Rapid7 Vulnerability & Exploit Database

Cisco RV340 SSL VPN Unauthenticated Remote Code Execution



Disclosed
02/02/2022
Created
05/11/2022

Description

This module exploits a stack buffer overflow in the SSL VPN functionality of Cisco RV series routers. The default SSL VPN configuration is exploitable, requires no authentication, and works over the Internet! The stack is executable and no ASLR is in place, which makes exploitation easier. Successful execution of this module results in a reverse root shell. A custom payload is used because Metasploit does not have null-free ARMLE shellcode. This vulnerability was presented by the Flashback Team at Pwn2Own Austin 2021 and OffensiveCon 2022. For more information, check the referenced advisory. This module has been tested on firmware versions 1.0.03.15 and above and works with around 65% reliability. The service restarts automatically, so you can keep trying until you pwn it. Only the RV340 router was tested, but other RV series routers should work out of the box.

Author(s)

  • Pedro Ribeiro <pedrib@gmail.com>
  • Radek Domanski <radek.domanski@gmail.com>

Platform

Linux

Architectures

armle

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/linux/misc/cisco_rv340_sslvpn
msf exploit(cisco_rv340_sslvpn) > show targets
    ...targets...
msf exploit(cisco_rv340_sslvpn) > set TARGET <target-id>
msf exploit(cisco_rv340_sslvpn) > show options
    ...show and set options...
msf exploit(cisco_rv340_sslvpn) > exploit
