CVE-2019-1698 PoC — Cisco IoT Field Network Director Code Issue Vulnerability

Source
Associated Vulnerability
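Title: Cisco IoT Field Network Director Code Issue Vulnerability (CVE-2019-1698)
Description: Cisco IoT Field Network Director (IoT-FND) is an end-to-end Internet of Things management system from the US company Cisco. The system provides device management, asset tracking, and smart metering functions. The web-based user interface of Cisco Internet in Cisco IoT Field Network Director contains an XML external entity injection vulnerability, which stems from the program incorrectly handling XML external entity entries when parsing XML files. An attacker can exploit the vulnerability by importing an XML file with malicious entries to gain read access to information stored on the device.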
Readme
# CVE-2019-1698
- Check the code diff between the vulnerable version and the version with the fix:

**Code reference 1:** <https://plugins.trac.wordpress.org/changeset/3040809/notificationx/trunk/includes/Core/Rest/Analytics.php>
![image](https://github.com/user-attachments/assets/1922c3f4-7443-4723-b3d2-6aee7adc4510)


**Code reference 2:** <https://plugins.trac.wordpress.org/changeset/3040809/notificationx/trunk/includes/Core/Database.php>
![image](https://github.com/user-attachments/assets/715b4747-46ed-42d8-8112-be2a5d64a705)


Therefore, the following file is relevant to this CVE:

```
wp-content/plugins/notificationx/includes/Core/Rest/Analytics.php
```
Now, let's check the file that might contain the vulnerable code:
![image](https://github.com/user-attachments/assets/6001cf4f-fbba-4686-a418-835e4219c04a)
Focus on the `insert_analytics()` function:
![image](https://github.com/user-attachments/assets/e6451538-1939-42c2-ad64-b439e4b51fc1)
It receives the `$request` (coming from the user) and extracts the `type` parameter.

This value is then passed to the `CoreAnalytics::get_instance()->insert_analytics()` function:
![image](https://github.com/user-attachments/assets/e610daf2-bc69-4a4d-b4e5-12d360d2fcc1)

To reach this code, note the route mapped in the `register_routes()` function of the `Analytics` class:

```
$this->namespace . '/' . $this->rest_base
```

And the constructor for the `Analytics` class reveals the values for the `namespace` and `rest_base` variables:

```
public function __construct() {
	$this->namespace = 'notificationx/v1';
	$this->rest_base = 'analytics';
	add_action('rest_api_init', [$this, 'register_routes']);
}
```

So, the relevant (vulnerable) code that accepts the user-supplied `type` parameter can be reached via the following route:

```
notificationx/v1/analytics
```
But how is it exploited, and where is the SQL query that the injection reaches?

Since the user-supplied `type` parameter is passed to:

```
CoreAnalytics::get_instance()->insert_analytics( absint( $params['nx_id'] ), $type );
```

Locating this function:

![image](https://github.com/user-attachments/assets/f2ec69d3-f2f6-47aa-b523-b1a36970a386)
Let's check this function's code in the highlighted file:

`wp-content/plugins/notificationx/includes/Core/Analytics.php`:
![image](https://github.com/user-attachments/assets/f97acfc4-2865-4869-bb81-93b7aa7d767e)

If you are thinking that the vulnerability lies in the `increment_count()` function, then you are absolutely on the right track!

Here's the `increment_count` function (and it has the `$type` parameter coming from the user):
![image](https://github.com/user-attachments/assets/3944bf4e-b9f9-4fca-a95c-b5b4d5bebf47)

This function in turn calls the `update_analytics()` function. Let's look at it:
![image](https://github.com/user-attachments/assets/7627a8fb-0d9a-42c8-bf5e-28f4718474ce)

![image](https://github.com/user-attachments/assets/5a15a5ef-594b-4f20-a990-d2ec63044c98)
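
The data flow traced above, as an added Python/SQLite model that is not code from the plugin or from this README. It assumes the request's `type` value ends up as a column name in an UPDATE statement; the table, columns, function names and the hostile value are hypothetical and constructed for the example.

```python
import sqlite3

# Hypothetical counter columns a request may increment (not taken from the plugin).
ALLOWED_TYPES = {"views", "clicks"}
# Constructed request value: SQL text where a column name is expected.
HOSTILE_TYPE = "views = views + 100 --"

def make_db():
    """In-memory stand-in for an analytics table, with two constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE stats (nx_id INTEGER PRIMARY KEY,"
               " views INTEGER, clicks INTEGER)")
    db.executemany("INSERT INTO stats VALUES (?, 0, 0)", [(1,), (2,)])
    return db

def increment_unsafe(db, nx_id, type_):
    # 'Before' pattern: nx_id is forced to an integer (like absint()), but
    # type_ is pasted into the statement text as an identifier.
    db.execute(f"UPDATE stats SET {type_} = {type_} + 1 "
               f"WHERE nx_id = {int(nx_id)}")

def increment_safe(db, nx_id, type_):
    # Hardened pattern: placeholders cannot bind identifiers, so the request
    # value may only select a name from a fixed allowlist.
    if type_ not in ALLOWED_TYPES:
        raise ValueError(f"unsupported analytics type: {type_!r}")
    db.execute(f"UPDATE stats SET {type_} = {type_} + 1 WHERE nx_id = ?",
               (int(nx_id),))

def rows(db):
    return db.execute(
        "SELECT nx_id, views, clicks FROM stats ORDER BY nx_id").fetchall()

if __name__ == "__main__":
    db = make_db()
    increment_unsafe(db, 1, HOSTILE_TYPE)   # WHERE clause is commented out
    print("unsafe:", rows(db))              # every row changed
    db = make_db()
    try:
        increment_safe(db, 1, HOSTILE_TYPE)
    except ValueError as exc:
        print("safe rejected:", exc)
    print("safe:", rows(db))                # table untouched
```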
File Snapshot

```
[4.0K] /data/pocs/4d79dd15d03fd0324a482246bf00e2bc4a04a8c8
└── [2.9K] README.md

0 directories, 1 file
```