
Create unauth-ztp-ping.yaml #7174

Merged (3 commits) May 23, 2023
Conversation

dm-ct (Contributor) commented May 4, 2023

Creates a template that can detect ZyXEL ZTP (Zero Touch Provisioning) interfaces that lack any authentication checks, by using the "ping" feature to force a DNS/ICMP interaction with OAST.

Authentication checks were added in the firmware updates with fixes for CVE-2023-28771.

Note: this does not actively exploit CVE-2023-28771, it just finds hosts that don't have that firmware update due to changes in those updates. See writeup.

A writeup on how this template was created can be found here: https://www.fullspectrum.dev/the-hunt-for-cve-2023-28771-friends-part-2-fingerprinting-handler/

Template Validation

I've validated this template locally?

  • YES
  • NO

Redacted testing output of template with -debug and -verbose flags set, showing it working just fine.

$ ./nuclei -duc -debug -t ./ztpprod.yaml -verbose -u https://[redacted]/

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   2.7.9

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Using Nuclei Engine 2.7.9 (outdated)
[INF] Using Nuclei Templates 9.3.7 (latest)
[INF] Templates added in last update: 58
[INF] Templates loaded for scan: 1
[INF] Using Interactsh Server: oast.live
[DBG] Protocol request variables:
        1. DN => [redacted]
        2. Path => /
        3. Hostname => [redacted]
        4. Scheme => https
        5. RDN => [redacted]
        6. Host => [redacted]
        7. SD => [redacted]
        8. File => /
        9. Port => 443
        10. FQDN => [redacted]
        11. BaseURL => https://[redacted]/
        12. RootURL => https://[redacted]
        13. TLD => [redacted]

[INF] [unauth-ztp-ping] Dumped HTTP request for https://[redacted]/ztp/cgi-bin/handler

POST /ztp/cgi-bin/handler HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Content-Length: 71
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{"command":"ping","dest":"[redacted].oast.live"}
[DBG] Protocol response variables:
        1. ip =>
        2. host => https://[redacted]/
        3. template-info => {ZyXEL USG ZTP Lack of Au .... ap[verified:true] <nil> }
        4. response => HTTP/1.1 200 OK  Connecti .... 427/250.029/0.617 ms\n"}
        5. status_code => 200
        6. content_length => -1
        7. FQDN => [redacted]
        8. template-id => unauth-ztp-ping
        9. content_type => text/html; charset=utf-8
        10. RootURL => https://[redacted]
        11. File => /
        12. request => POST /ztp/cgi-bin/handler .... [redacted].oast.live"}
        13. matched => https://[redacted]/ztp/cgi-bin/handler
        14. duration => 6.688841685
        15. DN => [redacted]
        16. Hostname => [redacted]
        17. Scheme => https
        18. Path => /
        19. interactsh-server => oast.live
        20. TLD => [redacted]
        21. SD => [redacted]
        22. Host => [redacted]
        23. all_headers => HTTP/1.1 200 OK  Connecti .... May 2023 09:18:40 GMT
        24. date => Thu, 04 May 2023 09:18:40 GMT
        25. body => {"message": "Success", "c .... 427/250.029/0.617 ms\n"}
        26. BaseURL => https://[redacted]/
        27. RDN => [redacted]
        28. template-path => /home/[redacted]/ztpprod.yaml
        29. Port => 443
        30. curl-command => curl -X 'POST' -d '{"comm .... [redacted]/ztp/cgi-bin/handler'
        31. header => HTTP/1.1 200 OK  Connecti .... May 2023 09:18:40 GMT
        32. interactsh-id => [redacted]
        33. type => http
        34. interactsh-url => [redacted].oast.live

[DBG] [unauth-ztp-ping] Dumped HTTP response https://[redacted]/ztp/cgi-bin/handler

HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Date: Thu, 04 May 2023 09:18:40 GMT

{"message": "Success", "code": 0, "result": "PING [redacted].oast.live (178.128.210.172) 56(84) bytes of data.\n64 bytes from 178.128.210.172: icmp_seq=1 ttl=42 time=250 ms\n64 bytes from 178.128.210.172: icmp_seq=2 ttl=42 time=249 ms\n64 bytes from 178.128.210.172: icmp_seq=3 ttl=42 time=249 ms\n64 bytes from 178.128.210.172: icmp_seq=4 ttl=42 time=249 ms\n\n--- [redacted].oast.live ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3002ms\nrtt min/avg/max/mdev = 249.062/249.427/250.029/0.617 ms\n"}
[[redacted]] Received DNS interaction from [redacted] at 2023-05-04 09:18:42
------------
DNS Request
------------

;; opcode: QUERY, status: NOERROR, id: 38354
;; flags: cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 1232

;; QUESTION SECTION:
;[redacted].oast.live.   IN       A



------------
DNS Response
------------

;; opcode: QUERY, status: NOERROR, id: 38354
;; flags: qr aa cd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;[redacted].oast.live.   IN       A

;; ANSWER SECTION:
[redacted].oast.live.    3600    IN      A       178.128.210.172

;; AUTHORITY SECTION:
[redacted].oast.live.    3600    IN      NS      ns1.oast.live.
[redacted].oast.live.    3600    IN      NS      ns2.oast.live.

;; ADDITIONAL SECTION:
ns1.oast.live.  3600    IN      A       178.128.210.172
ns2.oast.live.  3600    IN      A       178.128.210.172


[2023-05-04 11:18:47] [unauth-ztp-ping:word-1] [http] [medium] https://[redacted]/ztp/cgi-bin/handler

Creates a template that can detect ZyXEL ZTP (Zero Touch Provisioning) interfaces that lack any authentication checks.
Authentication checks were added in the fixes for CVE-2023-28771
dm-ct and others added 2 commits May 4, 2023 10:54
accidentally left a ?ref tag in a reference.
@pussycat0x added labels good first issue (Good for newcomers) and Done (Ready to merge) May 22, 2023

pussycat0x (Contributor) commented May 22, 2023

Hi @dm-ct, thank you for sharing this template with the community and for your contribution to this project 🚀. I have updated the matcher. Can you check and let me know if it works for you?

DhiyaneshGeek (Member) commented

Hi @dm-ct, thank you so much for sharing this template with the community!

Really appreciate your contribution towards the template project 😄

@DhiyaneshGeek DhiyaneshGeek merged commit 24d1465 into projectdiscovery:main May 23, 2023
2 checks passed