Add Cisco Prime Infrastructure Health Monitor TarArchive Remote Code Execution #11956
Good call. I will fix them up tomorrow. Thank you for reviewing @bcoles.
Updated. Thanks again!
LGTM.
Release Notes
This module exploits a vulnerability found in Cisco Prime Infrastructure. The TarArchive Java class that the HA Health Monitor component uses does not check for any directory traversals while unpacking a Tar file, which a remote user can abuse by leveraging the UploadServlet class to upload a JSP payload to the Apache Tomcat's web apps directory. This allows them to gain arbitrary remote code execution. Authentication is not required to exploit this vulnerability.
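The check the release notes describe as missing when a Tar file is unpacked, shown as an added defensive example that is not part of this pull request, the Metasploit module, or Cisco's code. It uses Python's standard `tarfile` module rather than the Java TarArchive class; the destination `/srv/unpack`, the helper names and the archive contents are constructed for illustration.

```python
import io
import os
import tarfile


def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry and three that leave the target."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("logs/health.txt", "../../outside/dropped.txt", "/tmp/abs.txt"):
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("logs/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()


def escapes(dest: str, name: str) -> bool:
    """True if joining `name` onto `dest` resolves outside `dest`."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    return os.path.commonpath([root, target]) != root


def audit_archive(archive: bytes, dest: str) -> dict:
    """Classify every entry as safe or rejected without extracting anything."""
    safe, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar:
            bad = os.path.isabs(member.name) or escapes(dest, member.name)
            if member.issym() or member.islnk():
                # Symlink targets resolve relative to the link's own directory,
                # hard link targets relative to the archive root.
                base = os.path.dirname(member.name) if member.issym() else ""
                bad = bad or os.path.isabs(member.linkname) or escapes(
                    dest, os.path.join(base, member.linkname))
            (rejected if bad else safe).append(member.name)
    return {"safe": safe, "rejected": rejected}
```

An unpacker that runs this audit first and refuses the whole archive when `rejected` is non-empty never writes outside its destination directory.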
Description
This module exploits a vulnerability found in Cisco Prime Infrastructure. The issue is that the TarArchive Java class the HA Health Monitor component uses does not check for any directory traversals while unpacking a Tar file, which can be abused by a remote user leveraging the UploadServlet class to upload a JSP payload to the Apache Tomcat's web apps directory, and gain arbitrary remote code execution. Note that authentication is not required to exploit this vulnerability.
Special thanks to mr_me!
Vulnerable Setup:
There are two machines you want to set up using the same ISO, the first is called the "primary" server, and the other is "secondary" (High Availability) server. They both require the same hardware:
Pcap
A pcap is available. Just ask me!
Demo