id: cisco-ios-xe-panel

info:
  name: Cisco IOS XE - Detect
  author: bhutch
  severity: info
  description: |
    Cisco IOS XE login panel was detected.
  reference:
    - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
  metadata:
    shodan-query: 'http.html_hash:1076109428'
    max-request: 1
    verified: "true"
  tags: panel,cisco

ssl:
  - address: "{{Host}}:{{Port}}"

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: dsl
        dsl:
          - contains(http_body,'webui')
          - contains(ssl_issuer_dn,'IOS-Self-Signed-Certificate')
        condition: and

    extractors:
      - type: kval
        kval:
          - ssl_issuer_dn