Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Cisco Prime Infrastructure Health Monitor TarArchive Remote Code Execution #11956

Merged
merged 6 commits into from
Jun 19, 2019
Merged

Add Cisco Prime Infrastructure Health Monitor TarArchive Remote Code Execution #11956

merged 6 commits into from
Jun 19, 2019

Conversation

wchen-r7
Copy link
Contributor

@wchen-r7 wchen-r7 commented Jun 7, 2019
edited
Loading

Description

This module exploits a vulnerability found in Cisco Prime Infrastructure. The issue is that the TarArchive Java class the HA Health Monitor component uses does not check for any directory traversals while unpacking a Tar file, which can be abused by a remote user leveraging the UploadServlet class to upload a JSP payload to the Apache Tomcat's web apps directory, and gain arbitrary remote code execution. Note that authentication is not required to exploit this vulnerability.

Special thanks to mr_me!

Vulnerable Setup:

There are two machines you want to set up using the same ISO, the first is called the "primary" server, and the other is "secondary" (High Availability) server. They both require the same hardware:

  • 4 CPU Cores.
  • 12288 MB of RAM (12GB).
  • 350GB of hard drive space, but you may still run out of it in days.
  • Both VMs should be on the same network.

Pcap

A pcap is available. Just ask me!

Demo

cpi_exploit

@wchen-r7
Copy link
Contributor Author

Good call. I will fix them up tomorrow. Thank you for reviewing @bcoles.

@wchen-r7
Copy link
Contributor Author

Updated. Thanks again!

wvu
wvu approved these changes Jun 10, 2019
View reviewed changes
Copy link
Contributor

@wvu wvu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@wchen-r7 wchen-r7 merged commit 384cfc7 into rapid7:master Jun 19, 2019
wchen-r7 added a commit that referenced this pull request Jun 19, 2019
@wchen-r7
Land #11956 - Add Cisco Prime Infrastructure Health Monitor Tar RCE
c637755
@wchen-r7
Copy link
Contributor Author

wchen-r7 commented Jun 19, 2019
edited by tdoan-r7
Loading

Release Notes

This module exploits a vulnerability found in Cisco Prime Infrastructure. The TarArchive Java class that the HA Health Monitor component uses does not check for any directory traversals while unpacking a Tar file, which remote user can abuse by leveraging the UploadServlet class to upload a JSP payload to the Apache Tomcat's web apps directory. This allows them to gain arbitrary remote code execution. Authentication is not required to exploit this vulnerability.

@wchen-r7 wchen-r7 self-assigned this Jun 19, 2019
msjenkins-r7 pushed a commit that referenced this pull request Jun 19, 2019
@wchen-r7 @msjenkins-r7
Land #11956 - Add Cisco Prime Infrastructure Health Monitor Tar RCE
7a74bbb
@tdoan-r7 tdoan-r7 added the rn-modules release notes for new or majorly enhanced modules label Jun 26, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bcoles bcoles bcoles left review comments

@jrobles-r7 jrobles-r7 jrobles-r7 left review comments

@wvu wvu wvu approved these changes

Assignees

@wchen-r7 wchen-r7

Labels
docs module rn-modules release notes for new or majorly enhanced modules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@wchen-r7 @bcoles @wvu @jrobles-r7 @tdoan-r7