Add exploit for Cisco UCS Unauthenticated Remote Code Execution #12243

Merged
merged 9 commits into from Aug 30, 2019

Conversation

@pedrib
Contributor

commented Aug 28, 2019

This PR adds an exploit module for Cisco UCS up to version 6.7.0.2. From the module's description:

  The Cisco UCS Director virtual appliance contains two flaws that can be combined
  and abused by an attacker to achieve remote code execution as root.
  The first one, CVE-2019-1937, is an authentication bypass, that allows the
  attacker to authenticate as an administrator.
  The second one, CVE-2019-1936, is a command injection in a password change form,
  that allows the attacker to inject commands that will execute as root.
  This module combines both vulnerabilities to achieve the unauthenticated command
  injection as root.
  It has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0.
  Note that Cisco also mentions in their advisory that their IMC Supervisor and
  UCS Director Express are also affected by these vulnerabilities, but this module
  was not tested with those products.
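
The second flaw the description names is a command injection in a password-change form that runs as root. As an added illustration of that bug class only, constructed for this page and not Cisco's code nor the module's, here is a Ruby password-change handler that interpolates the submitted password into a shell command, beside two hardened forms. sed stands in for the privileged helper so nothing on the host is changed; the "INJECTED" marker and PAYLOAD are constructed sample input, not anything from the advisory.

```ruby
require 'open3'
require 'shellwords'

# Added illustration of the bug class only; constructed here, not Cisco's code
# and not the Metasploit module. sed stands in for a privileged helper: it masks
# whatever follows the colon, so no real account is ever touched.
HELPER_ARGV = ['sed', 's/:.*/:<set>/'].freeze
HELPER_SHELL = "sed 's/:.*/:<set>/'"

# Vulnerable pattern: the submitted password is interpolated into a shell
# command line. A password containing ";" ends the echo and starts a second
# command, which runs with whatever privilege the handler has.
def change_password_vulnerable(user, password)
  out, _status = Open3.capture2('sh', '-c', "echo #{user}:#{password} | #{HELPER_SHELL}")
  out
end

# Hardened form 1: still a shell, but the untrusted token is escaped so the
# shell sees exactly one literal word.
def change_password_escaped(user, password)
  word = Shellwords.escape("#{user}:#{password}")
  out, _status = Open3.capture2('sh', '-c', "echo #{word} | #{HELPER_SHELL}")
  out
end

# Hardened form 2 (preferred): no shell at all. The helper is executed from an
# argv array and the secret travels on stdin, so metacharacters are just bytes.
def change_password_argv(user, password)
  out, _status = Open3.capture2(*HELPER_ARGV, stdin_data: "#{user}:#{password}\n")
  out
end

# True when the handler let an injected command run: the marker only appears
# in the output if "echo INJECTED" executed as a separate shell command.
def injected?(handler, user, password)
  handler.call(user, password).include?('INJECTED')
end

# Constructed sample input for the demonstration, not a real exploit string.
PAYLOAD = 'x; echo INJECTED'

if __FILE__ == $PROGRAM_NAME
  [:change_password_vulnerable, :change_password_escaped, :change_password_argv].each do |name|
    puts "#{name}: injected=#{injected?(method(name), 'admin', PAYLOAD)}"
  end
end
```

Escaping is the second-best fix: it depends on getting every interpolation right, every time. Executing the helper from an argv array with the secret on stdin removes the shell from the path entirely, and it does so without restricting which characters a password may contain, which a character allowlist would.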
pedrib added 7 commits Jul 6, 2019
@pedrib

Contributor Author

commented Aug 28, 2019

Demo VMs can be downloaded from https://www.cisco.com/c/en/us/support/servers-unified-computing/ucs-director-evaluation/model.html
I can also provide a pcap if needed

@wvu-r7

Contributor

commented Aug 29, 2019

I was just reading https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-ucs-rce.txt and saw that two Metasploit modules were created, then went to check GitHub, and here we are once again. It's you. :)

@pedrib

Contributor Author

commented Aug 29, 2019

@wvu-r7 went ahead and pre-empted some of your comments, made adjustments to match what we discussed in the other PR.
However this time I kept the "and" and "or" instead of the "&&" and "||", as most of the times I was using the former.

@pedrib

Contributor Author

commented Aug 29, 2019

do you want pcaps?

@wvu-r7

Contributor

commented Aug 29, 2019

Pcaps are always good.

@pedrib

Contributor Author

commented Aug 29, 2019

pcaps.tar.gz
Here you go!

@wvu-r7

Contributor

commented Aug 29, 2019

> However this time I kept the "and" and "or" instead of the "&&" and "||", as most of the times I was using the former.

This one isn't a style issue so much as a logical issue. "and" and "or" have different precedence compared to "&&" and "||". The best practice is to prefer the operators that are more predictable.

That said, you're using the English operators exclusively for control flow, and you're using parens properly, so it should be fine, functionality-wise.

It seems you come from Python with your style, and that's fine, but Ruby is wacky and has a billion ways to do any given thing.

I also know this isn't your first rodeo, as we've worked together before, and you've written at least 50 modules. I'm fine leaving your English operators in place, but I have a responsibility to point out where they may introduce bugs. So far, I think we're okay!

ETA: This is a good post on the difference between the two sets of operators: https://mixandgo.com/learn/understanding-boolean-operator-precedence-in-ruby.
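
As an added example, not part of the PR thread and not code from the module, the precedence difference the review describes, shown in runnable Ruby: the English operators bind more loosely than "=" and than every symbolic operator, and "and"/"or" share one precedence level, so the same-looking expressions evaluate differently. The run_steps helper is a constructed illustration of the control-flow-only usage the review says is fine.

```ruby
# Added example, not from the PR: how Ruby's "and"/"or" differ from "&&"/"||".
# The English forms bind more loosely than "=" and than every symbolic operator,
# and "and"/"or" share a single precedence level.

# "&&" binds tighter than "=", so result receives (true && false).
def symbolic_assignment
  result = true && false
  result
end

# "and" binds looser than "=": parsed as (result = true) and false,
# so result is true and the trailing "and false" is evaluated and discarded.
def english_assignment
  result = true and false
  result
end

# "&&" binds tighter than "||": parsed as true || (false && false).
def symbolic_mixed
  true || false && false
end

# "and" binds looser than "||": parsed as (true || false) and false.
def english_mixed
  true || false and false
end

# "&&" outranks "||": parsed as true || (true && false).
def symbolic_chain
  true || true && false
end

# "and" and "or" sit on one level and associate left to right:
# parsed as (true or true) and false.
def english_chain
  true or true and false
end

# The usage the review calls acceptable: English operators only for control
# flow, with the condition parenthesised. Each step either succeeds or logs a
# failure and stops. No value is assigned through "and"/"or", so the low
# precedence cannot silently change what a variable holds.
def run_steps(steps)
  log = []
  steps.each do |name, ok|
    (ok == true) or (log << "#{name} failed"; return log)
    log << "#{name} ok"
  end
  log
end

if __FILE__ == $PROGRAM_NAME
  p symbolic_assignment, english_assignment
  p symbolic_mixed, english_mixed
  p run_steps([['login', true], ['inject', false], ['cleanup', true]])
end
```

The assignment case is the one that bites in practice: `ok = check and fail` sets ok to the result of check and then evaluates fail regardless, which reads as a bug only once you know the parse.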

@pedrib

Contributor Author

commented Aug 29, 2019

@wvu-r7 I have no problem using whatever, it's just that most of my code is copy paste, therefore these things can go both ways... and I can be lazy sometimes.

I always use parens in my code, for all languages (not just Ruby) even if I know the operator precedence rules, as I believe this makes the code clearer to read.

@pedrib

Contributor Author

commented Aug 29, 2019

btw I have now added docs to this, and going to add to the other UCS module too now

@pedrib

Contributor Author

commented Aug 29, 2019

just waiting for the full disclosure link to appear in the archives, so I can replace the placeholder in both the module and the docs

@wvu-r7

Contributor

commented Aug 29, 2019

Cool, once that's done, I'll land this and the other.

@wvu-r7

Contributor

commented Aug 29, 2019

@pedrib: Does that happen at the end of the month? I won't be available in September.

@pedrib

Contributor Author

commented Aug 30, 2019

@wvu-r7 no mate it's usually 24h, but sometimes can take up to 3 or 4 days, depending on their queue; anyway, should be soon!

@space-r7 space-r7 added docs and removed needs-docs labels Aug 30, 2019

@wvu-r7

Contributor

commented Aug 30, 2019

Oh, whoops. I wasn't assigned to this PR. I got them confused. I'll go land the others.

@pedrib

Contributor Author

commented Aug 30, 2019

@wvu-r7 all modules are good to go, including the UCS ones, I've just added the FD reference!
They're not assigned to you but can you also land them?

@wvu-r7 wvu-r7 self-assigned this Aug 30, 2019

wvu-r7 added a commit that referenced this pull request Aug 30, 2019

@wvu-r7 wvu-r7 merged commit 1ae21a4 into rapid7:master Aug 30, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed
@wvu-r7
wvu-r7 approved these changes Aug 30, 2019
@wvu-r7

Contributor

commented Aug 30, 2019

Release Notes

The Cisco UCS Unauthenticated RCE module has been added to the framework. It targets CVE-2019-1937 and CVE-2019-1936.

@pedrib pedrib deleted the pedrib:cisco_ucs branch Aug 30, 2019

jmartin-r7 added a commit that referenced this pull request Aug 30, 2019

@tdoan-r7 tdoan-r7 added rn-modules and removed rn-modules labels Sep 5, 2019

4 participants