Vigil@nce: Cisco, 3Com, HTML injection via SNMP
October 2008 by Vigil@nce
SYNTHESIS
When the attacker knows the SNMP write community, he can inject
HTML code in order to elevate his privileges.
Gravity: 1/4
Consequences: privileged access/rights
Provenance: user account
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: multiple sources (3/5)
Diffusion of the vulnerable configuration: medium (2/3)
Creation date: 23/10/2008
IMPACTED PRODUCTS
– 3Com NETBuilder II
– Cisco Catalyst
– Cisco Router
DESCRIPTION
A write community is used to change parameters of a device via
SNMP.
Depending on the configuration, some write communities cannot be
used to alter some parameters. An attacker knowing a write
community may, for example, only be allowed to alter sysContact and
sysLocation.
The attacker can then inject JavaScript code in sysLocation. When
another administrator connects to the web administrative interface
of the device (which does not filter special characters), the
JavaScript code is then executed with his privileges.
An attacker knowing a write community can thus acquire privileges
that he does not already have.
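The following defensive sketch is an added example, not code from the advisory or from any vendor. It shows the unfiltered rendering described above beside an output-encoded form, plus an audit pass that flags polled sysContact and sysLocation values containing HTML metacharacters. The function names, device names and sample values are constructed assumptions.

```python
import html
import re

# Writable system-group objects named in the advisory.
WATCHED = ("sysContact", "sysLocation")

# Characters that let a string break out of HTML text or attribute context.
HTML_META = re.compile(r"[<>\"'&]")


def render_unsafe(name, value):
    """Behaviour the advisory describes: value placed in the page unfiltered."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (name, value)


def render_safe(name, value):
    """Hardened form: encode on output so markup is displayed, not parsed."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(name), html.escape(value, quote=True))


def audit(polled):
    """Return (device, object, value) for watched values holding HTML metacharacters."""
    findings = []
    for device, objects in sorted(polled.items()):
        for name in WATCHED:
            value = objects.get(name, "")
            if HTML_META.search(value):
                findings.append((device, name, value))
    return findings


# Constructed sample data standing in for the result of an SNMP poll.
SAMPLE = {
    "sw-floor1": {"sysContact": "noc@example.org",
                  "sysLocation": "Rack 12, Room B"},
    "rtr-edge": {"sysContact": "noc@example.org",
                 "sysLocation": "<script>alert(1)</script>"},
}

if __name__ == "__main__":
    for device, name, value in audit(SAMPLE):
        print("%s %s suspicious: %r" % (device, name, value))
        print("  unsafe:", render_unsafe(name, value))
        print("  safe:  ", render_safe(name, value))
```

The audit will also flag harmless values such as a location containing "&", so findings need a manual look before being treated as tampering.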
CHARACTERISTICS
Identifiers: VIGILANCE-VUL-8198