public,” explains David Evans, chief futurist for Cisco. “To the younger generation, everything is public, except what they choose to make private. This default position—that everything is public—goes against how enterprises have [...]

Nmap for IOS? No, IOSMap

Fabio Semperboni — Wed, 08 Feb 2012 09:24:44 +0000

The Tcl shell can be used to run Cisco IOS CLI EXEC commands within a Tcl script. Using the Tcl shell to run CLI commands allows customers to build menus to guide novice users through tasks, to automate repetitive tasks, and to create custom output for show commands. Not everyone knows that it is possible to implement a port scanning tool like a light Nmap. Surfing the web I have found a tool named IOSMap, a Cisco port scanning tool. It is not mandatory know Tcl to use this script; the only thing you need to know is how execute a [...]

How to monitor devices with Cacti

Fabio Semperboni — Thu, 02 Feb 2012 08:50:21 +0000

There are many ways to monitor devices: netflow, span port, switchport and so on. Today I will explain how to monitor bandwith, CPU, … of routers and switches using SNMP and Cacti. Simple Network Management Protocol (SNMP) is an “Internet-standard protocol for managing devices on IP networks. Devices that typically support SNMP include routers, switches, servers, workstations, printers, modem racks, and more.” It is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention. SNMP is a component of the Internet Protocol Suite as defined by the Internet Engineering Task Force (IETF). It consists [...]

January 2012: three Cisco vulnerabilities

Fabio Semperboni — Wed, 01 Feb 2012 13:19:21 +0000

The Cisco Product Security Incident Response Team (PSIRT) has published three important vulnerability advisories: Cisco IronPort Appliances Telnet Remote Code Execution Vulnerability Cisco IP Video Phone E20 Default Root Account Cisco Digital Media Manager Privilege Escalation Vulnerability Cisco IronPort Appliances Telnet Remote Code Execution Vulnerability Cisco IronPort Email Security Appliances (ESA) and Cisco IronPort Security Management Appliances (SMA) contain a vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code with elevated privileges. Vulnerable Products The following Cisco IronPort Email Security Appliances (ESA) and Cisco IronPort Security Management Appliances (SMA) are affected by this vulnerability: Cisco IronPort Email [...]

November 2011: two Cisco vulnerabilities

Fabio Semperboni — Fri, 02 Dec 2011 16:42:57 +0000

The Cisco Product Security Incident Response Team (PSIRT) has published two important vulnerability advisories: Cisco TelePresence System Integrator C Series and Cisco TelePresence EX Series Device Default Root Account Manufacturing Error Cisco Small Business SRP500 Series Command Injection Vulnerability Cisco TelePresence System Integrator C Series and Cisco TelePresence EX Series Device Default Root Account Manufacturing Error Software that runs on Cisco TelePresence System Integrator C Series and Cisco TelePresence EX Series devices was updated to include secure default configurations beginning with the TC4.0 release. This change was accompanied by the release of Cisco Security Advisory cisco-sa-20110202-tandberg. Vulnerable Products All Cisco [...]

October 2011: ten Cisco vulnerabilities

Fabio Semperboni — Fri, 02 Dec 2011 16:27:15 +0000

The Cisco Product Security Incident Response Team (PSIRT) has published ten important vulnerability advisories: Buffer Overflow Vulnerabilities in the Cisco WebEx Player Cisco Unified Contact Center Express Directory Traversal Vulnerability Denial of Service Vulnerability in Cisco Video Surveillance IP Cameras Cisco Security Agent Remote Code Execution Vulnerabilities Cisco Unified Communications Manager Directory Traversal Vulnerability CiscoWorks Common Services Arbitrary Command Execution Vulnerability Cisco Show and Share Security Vulnerabilities Directory Traversal Vulnerability in Cisco Network Admission Control Manager Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module Multiple Vulnerabilities in Cisco Firewall Services [...]

IP traffic export: how to mirror traffic on a router

Fabio Semperboni — Thu, 17 Nov 2011 20:41:12 +0000

The Switched Port Analyzer (SPAN) feature, which is sometimes called port mirroring or port monitoring, selects network traffic, from a switched port, for analysis by a network analyzer. Unfotunately this feature works only on switches or switches Layer3. And in a router, what can I do to copy the traffic? In a previous article, I explained the Embedded Packet Capture, a powerful feature to capture data packets directly on the NVRAM. Another good solution is the ‘IP traffic export‘. Introduced in 12.3(4)T IOS, the IP Traffic Export feature allows users to configure their router to export IP packets that are [...]

Cisco completes acquisition of BNI Video

Fabio Semperboni — Tue, 15 Nov 2011 22:47:48 +0000

Cisco announced it has completed its acquisition of privately-held BNI Video. Headquartered in Boxborough, Mass., BNI Video supplies service providers with two major video products that offer video back-office and content delivery network (CDN) analytic capabilities. The acquisition advances the capabilities of Cisco’s Videoscape TV platform, which allows service providers to deliver compelling video experiences to any device over any Internet Protocol (IP) network. BNI Video’s technology also helps Cisco’s service provider customers reduce their operational costs and complexity, while expanding monetization opportunities. BNI Video is already well recognized by the largest service providers as having built a differentiated solution [...]

Cisco TelePresence exploits

Fabio Semperboni — Mon, 24 Oct 2011 06:55:58 +0000

Cisco TelePresence is an umbrella term for Video Conferencing Hardware and Software, Infrastructure and Endpoints. The C & MXP Series are the Endpoints used on desks or in boardrooms to provide users with a termination point for Video Conferencing. 1. Post-authentication HTML Injection – CVE-2011-2544 (CSCtq46488): Cisco TelePresence Endpoints have a web interface (HTTP or HTTPS) for managing, configuring and reporting. It is possible to set the Call ID (with H.323 or SIP) to a HTML value. If a call is made to another endpoint and an authenticated user browses to the web interface on the endpoint receiving the call [...]

September 2011: fifteen Cisco vulnerabilities

Fabio Semperboni — Tue, 11 Oct 2011 20:16:18 +0000

The Cisco Product Security Incident Response Team (PSIRT) has published fifteen important vulnerability advisories: Cisco IOS Software IP Service Level Agreement Vulnerability Cisco Identity Services Engine Database Default Credentials Vulnerability Cisco IOS Software IPv6 over MPLS Vulnerabilities Cisco IOS Software IPv6 Denial of Service Vulnerability Cisco 10000 Series Denial of Service Vulnerability Cisco IOS Software Smart Install Remote Code Execution Vulnerability Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities Cisco IOS Software IPS and Zone-Based Firewall Vulnerabilities Cisco IOS Software Data-Link Switching Vulnerability Cisco IOS Software Network Address Translation Vulnerabilities Cisco Unified Communications Manager Session Initiation Protocol Memory [...]

Wake on LAN through Internet

Fabio Semperboni — Tue, 04 Oct 2011 11:48:31 +0000

I write this tutorial to show how it is simple wakup a PC through Internet using WOL feature. What is WOL feature? Wake-on-LAN (WOL) is an Ethernet computer networking standard that allows a computer to be turned on or woken up by a network message. The message is usually sent by a program executed on another computer on the same local area network. It is also possible to initiate the message from another network by using Subnet directed broadcasts or a WOL gateway service. Wake-on-LAN is implemented using a special network message called a magic packet. The magic packet contains [...]

Cisco completes acquisition of AXIOSS Software Assets

Fabio Semperboni — Tue, 13 Sep 2011 13:02:15 +0000

Cisco has completed its acquisition of service fulfillment software assets and associated employees from the UK subsidiary (formerly Axiom Systems) of Comptel Corporation (NASDAQ OMX Helsinki: CTL1V). The acquisition gives Cisco the abilityto extend network and service management technologies across its next-generation Internet Protocol (IP) network platforms, allowing service providers to quickly and efficiently launch new video, data, mobility and cloud services to their customers. Cisco acquired the AXIOSS software suite, a fulfillment platform that strengthens the Cisco service provider management offering by automating ordering and fulfillment. The software provides management capabilities for network services across Cisco’s five company priorities. [...]

August 2011: five Cisco vulnerabilities

Fabio Semperboni — Mon, 12 Sep 2011 12:59:48 +0000

The Cisco Product Security Incident Response Team (PSIRT) has published five important vulnerability advisories: Apache HTTPd Range Header Denial of Service Vulnerability Denial of Service Vulnerability in Cisco TelePresence Codecs Open Query Interface in Cisco Unified Communications Manager and Cisco Unified Presence Server Cisco Unified Communications Manager Denial of Service Vulnerabilities Denial of Service Vulnerabilities in Cisco Intercompany Media Engine Apache HTTPd Range Header Denial of Service Vulnerability The Apache HTTPd server contains a denial of service vulnerability when it handles multiple, overlapping ranges. Multiple Cisco products may be affected by this vulnerability. Vulnerable Products The following products are confirmed [...]

July 2011: three Cisco vulnerabilities

Fabio Semperboni — Fri, 05 Aug 2011 13:17:51 +0000

The Cisco Product Security Incident Response Team (PSIRT) has published three important vulnerability advisories: Cisco TelePresence Recording Server Default Credentials for Root Account Vulnerability Cisco SA 500 Series Security Appliances Web Management Interface Vulnerabilities Cisco ASR 9000 Series Routers Line Card IP Version 4 Denial of Service Vulnerability Cisco TelePresence Recording Server Default Credentials for Root Account Vulnerability Cisco TelePresence Recording Server Software Release 1.7.2.0 includes a root administrator account that is enabled by default. Successful exploitation of the vulnerability could allow a remote attacker to use these default credentials to modify the system configuration and settings. Vulnerable Products [...]

Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute exploit

Fabio Semperboni — Thu, 07 Jul 2011 13:36:01 +0000

The Cisco AnyConnect Secure Mobility Client, previously known as the Cisco AnyConnect VPN Client, is affected by the following vulnerabilities: Arbitrary Program Execution Vulnerability Local Privilege Escalation Vulnerability Cisco has released free software updates that address these vulnerabilities. There are no workarounds for this vulnerabilities. Below the source of the exploit (Only for test!). ## # $Id: cisco_anyconnect_exec.rb 12872 2011-06-06 20:15:51Z bannedit $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of [...]

Cisco Unified Operations Manager exploits

Fabio Semperboni — Wed, 06 Jul 2011 09:23:44 +0000

Cisco Unified Operations Manager (CuOM) is a NMS for voice developed by Cisco Systems. Operations Manager monitors and evaluates the current status of both the IP communications infrastructure and the underlying transport infrastructure in your network. Multiple vulnerabilities have been identified in Cisco Unified Operations Manager and associated products. These vulnerabilities include: multiple blind SQL injections multiple XSS directory traversal vulnerability Below the source of the exploit (Only for test!). Blind SQL injection vulnerabilities that affect CuOM (CVE-2011-0960): The Variable CCMs of PRTestCreation can trigger a blind SQL injection vulnerability by supplying a single quote, followed by a time delay [...]

Cisco Security Agent Management Console ‘st_upload’ RCE Exploit

Fabio Semperboni — Tue, 05 Jul 2011 09:21:28 +0000

Cisco Security Agent provides threat protection for server and desktop computing systems. Cisco Security Agent can function in a standalone manner or can be managed by the Management Center for Cisco Security Agent. The Management Center for Cisco Security Agent is affected by a vulnerability that could allow an unauthenticated attacker to perform remote code execution on the affected device. A successful exploit could allow the attacker to modify agent policies and system configuration and perform other administrative tasks. Note: This vulnerability can be exploited only by sending certain packets to the web management interface, which by default listens on [...]

June 2011: four Cisco vulnerabilities

Fabio Semperboni — Mon, 04 Jul 2011 16:27:41 +0000

The Cisco Product Security Incident Response Team (PSIRT) has published four important vulnerability advisories: Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client Multiple Vulnerabilities in Cisco Unified IP Phones 7900 Series Default Credentials Vulnerability in Cisco Network Registrar Default Credentials for root Account on the Cisco Media Experience Engine 5600 Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client The Cisco AnyConnect Secure Mobility Client, previously known as the Cisco AnyConnect VPN Client, is affected by the following vulnerabilities: Arbitrary Program Execution Vulnerability Local Privilege Escalation Vulnerability Vulnerable Products The vulnerabilities described in this document apply to the Cisco AnyConnect Secure [...]

EPC: an Embedded Packet Capture

Fabio Semperboni — Wed, 22 Jun 2011 12:45:47 +0000

Started with IOS 12.4(20)T version, EPC or Embedded Packet Capture, is a powerful feature to capture data packets flowing through, to, and from, a Cisco router. In contrast with SPAN feature, EPC permits to save the dump directly on the NVRAM and for this reason, Embedded Packet Capture is useful whenever a network protocol analyzer might be useful in debugging a problem, but when it’s not practical to install such a device. The features are: The ability to capture IPv4 and IPv6 packets in the Cisco Express Forwarding path A flexible method for specifying the capture buffer size and type [...]

May 2011: five Cisco vulnerabilities

Fabio Semperboni — Wed, 01 Jun 2011 06:58:37 +0000

The Cisco Product Security Incident Response Team (PSIRT) has published five important vulnerability advisories: Cisco Content Delivery System Internet Streamer: Web Server Vulnerability Cisco RVS4000 and WRVS4400N Web Management Interface Vulnerabilities Cisco IOS XR Software IP Packet Vulnerability Cisco XR 12000 Series Shared Port Adapters Interface Processor Vulnerability Cisco IOS XR Software SSHv1 Denial of Service Vulnerability Cisco Content Delivery System Internet Streamer: Web Server Vulnerability The Cisco Internet Streamer application, part of the Cisco Content Delivery System (Cisco CDS), contains a vulnerability in its web server component that could cause the web server engine to crash when processing specially [...]

April 2011: two Cisco vulnerabilities

Fabio Semperboni — Mon, 02 May 2011 12:44:16 +0000

The Cisco Product Security Incident Response Team (PSIRT) has published two important vulnerability advisories: Multiple Vulnerabilities in Cisco Unified Communications Manager Cisco Wireless LAN Controllers Denial of Service Vulnerability Multiple Vulnerabilities in Cisco Unified Communications Manager Cisco Unified Communications Manager (previously known as Cisco CallManager) contains the following vulnerabilities: Three denial of service (DoS) vulnerabilities that affect Session Initiation Protocol (SIP) services Directory transversal vulnerability Two SQL injection vulnerabilities Vulnerable Products The following products are affected by at least one of the vulnerabilities that are described in this advisory: Cisco Unified Communications Manager 6.x Cisco Unified Communications Manager 7.x Cisco [...]

Speed up your reload

Fabio Semperboni — Sat, 30 Apr 2011 12:18:37 +0000

How long does it take to reload your router? 3 or 4 minutes? Do you know that is possible to speed up your reboot? If your answer is negative, read how warm reload is faster than cold (classic) reload. Introduced in Cisco IOS Release 12.3(2)T, the warm reload feature allows users to reload their routers without reading images from storage. That is, the Cisco IOS image reboots without ROM monitor mode (ROMMON) intervention by restoring the read-write data from a previously saved copy in the RAM and by starting execution without either copying the image from flash to RAM or [...]