
Cisco Prime Data Center Network Manager File Upload RCE (cisco-sa-20180502-prime-upload)

This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.004

Percentile

73.2%

The Cisco Prime Data Center Network Manager (DCNM) running on the remote host is affected by a remote code execution vulnerability due to improper input validation of the parameters in an HTTP request processed by the XmpFileUploadServlet servlet. An unauthenticated, remote attacker can exploit this issue, via a specially crafted HTTP request, to upload a Java Server Pages (JSP) file to a specific folder using path traversal techniques and then execute that file remotely. An exploit could allow the attacker to execute arbitrary commands on the affected device with the privileges of the SYSTEM user.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration block: the metadata Nessus reads to index, score and
# schedule this check.  Nothing in this block touches the target; the
# active check is the script body after it.
if (description)
{
  script_id(110518);
  script_version("1.2");
  script_cvs_date("Date: 2019/11/04");

  # Cross-references: CVE, BID, the Cisco bug and advisory IDs, and the
  # Tenable Research Advisory (TRA-2018-11) covering this issue.
  script_cve_id("CVE-2018-0258");
  script_bugtraq_id(104074);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvf32411");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180502-prime-upload");
  script_xref(name:"TRA", value:"TRA-2018-11");

  script_name(english:"Cisco Prime Data Center Network Manager File Upload RCE (cisco-sa-20180502-prime-upload)");
  script_summary(english:"Checks server response.");

  script_set_attribute(attribute:"synopsis", value:
"A network management system running on the remote host is affected by
a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Cisco Prime Data Center Network Manager (DCNM) running on the
remote host is affected by a remote code execution vulnerability due
to improper input validation of the parameters in an HTTP request
processed by the XmpFileUploadServlet servlet.  An unauthenticated,
remote attacker can exploit this issue, via a specially crafted HTTP
request, to upload a Java Server Pages (JSP) file to a specific
folder using path traversal techniques and then execute that file
remotely. An exploit could allow the attacker to execute arbitrary
commands on the affected device with the privileges of the SYSTEM user");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-prime-upload
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e1ab861c");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Cisco Prime Data Center Network Manager version 10.3(1) or
later.");
  # Base vectors: network, low complexity, no auth, full C/I/A impact
  # (CVSS2 10.0 / CVSS3 9.8).  The temporal vectors are set to E:U
  # (exploit unproven) and exploitability_ease below says no known
  # exploits, even though this plugin itself exercises the vulnerable
  # upload path (ACT_ATTACK).
  # NOTE(review): confirm the temporal/exploitability values are still
  # current against the TRA reference above.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/05/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/13");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:prime_data_center_network_manager");
  script_end_attributes();

  # ACT_ATTACK: this check sends a crafted POST to the target rather than
  # comparing a version string, so it is skipped when attack-class
  # plugins are disabled in the scan policy.
  script_category(ACT_ATTACK);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Runs only after DCNM web detection and OS fingerprinting, and only
  # when the detection plugin registered an "installed_sw/cisco_dcnm_web"
  # entry; the port list covers discovered web services plus 443.
  script_dependencies("cisco_prime_dcnm_web_detect.nasl", "os_fingerprint.nasl");
  script_require_keys("installed_sw/cisco_dcnm_web");
  script_require_ports("Services/www", 443);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

# Target selection.
#
# Per the Cisco advisory only the Windows build of DCNM is affected, so a
# host fingerprinted as non-Windows is skipped unless the scan runs with
# report_paranoia at its highest level (2), in which case the OS guess is
# ignored and the check is sent regardless.  An unknown OS (NULL) never
# causes a skip.
app = "cisco_dcnm_web";

host_os = get_kb_item('Host/OS');
skip_non_windows = (report_paranoia < 2) && host_os && ('Windows' >!< host_os);
if (skip_non_windows)
  audit(AUDIT_HOST_NOT, 'affected');

# Bail out unless the detection plugin registered DCNM somewhere on the
# host ...
get_install_count(app_name:app, exit_if_zero:TRUE);

# ... and specifically on the web port being tested.  The version may be
# unknown; that is tolerated because the check below is active, not a
# version comparison.
port    = get_http_port(default:443);
install = get_single_install(app_name:app, port:port, exit_if_unknown_ver:FALSE);

# Build the multipart/form-data POST that exercises the upload servlet.
#
# The request is deliberately non-destructive: tacCaseID is an encoded
# NUL byte, which makes the server's attempt to create the target
# directory fail (observed as a 500 below) instead of writing the file.
# Changing tac_case_id to a string that is valid in a directory name
# turns this into a real write of C:\temp\<tacCaseID>\<file_name> on the
# target -- only do that when you intend to leave a file behind.
# Example: tac_case_id = 'some_dir';
mp_boundary  = "--------" + rand_str(length:12, charset:"0123456789abcdef");
content_type = "multipart/form-data; boundary=" + mp_boundary;

# The file body is inert text; the name is only what the server would
# save it under if the directory creation succeeded.
upload_name = 'webshell.war';
upload_body = 'file contents for ' + upload_name;

tac_case_id = '%00';

# NOTE(review): the servlet path is hard-coded at the web root rather
# than derived from the install record; if DCNM is ever served under a
# non-root context path this request 404s and the host is reported as
# not vulnerable.  Confirm against what the detection plugin registers.
uri = '/Upload?svc=upload&maxFileSize=100000&tacCaseID=' + tac_case_id;

crlf = '\r\n';
data =
  '--' + mp_boundary + crlf +
  'Content-Disposition: form-data; name="data"; filename="' + upload_name + '"' + crlf +
  'Content-Type: text/plain' + crlf + crlf +
  upload_body + crlf +
  '--' + mp_boundary + '--' + crlf;

# Send the probe.  exit_on_fail makes http_send_recv3 abort the plugin on
# a transport failure, so res[0] (the status line) is populated below.
res = http_send_recv3(
  method        : 'POST',
  item          : uri,
  port          : port,
  content_type  : content_type,
  data          : data,
  exit_on_fail  : TRUE
);

status_line = res[0];

if (status_line =~ "^HTTP/[0-9]\.[0-9] 500")
{
  # Vulnerable: the servlet accepted the unauthenticated upload and blew
  # up trying to create the NUL-named directory.
  # NOTE(review): a bare 500 is a weak oracle -- any other servlet
  # exception on this path would also be reported as vulnerable.  If the
  # response body carries a distinguishable directory-creation error,
  # matching it before reporting would cut false positives; verify
  # against a known-vulnerable instance.
  req = http_last_sent_request();
  report = '\nNessus was able to detect the issue by sending the following request :\n\n' + req;
  security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
}
else if (status_line =~ "^HTTP/[0-9]\.[0-9] 404")
{
  # Patched: the upload endpoint has been removed entirely.
  audit(AUDIT_INST_VER_NOT_VULN, app, install['version']);
}
else
{
  # Anything else (redirect to login, 403, 200, ...) is not something this
  # check knows how to interpret; report it rather than guess.
  audit(AUDIT_RESP_BAD, port, 'a HTTP request. Unexpected response status : ' + res[0]);
}
