smokeintheshell / CVE-2023-20273

CVE-2023-20273 Exploit PoC

Does not work, help #1

Open DistressedPrincess opened 2 months ago

DistressedPrincess commented 2 months ago

Hello, I tried running it against IOS XE 16.12.10r, but the script returns Server Error 500 and fails. It is reachable and the WebUI is open :\ Much appreciated!

smokeintheshell commented 2 months ago

Can you post the full error output? It would be helpful to know at which point it errored out. Additional host details would help as well, specifically what kind of switch was targeted.

Also, it appears that 16.12.10r is not vulnerable: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z. IOS XE version 16.12.x is only vulnerable on Catalyst 3650 and 3850 switches until 16.12.10a.

DistressedPrincess commented 2 months ago

Oh, is it only on 3650 & 3850? Why does it matter if the vulnerability is in the software component of the WebUI? The switch is a Catalyst 9300. It errored out on exStage1 (retStage1 wasn't 200, it was 500). I could possibly send output later. Thanks a lot for your help anyway!

smokeintheshell commented 2 months ago

Cisco generally doesn't issue patches for unsupported hardware and software, so I'm guessing that only the 3650 and 3850 switches were supported for 16.12.x when patches were released, up until 16.12.10a. Their advisories leave a lot of room for questioning when it comes to what's actually vulnerable. Since you said the target is 16.12.10r, it's likely patched in that version.

retStage1 comes from the HTTP basic authentication to navigate to the /webui/rest/softwareMgmt/installAdd endpoint where the malicious JSON is posted containing the command injection. An HTTP 500 response indicates that the JSON was not accepted, another pointer to being patched. The Metasploit module has the highest vulnerable 16.12.x version being 16.12.10, but without any subversion, and Cisco's Software Checker lists the first fix available for CVE-2023-20198 and CVE-2023-20273 as 16.12.10a and 16.12.11 (separate release cycles), so I'm assuming that anything 16.12.10[*] is fixed. If you believe it should be vulnerable, give the msf module a shot and see if you can get any more details out of it, or try my CVE-2023-20198 PoC to get a detailed version or [sanitized] running config out of it. Theoretically, if your target is vulnerable to 20273, it would likely also be vulnerable to 20198.
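A patch-status triage built from the version rules stated in the comment above (first fixes at 16.12.10a and 16.12.11, so any 16.12.10 rebuild counts as fixed). This is an added example for inventory checking, not code from the PoC repository; the function names, the constructed inventory, and the ordering of rebuild suffixes (16.12.10 < 16.12.10a < 16.12.10r < 16.12.11) are assumptions of the example.

```python
import re

# Version string shape assumed here: dotted numbers plus an optional rebuild
# suffix, e.g. "16.12.10a" -> ((16, 12, 10), "a"). Assumption: a rebuild sorts
# after its bare base release, and suffixes sort alphabetically.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]*)$")


def parse_version(version: str):
    """Split an IOS XE version string into (numeric tuple, rebuild suffix)."""
    m = _VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised IOS XE version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    # Pad to three components so "16.12" compares like "16.12.0".
    numbers = numbers + (0,) * (3 - len(numbers))
    return numbers, m.group(2)


# First fixed releases in the 16.12 train as quoted in the thread: the
# 16.12.10a rebuild and 16.12.11 in the next release cycle.
FIRST_FIXED_16_12 = ("16.12.10a", "16.12.11")


def is_patched_16_12(version: str) -> bool:
    """True if `version` is a 16.12.x release at or after a first-fixed release."""
    parsed = parse_version(version)
    if parsed[0][:2] != (16, 12):
        raise ValueError("this check only covers the 16.12 train")
    # Tuple comparison: numeric components first, then the rebuild suffix.
    return any(parse_version(fixed) <= parsed for fixed in FIRST_FIXED_16_12)


def triage(inventory: dict) -> dict:
    """Map hostname -> 'patched' / 'vulnerable' for a 16.12.x inventory."""
    return {
        host: ("patched" if is_patched_16_12(ver) else "vulnerable")
        for host, ver in inventory.items()
    }


# Constructed sample inventory using the versions mentioned in the thread.
SAMPLE_INVENTORY = {
    "c9300-a": "16.12.10r",
    "c9200-lab": "16.12.4",
    "c3850-b": "16.12.10",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```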

DistressedPrincess commented 2 months ago

Yes, I forgot to mention I also tried your CVE-2023-20198 PoC, and it failed as well for the same switch. I will give the msf module a shot as well. Also, theoretically, if I lower the switch version to a 16.12.x below 16.12.10, it should work?

smokeintheshell commented 2 months ago

I believe it should, yes. The PoC was originally written targeting a 9200 on 16.12.4. Reading the advisory right now, I'm not sure why they put in there only 3650 and 3850 for being fixed in 16.12.10a, but that seems inconsequential. I do know that certain switches don't have a writable partition we can execute from, as I came across that in testing and development, but that shouldn't apply here.

DistressedPrincess commented 2 months ago

I see, thanks.