Related vulnerability
Title:
Zyxel USG Series cryptographic issue vulnerability
(CVE-2020-29583)
Description: Zyxel USG Series is a line of firewall appliances for corporate environments from the Chinese company Zyxel (合勤). Zyxel USG devices with firmware version 4.60 contain a security vulnerability: the firmware ships with an undocumented account (zyfwp) that has an unchangeable password. The password for this account can be found in plaintext in the firmware. A user can log in to the SSH server or the web interface with administrator privileges using this account.
Description
Scanner for Zyxel products which are potentially vulnerable due to an undocumented user account (CVE-2020-29583)
Introduction
# Scanner for Zyxel products which are vulnerable due to an undocumented user account (CVE-2020-29583)
Vuln details: https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html (But I'm not sure if it's really possible to login with zyfwp via the web interface? Any reports would be appreciated. Also the link to the "full list of affected devices" misses NXC2500 and NXC5500.)
Fingerprinting the vulnerable version is done via certain strings in index.html, e.g. v=200406233228 is a vulnerable USG40. The scanner reliably finds the vulnerable firmware version on these devices:
* USG40
* ZyWALL 110
* ZyWALL 310
* ZyWALL 1100
These strings are unique per model and I don't know them for the rest of the models (Zyxel has deleted the vulnerable firmware version from their servers). For all other boxes, the scanner only checks whether the device model is potentially vulnerable.
The scanner doesn't try the password for legal reasons, but feel free to do that on any devices you found in your own networks. (Username: zyfwp Password: PrOw!aN_fXp)
If you need to look into the firmware, decryption still works as it did in 2010: https://www.redteam-pentesting.de/de/advisories/rt-sa-2011-003/-authentication-bypass-in-configuration-import-and-export-of-zyxel-zywall-usg-appliances, nicely described in https://twitter.com/cybercdh/status/1345654215654461440
The scanner is multithreaded and can parse files containing CIDR netmasks, but for bigger networks you still might want to use nmap to find open TCP 443 ports before vuln scanning them.
Default port for vuln scanning is TCP 443, change with --port.
Devices found using this script:
* USG20-VPN
* USG20W-VPN
* USG40
* USG40W
* USG60
* USG60W
* USG110
* USG210
* USG310
* USG1100
* USG1900
* USG2200
* Any ZyWALL
* ZyWALL 110
* ZyWALL 310
* ZyWALL 1100
* ATP100
* ATP100W
* ATP200
* ATP500
* ATP700
* ATP800
* VPN50
* VPN100
* VPN300
* VPN1000
* USG FLEX
* FLEX 100
* FLEX 100W
* FLEX 200
* FLEX 500
* FLEX 700
* NXC2500
* NXC5500
# Usage
The scanner can parse:
* IPs
* CIDR notations, for example: 192.168.1.0/24
* Hostnames
* Routing AS, e.g. as1234
* Plaintext files containing anything of the above, one entry per line, passed as file:netlist.txt
```
Example: python3 scan_CVE-2020-29583.py 192.168.1.1/24 # vuln scan for CVE-2020-29583 on TCP 443
Example2: python3 scan_CVE-2020-29583.py 192.168.1.1/24 --port 8443 # same scan against a non-default HTTPS port
Example3: python3 scan_CVE-2020-29583.py 192.168.1.1
Example4: python3 scan_CVE-2020-29583.py fakewebsiteaddress.com
Example5: python3 scan_CVE-2020-29583.py as15169
Example6: python3 scan_CVE-2020-29583.py file:hostfile.txt
usage: scan_CVE-2020-29583.py [-h] [--port PORT]
                              [--verbose]
                              target
```
No installation required.
Debian/Kali needs: apt-get install python3-netaddr
For performance tuning you can change the threading parameters in the script at "kind of config".
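The two pieces the README describes, expanding the accepted target formats (IPs, CIDR, hostnames, `as1234`, `file:` lists) and fingerprinting a fetched `index.html` by its `v=` version tag, are shown below as an added example for inventorying your own network. This is not the scanner's own code. It assumes: only the `v=200406233228` tag for the USG40 is known (as the README states); model detection from the HTML `<title>` is a hypothetical heuristic, since the page does not say how the real scanner identifies models; AS numbers are returned unresolved because the prefix lookup needs an external service; the sample HTML is constructed, and no network requests are made.

```python
"""Offline helpers for a CVE-2020-29583 asset inventory check (added example,
not the scanner's code). Uses only the standard library (no netaddr)."""
import ipaddress
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Version tag the README gives for a vulnerable USG40 on firmware 4.60.
# Tags for other models are not on the page, so this mapping is deliberately short.
VULNERABLE_VERSION_TAGS: Dict[str, str] = {"200406233228": "USG40"}

# Model families the README lists as potentially affected (substring match).
POTENTIALLY_AFFECTED_MODELS = ("USG", "ZyWALL", "ATP", "VPN", "FLEX", "NXC")

_VERSION_RE = re.compile(r"[?&]v=(\d{12})\b")
# Assumption for this example: the device model appears in <title>.
_TITLE_RE = re.compile(r"<title>\s*(.*?)\s*</title>", re.IGNORECASE | re.DOTALL)
_AS_RE = re.compile(r"^as\d+$", re.IGNORECASE)
_HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)

# Constructed sample page, not captured from a real device.
SAMPLE_INDEX_HTML = (
    "<html><head><title>USG40</title>"
    '<script src="/static/app.js?v=200406233228"></script>'
    "</head><body></body></html>"
)


def fingerprint_index_html(body: str) -> Tuple[str, Optional[str]]:
    """Classify a fetched index.html body.

    Returns ("vulnerable", model) only for version tags listed as known,
    ("potentially", title) when the title names an affected model family,
    and ("unknown", None) otherwise.
    """
    m = _VERSION_RE.search(body)
    if m and m.group(1) in VULNERABLE_VERSION_TAGS:
        return "vulnerable", VULNERABLE_VERSION_TAGS[m.group(1)]
    t = _TITLE_RE.search(body)
    if t:
        title = t.group(1)
        for family in POTENTIALLY_AFFECTED_MODELS:
            if family.lower() in title.lower():
                return "potentially", title
    return "unknown", None


def parse_targets(
    entries: Iterable[str],
    read_file: Optional[Callable[[str], Iterable[str]]] = None,
) -> Tuple[List[str], List[str]]:
    """Expand README-style target specs into (hosts, unresolved).

    hosts: concrete IP addresses and hostnames ready to be checked.
    unresolved: AS numbers (e.g. as15169); resolving them to prefixes needs
    an external lookup that this offline example does not perform.
    read_file is injected so file: entries can be read without touching disk.
    """
    hosts: List[str] = []
    unresolved: List[str] = []
    for raw in entries:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue  # blank lines and comments in a netlist file
        if entry.lower().startswith("file:"):
            if read_file is None:
                raise ValueError("file: entries need a read_file callable")
            sub_hosts, sub_unresolved = parse_targets(read_file(entry[5:]), read_file)
            hosts.extend(sub_hosts)
            unresolved.extend(sub_unresolved)
            continue
        if _AS_RE.match(entry):
            unresolved.append(entry.lower())
            continue
        if "/" in entry:
            # strict=False accepts 192.168.1.1/24 and normalises it to 192.168.1.0/24;
            # hosts() skips the network and broadcast addresses.
            net = ipaddress.ip_network(entry, strict=False)
            hosts.extend(str(h) for h in net.hosts())
            continue
        try:
            hosts.append(str(ipaddress.ip_address(entry)))
            continue
        except ValueError:
            pass
        if _HOSTNAME_RE.match(entry):
            hosts.append(entry.lower())
            continue
        raise ValueError(f"unrecognised target: {entry!r}")
    return hosts, unresolved


if __name__ == "__main__":
    print(fingerprint_index_html(SAMPLE_INDEX_HTML))
    print(parse_targets(["192.168.1.1/30", "10.0.0.5", "as15169"]))
```

In a real run you would fetch `https://<host>:443/` (or the port chosen with `--port`) for every entry in `hosts` and pass the body to `fingerprint_index_html`; a "potentially" result means the model is on the affected list but the firmware version could not be confirmed from the page, so the device still needs a manual firmware check.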
File snapshot
[4.0K] /data/pocs/b93e2464c1eb9d6145467f5acdc1327b2042eaf3
├── [ 34K] LICENSE
├── [2.9K] README.md
└── [9.3K] scan_CVE-2020-29583.py
0 directories, 3 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is unavailable or cannot be accessed, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.