Stealing files with Packet Tracer
Recently I found a vulnerability in Cisco’s Packet Tracer product that allows an attacker to traverse and access local files by exploiting the file:// scheme inside an iframe, which can be embedded in the Activity Wizard’s instruction window that is launched on start.
Affected versions
- All versions prior to 8.2.1
The discovery
While playing around with JavaScript inside the Instructions tab of the Activity Wizard, I started thinking about ways to escape the web engine. Trying to fetch with the file:// scheme was the first idea, but oddly, when I tried to make an HTTP request I couldn’t access the response. I knew for a fact that it had access to the internet, as I had used an iframe earlier. Perhaps my code was wrong, but debugging it wasn’t easy: there’s no console, and the JavaScript code kept running in a loop, so using alert() was very annoying. Instead I tried another way to make HTTP requests, using iframes, which, as I mentioned earlier, worked. I used file://g:/secret.txt as the source and voilà.

Is this actually useful though? Can I read iframe content with JavaScript? Sure I can. I made a simple script that would run on page load and try to read the contents of my iframe with the id “test”:
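    <script>
      // Once the page and its frames have loaded, read the text the iframe rendered.
      window.addEventListener("load", (event) => {
        alert(document.getElementById('test').contentWindow.document.body.innerText);
      });
    </script>

    <!-- The frame source points at a local file through the file:// scheme. -->
    <iframe id="test" src="file://G:/secret.txt"></iframe>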

The implications
- A bad actor could publish a malicious Packet Tracer activity that would read common sensitive files and send those to a remote server.
- A malicious student could infect an already existing Packet Tracer activity that would normally be sent back to the lecturer and opened for review.
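A reviewer-side check for the second scenario, as an added example that is not part of the original post or of Packet Tracer: it scans an activity's instruction HTML for any URL attribute that a browser would resolve to the file: scheme, before the activity is opened. It assumes the instruction HTML has already been obtained as text (how is outside this post); `find_file_urls`, `url_scheme` and the sample input are hypothetical names and constructed data.

```python
import re
from html.parser import HTMLParser

# Attributes that make a web engine load a URL.
URL_ATTRS = {"src", "href", "data", "action", "formaction", "poster"}
SCHEME_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def url_scheme(value):
    """Return the lower-cased scheme as a browser URL parser would see it, or None."""
    # Browsers drop leading/trailing control characters and spaces,
    # and remove tabs and newlines anywhere in the URL, before parsing.
    cleaned = re.sub(r"[\t\n\r]", "", value.strip(C0_AND_SPACE))
    match = SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else None


class FileSchemeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases names and decodes entities such as &#58; in values.
        for name, value in attrs:
            if name in URL_ATTRS and value and url_scheme(value) == "file":
                line, _ = self.getpos()
                self.findings.append((line, tag, name, value))


def find_file_urls(html_text):
    """Return (line, tag, attribute, value) for every attribute that loads a file: URL."""
    finder = FileSchemeFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


# Constructed sample modelled on the proof of concept above.
SAMPLE = """<p>Configure R1 as described.</p>
<iframe id="test" src="file://G:/secret.txt"></iframe>
<img src="https://example.com/topology.png">
<iframe src=" FILE&#58;//G:/other.txt"></iframe>
<a href="notes/file.html">notes</a>
"""

if __name__ == "__main__":
    for line, tag, attr, value in find_file_urls(SAMPLE):
        print(f"line {line}: <{tag} {attr}={value!r}> loads a local file")
```

The scan is static, so a frame whose source is set by script at run time is not caught; it complements, rather than replaces, updating to the fixed release listed in the timeline.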
Timeline
- December 8, 2022 12:00 AM: Vulnerability discovered
- December 9, 2022 11:38 AM: A bug report was sent to the PSIRT
- December 13, 2022 12:19 AM: A bug case was opened by the PSIRT and I received a reply
- March 14, 2023: Cisco Packet Tracer 8.2.1 was released fixing the vulnerability