
Nday Exploit for ZyXEL NAS


Vulns
Vulnerability Broker
Banned
Registered: 17.01.2019
ZyXEL NAS pre-auth RCE via OS Command Injection
Price: $10,000
Description:
1. Item name : ZyXEL NAS pre-auth RCE via OS Command Injection
1. Affected OS: NAS Vulnerable Firmware Version: Firmware Release V5.21(AAZF.5)C0 (latest) and all precedent releases
NAS Vulnerable Models: NAS542, NAS540, NAS520, NAS326, NSA325 v2, NSA325, NSA320S, NSA320, NSA310S, NSA310, NSA221, NSA220+, NSA220, NSA2107
The vulnerability can also be tweaked to exploit firewalls. Firewall Vulnerable Firmware Version: UTM, ATP, and VPN firewalls running firmware version ZLD V4.35 Patch 0 through ZLD V4.35 Patch 2. Those with firmware versions before ZLD V4.35 Patch 0 are NOT affected.
Firewall Vulnerable Models: ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200, VPN50, VPN100, VPN300, VPN1000, ZyWALL110, ZyWALL310, ZyWALL1100

2. Vulnerable Target application versions and reliability.
List complete point release range. See previous ranges.

3. Tested, functional against target application versions, list complete point release range.
See previous ranges.

4. Does this exploit affect the current target version?
[ ] Yes
[x] No, see previous ranges

5. Privilege Level Gained
[ ] As logged in user (Select Integrity level below for Windows)
[ ] Web Browser's default (IE - Low, Others - Med)
[ ] Low
[ ] Medium
[ ] High
[X] Root, Admin or System
[ ] Ring 0/Kernel
[ ] Other

6. Minimum Privilege Level Required For Successful PE
[ ] As logged in user (Select Integrity level below for Windows)
[ ] Low
[ ] Medium
[ ] High
[ ] N/A
[X] Other, unauthenticated user

7. Exploit Type (select all that apply)
[X] Remote code execution
[ ] Privilege escalation
[ ] Font based
[ ] Sandbox escape
[ ] Information disclosure (peek)
[ ] Code signing bypass
[ ] Persistency
[ ] Other ____________________

8. Delivery Method
[ ] Via web page
[ ] Via file
[X] Via network protocol
[ ] Local privilege escalation
[ ] Other (please specify) ____________________

9. Bug Class
[ ] memory corruption
[X] design/logic flaw (auth-bypass / update issues)
[ ] input validation flaw (XSS/XSRF/SQLi/command injection, etc.)
[ ] misconfiguration
[ ] information disclosure
[ ] cryptographic bug
[ ] denial of service

10. Number of bugs exploited in the item: 1
11. Exploitation Parameters
[ ] Bypasses ASLR
[ ] Bypasses DEP / W ^ X
[ ] Bypasses Application Sandbox
[ ] Bypasses SMEP/PXN
[ ] Bypasses EMET Version 5.52±
[ ] Bypasses CFG (Win 8.1)
[X] N/A, not necessary

12. Is ROP employed?
[X] No
[ ] Yes (but without fixed addresses)

13. Does this item alert the target user?
No

14. How long does exploitation take, in seconds? max. 10 seconds

15. Does this item require any specific user interactions? No

16. Any associated caveats or environmental factors? For example - does the exploit determine
remote OS/App versioning, and is that required? Any browser injection method requirements?
For files, what is the access mode required for success?
Exploit will determine remote version

17. Does it require additional work to be compatible with arbitrary payloads?
[X] Yes
[ ] No

18. Is this a finished item you have in your possession that is ready for delivery immediately?
[X] Yes
[ ] No
[ ] 1-5 days
[ ] 6-10 days
[ ] More: ___________________________

19. Success rate (or number of necessary attempts) 100%

20. Does this item support continuation of execution? Yes

21. Description. Detail a list of deliverables including documentation. Video PoC, PoC, documentation, post support and automatic python exploit wizard (point and click)

22. Comments and other notes; unusual artifacts, other limitations, mitigations or other pieces of information : N/A

Mentioned in Krebs on Security:

https://krebsonsecurity[.]com/2020/02/zyxel-fixes-0day-in-network-storage-devices/
https://krebsonsecurity[.]com/2020/02/zyxel-0day-affects-its-firewall-products-too/

Firewall Vulnerable Models
  • ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200, VPN50, VPN100, VPN300, VPN1000, ZyWALL110, ZyWALL310, ZyWALL1100
NAS Vulnerable Firmware Version
  • Firmware Release V5.21(AAZF.5)C0 (latest) and all precedent releases
NAS Vulnerable Models
  • NAS542, NAS540, NAS520, NAS326, NSA325 v2, NSA325, NSA320S, NSA320, NSA310S, NSA310, NSA221, NSA220+, NSA220, NSA210

For details, contact via Jabber:
arimf@jabb.im

Deals strictly through a guarantor, at your expense.