wikiiop.blogg.se

Download Hack Watchguard License Keys

A remote and low-privileged WatchGuard Firebox or XTM user can read arbitrary system files when using the SSH interface due to an argument injection vulnerability affecting the diagnose command. Additionally, a remote and highly privileged user can write arbitrary system files when using the SSH interface due to an argument injection affecting the import pac command. Rapid7 reported these issues to WatchGuard, and the vulnerabilities were assigned CVE-2022-31749. On June 23, WatchGuard published an advisory and released patches in Fireware OS 12.8.1, 12.5.10, and 12.1.4.

WatchGuard Firebox and XTM appliances are firewall and VPN solutions ranging in form factor from tabletop, rack mounted, virtualized, and “rugged” ICS designs. The appliances share a common underlying operating system named Fireware OS.

At the time of writing, there are more than 25,000 WatchGuard appliances with their HTTP interface discoverable on Shodan. There are more than 9,000 WatchGuard appliances exposing their SSH interface.

In February 2022, GreyNoise and CISA published details of WatchGuard appliances vulnerable to CVE-2022-26318 being exploited in the wild. Rapid7 discovered CVE-2022-31749 while analyzing the WatchGuard XTM appliance for the writeup of CVE-2022-26318 on AttackerKB.

This issue was discovered by Jake Baines of Rapid7, and it is being disclosed in accordance with Rapid7's vulnerability disclosure policy.

Vulnerability details

CVE-2022-31749 is an argument injection into the ftpput and ftpget commands. The arguments are injected when the SSH CLI prompts the attacker for a username and password when using the diagnose or import pac commands. For example:

WG>diagnose to ftp://test/test

The “Name” and “Password” values are not sanitized before they are combined into the “ftpput” and “ftpget” commands and executed via librmisvc.so. Execution occurs using execle, so command injection isn’t possible, but argument injection is.

Using this injection, an attacker can upload and download arbitrary files. File writing turns out to be less useful than an attacker would hope.
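The class of bug described above, as an added illustration (not code from Rapid7 or WatchGuard): a weak argv builder next to a hardened one. It assumes a BusyBox-style `ftpput -u USER -p PASS HOST REMOTE LOCAL` syntax and assumes the command is formatted as one string and split on spaces; the page does not say how librmisvc.so assembles it. All function names and sample values are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 16

/* Weak pattern (assumed): format one command string, then split on spaces.
   Text typed at the Name/Password prompt can turn into extra argv entries. */
int split_combined(char *buf, size_t buflen, const char *argv[],
                   const char *name, const char *pass, const char *host,
                   const char *remote, const char *local)
{
    int argc = 0;
    snprintf(buf, buflen, "ftpput -u %s -p %s %s %s %s",
             name, pass, host, remote, local);
    for (char *tok = strtok(buf, " "); tok && argc < MAX_ARGS - 1;
         tok = strtok(NULL, " "))
        argv[argc++] = tok;
    argv[argc] = NULL;
    return argc;
}

/* Reject empty values and control characters; operands must not start with '-'. */
static int clean(const char *s, int is_operand)
{
    if (!s || !*s || (is_operand && *s == '-'))
        return 0;
    for (; *s; s++)
        if ((unsigned char)*s < 0x20 || *s == 0x7f)
            return 0;
    return 1;
}

/* Hardened pattern: one user value per argv slot, never re-split, and
   positional operands placed after "--". argv needs room for 10 entries. */
int build_argv(const char *argv[], const char *name, const char *pass,
               const char *host, const char *remote, const char *local)
{
    if (!clean(name, 0) || !clean(pass, 0) || !clean(host, 1) ||
        !clean(remote, 1) || !clean(local, 1))
        return -1;
    const char *fixed[] = { "ftpput", "-u", name, "-p", pass, "--",
                            host, remote, local, NULL };
    memcpy(argv, fixed, sizeof fixed);
    return 9;
}
```

With the hardened builder the argument count is fixed at nine regardless of what is typed at the prompts, so the resulting vector can be handed to an exec-family call without the user values being reinterpreted as options.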







