2023-05-04 09:14:16 +00:00
id : unauth-ztp-ping
info :
2023-05-22 15:28:34 +00:00
name : Unauthenticated ZyXEL USG ZTP - Detect
author : dmartyn
severity : high
2023-05-04 09:14:16 +00:00
description : |
Make a ZyXEL USG with ZTP support, pre CVE-2023-28771 patch, do a DNS lookup by asking it to make an ICMP request.
This template can be used to detect hosts potentially vulnerable to CVE-2023-28771, CVE-2022-30525, and other issues, without actually exploiting the vulnerability.
reference :
- https://www.fullspectrum.dev/the-hunt-for-cve-2023-28771-friends-part-2-fingerprinting-handler/
2023-05-04 09:54:09 +00:00
- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-remote-command-injection-vulnerability-of-firewalls
2023-05-04 09:14:16 +00:00
metadata :
2023-06-03 18:56:35 +00:00
max-request : 1
2023-05-22 15:28:34 +00:00
shodan-query : title:"USG FLEX"
2023-06-04 08:13:42 +00:00
verified : true
2023-05-22 15:28:34 +00:00
tags : misconfig,unauth,zyxel,ztp,rce,oast
2023-05-04 09:14:16 +00:00
2023-05-22 15:28:34 +00:00
http :
2023-05-04 09:14:16 +00:00
- raw :
2023-05-22 15:28:34 +00:00
- |
2023-05-04 09:14:16 +00:00
POST /ztp/cgi-bin/handler HTTP/1.1
Host : {{Hostname}}
Content-Type : application/json
{"command" : "ping" , "dest" : "{{interactsh-url}}" }
2023-05-22 15:28:34 +00:00
matchers-condition : and
2023-05-04 09:14:16 +00:00
matchers :
- type : word
2023-05-22 15:28:34 +00:00
part : interactsh_protocol
2023-05-04 09:14:16 +00:00
words :
- "dns"
2023-05-22 15:28:34 +00:00
- type : word
part : body
words :
- "message"
- "result"
condition : and
- type : status
status :
- 200