nuclei-templates/http/vulnerabilities/backdoor/cisco-implant-detect.yaml

id: cisco-implant-detect

info:
  name: Cisco IOS XE - Impant Detection
  author: DhiyaneshDK,rxerium
  severity: critical
  description: |
    Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.
  remediation: |
    Disable the HTTP server feature on internet-facing systems by running one of the following commands in global configuration mode: 'no ip http server' or 'no ip http secure-server'.
  reference:
    - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
    - https://www.bleepingcomputer.com/news/security/cisco-warns-of-new-ios-xe-zero-day-actively-exploited-in-attacks/
    - https://socradar.io/cisco-warns-of-exploitation-of-a-maximum-severity-zero-day-vulnerability-in-ios-xe-cve-2023-20198
    - https://github.com/vulncheck-oss/cisco-ios-xe-implant-scanner/blob/main/implant-scanner.go
  metadata:
    verified: true
    max-request: 2
    shodan-query: http.html_hash:1076109428
    product: ios_xe
    vendor: cisco
  tags: backdoor,cisco,ios,kev

http:
  - raw:
      - |
        GET /webui HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /webui/logoutconfirm.html?logon_hash=1 HTTP/1.1
        Host: {{Hostname}}
        Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb

    redirects: true
    max-redirects: 3

    matchers-condition: and
    matchers:
      - type: regex
        part: body_1
        regex:
          - 'webui-centerpanel-title'

      - type: regex
        part: body_2
        regex:
          - '^([a-f0-9]{18})\s*$'

      - type: dsl
        dsl:
          - status_code_2 == 200
# digest: 4a0a004730450220168522beff645c0b82f0faf7ad2359a372694bf17bc6f31378277c1b01647f63022100e5adbdb3bdd6f922a15f8a4296295d521520a5c56503dba4c72aa487c8b63b73:922c64590222798bb761d5b6d8e72950
TemplateMan Update [Fri Oct 27 08:59:57 UTC 2023] :robot: 2023-10-27 08:59:57 +00:00			`id: cisco-implant-detect`

			`info:`
			`name: Cisco IOS XE - Impant Detection`
			`author: DhiyaneshDK,rxerium`
Update cisco-implant-detect.yaml 2023-10-27 09:31:08 +00:00			`severity: critical`
TemplateMan Update [Fri Oct 27 08:59:57 UTC 2023] :robot: 2023-10-27 08:59:57 +00:00			`description: \|`
			`Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.`
			`remediation: \|`
			`Disable the HTTP server feature on internet-facing systems by running one of the following commands in global configuration mode: 'no ip http server' or 'no ip http secure-server'.`
			`reference:`
			`- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z`
			`- https://www.bleepingcomputer.com/news/security/cisco-warns-of-new-ios-xe-zero-day-actively-exploited-in-attacks/`
			`- https://socradar.io/cisco-warns-of-exploitation-of-a-maximum-severity-zero-day-vulnerability-in-ios-xe-cve-2023-20198`
			`- https://github.com/vulncheck-oss/cisco-ios-xe-implant-scanner/blob/main/implant-scanner.go`
			`metadata:`
			`verified: true`
			`max-request: 2`
			`shodan-query: http.html_hash:1076109428`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`product: ios_xe`
			`vendor: cisco`
TemplateMan Update [Fri Oct 27 08:59:57 UTC 2023] :robot: 2023-10-27 08:59:57 +00:00			`tags: backdoor,cisco,ios,kev`

			`http:`
			`- raw:`
			`- \|`
			`GET /webui HTTP/1.1`
			`Host: {{Hostname}}`
			`- \|`
			`POST /webui/logoutconfirm.html?logon_hash=1 HTTP/1.1`
			`Host: {{Hostname}}`
Update cisco-implant-detect.yaml 2023-10-31 06:06:49 +00:00			`Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb`
TemplateMan Update [Fri Oct 27 08:59:57 UTC 2023] :robot: 2023-10-27 08:59:57 +00:00
			`redirects: true`
			`max-redirects: 3`
TemplateMan Update [Tue Oct 31 10:54:20 UTC 2023] :robot: 2023-10-31 10:54:20 +00:00
TemplateMan Update [Fri Oct 27 08:59:57 UTC 2023] :robot: 2023-10-27 08:59:57 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: regex`
			`part: body_1`
			`regex:`
			`- 'webui-centerpanel-title'`

			`- type: regex`
			`part: body_2`
			`regex:`
			`- '^([a-f0-9]{18})\s*$'`

			`- type: dsl`
			`dsl:`
			`- status_code_2 == 200`
Auto Template Signing [Sat Jun 8 16:02:16 UTC 2024] :robot: 2024-06-08 16:02:17 +00:00			`# digest: 4a0a004730450220168522beff645c0b82f0faf7ad2359a372694bf17bc6f31378277c1b01647f63022100e5adbdb3bdd6f922a15f8a4296295d521520a5c56503dba4c72aa487c8b63b73:922c64590222798bb761d5b6d8e72950`