## Vulnerable Application
This module exploits multiple vulnerabilities in order to obtain pre-auth command injection on multiple Zyxel device models.
The exploit chain uses CVE-2023-33012, a command injection vulnerability that can be triggered when uploading a
new configuration to /ztp/cgi-bin/parse_config.py by appending a command to the option ipaddr field.
The command injection is length limited to 0x14 bytes, which is why this exploit also chains a .qsr file write vulnerability: the payload is written to a file, which has no length limit, and is then called through the command injection.
Two caveats of this exploit chain were described by Jacob Baines in the following blog post.
- In order for the target to be vulnerable, Cloud Management Mode (SD-WAN mode) must be enabled (it is not by default).
- The target can only be exploited once due to the order of operations in which the exploit functions.
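
The two weaknesses the chain relies on (an `ipaddr` field that reaches a command line unvalidated, and POSTs to `/ztp/cgi-bin/parse_config.py` that a defender may want to notice) can be illustrated from the defensive side. The following Python is an added example, not code from the Metasploit module or from Zyxel firmware: `validate_ipaddr` shows the strict parsing that would have rejected appended shell text, `build_ip_argv` shows the validated value being passed as a discrete argument rather than interpolated into a shell string (the `ip addr add` command and interface name are assumptions for illustration), and `find_parse_config_requests` scans constructed Apache-style access-log lines for POST requests to the upload endpoint named on the page.

```python
import ipaddress
import re

# Upload endpoint named on the page as the entry point for the command injection.
PARSE_CONFIG_PATH = "/ztp/cgi-bin/parse_config.py"

# Characters that never belong in an IP address and that a shell would interpret.
_SHELL_META = set(";|&`$()<>\n\r'\"\\ \t")


def validate_ipaddr(value: str) -> str:
    """Return the canonical IPv4/IPv6 text for value, or raise ValueError.

    ipaddress.ip_address() only accepts a well-formed address, so any trailing
    text (including the metacharacters above) is rejected before the value can
    reach a command line.  The explicit metacharacter check is belt-and-braces
    and gives a clearer error message.
    """
    if not isinstance(value, str) or len(value) > 45:  # longest textual IPv6 form
        raise ValueError("ipaddr: not a string or too long")
    if any(ch in _SHELL_META for ch in value):
        raise ValueError("ipaddr: contains characters not allowed in an address")
    return str(ipaddress.ip_address(value))


def is_valid_ipaddr(value: str) -> bool:
    """Boolean wrapper around validate_ipaddr for callers that just need a yes/no."""
    try:
        validate_ipaddr(value)
        return True
    except ValueError:
        return False


def build_ip_argv(iface: str, ipaddr: str) -> list:
    """Build an argv list (never a shell string) for a hypothetical address-setup step.

    The command and its shape are assumptions for this example; the point is that
    the validated address is one argument and is never joined into a shell string.
    """
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,15}", iface):
        raise ValueError("iface: unexpected characters")
    return ["ip", "addr", "add", validate_ipaddr(ipaddr), "dev", iface]


# Apache/nginx combined-format access log: source, timestamp, method, path, status.
_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_parse_config_requests(log_lines):
    """Return (source, timestamp, status) for every POST to the parse_config endpoint."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path == PARSE_CONFIG_PATH:
            hits.append((m["src"], m["ts"], m["status"]))
    return hits


# Constructed sample log lines for the example; not captured from a real device.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.55 - - [01/Jan/2024:10:00:05 +0000] "POST /ztp/cgi-bin/parse_config.py HTTP/1.1" 200 17',
    '192.0.2.55 - - [01/Jan/2024:10:00:06 +0000] "POST /ztp/cgi-bin/parse_config.py HTTP/1.1" 500 0',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /ztp/cgi-bin/parse_config.py HTTP/1.1" 405 0',
]


if __name__ == "__main__":
    for candidate in ("192.0.2.1", "2001:db8::1", "192.0.2.1;id", "999.0.0.1"):
        print(f"{candidate!r:20} valid={is_valid_ipaddr(candidate)}")
    print(build_ip_argv("eth0", "192.0.2.1"))
    for hit in find_parse_config_requests(SAMPLE_LOG):
        print("parse_config POST:", hit)
```

On a device that only ever supports out-of-band configuration pushes from its cloud controller, any POST to this path from an unexpected source address, and especially a burst of them ending in a non-200 status, is worth an alert; the module only works once per target, so a failed attempt followed by silence is itself a signal.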
| Product | Affected Versions |
|---|---|
| ATP | V5.10 through V5.36 Patch 2 |
| USG FLEX | V5.00 through V5.36 Patch 2 |
| USG FLEX 50(W) / USG20(W)-VPN | V5.10 through V5.36 Patch 2 |
| VPN | V5.00 through V5.36 Patch 2 |
## Setup
This module was tested against USG Flex Version (???). To test this module you will need to acquire a hardware device running one of the vulnerable firmware versions listed above.
## Verification Steps
- Start msfconsole
- Do: `use zyxel_parse_config_rce`
- Set the `RHOST` and `LHOST`
- Run the module
- Receive a Meterpreter session as the `root` user.