Add sploit for Cisco RV340 SSL VPN - CVE-2022-20699 #16169
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools. We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:
You can automate most of these changes with the
Please update your branch after these have been made, and reach out if you have any problems.
@pedrib Given it's unlikely that we will have a copy of this VPN in house, feel free to do your usual and send the PCAPs over when you have a chance 👍
I have one, and planned to test the module out over the weekend.
@jbaines-r7 awesome, thank you. We tested it thoroughly on versions 1.0.03.15 to .03.24 and it worked beautifully, but external validation is always good. If you feel adventurous, try firmwares < 1.0.03.15. We tried the very first firmware released in 2017 (1.0.0-something) and that didn't work, but we might have gone too far back. The 1.0.02.-something series might work. To test the module, do the following:
EDIT: now that I'm thinking, it might be a good idea to add these instructions to the module docs. Those are in the works, although next week I'm a bit busy, might take a while.
@gwillcox-r7 @jbaines-r7 you guys don't have ARMLE encoders for shellcode right? Or did I miss something? EDIT: @timwr told me the ARMLE payloads might be null free already, have to admit we didn't even think of that. However we would have to guarantee that they are always null free for any lhost / lport combination.
Ran a few tests, Metasploit DOES NOT produce ARMLE null free shellcode, and there are no encoders to do so, hence we need to stick to our own shellcode. We also realised that this exploit has a bug in a very specific corner case. We need to modify the shellcode for this specific case, with a similar trick like we do to null the AF_INET struct byte (check the shellcode comment I just added), however bear in mind this will take a while since we're both pretty busy right now.
Validated on 1.0.03.20. Quick and clean, nice exploit ❤️
I'll be happy to test against a wider range of firmware, if desired, once code reviews have been done and the code is in a state that is more likely to be landed.
@jbaines-r7 good to know! Thanks for testing. First let's try and fix that bug with ".0" addresses, once that is done, we'll need to test again a variety of scenarios to check if there's any breakage.
# A null free shellcode is needed, as this memory corruption is done through `strcat()`
#
# SHELLCODE_START:
# // Original shellcode from Azeria's blog
Let's make sure we have all attribution requirements included.
What do you mean?
This is the source of the shellcode: https://azeria-labs.com/tcp-reverse-shell-in-assembly-arm-32-bit/
Sorry; I must have missed this response. We wanted to be super specific and make sure that the shellcode was not licensed in a way that would prevent us from having it in the project.
hey all, the shellcode is now fixed! It should work flawlessly for IP addresses with 0 in any of the 2nd, 3rd or 4th octets. Please test!
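The ".0" octet corner case discussed above, as an added illustration that is not code from the module or the PR: it packs the 32-bit sockaddr_in that a connect() call needs and reports which byte offsets a strcat()-delivered payload would lose, since strcat() stops at the first NUL. The high byte of the AF_INET family is excluded because, per the comment above, the shellcode nulls that byte at run time; the function names and the placeholder value are assumptions of this example.

```python
"""
Why LHOST/LPORT values matter for a strcat()-delivered payload: any 0x00 byte
inside the embedded sockaddr_in truncates everything after it. Layout used is
the standard 32-bit sockaddr_in on a little-endian ARM target: uint16 family in
host order, uint16 port and uint32 address in network byte order.
"""
import ipaddress
import struct

AF_INET = 2
FAMILY_HIGH_BYTE = 1  # offset of the 0x00 high byte of the family field


def sockaddr_in(lhost: str, lport: int) -> bytes:
    """Encode sockaddr_in exactly as connect() expects it (8 bytes, no padding)."""
    addr = int(ipaddress.IPv4Address(lhost))
    return struct.pack("<H", AF_INET) + struct.pack("!H", lport) + struct.pack("!I", addr)


def null_offsets(blob: bytes) -> list:
    """Offsets of every NUL byte in the blob."""
    return [i for i, b in enumerate(blob) if b == 0]


def strcat_survives(payload: bytes) -> bytes:
    """Model what strcat() actually copies: the bytes before the first NUL."""
    i = payload.find(b"\x00")
    return payload if i < 0 else payload[:i]


def embedded_template(lhost: str, lport: int) -> bytes:
    """The struct as it would sit inside the payload: the family high byte is
    carried as a non-NUL placeholder (0xFF here, an assumption) that the
    shellcode overwrites with 0x00 at run time, as the comment above describes."""
    sa = bytearray(sockaddr_in(lhost, lport))
    sa[FAMILY_HIGH_BYTE] = 0xFF
    return bytes(sa)


def connect_back_is_safe(lhost: str, lport: int):
    """(True, []) when no NUL remains after the family-byte trick, else the
    offending offsets: a 0 octet lands at offsets 4..7, a port < 256 at offset 2."""
    nulls = [o for o in null_offsets(sockaddr_in(lhost, lport)) if o != FAMILY_HIGH_BYTE]
    return (not nulls, nulls)


if __name__ == "__main__":
    # Constructed sample: the 10.0.0.2 handler address from the thread above.
    for host, port in (("10.0.0.2", 4444), ("192.168.1.20", 4444), ("192.168.1.20", 80)):
        ok, where = connect_back_is_safe(host, port)
        kept = len(strcat_survives(embedded_template(host, port)))
        print(f"{host}:{port} safe={ok} nul_offsets={where} bytes_copied_by_strcat={kept}/8")
```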
hey everyone, I made a major update - turns out we don't need to flush the caches beforehand, so our shellcode just got smaller. I made some better comments on the module, and added the docs. Please test again!
we're all green woohoo! ready to merge?
@jbaines-r7 Any chance you can take another look at this given you have a test target? @bwatters-r7 Do the changes look good from your end?
Yup! I'll add it to my TODO for this week. I think I'm booked up with writing today :( But tomorrow/Wednesday, I'll work this out again.
The most recent version doesn't appear to be working for me:
10.0.0.5 is the Cisco device on the WAN side and my box (10.0.0.2) should, in theory, be reachable. The version tested was 1.0.03.20.
@jbaines-r7 sorry I completely missed this, thought I had responded.
Hi, could you please share a date (is there any?) when the module will be released?
There's no ETA. In the interim you can download the module files here: https://github.com/rapid7/metasploit-framework/pull/16169/files
Sorry for the delay @pedrib. @gwillcox-r7 this is working. Below there is output and a video. From my point of view, there are minor code changes that would be good but I don't see any reason to hold this up any longer than I've already held it up 🤷 I'll leave my RV340 running so I can retest anything quickly.
…atting. Also update exploit ranking since this exploit doesn't retrieve version information before exploiting and is not 100% reliable so Excellent ranking isn't appropriate
Will land this once tests pass, thanks for testing this @jbaines-r7! Updates were mainly to reduce ranking down to GoodRanking since the exploit isn't 100% reliable so ExcellentRanking isn't appropriate, and it doesn't detect the target version so GreatRanking wasn't appropriate either, and to fix up some minor formatting issues in the markdown for the documentation. Also added in the AutoCheck library so we can automatically detect if the target is a likely candidate or not prior to exploiting.
Release Notes: A new module has been added which exploits CVE-2022-20699, an unauthenticated stack overflow RCE vulnerability in the Cisco RV 340 VPN Gateway router. Successful exploitation results in RCE as the
Thanks everyone, you're awesome!
This pull request adds an exploit for CVE-2022-20699, a fully remote root, which is exploitable over the Internet, for the Cisco RV 340 VPN Gateway router. This vulnerability was used in Pwn2Own Austin 2021 and presented at OffensiveCon 2022 by me and @rdomanski
For more info check our advisory.
Note that we need to use our own shellcode, as Metasploit doesn't have ARMLE encoders for null free shellcode. Or are we wrong? We couldn't find a way!
Anyway, running this module results in a beautiful reverse root shell.