
Cisco RV Series Unauth RCE (CVE-2021-1472/CVE-2021-1473) #16128

Merged
merged 2 commits into from
Feb 1, 2022

Conversation

jbaines-r7 (Contributor) commented:

This module exploits an authentication bypass (CVE-2021-1472) and command injection (CVE-2021-1473) in the Cisco Small Business RV series of VPN/routers. The device does not adequately verify the credentials in the HTTP Authorization field when requests are made to the /upload endpoint. Then the upload.cgi binary will use the contents of the HTTP Cookie field as part of a curl request aimed at an internal endpoint. The curl request is executed using popen and allows the attacker to inject commands via the Cookie field. IoT Inspector has a nice write-up describing the issues.

A remote and unauthenticated attacker using this module is able to achieve code execution as www-data. This module affects the RV340, RV340w, RV345, and RV345P using firmware versions 1.0.03.20 and below.

The one quirky thing about this module is that I experienced stability issues with the armle reverse stager (see #16107). I'm quite confident the module is not to blame (since I recreated without the module). However, since the Meterpreter payload doesn't land 100% of the time, I set the default to a standard unix reverse shell payload.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/linux/http/grandstream_ucm62xx_sendemail_rce
  • set RHOST <ip>
  • check
  • Verify the remote target is flagged as likely vulnerable
  • set LHOST <ip>
  • exploit
  • You should get a reverse shell.

PCAP || GTFO

cisco_rv_rce.zip

Video || GTFO

https://www.youtube.com/watch?v=fqre3sbViXI
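The CVE-2021-1473 pattern described in the PR text above (a CGI handler splicing the Cookie header into a curl command line that is run through popen) is easy to model, and the fix is just as mechanical. The following is an added example written for this page; it is neither the Cisco upload.cgi code nor the Metasploit module. The function names, the allow-listed cookie character set and the INTERNAL_URL placeholder are assumptions, and the injected cookie value is a constructed sample, not a payload taken from the module or the write-up. It shows the vulnerable popen() construction next to a hardened version that validates the cookie and execs curl with an argv so no shell ever parses attacker input.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Placeholder for the internal endpoint the CGI talks to; an assumption,
 * the real URL is not stated on this page. */
#define INTERNAL_URL "http://127.0.0.1/internal"

/* VULNERABLE PATTERN: the raw Cookie header is spliced into a shell command
 * string that will be handed to popen() (i.e. /bin/sh -c). Single quotes do
 * not help: a cookie such as  sid=1'; id #  closes the quote and runs `id`.
 * Returns the length of the command, or -1 on truncation. */
int build_curl_cmd_unsafe(const char *cookie, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "curl -s -b '%s' %s", cookie, INTERNAL_URL);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* The injection point: never call this with untrusted input. Returns the
 * pclose() status, or -1 on error. Not exercised by the stand-alone main(). */
int run_unsafe(const char *cookie)
{
    char cmd[512], buf[256];
    if (build_curl_cmd_unsafe(cookie, cmd, sizeof cmd) < 0) return -1;
    FILE *p = popen(cmd, "r");
    if (!p) return -1;
    while (fgets(buf, sizeof buf, p)) { /* drain output */ }
    return pclose(p);
}

/* HARDENED, step 1: allow-list the cookie before using it anywhere. The
 * character set below is an assumption; tighten it to what the real session
 * cookie format needs. Returns 1 if acceptable, 0 otherwise. */
int cookie_is_safe(const char *cookie)
{
    static const char extra[] = "=;-_.:%/";
    size_t len;
    if (!cookie) return 0;
    len = strlen(cookie);
    if (len == 0 || len > 256) return 0;
    for (const char *c = cookie; *c; c++) {
        unsigned char ch = (unsigned char)*c;
        if (!isalnum(ch) && !strchr(extra, ch)) return 0;
    }
    return 1;
}

/* HARDENED, step 2: pass the cookie as ONE argv element and exec curl
 * directly, so no shell ever parses it. Writes a NULL-terminated argv and
 * returns the argument count, or -1 if argv is too small. */
int build_curl_argv(const char *cookie, char *argv[], int max)
{
    if (max < 6) return -1;
    argv[0] = "curl";
    argv[1] = "-s";
    argv[2] = "-b";
    argv[3] = (char *)cookie;
    argv[4] = INTERNAL_URL;
    argv[5] = NULL;
    return 5;
}

/* fork/execvp replacement for popen(): returns curl's exit status, -2 if the
 * cookie failed validation (nothing is executed), -1 on other errors. */
int run_safe(const char *cookie)
{
    char *argv[6];
    int status;
    pid_t pid;
    if (!cookie_is_safe(cookie)) return -2;
    if (build_curl_argv(cookie, argv, 6) < 0) return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample Cookie header carrying an injection payload. */
    const char *evil = "sid=1'; id #";
    char cmd[512];
    build_curl_cmd_unsafe(evil, cmd, sizeof cmd);
    printf("unsafe popen() command : %s\n", cmd);
    printf("cookie_is_safe(evil)   : %d\n", cookie_is_safe(evil));
    printf("run_safe(evil)         : %d (rejected before any exec)\n", run_safe(evil));
    return 0;
}
```

The two hardening steps are independent: the argv/execvp change alone removes the shell from the picture, and the allow-list alone catches the quote-and-semicolon payload. Doing both is the usual practice in a CGI that builds commands from request headers, since it also protects against curl interpreting an unexpected option-like cookie value.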

```ruby
        },
        'CmdStagerFlavor' => [ 'wget', 'curl' ],
        'DefaultOptions' => {
          'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp'
```
jbaines-r7 (Contributor Author):
I've received review feedback a couple of times to not include this since it's the default value. However, when switching between targets (this module has two), if the default is not set then it needs to be manually entered. For example, if I start off with target 0 ('Unix Command') and switch to 'Linux Dropper' with no default set then the payload will be 'cmd/unix/reverse_netcat', which is obviously not a compatible payload.

Contributor:
This is correct. You can and should set a payload for each target.

@space-r7 space-r7 self-assigned this Jan 31, 2022
@space-r7 space-r7 left a comment:
Code looks good to me. Just left a suggestion regarding the module name in the verification steps in the docs.

…ypass_and_rce.md

Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
@jbaines-r7 (Contributor Author):

> Code looks good to me. Just left a suggestion regarding the module name in the verification steps in the docs.

Got it. Thanks!

@space-r7 space-r7 merged commit 837fdf7 into rapid7:master Feb 1, 2022
@space-r7 space-r7 added docs module rn-modules release notes for new or majorly enhanced modules labels Feb 1, 2022
@space-r7 space-r7 commented Feb 1, 2022

Release Notes

This adds an exploit for various Cisco RV series VPNs / Routers for firmware versions 1.0.03.20 and below. The module exploits both an auth bypass vulnerability and command injection vulnerability to achieve unauthenticated code execution as the www-data user against vulnerable devices.
