Authentication Bypass in Cisco Catalyst SD-WAN Peering Authentication

This repository contains a single Windows C++ exploit program and a README describing CVE-2026-20127 as a Cisco Catalyst SD-WAN authentication bypass. The code is a standalone operational PoC rather than a framework module. Its structure is simple: helper functions convert IPv4 addresses to/from integers for range scanning, a WinHTTP error-reporting helper prints Windows API failures, check_and_exploit_cve_2026_20127() performs target fingerprinting and the bypass attempt, scan_ip_range() iterates over an IPv4 range, and main() provides a minimal interactive CLI with /scan and /exit commands. The exploit capability is limited to network-based HTTPS probing and unauthorized access validation; it does not deliver RCE, persistence, or post-exploitation actions. First, it connects to each target on HTTPS/443 and sends GET / to identify likely Cisco SD-WAN systems by checking response headers for strings such as 'Server: Apache', 'X-VManage-Version', or 'Cisco', and response body markers such as 'Cisco vManage', 'SD-WAN Controller', or 'Cisco Systems, Inc.'. If the host appears relevant, it sends a second GET request to /dataservice/client/admin/settings with forged trust/authentication material: X-Forwarded-For set to 127.0.0.1, X-Authenticated-User set to admin, and fake JSESSIONID/vManageAuthToken cookies. It then treats HTTP 200 plus admin/configuration-related response content, while excluding obvious login-page markers, as evidence of successful bypass. Notable observables include the hardcoded user agent 'KRY5.2_SDWAN_Exploiter/1.0' for the WinHTTP session, the browser-like User-Agent header, the spoofed Referer https://vmanage.example.com/login, and the targeted admin path /dataservice/client/admin/settings. The repository is small, focused, and purpose-built for scanning and validating suspected vulnerable Cisco SD-WAN management hosts over a supplied IPv4 range.

Repository implements a Ruby-based exploit/PoC for CVE-2026-20127 affecting Cisco Catalyst SD-WAN Controller (vSmart) vdaemon DTLS control-plane authentication. The core bug is a trust of an attacker-controlled verify_status byte in the server handler vbond_proc_challenge_ack_ack() for CHALLENGE_ACK_ACK (msg_type=10), combined with an authentication-gate exemption for msg_type=10. The exploit establishes a DTLS 1.2 session to the target (default UDP/12346) using a self-signed certificate (generated or user-supplied), receives a CHALLENGE, then immediately sends a forged CHALLENGE_ACK_ACK with verify_status=1 to force the server to mark the peer authenticated. It then sends a Hello message to confirm the bypass (expects a Hello response). Structure/purpose by file: - bin/vdaemon_exploit: executable entry point that runs the CLI. - lib/vdaemon_exploit/cli.rb: argument parsing and validation; options include target/port, supplying or generating DTLS certs, and supplying or generating an SSH key for injection. - lib/vdaemon_exploit/exploit/runner.rb: orchestrates phases (DTLS handshake, receive CHALLENGE, send forged CHALLENGE_ACK_ACK, send HELLO, optional SSH key injection, keepalive). - lib/vdaemon_exploit/protocol/*: implements the vdaemon 12-byte header, message type constants, TLV encoding, and message bodies: - ChallengeAckAck: 2-byte body with verify_status (non-zero) + reserved. - Hello: constructs a structured hello body with TLVs. - SshKeyInject: builds a fixed-size 769-byte VMANAGE_TO_PEER payload containing a newline-wrapped SSH public key intended to be appended to vmanage-admin authorized_keys. - lib/vdaemon_exploit/transport/dtls_client.rb + dtls_ffi.rb: DTLS client implemented via Fiddle bindings to OpenSSL (DTLS_client_method, memory BIOs) over a connected UDP socket; explicitly disables peer certificate verification. - lib/vdaemon_exploit/crypto/*: generates self-signed X.509 cert/key and RSA SSH keypair; writes artifacts under ./data/ by default. Operational impact/capabilities: - Remote network authentication bypass on the DTLS control-plane protocol (no valid certificate required). - Optional post-bypass action to inject an SSH public key for vmanage-admin, enabling SSH/NETCONF access (example uses TCP/830). No hardcoded C2 infrastructure is present; endpoints are primarily the user-supplied target host and well-known service ports plus local artifact paths.

Repository contains a small, operational PoC exploit chain for alleged CVE-2026-20127 targeting Cisco Catalyst SD-WAN Manager/Controller web interfaces. Structure: - README.md: High-level description of CVE-2026-20127 and claimed impact (pre-auth RCE, SD-WAN fabric compromise). Mentions NETCONF/830 in narrative, but the provided code does not implement NETCONF interaction. - cisco-sdwan.py: Main exploit script. Uses requests.Session with TLS verification disabled. Steps: 1) GETs /reports/data/opt/data/containers/config/data-collection-agent/.dca to retrieve a 32-character DCA key. 2) POSTs to /jts/authenticated/j_security_check with j_username=viptela-reserved-dca and j_password=<dca_key> to obtain an authenticated session. 3) Abuses /dataservice/smartLicensing/uploadAck with a crafted multipart filename containing deep ../../ traversal to write a payload WAR into /var/lib/wildfly/standalone/deployments/<name>.gz.war (WildFly auto-deploy). 4) Attempts command execution by POSTing cmd to the deployed JSP at /cmd.gz/cmd.jsp; if already present, it skips deployment and just executes. - cmd.jsp: JSP webshell that runs arbitrary OS commands via bash -c <cmd> and returns stdout/stderr in the HTTP response. - .github/workflows/clojure.yml: Unrelated CI workflow (references Leiningen/Clojure) and does not match repo contents; likely boilerplate. Exploit capabilities: - Remote, network-based exploitation against a target base URL. - Credential/secret harvesting via unauthenticated file read of a DCA key. - Authentication as a reserved service account. - Arbitrary file write leading to server-side WAR deployment on WildFly. - Post-exploitation arbitrary command execution through a JSP webshell endpoint. Notable indicators/targets: - Specific vManage/vSmart-style endpoints: /reports/data/.../.dca, /jts/authenticated/j_security_check, /dataservice/smartLicensing/uploadAck. - WildFly deployments path: /var/lib/wildfly/standalone/deployments/. - Deployed webshell path: /cmd.gz/cmd.jsp. Overall purpose: Demonstrate an end-to-end RCE chain (secret retrieval -> login -> WAR drop -> webshell) suitable for lab validation and defensive testing, rather than a pure detection script.

Repository contains a small operational exploit for Cisco Catalyst SD-WAN/vManage CVE-2026-20127. Structure: (1) scan.py is the main entry point implementing a multi-threaded bulk exploiter/verifier. It disables TLS warnings, reads target URLs from a file, loads a user-supplied WAR (default cmd.war), and for each target: retrieves a DCA key from /reports/data/.../.dca, logs in via /jts/authenticated/j_security_check as viptela-reserved-dca, then uploads the WAR to /dataservice/smartLicensing/uploadAck using a crafted multipart filename that traverses into /var/lib/wildfly/standalone/deployments/ (WildFly auto-deploy). After upload it verifies deployment by requesting /cmd.gz/cmd.jsp and optionally executing a command (default whoami) by POSTing cmd=<command>. (2) cmd.jsp is a simple JSP webshell that runs arbitrary commands via bash -c and returns stdout/stderr prefixed with "command result". (3) README.md provides usage examples and notes that successful exploitation yields command output at /cmd.gz/cmd.jsp?cmd=whoami, and suggests replacing the WAR with a custom webshell. Overall purpose: bulk exploitation leading to remote command execution by deploying a JSP webshell through an authenticated upload/path traversal chain.

Repository purpose: a Python proof-of-concept exploit for CVE-2026-20127 targeting Cisco Catalyst SD-WAN controllers, chaining an authentication bypass (via DCA key disclosure and reserved account login) with an arbitrary file write/path traversal on an upload endpoint to deploy a WAR-packaged JSP webshell. Structure: - README.md: Describes the attack chain (DCA key discovery -> login -> WAR upload via traversal -> command execution via JSP) and provides CLI usage examples. - exploit.py (entry point): - create_war_from_jsp(): Builds a minimal .war containing the attacker-supplied JSP plus WEB-INF/web.xml. - exploit(): 1) GETs the DCA key from /reports/data/opt/data/containers/config/data-collection-agent/.dca. 2) POSTs credentials to /jts/authenticated/j_security_check using username 'viptela-reserved-dca' and the DCA key as password. 3) Uploads the WAR to /dataservice/smartLicensing/uploadAck using a multipart filename containing directory traversal to write into /var/lib/wildfly/standalone/deployments/. 4) Prints the expected deployment URL. - exec_jsp_command(): Optionally POSTs to the deployed JSP with parameter cmd and checks for the marker string 'command result'. - cmd.jsp: Webshell that executes arbitrary commands via Runtime.exec(["bash","-c",cmd]) and returns stdout/stderr. - requirements.txt: requests, urllib3, and logtext. Notable behaviors/IOCs: - Hardcoded reserved username: viptela-reserved-dca. - Predictable deployment path and URL pattern: /var/lib/wildfly/standalone/deployments/{name}.gz.war and {base}/{name}.gz/{name}.jsp. - Network endpoints used: /.dca key path, j_security_check login, and smartLicensing/uploadAck upload. Overall capability: unauthenticated-to-RCE chain resulting in a persistent web-accessible command execution endpoint (JSP webshell) on the target application server.

Repository contains a small, operational PoC exploit for alleged Cisco SD-WAN pre-auth RCE (claimed CVE-2026-20127). Structure: - README.md: high-level claim and impact notes. - cisco-sdwan.py: main exploit script. It (1) GETs a supposedly web-accessible DCA key from /reports/data/opt/data/containers/config/data-collection-agent/.dca, (2) logs in to /jts/authenticated/j_security_check as the reserved user 'viptela-reserved-dca' using that key, (3) abuses /dataservice/smartLicensing/uploadAck with a crafted multipart filename containing deep directory traversal to write a file into /var/lib/wildfly/standalone/deployments/ as <name>.gz.war, relying on WildFly auto-deploy to publish the app, and (4) attempts command execution by POSTing to the deployed JSP at /cmd.gz/cmd.jsp with parameter cmd. - cmd.jsp: JSP webshell that prints a marker string ("command result") and executes arbitrary OS commands via Runtime.getRuntime().exec(["bash","-c",cmd]), returning stdout and stderr. Notable implementation details/limitations: - The script expects a local file named cmd.war to exist, but the repository only includes cmd.jsp (no WAR packaging instructions or WAR artifact). The exploit therefore requires the operator to build cmd.war containing cmd.jsp. - The upload uses a traversal path embedded in the multipart filename to reach WildFly deployments; success depends on server-side handling of uploaded filenames and permissions. - The script treats exceptions during upload as success (prints "upload ok!") which can mask failures. Overall purpose: achieve remote code execution on a vulnerable Cisco SD-WAN management/controller web application by chaining key disclosure/auth bypass with arbitrary file write to deploy a WAR-based JSP webshell, then execute arbitrary commands over HTTP.