A couple months ago I came across a sort of interesting bug in CSUtil.exe. I'd say the overall severity of the vulnerability is pretty low, but I'm wondering if anyone can think of creative ways to exploit it. In this post I'll describe the vulnerability and if you can think of a cool way to exploit it, let me know in the comments below.
CSUtil.exe is a command line utility included within Cisco ACS for Windows. It can perform a variety of functions to parse data from the ACS database and is often used to manually back up the database. It's most commonly invoked by a user with appropriate administrator-level rights, and output files are stored by default within the directory from which the utility was run.
File Write Redirect

The vulnerability is introduced when issuing the "-t" option, which retrieves a local user's PAC and writes it to a file. During the export process, CSUtil.exe writes a string to a temporary file, tmpUserFileName.txt, then later uses that string as the file name to write the PAC file to. If someone else writes an alternate string to the tmpUserFileName.txt file after CSUtil.exe has written the initial string, it's possible to redirect the location in which the PAC file gets written to.
This is demonstrated in the following Video:
Some important notes to mention:
- tmpUserFileName.txt is written to the same directory where the tool was run from, and thus the attacker must have appropriate permissions to write to files within that directory
- This attack appears to be very much timing related since the attacker would need to overwrite the tmpUserFileName.txt file contents after CSUtil.exe is run but before it completes
- It is possible to overwrite existing files at potentially arbitrary locations, but they must end in "
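
The file-name round trip described above, next to one way to close it, as an added example that is not code from the original post or from Cisco. The ".pac" naming, the function names and the during_window hook (a stand-in for another process writing to the directory mid-run) are assumptions.

```python
import os
import tempfile

TMP_NAME = "tmpUserFileName.txt"  # temp file name from the post

def export_vulnerable(workdir, user, pac, during_window=None):
    """Pattern the post describes: the output name round-trips through a file."""
    tmp_path = os.path.join(workdir, TMP_NAME)
    with open(tmp_path, "w") as f:
        f.write(user + ".pac")  # constructed naming scheme, an assumption
    if during_window:
        during_window(tmp_path)  # stands in for another process with write access
    with open(tmp_path) as f:
        out_name = f.read().strip()  # read back and trusted as-is
    out_path = os.path.join(workdir, out_name)  # an absolute name replaces workdir
    with open(out_path, "wb") as f:  # truncates an existing file at that path
        f.write(pac)
    return os.path.realpath(out_path)

def export_hardened(workdir, user, pac, during_window=None):
    """Keep the name in memory, confine it to workdir, never overwrite."""
    root = os.path.realpath(workdir)
    out_name = os.path.basename(user) + ".pac"
    out_path = os.path.realpath(os.path.join(root, out_name))
    if os.path.dirname(out_path) != root:
        raise ValueError("output path escapes the working directory")
    if during_window:
        during_window(os.path.join(workdir, TMP_NAME))  # ignored: never read back
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_BINARY", 0)
    with os.fdopen(os.open(out_path, flags, 0o600), "wb") as f:
        f.write(pac)
    return out_path

def demo():
    with tempfile.TemporaryDirectory() as base:  # all paths here are constructed
        work, other = os.path.join(base, "work"), os.path.join(base, "other")
        os.mkdir(work)
        os.mkdir(other)
        def change_name(tmp_path):  # constructed stand-in for the mid-run write
            with open(tmp_path, "w") as f:
                f.write(os.path.join(other, "redirected.pac"))
        vuln = export_vulnerable(work, "alice", b"PAC", change_name)
        safe = export_hardened(work, "alice", b"PAC", change_name)
        try:
            export_hardened(work, "alice", b"PAC")  # second export, same name
            refused = False
        except FileExistsError:
            refused = True
        return (os.path.dirname(vuln) == os.path.realpath(other),
                os.path.dirname(safe) == os.path.realpath(work), refused)
```

demo() returns three booleans: the first pattern wrote outside the working directory, the hardened one stayed inside it, and the hardened one refused to overwrite an existing file.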
So... In my mind, this is a relatively low risk issue given all of the restrictions. What do you think? Can you make it a high?