Cisco Prime Infrastructure unauthenticated remote code execution vulnerability analysis - vulnerability warning - the black bar safety net

Source: www.myhack58.com (MYHACK58:62201994205)
Author: Anonymous (佚名)
Published: 2019-05-21 00:00:00
CVSS3: 9.8 High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 10 High
AV:N/AC:L/Au:N/C:C/I:C/A:C
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

EPSS: 0.971 High (Percentile 99.7%)

Not all directory traversal vulnerabilities have the same impact. What an attacker can actually do depends on what the traversed path is used for and on how much user interaction exploitation requires. A bug this simple can be buried very deep in real code, and its consequences can still be disastrous.
Cisco Prime Infrastructure (PI) has fixed a directory traversal vulnerability, CVE-2019-1821. I do not know the details of the patch, and I cannot test it because I have no Cisco license, so I decided to share the relevant details here in the hope that someone can help verify how robust the fix is.
In this article I walk through how CVE-2019-1821 was discovered and how it can be exploited. It is an unauthenticated server-side remote code execution (RCE) vulnerability, and it happens to be exactly the kind of material covered in our upcoming Full Stack Web Attack training course.

0x01 Related background
Cisco's website describes Prime Infrastructure (PI) as follows:
Cisco Prime Infrastructure is exactly the solution you need to simplify and automate management tasks while taking full advantage of the intelligence in your Cisco network. This powerful solution helps you... integrate products, manage the network for mobile collaboration and simplify WAN management.
Honestly, I still could not work out what the product is for, so I turned to Wikipedia:
Cisco Prime is a network management software suite made up of various software applications from Cisco Systems. Most of the applications are aimed at enterprise or service provider networks.
Thanks to Wikipedia, that sentence is easier to understand; it seems I am not the first person to be confused by what the product does. Either way, none of this matters for the security research.

0x02 Research target
My test environment was PI-APL-3.4.0.0.348-1-K9.iso (d513031f481042092d14b77cd03cbe75) with the patch PI_3_4_1-1.0.27.ubf (56a2acbcf31ad7c238241f701897fcb1) applied. According to the official statement, this patch fixes the vulnerability Pedro found, CVE-2018-15379. However, as we will see, that single CVE number actually covers two different vulnerabilities, and only one of them was patched.
piconsole/admin# show version
Cisco Prime Infrastructure
Version : 3.4.0
Build : 3.4.0.0.348
Critical Fixes:
PI 3.4.1 Maintenance Release ( 1.0.0 )
After the default installation I had to set up High Availability (HA) in order to reach the target code. According to the documentation this is standard practice when installing Cisco PI. Although the process looks complicated, it really amounts to deploying two separate PI instances and configuring one as the primary HA server and the other as the secondary HA server.
[Figure 1. High Availability diagram]
The setup consumes a lot of memory and disk space; the finished build looks like this:
![](/Article/UploadPic/2019-5/2019521231940385.png)
In addition, before I reported the issue directly to Cisco, a friend of mine confirmed that the bug still exists in version 3.5.

0x03 Vulnerability analysis
In /opt/CSCOlumos/healthmonitor/webapps/ROOT/WEB-INF/web.xml we find the following:

<servlet>
    <servlet-name>UploadServlet</servlet-name>
    <display-name>UploadServlet</display-name>
    <servlet-class>
        com.cisco.common.ha.fileutil.UploadServlet
    </servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>UploadServlet</servlet-name>
    <url-pattern>/servlet/UploadServlet</url-pattern>
</servlet-mapping>
This servlet is part of the Health Monitor application, which requires HA servers to be configured and connected; see the "research target" section above.
In /opt/CSCOlumos/lib/pf/rfm-3.4.0.403.24.jar we find the code of the UploadServlet class:
public class UploadServlet
    extends HttpServlet
{
    private static final String FILE_PREFIX = "upload_";
    private static final int ONE_K = 1024;
    private static final int HTTP_STATUS_500 = 500;
    private static final int HTTP_STATUS_200 = 200;
    private boolean debugTar = false;

    public void init() {}

    public void doPost(HttpServletRequest request, HttpServletResponse response)
        throws IOException, ServletException
    {
        String fileName = null;
        long fileSize = 0L;
        boolean result = false;
        response.setContentType("text/html");
        // All three values below are taken straight from request headers on an
        // endpoint the article describes as reachable without authentication.
        String destDir = request.getHeader("Destination-Dir");   // 1
        String archiveOrigin = request.getHeader("Primary-IP");  // 2
        String fileCount = request.getHeader("Filecount");       // 3
        // ... (the remainder of doPost is on the next page of the original article)

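The article frames CVE-2019-1821 as a directory traversal bug, and the listing above shows the servlet reading a Destination-Dir header straight from the request (marker // 1). The example below is added here and is not code from the original article or from Cisco's UploadServlet. It assumes, as the header name suggests but the listing on this page does not yet show, that the header value ends up deciding where uploaded files are written, and it uses a hypothetical upload root (/srv/pi-upload) rather than a real PI path. It contrasts the unsafe pattern of joining a caller-supplied path onto a base directory with a confinement check that resolves the real path first and rejects anything outside the base, run over constructed header values.

```python
# Added example; not code from the original article or from Cisco's
# UploadServlet.  Models the core of a directory-traversal bug like the one
# described above: a path taken from the caller (assumed here to be the
# Destination-Dir request header read at marker // 1 in the listing) decides
# where uploaded files land.  The base directory is a hypothetical value.
from __future__ import annotations

import os

ASSUMED_BASE_DIR = "/srv/pi-upload"  # hypothetical upload root, not a real PI path


class TraversalError(ValueError):
    """Raised when a caller-supplied path would escape the upload root."""


def unsafe_destination(base_dir: str, dest_dir: str) -> str:
    """Bug pattern: trust the header and join it onto the base directory.

    os.path.join drops base_dir entirely when dest_dir is absolute, and
    normpath keeps the effect of every '..', so the caller picks the final path.
    """
    return os.path.normpath(os.path.join(base_dir, dest_dir))


def safe_destination(base_dir: str, dest_dir: str) -> str:
    """Resolve dest_dir under base_dir and refuse anything that ends up outside.

    The check is made on realpath() output, i.e. on the path the filesystem
    would actually open after collapsing '..' and following symlinks, rather
    than on the raw string the caller sent.
    """
    if os.path.isabs(dest_dir):
        raise TraversalError(f"absolute path not allowed: {dest_dir!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, dest_dir))
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalError(f"{dest_dir!r} escapes {base}")
    return candidate


def classify_headers(base_dir: str, header_values: list[str]) -> dict[str, str]:
    """Run each candidate Destination-Dir value through the hardened resolver."""
    verdicts = {}
    for value in header_values:
        try:
            safe_destination(base_dir, value)
            verdicts[value] = "allowed"
        except TraversalError:
            verdicts[value] = "rejected"
    return verdicts


# Constructed sample header values: one benign name and three traversal attempts.
SAMPLE_HEADERS = [
    "backups",
    "../../etc",
    "/opt/CSCOlumos",
    "backups/../../../tmp",
]

if __name__ == "__main__":
    for value in SAMPLE_HEADERS:
        print(f"{value!r:24} unsafe -> {unsafe_destination(ASSUMED_BASE_DIR, value)}")
    print(classify_headers(ASSUMED_BASE_DIR, SAMPLE_HEADERS))
```

The important design choice is that the comparison happens after realpath(), not on the header string: filtering for the literal substring ".." would still let a symlink inside the upload root point outside it, whereas comparing the resolved candidate against the resolved base catches both cases.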
