How did I find a Cisco XSS vulnerability?
I found a cross-site scripting (XSS) vulnerability in Cisco's IOS Software Checker. The vulnerability itself is not complicated; I would like to share the entire process of discovering it.
Unintentional discovery
One day, while reading a vulnerability report provided by Cisco, I came across the security tool "Cisco IOS Software Checker". This tool is very useful for Cisco device administrators to determine whether their Cisco IOS software is missing security patches or has known vulnerabilities.
I tried submitting some junk data in the input box used to search for a Cisco IOS version, and it was ruthlessly rejected by the system. I think this was because I had not entered a valid IOS version.
Because a Cisco IOS software version can contain many different characters, I tried again with a valid IOS version string: I appended a lot of "A"s after "15.1". To my surprise, "AAAAAA" was successfully injected into the target page!
Interesting. It was worth looking deeper. Viewing the HTML source, I found the injection point: the onclick attribute of an input box.
Now I need to figure out which characters can be used.
Note the double quotation marks and parentheses. Now I had found what we needed, and these characters can be injected into the input field.
Trying inputs
The first step is to escape from the input tag's onclick="..." attribute. A single double quotation mark is enough to close it and append a malicious string, which gives me the ability to add new attributes to the input tag.
This is the input tag after "15.1"INJECTION_STUFF_HERE is submitted through the form:
- <input … onclick="redrawRSS('15.1"INJECTION_STUFF_HERE … >
Now, my first thought was to change the input type to image, which might lead to something unexpected.
- <input … onclick="redrawRSS('15.1"type=image src=… >
Perfect! Now I was sure I could execute JavaScript!
Next, I added an onload="..." attribute to the input tag, and then I could easily trigger an alert(1) pop-up on the target page. In other words, I had found an XSS vulnerability.
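As an added defensive example, which is not Cisco's code and not part of the original post: the rendering pattern implied by the input tag above (user input interpolated raw into a JavaScript string inside an onclick attribute), next to a hardened version that allow-lists the IOS version format and encodes the value for its context. The redrawRSS handler name comes from the page; the template shape, the version regex, the encoder functions and the attributeCount check are my own assumptions.

```javascript
// Added example (not Cisco's code). The template shape below is assumed from the
// <input ... onclick="redrawRSS('15.1' ...)"> fragment in the writeup.

// Layer 1: strict allow-list for what an IOS version string may look like.
// Assumption: major.minor, optional "(train)" with letters, optional short suffix.
const IOS_VERSION_RE = /^[0-9]{1,2}\.[0-9]{1,2}(\([0-9]{1,4}[A-Za-z]{0,2}\))?[A-Za-z0-9]{0,6}$/;

function isValidIosVersion(v) {
  return typeof v === 'string' && IOS_VERSION_RE.test(v);
}

// Layer 2a: encode for a JavaScript string literal. Every non-alphanumeric
// character becomes \xHH, so quotes, '=', '<' and ')' can no longer end the
// literal or the handler.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, ch =>
    '\\x' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Layer 2b: encode for a double-quoted HTML attribute value. After JS encoding
// this has nothing left to do, but it is the outer context and belongs here.
function encodeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// Innermost context first (JS string), then the enclosing context (HTML attribute).
function encodeForHandler(version) {
  return encodeHtmlAttr(encodeJsString(version));
}

// Vulnerable rendering: raw interpolation, the shape that let 15.1"type=image break out.
function renderVulnerable(version) {
  return `<input type="text" onclick="redrawRSS('${version}')">`;
}

// Encoding only (no validation), so the effect of the encoder alone can be inspected.
function renderEncodedOnly(version) {
  return `<input type="text" onclick="redrawRSS('${encodeForHandler(version)}')">`;
}

// Hardened rendering: reject anything that is not a plausible version, then encode anyway.
function renderHardened(version) {
  if (!isValidIosVersion(version)) {
    throw new Error('invalid IOS version string');
  }
  return renderEncodedOnly(version);
}

// Crude check usable in a test or a response scanner: count things that look like
// attribute names. Extra attributes mean the value broke out of its quotes.
function attributeCount(html) {
  return (html.match(/\b[a-z]+=/g) || []).length;
}

// Demonstration with a constructed input in the shape the writeup describes.
const probe = '15.1"type=image';
console.log('vulnerable  :', renderVulnerable(probe), 'attrs =', attributeCount(renderVulnerable(probe)));
console.log('encoded only:', renderEncodedOnly(probe), 'attrs =', attributeCount(renderEncodedOnly(probe)));
console.log('valid 15.1  :', renderHardened('15.1'));
```

The two layers are independent: validation stops junk before it reaches the template, and encoding makes the template safe even for a value the allow-list was too loose to catch. Note that the encoding has to match the exact context (a JS string inside an attribute), not just "HTML"; attribute-encoding alone would still leave a single quote free to end the string literal.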
The following is a short animation of the vulnerability being found.
http://static.freebuf.com/2015/01/6.gif
http://static.freebuf.com/2015/01/7.gif
Conclusion
Cisco engineers quickly accepted the report and fixed the vulnerability.
This tells us that we should never trust user input, and that we should not build ever higher walls while ignoring the most basic security vulnerabilities.