nuclei-templates/http/vulnerabilities/backdoor/cisco-implant-detect.yaml

52 lines
2.1 KiB
YAML

id: cisco-implant-detect
info:
name: Cisco IOS XE - Impant Detection
author: DhiyaneshDK,rxerium
severity: critical
description: |
Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.
remediation: |
Disable the HTTP server feature on internet-facing systems by running one of the following commands in global configuration mode: 'no ip http server' or 'no ip http secure-server'.
reference:
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
- https://www.bleepingcomputer.com/news/security/cisco-warns-of-new-ios-xe-zero-day-actively-exploited-in-attacks/
- https://socradar.io/cisco-warns-of-exploitation-of-a-maximum-severity-zero-day-vulnerability-in-ios-xe-cve-2023-20198
- https://github.com/vulncheck-oss/cisco-ios-xe-implant-scanner/blob/main/implant-scanner.go
metadata:
verified: true
max-request: 2
shodan-query: http.html_hash:1076109428
tags: backdoor,cisco,ios,kev
http:
- raw:
- |
GET /webui HTTP/1.1
Host: {{Hostname}}
- |
POST /webui/logoutconfirm.html?logon_hash=1 HTTP/1.1
Host: {{Hostname}}
Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb
redirects: true
max-redirects: 3
matchers-condition: and
matchers:
- type: regex
part: body_1
regex:
- 'webui-centerpanel-title'
- type: regex
part: body_2
regex:
- '^([a-f0-9]{18})\s*$'
- type: dsl
dsl:
- status_code_2 == 200
# digest: 4a0a004730450221009bed827c233b916acb8561dd03560c4e842b68f045e87efa57e1885457f916690220357c2dacd99f1c984391e81488e2f48548e49dbe531153e94f2e5142aeee97e9:922c64590222798bb761d5b6d8e72950