Add Cisco Prime Infrastructure Health Monitor TarArchive Remote Code Execution #11956

Merged
merged 6 commits into from Jun 19, 2019

5 participants
@wchen-r7
Contributor

commented Jun 7, 2019

Description

This module exploits a vulnerability found in Cisco Prime Infrastructure. The issue is that the TarArchive Java class the HA Health Monitor component uses does not check for any directory traversals while unpacking a Tar file, which can be abused by a remote user leveraging the UploadServlet class to upload a JSP payload to the Apache Tomcat's web apps directory, and gain arbitrary remote code execution. Note that authentication is not required to exploit this vulnerability.

Special thanks to mr_me!

Vulnerable Setup:

There are two machines you want to set up using the same ISO: the first is called the "primary" server, and the other is the "secondary" (High Availability) server. They both require the same hardware:

  • 4 CPU Cores.
  • 12288 MB of RAM (12GB).
  • 350GB of hard drive space, but you may still run out of it in days.
  • Both VMs should be on the same network.

Pcap

A pcap is available. Just ask me!

Demo

cpi_exploit

@wchen-r7

Contributor Author

commented Jun 10, 2019

Good call. I will fix them up tomorrow. Thank you for reviewing @bcoles.

@wchen-r7

Contributor Author

commented Jun 10, 2019

Updated. Thanks again!

@wvu-r7

wvu-r7 approved these changes Jun 10, 2019

Contributor

left a comment

LGTM.

@wchen-r7 wchen-r7 merged commit 384cfc7 into rapid7:master Jun 19, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

wchen-r7 added a commit that referenced this pull request Jun 19, 2019

@wchen-r7

Contributor Author

commented Jun 19, 2019

Release Notes

This module exploits a vulnerability found in Cisco Prime Infrastructure. The TarArchive Java class that the HA Health Monitor component uses does not check for any directory traversals while unpacking a Tar file, which a remote user can abuse by leveraging the UploadServlet class to upload a JSP payload to the Apache Tomcat's web apps directory. This allows them to gain arbitrary remote code execution. Authentication is not required to exploit this vulnerability.

@wchen-r7 wchen-r7 self-assigned this Jun 19, 2019

msjenkins-r7 added a commit that referenced this pull request Jun 19, 2019

@tdoan-r7 tdoan-r7 added the rn-modules label Jun 26, 2019
