CVE-2002-0160 in Secure Access Control Server
Summary
by MITRE
The administration function in Cisco Secure Access Control Server (ACS) for Windows, 2.6.x and earlier and 3.x through 3.01 (build 40), allows remote attackers to read HTML, Java class, and image files outside the web root via a ..\.. (modified ..) in the URL to port 2002.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/12/2019
The vulnerability described in CVE-2002-0160 represents a critical directory traversal flaw within Cisco Secure Access Control Server (ACS) for Windows implementations. This security weakness affects versions 2.6.x and earlier, as well as 3.x through 3.01 build 40, specifically impacting the administration function that operates on port 2002. The flaw stems from inadequate input validation mechanisms that fail to properly sanitize user-supplied URLs, allowing malicious actors to manipulate file paths through crafted directory traversal sequences.
The technical exploitation of this vulnerability relies on the manipulation of URL parameters using the ..\.. sequence, which represents a directory traversal attack pattern. When an attacker crafts a URL containing these modified directory traversal sequences, the ACS administration interface fails to properly validate or restrict file access beyond the intended web root directory. This allows unauthorized access to sensitive files including HTML documents, Java class files, and image resources that should normally be restricted from external access. The vulnerability operates at the application layer and can be exploited remotely without requiring authentication, making it particularly dangerous in networked environments.
The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with access to potentially sensitive configuration files, source code, and other administrative resources that could be leveraged for further attacks. Java class files accessed through this vulnerability might contain proprietary code or implementation details that could aid in developing more sophisticated attacks against the system. The exposure of HTML files could reveal administrative interfaces or documentation that provides insights into the system architecture and potential attack vectors. This type of vulnerability directly violates the principle of least privilege and can lead to complete system compromise when combined with other exploitation techniques.
Cisco Secure Access Control Server implementations are typically deployed in enterprise environments where they serve as critical access control infrastructure, making this vulnerability particularly concerning from a security perspective. The remote nature of the attack means that adversaries can exploit this weakness from outside the network perimeter, potentially allowing for reconnaissance and privilege escalation activities. This vulnerability aligns with CWE-22, which describes improper limitation of a pathname to a restricted directory, and can be categorized under ATT&CK technique T1083 for discovering system information. Organizations should immediately implement network segmentation to restrict access to port 2002, apply vendor security patches, and conduct thorough security assessments of their access control infrastructure to identify similar vulnerabilities in other network services. The incident highlights the importance of proper input validation and the need for robust security controls in authentication and authorization systems.