CVE-2023-20198 PoC — Cisco IOS XE Software 安全漏洞

Title:Cisco IOS XE Software 安全漏洞 (CVE-2023-20198)
Description:Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343.

CVE-2023-20198是思科IOS XE软件Web UI功能中的一个严重漏洞，允许未经身份验证的远程攻击者在受影响的系统上创建具有特权级别15的账户，从而完全控制设备。

# CVE-2023-20198-poc
CVE-2023-20198是思科IOS XE软件Web UI功能中的一个严重漏洞，允许未经身份验证的远程攻击者在受影响的系统上创建具有特权级别15的账户，从而完全控制设备。 

该漏洞的产生主要源于Web UI功能中路径解析的不当处理。攻击者通过精心构造的HTTP请求，利用双重URL编码绕过Nginx的路径过滤机制，直接访问受保护的内部端点，如`/webui_wsma_http`。通过这些端点，攻击者可以发送特制的SOAP请求，执行任意CLI命令或进行配置更改。 

具体而言，攻击者发送的请求路径经过双重编码处理，使得Nginx在解析时未能正确识别并阻止非法访问，导致未经授权的请求被转发到后端的`iosd`服务。通过该服务，攻击者可以利用Web服务管理代理（WSMA）功能，发送SOAP请求，创建具有最高权限的用户账户，进而完全控制受影响的设备。 

思科已发布安全公告，建议用户尽快升级至修复版本，并采取相应的安全措施以防止此类攻击。  

 [4.0K]  /data/pocs/cd7567045f04f4dc04847d0f34d64f70599870f7
├── [6.2K]  CVE-2023-20198-poc.py
├── [ 11K]  LICENSE
└── [1.1K]  README.md

0 directories, 3 files