Cisco IOS XE Unauthenticated RCE | CVE-2023-20198 and CVE-2023-20273 Exploit


vRuby by Prapattimynk



This Metasploit module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE devices which have the web UI exposed. An attacker can execute a payload with root privileges. The vulnerable IOS XE versions.

CVE-2023-20198 is an improper path validation flaw: a request can bypass Nginx filtering and reach the webui_wsma_http web endpoint without authentication.
By bypassing authentication to the endpoint, an attacker can execute arbitrary Cisco IOS commands or issue configuration changes with privilege level 15.
Cisco’s investigation into active exploitation of the previously undisclosed vulnerability revealed threat actors first exploited CVE-2023-20198 to add a new user with Privilege level 15. Further attacks involved exploitation of CVE-2023-20273 to escalate to the underlying Linux OS root user to facilitate implantation.
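
A defensive check that follows from the activity described above, as an added example (not part of the original page or of the Metasploit module): it audits a saved IOS XE running-config for an enabled web UI and for privilege level 15 local accounts missing from an allowlist. The sample config, the account names and the `APPROVED_ADMINS` allowlist are constructed assumptions.

```python
import re

# Constructed running-config excerpt for illustration (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netadmin privilege 15 secret 9 $9$CONSTRUCTED
username helpdesk privilege 5 secret 9 $9$CONSTRUCTED
username svc_unknown01 privilege 15 secret 9 $9$CONSTRUCTED
ip http server
ip http secure-server
"""

# Hypothetical allowlist: the level-15 accounts your change records say should exist.
APPROVED_ADMINS = {"netadmin"}

USER_RE = re.compile(r"^username\s+(\S+)(.*)$")
PRIV_RE = re.compile(r"\bprivilege\s+(\d+)\b")
HTTP_RE = re.compile(r"^ip http (server|secure-server)$")


def audit_config(config_text, approved_admins):
    """Return web UI services left enabled and level-15 users not on the allowlist."""
    web_ui, unexpected = [], []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # collapse whitespace, drop indentation
        http = HTTP_RE.match(line)    # "no ip http server" does not match
        if http:
            web_ui.append(http.group(1))
            continue
        user = USER_RE.match(line)
        if user:
            priv = PRIV_RE.search(user.group(2))
            # IOS local users default to level 1 when no privilege keyword is given.
            level = int(priv.group(1)) if priv else 1
            if level == 15 and user.group(1) not in approved_admins:
                unexpected.append(user.group(1))
    return {"web_ui_enabled": sorted(web_ui), "unexpected_priv15": sorted(unexpected)}


if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG, APPROVED_ADMINS)
    for svc in report["web_ui_enabled"]:
        print(f"[exposure] 'ip http {svc}' is enabled; restrict or disable the web UI")
    for name in report["unexpected_priv15"]:
        print(f"[review] privilege 15 account not on allowlist: {name}")
```

A clean result from this audit is only one signal: it reflects the configuration at the time it was saved, so compare successive snapshots rather than relying on a single run.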

This PoC exploits CVE-2023-20198 to leverage two different XML SOAP endpoints:
The vulnerability check, config, and command execution options all target the cisco:wsma-exec SOAP endpoint to insert commands into the execCLI element tag.
The add user option targets the cisco:wsma-config SOAP endpoint to issue a configuration change and add the privilege level 15 account. This endpoint could be [ab]used to make other configuration changes, but that's outside the scope of this PoC.

Abuse of the cisco:wsma-exec SOAP endpoint came from the nuclei template
Abuse of the cisco:wsma-config SOAP endpoint came from the horizon3ai PoC


