From f998a28e12be370a1117c208e404306abb1edd2f Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Mon, 22 May 2023 20:58:34 +0530 Subject: [PATCH] Update unauth-ztp-ping.yaml --- .../zyxel/unauth-ztp-ping.yaml | 30 ++++++++++++------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/http/vulnerabilities/zyxel/unauth-ztp-ping.yaml b/http/vulnerabilities/zyxel/unauth-ztp-ping.yaml index 81c71616c6..c5f90e7bfb 100644 --- a/http/vulnerabilities/zyxel/unauth-ztp-ping.yaml +++ b/http/vulnerabilities/zyxel/unauth-ztp-ping.yaml @@ -1,7 +1,9 @@ id: unauth-ztp-ping info: - name: ZyXEL USG ZTP Lack of Authentication + name: Unauthenticated ZyXEL USG ZTP - Detect + author: dmartyn + severity: high description: | Make a ZyXEL USG with ZTP support, pre CVE-2023-28771 patch, do a DNS lookup by asking it to make an ICMP request. This template can be used to detect hosts potentially vulnerable to CVE-2023-28771, CVE-2022-30525, and other issues, without actually exploiting the vulnerability. @@ -10,24 +12,32 @@ info: - https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-remote-command-injection-vulnerability-of-firewalls metadata: verified: "true" - author: dmartyn - severity: medium - tags: misconfig,unauth,zyxel,ztp + shodan-query: title:"USG FLEX" + tags: misconfig,unauth,zyxel,ztp,rce,oast -requests: +http: - raw: - - | # try resolve + - | POST /ztp/cgi-bin/handler HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 Content-Type: application/json - Connection: close {"command":"ping","dest":"{{interactsh-url}}"} - + matchers-condition: and matchers: - type: word - part: interactsh_protocol # Confirms the DNS Interaction + part: interactsh_protocol words: - "dns" + + - type: word + part: body + words: + - "message" + - "result" + condition: and + + - type: status + status: + - 200