
Zyxel Firewall Unauthenticated Command Injection (CVE-2022-30525) #16563

Conversation

jbaines-r7

@jbaines-r7 jbaines-r7 commented May 12, 2022

This module exploits CVE-2022-30525, an unauthenticated and remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. This module exploits a command injection exposed by the /ztp/cgi-bin/handler when handling setWanPortSt commands. The module adds OS commands to the mtu field of the setWanPortSt request in order to achieve command execution as nobody.

Affected Zyxel models are:

  • USG FLEX 50, 50W, 100W, 200, 500, 700 using firmware 5.21 and below
  • USG20-VPN and USG20W-VPN using firmware 5.21 and below
  • ATP 100, 200, 500, 700, 800 using firmware 5.21 and below

Check method

The command injection is blind, so I wrote the check function to key off of two elements in the management interface's index.html:

  • The title tag. It reliably contains the model (e.g. USG FLEX 100).
  • A timestamp indicating when the firmware was compiled. The fixed firmware all have a timestamp of April 20, 2022.

I wrote a test server to validate that works across all affected versions. The test server uses some index.html I snagged off of Shodan. The check function works fine on all of those.

Another Thing

I set the disclosure date to April 28, 2022. That's the date Zyxel released the patched firmware. 🤷

Verification

If you have a test target:

  • Follow setup steps above.
  • Do: use exploit/linux/http/zyxel_ztp_rce
  • Do: set RHOST <ip>
  • Do: check
  • Verify the remote host is vulnerable.
  • Do: set LHOST <ip>
  • Do: run
  • Verify the module acquires a nobody shell

PoC Video || GTFO

https://youtu.be/ATdh-TW934k

PCAP || GTFO

zyxel_cve_2022_30525_twice.zip

Perhaps useful to some, the following Suricata rule triggers for both exploitation attempts in the pcap (one for reverse bash, one for reverse meterpreter).

alert http any any -> any any ( \
    msg:"Possible Zyxel ZTP setWanPortSt mtu Exploit Attempt"; \
    flow:to_server; \
    http.method; content:"POST"; \
    http.uri; content:"/ztp/cgi-bin/handler"; \
    http.request_body; content:"setWanPortSt"; \
    http.request_body; content:"mtu"; \
    http.request_body; pcre:"/mtu[\"']\s*:\s*[\"']\s*[^0-9]+/i"; \
    classtype:misc-attack; \
    sid:221270;)
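As an added example (not part of this PR or of Metasploit), the same heuristic the Suricata rule encodes, written as a small offline detector: it parses raw HTTP requests, keeps only POSTs to /ztp/cgi-bin/handler whose body mentions setWanPortSt, and flags any quoted mtu value that is not purely numeric. The sample requests, their JSON shape and the "INJECTED" marker are constructed for illustration, not taken from the PR's pcap.

```python
import re
from typing import List, Optional, Tuple

# Heuristic mirrored from the Suricata rule above: a POST to the ZTP handler
# whose setWanPortSt request carries a quoted "mtu" value that is not all digits.
MTU_RE = re.compile(r"""mtu["']\s*:\s*["']([^"']*)["']""", re.IGNORECASE)
ZTP_URI = "/ztp/cgi-bin/handler"

def parse_request(raw: bytes) -> Optional[Tuple[str, str, str]]:
    """Split a raw HTTP/1.1 request into (method, uri, body); None if malformed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None
    return parts[0], parts[1], body.decode("utf-8", "replace")

def injected_mtu(raw: bytes) -> Optional[str]:
    """Return the non-numeric mtu value if the request looks like an exploit attempt."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, uri, body = parsed
    if method != "POST" or uri.split("?", 1)[0] != ZTP_URI:
        return None
    if "setWanPortSt" not in body:
        return None
    m = MTU_RE.search(body)
    if m is None:
        return None
    value = m.group(1).strip()
    # A legitimate MTU is digits only; anything else (shell metacharacters,
    # whitespace, an empty string) is treated as suspicious, as the rule does.
    return None if value.isdigit() else value

# Constructed sample traffic (not taken from the PR's pcap); "INJECTED" stands
# in for whatever an attacker would append to the numeric mtu.
SAMPLE_REQUESTS = [
    b"POST /ztp/cgi-bin/handler HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
    b'{"command":"setWanPortSt","mtu":"1500"}',
    b"POST /ztp/cgi-bin/handler HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
    b'{"command":"setWanPortSt","mtu":"1500;INJECTED"}',
    b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
]

def scan(requests: List[bytes]) -> List[Tuple[int, str]]:
    """Return (index, mtu value) for every request flagged as an injection attempt."""
    flagged = [(i, injected_mtu(r)) for i, r in enumerate(requests)]
    return [(i, v) for i, v in flagged if v is not None]
```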

@gwillcox-r7 gwillcox-r7 self-assigned this May 13, 2022
@gwillcox-r7

Revisions look good, and PCAP and video have been verified. Will go ahead and land this after tests pass.

@gwillcox-r7 gwillcox-r7 merged commit 133b9e3 into rapid7:master May 13, 2022
@gwillcox-r7 gwillcox-r7 added the rn-modules release notes for new or majorly enhanced modules label May 13, 2022
@gwillcox-r7

Release Notes

A new module has been added to exploit CVE-2022-30525, an unauthenticated remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. Successful exploitation results in remote code execution as the nobody user.
