PoC details: 594c6214be303e9522b720e0d78d72e8c7e638c4

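Related vulnerability
Title: Cisco SD-WAN path traversal vulnerability (CVE-2022-20818)
Description: Cisco SD-WAN is a highly secure cloud-scale architecture from Cisco (USA) that is open, programmable and scalable. Cisco SD-WAN Software contains a path traversal vulnerability that stems from improper access control on commands in the application CLI and may allow an authenticated local attacker to gain elevated privileges; successful exploitation lets the attacker execute arbitrary commands.
Description
CVE-2022-20818: Local Privilege Escalation via Partial File Read in Cisco SD-WAN
Introduction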
# CVE-2022-20818: Local Privilege Escalation via Partial File Read in Cisco SD-WAN

The “config -> load” feature of the Viptela SSH shell uses “wget” to fetch remote “command” files over FTP. By hosting a malicious FTP server and replacing the local files created by wget with symlinks, an attacker can abuse the “root” privileges with which the commands are run to read the first line of arbitrary files.

By reading the secret from “/etc/confd/confd_etc_secret”, the attacker is able to obtain an interactive shell with “root” privileges on the machine.
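
As an added example (not part of the original README and not Cisco's fix), the Python code below shows how a privileged reader can refuse the symlink swap described above: it opens the file with `O_NOFOLLOW` and validates the opened descriptor with `fstat` before reading the first line. The function names, file names and file contents are constructed for illustration.

```python
import os
import stat
import tempfile

class UnsafeFileError(Exception):
    """Raised when the path is not a plain file owned by the expected user."""

def read_first_line_nofollow(path, expected_uid, limit=4096):
    """Return the first line of `path`, refusing symlinks and odd file types."""
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        # open(2) fails (ELOOP on Linux) when the final component is a symlink.
        raise UnsafeFileError(f"refusing to open {path}: {exc.strerror}") from exc
    try:
        st = os.fstat(fd)  # inspect the object actually opened, not the path
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeFileError("not a regular file")
        if st.st_uid != expected_uid:
            raise UnsafeFileError("unexpected owner")
        if st.st_nlink != 1:
            raise UnsafeFileError("file has extra hard links")
        data = os.read(fd, limit)
    finally:
        os.close(fd)
    return data.split(b"\n", 1)[0].decode("utf-8", "replace")

def demo():
    """Build constructed sample files and show the swapped path being rejected."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "constructed_secret")  # stand-in for a root-only file
        fetched = os.path.join(tmp, "fetched_commands")   # stand-in for the downloaded file
        with open(secret, "w") as f:
            f.write("CONSTRUCTED-SECRET\n")
        with open(fetched, "w") as f:
            f.write("constructed-command one\nconstructed-command two\n")
        results["plain"] = read_first_line_nofollow(fetched, os.getuid())
        os.unlink(fetched)
        os.symlink(secret, fetched)  # the file is now a symlink to the secret
        try:
            read_first_line_nofollow(fetched, os.getuid())
            results["symlink"] = "read"
        except UnsafeFileError:
            results["symlink"] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```

`O_NOFOLLOW` only covers the final path component, so the directory holding the file must not be writable by the unprivileged user either.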

### Vendor Disclosure:

The vendor's disclosure and fix for this vulnerability can be found [here](https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-sd-wan-priv-E6e8tEdF.html).

### Requirements:

This vulnerability requires:

- Access to the Viptela shell (e.g. via SSH)

OR

- Access to the local system

### Proof Of Concept:

More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/CVE-2022-20818/blob/main/Cisco%20SD-WAN%20-%20CVE-2022-20818.pdf).

### Additional Resources:

[Article by Johnny "straight_blast" Yu](https://medium.com/walmartglobaltech/hacking-cisco-sd-wan-vmanage-19-2-2-from-csrf-to-remote-code-execution-5f73e2913e77) detailing how to use the "/etc/confd/confd_etc_secret" secret + GDB to gain a root shell

The original ftp_server script used and modified in this exploit was taken from [here](https://github.com/jacklam718/ftp)
File snapshot

[4.0K] /data/pocs/594c6214be303e9522b720e0d78d72e8c7e638c4
├── [2.0M] Cisco SD-WAN - CVE-2022-20818.pdf
└── [1.5K] README.md

0 directories, 2 files