Add exploit for CVE-2019-1621, Cisco Data Center Network Manager arbitrary file download. #12059

Merged
merged 10 commits into from Aug 30, 2019


@pedrib
Contributor

commented Jul 6, 2019

  DCNM exposes a servlet to download files on /fm/downloadServlet.
  An authenticated user can abuse this servlet to download arbitrary files as root by specifying
  the full path of the file.
  This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should
  work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit
  (see References to understand why).

See also:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-file-dwnld

I will also put a full disclosure post up soon that contains more details, and will add the link here.

pedrib added 5 commits Jul 6, 2019
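
A defender-side check for the behaviour described in the PR description, added here as an example and not part of the pull request or the Metasploit module: it scans web access logs for requests to `/fm/downloadServlet` whose query string carries an absolute filesystem path. The combined log format, the parameter name `param` and the sample lines are assumptions constructed for illustration.

```ruby
require 'uri'

SERVLET_PATH = '/fm/downloadServlet' # servlet path named in the PR description

# Assumption: the web tier in front of DCNM writes NCSA combined-format logs.
LOG_RE = /\A(?<ip>\S+) \S+ (?<user>\S+) \[[^\]]+\] "[A-Z]+ (?<target>\S+)[^"]*" (?<status>\d{3}) (?<bytes>\S+)/

# Percent-decode one URL component to bytes; keep the raw text if malformed.
def decode(component)
  URI.decode_www_form_component(component).b
rescue ArgumentError
  component.b
end

# One hash per request to the servlet in which any query parameter value
# decodes to an absolute filesystem path. The page does not name the
# parameter, so every parameter is inspected.
def servlet_path_requests(lines)
  hits = lines.map do |line|
    m = LOG_RE.match(line)
    next unless m

    path, query = m[:target].split('?', 2)
    # Ignore ";jsessionid=..." path parameters and repeated slashes.
    next unless decode(path).sub(/;.*\z/m, '').squeeze('/') == SERVLET_PATH

    files = query.to_s.split('&')
                 .map { |kv| decode(kv.split('=', 2)[1].to_s) }
                 .select { |value| value.start_with?('/') }
    next if files.empty?

    { ip: m[:ip], user: m[:user], status: m[:status].to_i,
      bytes: m[:bytes].to_i, files: files }
  end
  hits.compact
end

# Constructed sample lines: documentation addresses, hypothetical parameter name.
SAMPLE_LOG = [
  '192.0.2.10 - admin [30/Aug/2019:10:00:01 +0000] "GET /fm/downloadServlet?param=%2Fetc%2Fpasswd HTTP/1.1" 200 1394',
  '192.0.2.10 - - [30/Aug/2019:10:00:05 +0000] "GET /fm/downloadServlet;jsessionid=ABC?param=/etc/hosts HTTP/1.1" 200 211',
  '198.51.100.7 - operator [30/Aug/2019:10:02:11 +0000] "GET /fm/downloadServlet?param=report.zip HTTP/1.1" 200 88211',
  '198.51.100.7 - operator [30/Aug/2019:10:02:40 +0000] "GET /fm/index.html?next=/home HTTP/1.1" 200 512'
].freeze

servlet_path_requests(SAMPLE_LOG).each { |hit| puts hit } if __FILE__ == $PROGRAM_NAME
```

A hit with user `-` and status 200 deserves the closest look, since the description says only version 11.0(1) requires authentication.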
@wvu-r7

Contributor

commented Jul 9, 2019

Thanks, @pedrib!

@pedrib

Contributor Author

commented Jul 10, 2019

@wvu-r7 you're welcome, full disclosure link added!

@pedrib pedrib changed the title from "Add exploit for CVE-2019-1621, Cisco Data Center Network Manager arbitrary file upload." to "Add exploit for CVE-2019-1621, Cisco Data Center Network Manager arbitrary file download." Jul 10, 2019

@pedrib

Contributor Author

commented Jul 10, 2019

Corrected the title, this is actually the auxiliary arb download module; the file upload leading to RCE is PR #12058

@pedrib

Contributor Author

commented Jul 13, 2019

@acammack-r7 @wvu-r7 give me some time to address your points, I'm currently busy with other work! I don't like to make changes without testing locally with all the versions I have here (10.4.2, 11.0.1, 11.1.1), so I need some downtime to address them. Please be patient!

@pedrib

Contributor Author

commented Aug 2, 2019

@acammack-r7 @wvu-r7 all done, good to go!

@pedrib

Contributor Author

commented Aug 14, 2019

ping!

@pedrib

Contributor Author

commented Aug 22, 2019

yo guys!

@wvu-r7

Contributor

commented Aug 22, 2019

And this one!

@wvu-r7 wvu-r7 self-assigned this Aug 22, 2019

@pedrib

Contributor Author

commented Aug 24, 2019

@wvu-r7 please do, these are ready to go!

@pedrib

Contributor Author

commented Aug 24, 2019

The build failure is unrelated to the module I believe.

@pedrib

Contributor Author

commented Aug 28, 2019

Do you want a pcap to accelerate this?

@wvu-r7

Contributor

commented Aug 29, 2019

I might have to transfer these PRs to someone else. This might be my busiest week of the year. :(

@wvu-r7

Contributor

commented Aug 29, 2019

A pcap would help, yes, but is there a virtual appliance we can test? This could benefit from module documentation.

@wvu-r7

Contributor

commented Aug 29, 2019

Note to committers: please handle #12058 as well.

@pedrib

Contributor Author

commented Aug 29, 2019

> A pcap would help, yes, but is there a virtual appliance we can test? This could benefit from module documentation.

There is a virtual appliance, but you need a Cisco contract to access it. I'll send a pcap soon.

@wvu-r7

Contributor

commented Aug 29, 2019

Let me review this right quick, and if the pcap checks out, let's ship it.

@wvu-r7
Contributor

left a comment

Quick-pass review. Should be clean enough to merge after.

modules/auxiliary/admin/cisco/cisco_dcnm_download.rb
@pedrib

Contributor Author

commented Aug 29, 2019

dcnm_download.pcap.zip

Pcap attached

@pedrib

Contributor Author

commented Aug 29, 2019

Fixed most of your changes, except the ones where I provide a justification

@wvu-r7

Contributor

commented Aug 29, 2019

Cool, I can accept your justifications. Thanks for the quick changes!

@pedrib

Contributor Author

commented Aug 29, 2019

Done!

@wvu-r7

Contributor

commented Aug 29, 2019

Once #12058 (comment) is addressed, I plan to review the pcaps and land both PRs.

@pedrib

Contributor Author

commented Aug 29, 2019

ok that's it!

@wvu-r7

Contributor

commented Aug 30, 2019

@pedrib: This one has an f-d reference. Okay to land?

@wvu-r7 wvu-r7 removed the needs-docs label Aug 30, 2019

@pedrib

Contributor Author

commented Aug 30, 2019

@wvu-r7 all good for all modules!

@wvu-r7 wvu-r7 added docs module and removed module labels Aug 30, 2019

wvu-r7 added a commit that referenced this pull request Aug 30, 2019

@wvu-r7 wvu-r7 merged commit 542c75d into rapid7:master Aug 30, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed
@wvu-r7
wvu-r7 approved these changes Aug 30, 2019
@wvu-r7

Contributor

commented Aug 30, 2019

Release Notes

The Cisco Data Center Network Manager Arbitrary File Download module has been added to the framework. It targets a vulnerability in DCNM that exposes a servlet to download files on /fm/downloadServlet. An authenticated user can abuse this servlet to download arbitrary files as root by specifying the full path of the file.

@pedrib pedrib deleted the pedrib:dcnm_download branch Aug 30, 2019

jmartin-r7 added a commit that referenced this pull request Aug 30, 2019

@tdoan-r7 tdoan-r7 added the rn-modules label Sep 5, 2019
