Zyxel Firewall Unauthenticated Command Injection (CVE-2022-30525) #16563
Merged: gwillcox-r7 merged 8 commits into rapid7:master from jbaines-r7:zyxel_ztp_command_injection_cve_2022_30525 on May 13, 2022
Conversation
bcoles reviewed May 12, 2022
bwatters-r7 reviewed May 12, 2022
gwillcox-r7 reviewed May 13, 2022
Revisions look good, and PCAP and video have been verified. Will go ahead and land this after tests pass.
gwillcox-r7 added the rn-modules (release notes for new or majorly enhanced modules) label May 13, 2022
Release Notes: A new module has been added to exploit CVE-2022-30525, an unauthenticated remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. Successful exploitation results in remote code execution as the
This module exploits CVE-2022-30525, an unauthenticated and remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. This module exploits a command injection exposed by the `/ztp/cgi-bin/handler` when handling `setWanPortSt` commands. The module adds OS commands to the `mtu` field of the `setWanPortSt` request in order to achieve command execution as `nobody`.
Affected Zyxel models are:
Check method
The command injection is blind, so I wrote the check function to key off of two elements in the management interface's `index.html`:
I wrote a test server to validate that works across all affected versions. The test server uses some `index.html` I snagged off of Shodan. The `check` function works fine on all of those.
Another Thing
I set the disclosure date to April 28, 2022. That's the date Zyxel released the patched firmware. 🤷
Verification
If you have a test target:
use exploit/linux/http/zyxel_ztp_rce
set RHOST <ip>
check
set LHOST <ip>
run
`nobody` shell
PoC Video || GTFO
https://youtu.be/ATdh-TW934k
PCAP || GTFO
zyxel_cve_2022_30525_twice.zip
Perhaps useful to some, the following Suricata rule triggers for both exploitation attempts in the pcap (one for reverse bash, one for reverse meterpreter).
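As an added example that is not part of the module or this PR, a small Python detector over constructed HTTP request records that flags `setWanPortSt` requests to `/ztp/cgi-bin/handler` whose `mtu` field is not a bare integer, which is the shape the description above attributes to the injection. The record layout and the JSON field names are assumptions, not taken from the module.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional

ZTP_HANDLER = "/ztp/cgi-bin/handler"
# A legitimate MTU is a short bare integer; anything else in that field is suspect.
MTU_OK = re.compile(r"\d{2,5}")

# Constructed sample records as a reverse proxy or WAF might log them.
# Field names in the JSON bodies are an ASSUMPTION about the handler's request format.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "method": "POST", "path": ZTP_HANDLER,
     "body": '{"command":"setWanPortSt","port":"4","proto":"dhcp","mtu":"1500"}'},
    {"src": "198.51.100.7", "method": "POST", "path": ZTP_HANDLER,
     "body": '{"command":"setWanPortSt","port":"4","proto":"dhcp",'
             '"mtu":"1500; CONSTRUCTED_PAYLOAD"}'},
    {"src": "10.0.0.9", "method": "GET", "path": "/index.html", "body": ""},
    {"src": "198.51.100.7", "method": "POST", "path": ZTP_HANDLER,
     "body": "not json at all"},
]


@dataclass
class Finding:
    src: str
    reason: str


def inspect_request(req: dict) -> Optional[Finding]:
    """Return a Finding when a request matches the CVE-2022-30525 pattern."""
    if req.get("path") != ZTP_HANDLER or req.get("method") != "POST":
        return None
    try:
        body = json.loads(req.get("body") or "")
    except json.JSONDecodeError:
        return None  # malformed body; not this signature, leave to other rules
    if not isinstance(body, dict) or body.get("command") != "setWanPortSt":
        return None
    mtu = str(body.get("mtu", ""))
    if MTU_OK.fullmatch(mtu):
        return None
    return Finding(req["src"], f"non-numeric mtu in setWanPortSt: {mtu!r}")


def scan(requests: List[dict]) -> List[Finding]:
    """Run inspect_request over every record and keep the hits."""
    return [f for f in (inspect_request(r) for r in requests) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(f"{finding.src}: {finding.reason}")
```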