CVE-2022-31749 PoC — WatchGuard Fireware OS Security Vulnerability

Source
Associated Vulnerability
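Title: WatchGuard Fireware OS Security Vulnerability (CVE-2022-31749)
Description: WatchGuard Fireware OS is software from the US company WatchGuard that runs on Firebox appliances. WatchGuard Fireware OS contains a security vulnerability. An attacker can exploit it to upload files to, or read files from, arbitrary locations on WatchGuard Firebox and XTM appliances using unprivileged credentials.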
Description
Simple PoC-checker for CVE-2022-31749 by 1vere$k
Readme
# CVE-2022-31749 by 1vere$k
Simple PoC-checker for CVE-2022-31749 by 1vere$k.  
It exploits a parameter injection vulnerability in the `WatchGuard` SSH interface.  
The vulnerability allows a low privileged user to exfiltrate arbitrary system files to an attacker controlled FTP server.  
Fortunately, there is a built-in low-privileged user named `status` that this script defaults to.  
It isn't unreasonable to assume that the `status` user will use the password `readonly`, but it isn't required.

The exploit exfiltrates the user file `configd-hash.xml`.  
This file contains hashed user passwords.  
The hashes are simply unsalted MD4. @funoverip [described](https://web.archive.org/web/20160522043540/http://funoverip.net/2013/09/cracking-watchguard-passwords/) using hashcat to crack the hashes in this file all the way back in 2013.

## Installing

```
git clone https://github.com/iveresk/cve-2022-31749.git
cd cve-2022-31749
chmod +x *.sh
./setup.sh
```

## Usage

```
	echo "-------------------Welcome-to-CVE-2022-31749-by-1veresk----------------+";
	echo "+----------------------------------------------------------------------+";
	echo "+-------------------For-The-Help---------------------------------------+";
	echo "Example#1: ./cve-2022-31749.sh -h--------------------------------------+";
	echo "Example#2: ./cve-2022-31749.sh --help----------------------------------+";
	echo "+-------------------For-The-URL-Check----------------------------------+";
	echo "Example#1: ./cve-2022-31749.sh -u <IP> <PASSWORD> [Default is 'readonly'";
	echo "+-------------------For-The-File-Check---------------------------------+";
	echo "Example#1: ./cve-2022-31749.sh -f <FILENAME>-<PASSFILE>----------------+";
	echo "+----------------------------------------------------------------------+";
```

## Contact
You are free to contact me via [Keybase](https://keybase.io/1veresk) for any details. 
File Snapshot

```
[4.0K] /data/pocs/fc7638010494cf7c9ca28f4d4f689cab4e47c384
├── [2.1K] cve-2022-31749.sh
├── [1.0K] LICENSE
├── [  68] passwords-example
├── [1.9K] README.md
└── [  87] setup.sh

0 directories, 5 files
```