Exploit for Unprotected Alternate Channel in Cisco Ios Xe
Discription

CVE-2023-20198 Exploit PoC for CVE-2023-20198 Description CVE-2023-20198 is characterized by improper path validation to bypass Nginx filtering to reach the webui_wsma_http web endpoint without requiring authentication. By bypassing authentication to the endpoint, an attacker can execute arbitrary Cisco IOS commands or issue configuration changes with Privilege 15 privileges. Cisco's investigation into active exploitation of the previously undisclosed vulnerability revealed threat actors first exploited CVE-2023-20198 to add a new user with Privilege level 15. Further attacks involved exploitation of CVE-2023-20273 to escalate to the underlying Linux OS root user to facilitate implantation. This PoC exploits CVE-2023-20198 to leverage two different XML SOAP endpoints: The vulnerability check, config, and command execution options all target the cisco:wsma-exec SOAP endpoint to insert commands into the execCLI element tag. The add user option targets the cisco:wsma-config SOAP endpoint to issue a configuration change and add the Privilege 15 account. This endpoint could be [ab]used to make other configuration changes, but thats outside the scope of this PoC. Abuse of the cisco:wsma-exec SOAP endpoint came from the nuclei template Abuse of the cisco:wsma-config SOAP endpoint came from the horizon3ai PoC Note: I did not conduct any of the original research or PoC development for this CVE. See the references section for credit. Usage “` usage: exploit.py [-h] (-t targetIP |…Read More

Back to Main

Subscribe for the latest news: