Add exploit for Cisco Data Center Network Manager file upload #12058

Merged
merged 12 commits into from Aug 30, 2019


@pedrib
Contributor

commented Jul 6, 2019

  DCNM exposes a file upload servlet (FileUploadServlet) at /fm/fileUpload.
  An authenticated user can abuse this servlet to upload a WAR to the Apache Tomcat webapps
  directory and achieve remote code execution as root.
  This module exploits two other vulnerabilities, CVE-2019-1619 for authentication bypass on
  versions 10.4(2) and below, and CVE-2019-1622 (information disclosure) to obtain the correct
  directory for the WAR file upload.
  This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should
  work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit
  (see References to understand why).

Tested and working on 10.4(2) up to 11.1(1).
See
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-infodiscl

I will also have a full disclosure post soon with more details about the vulns, and will add the link here.
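
Defender-side view of the upload path described in the PR text above, as an added example that is not part of the pull request or the Metasploit module: it flags POSTs to `/fm/fileUpload` in web access logs and any context path first requested after a successful upload from the same client. Assumptions: logs are in Common/Combined Log Format, an uploaded WAR is auto-deployed under a new context path, and the function names, IPs and log lines are constructed for illustration.

```ruby
# Added example: look for use of DCNM's FileUploadServlet in access logs.
# Assumption: Common/Combined Log Format; every sample line below is constructed.
UPLOAD_PATH = '/fm/fileUpload'
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<verb>[A-Z]+) (?<uri>\S+) [^"]*" (?<status>\d{3})/

# Drop the query string and ;path-parameters, collapse repeated slashes.
def normalize_path(uri)
  uri.split('?', 2).first.gsub(/;[^\/]*/, '').squeeze('/')
end

# First path segment, i.e. the web application context the request targets.
def context_of(path)
  '/' + path.split('/').reject(&:empty?).first.to_s
end

# Returns every POST to the upload servlet, plus each context path that is
# first seen only after a successful (2xx) upload from the same client.
def find_upload_activity(lines)
  seen_contexts = {}
  uploaders = {}
  findings = []
  lines.each do |line|
    m = LOG_RE.match(line)
    next unless m # skip lines that are not in the assumed format
    path = normalize_path(m[:uri])
    ctx = context_of(path)
    if m[:verb] == 'POST' && path == UPLOAD_PATH
      uploaders[m[:ip]] = true if m[:status].start_with?('2')
      findings << { type: :upload, ip: m[:ip], ts: m[:ts], status: m[:status].to_i }
    elsif uploaders[m[:ip]] && !seen_contexts[ctx]
      findings << { type: :new_context, ip: m[:ip], ts: m[:ts], context: ctx }
    end
    seen_contexts[ctx] = true
  end
  findings
end

# Constructed sample input (documentation-range IPs, hypothetical context name).
SAMPLE_LOG = <<~LOG.lines.map(&:chomp)
  198.51.100.7 - - [06/Jul/2019:10:00:01 +0000] "GET /fm/index.html HTTP/1.1" 200 512
  203.0.113.9 - - [06/Jul/2019:10:02:13 +0000] "POST /fm//fileUpload;x=1?a=b HTTP/1.1" 200 31
  203.0.113.9 - - [06/Jul/2019:10:02:40 +0000] "GET /example-app/ HTTP/1.1" 200 0
  198.51.100.7 - - [06/Jul/2019:10:03:00 +0000] "POST /fm/fileUpload HTTP/1.1" 403 0
LOG

find_upload_activity(SAMPLE_LOG).each { |f| puts f.inspect } if $PROGRAM_NAME == __FILE__
```

A rejected upload (the 403 line) is still reported, since failed attempts against the servlet are worth reviewing alongside successful ones.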

pedrib added 2 commits Jul 6, 2019
@acammack-r7

Contributor

commented Jul 10, 2019

Looks cool @pedrib! I think this module would be more at home in modules/exploits/multi/http/ than in the root Metasploit directory.

pedrib and others added 2 commits Jul 11, 2019
Update cisco_dcnm_upload_2019.rb
Co-Authored-By: @shellfail <jrobles@rapid7.com>
Update cisco_dcnm_upload_2019.rb
Co-Authored-By: @shellfail <jrobles@rapid7.com>
@pedrib

Contributor Author

commented Jul 11, 2019

@acammack-r7 sorry mate, I must have been half asleep when I submitted the module, it definitely should be in modules/exploits/multi/http

pedrib added 2 commits Jul 12, 2019
Rename modules/exploit/multi/http/cisco_dcnm_upload_2019.rb to module…
…s/exploits/multi/http/cisco_dcnm_upload_2019.rb
@pedrib

Contributor Author

commented Jul 13, 2019

@acammack-r7 @wvu-r7 give me some time to address your points, I'm currently busy with other work! I don't like to make changes without testing locally with all the versions I have here (10.4.2, 11.0.1, 11.1.1), so need downtime to address them. Please be patient!

@pedrib

Contributor Author

commented Aug 2, 2019

@acammack-r7 @wvu-r7 all done, good to go!

@pedrib

Contributor Author

commented Aug 14, 2019

ping!

@pedrib

Contributor Author

commented Aug 22, 2019

yo guys!

@wvu-r7

Contributor

commented Aug 22, 2019

Hey, why don't I handle this!

@wvu-r7 wvu-r7 self-assigned this Aug 22, 2019

@wvu-r7

Contributor

commented Aug 29, 2019

Note to committers: please handle #12059 as well.

@pedrib

Contributor Author

commented Aug 29, 2019

dcnm_uploadp.pcap.zip

Pcap attached

@wvu-r7
Contributor

left a comment

Would appreciate it if you applied the review from #12059, too.

@pedrib

Contributor Author

commented Aug 29, 2019

done! should be good to go!

@pedrib

Contributor Author

commented Aug 29, 2019

all good!

@pedrib

Contributor Author

commented Aug 29, 2019

all good?

@wvu-r7

Contributor

commented Aug 29, 2019

I'm fine with the code, but we do require a module doc per module now. If you are unable to provide, I can handle it.

You can at least copy the module description, setup notes, and example output into a Markdown file. Usually takes me five minutes.

@wvu-r7

Contributor

commented Aug 29, 2019

@wvu-r7

Contributor

commented Aug 29, 2019

I'm going to sleep, but I'll check in on this and the other PR tomorrow.

@wvu-r7

Contributor

commented Aug 30, 2019

@pedrib: This one has an f-d reference. Okay to land?

@wvu-r7 wvu-r7 added docs and removed needs-docs labels Aug 30, 2019

wvu-r7 added a commit that referenced this pull request Aug 30, 2019

@wvu-r7 wvu-r7 merged commit 23d7a0e into rapid7:master Aug 30, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed
@wvu-r7
wvu-r7 approved these changes Aug 30, 2019
@wvu-r7

Contributor

commented Aug 30, 2019

Release Notes

The Cisco Data Center Network Manager File Upload module has been added to the framework. It targets a vulnerability in DCNM that exposes a file upload servlet (FileUploadServlet) at /fm/fileUpload. An authenticated user can abuse this servlet to upload a WAR to the Apache Tomcat webapps directory and achieve remote code execution as root.

@pedrib pedrib deleted the pedrib:dcnm_upload-1 branch Aug 30, 2019

jmartin-r7 added a commit that referenced this pull request Aug 30, 2019

@tdoan-r7 tdoan-r7 added the rn-modules label Sep 5, 2019

6 participants