
From Patrik.Karlsson@ixsecurity.com Thu Apr  4 23:08:00 2002
From: Patrik Karlsson <Patrik.Karlsson@ixsecurity.com>
To: bugtraq@securityfocus.com
Cc: Hackers@guardianit.se
Date: Wed, 3 Apr 2002 17:58:28 +0200
Subject: iXsecurity.20020314.csadmin_fmt.a

iXsecurity Security Vulnerability Report
No: iXsecurity.20020314.csadmin_fmt.a
========================================

Vulnerability Summary
---------------------
Problem:                Cisco Secure ACS webserver has a format string
                        vulnerability.

Threat:                 An attacker could send an "invalid" URL
                        to the webserver listening on port 2002,
                        resulting in a server crash and arbitrary code
                        execution.

Affected Software:      Cisco Secure ACS 2.6.X and 3.0.1 (build 40).

Platform:               Windows NT/2000 verified

Solution:               Install the patch from Cisco.

Vulnerability Description
-------------------------
Cisco Secure ACS has a webserver interface listening on port 2002.
The webserver has a format string condition, making it possible
to overwrite EIP, resulting in a service crash and arbitrary code
execution.

Solution
--------
Cisco PSIRT can confirm this vulnerability. The Security Advisory
was published and it is at
http://www.cisco.com/warp/public/707/ACS-Win-Web.shtml
Only Cisco ACS for Windows is affected. The Unix version is not
affected by these issues. You can download patches by following
instructions in the Advisory.

Additional Information
----------------------
Cisco was contacted 20020315.


This vulnerability was found and researched by
Jonas Ländin, jonas.landin@ixsecurity.com
Patrik Karlsson, patrik.karlsson@ixsecurity.com
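
Added example (not part of the original advisory, and not Cisco's code): the general bug class named under Vulnerability Description, shown as the hardened call beside a defensive check for conversion specifiers in a request URL. The function names, the "GET %s" log format and the sample URLs are assumptions made for illustration; the advisory does not say where in the webserver the format string is used.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (shown only as a comment, never compiled):
 *     snprintf(out, n, url);    -- request URL used as the format string
 * Any conversion specifier in the URL is then interpreted by the formatter. */

/* Hardened form: the URL is passed as data to a constant format string. */
int log_request_safe(char *out, size_t n, const char *url)
{
    return snprintf(out, n, "GET %s", url);
}

/* Defensive check: count printf-style conversion specifiers in untrusted
 * text. "%%" is a literal percent sign and is not counted. */
int count_format_specifiers(const char *s)
{
    int count = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {      /* escaped percent sign */
            i++;
            continue;
        }
        size_t j = i + 1;
        /* skip flags, width, precision and length modifiers */
        while (s[j] != '\0' && strchr("-+ #0123456789.*hlLqjzt", s[j]))
            j++;
        if (s[j] != '\0' && strchr("diouxXeEfFgGaAcspn", s[j])) {
            count++;
            i = j;                  /* resume after the conversion char */
        }
    }
    return count;
}
```

An ordinary URL-encoded path such as "/a%20dir" also parses as a conversion ("%20d"), so filtering specifiers out of input is not a dependable fix; keeping the format string constant is.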
