Cisco Prime Network Analysis Module Directory Traversal Vulnerability

December 21, 2017

Cisco Prime Network Analysis Module (NAM) is a network management software that allows network administrators with multifaceted visibility to help optimize network resources, troubleshoot performance issues, and deliver a consistent enduser experience.

A directory traversal vulnerability has been reported in the Cisco Prime Network Analysis Module. Because an input validation bug when processing certain HTTP parameters, an attacker could send a certain crafted HTTP request to graph.php to gain access to any file/folder accessible to the web service, and even delete any file if the permission is allowed to the web service.

The file graph.php in Cisco Prime Network Analysis Module is used for displaying graphic elements such as charts on the webpage. This file has a module of reading local files inside /tmp. The name of the file in /tmp directory will be specified by the sfile parameter. However, the graph.php lacks necessary filtering on this parameter. When a request is set with "../", it could access files outside the web folder, causing a directory traversal vulnerability. What makes things worse is, the HTTP request is used for deleting a file. That means an unauthenticated attacker could cause decent damage on the target server.

 // open file if(!file_exists($sfile) || !($f = fopen($sfile, "r"))) { error_log("Stat file not found: $sfile"); exit; }  // read file while(!feof($f) && strncmp(fgets($f, 2000), "| Interval ", 12)) // skip other stats {;} fgets($f, 2000); $j = 0; $bytes = array(); while(!feof($f)) { $s = fgets($f, 2000);   $s = substr($s , strrpos($s, "| "));   $s = substr($s, 1, -2);   $bytes[$j++] = (int)trim($s); } fclose($f);  // only checks if the path starts with /tmp/, if so, delete the file. // no filter on the parameter  if(strncmp($sfile, "/tmp/", 5)==0) unlink($sfile); 

SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13122: Cisco Prime Network Analysis Module graph sfile Directory Traversal