Cisco Enterprise Router Vulnerability CVE-2023-20073 Reproduction
916 characters · 2025-09-01 11:26:10
Cisco Enterprise Router Vulnerability CVE-2023-20073: Reproduction and Analysis
Vulnerability Overview
The latest firmware of four Cisco router models, the RV340, RV340W, RV345 and RV345P, contains an unauthenticated arbitrary file upload vulnerability. An attacker can upload a file into the /tmp/upload directory without authenticating, then abuse a flaw in the upload.cgi program to ultimately achieve a stored XSS attack.
Preparation
Obtaining and Extracting the Firmware
- Firmware download: Cisco Systems Software Download
- Install the extraction tool:

  ```bash
  sudo apt-get install binwalk
  ```
- Extract the firmware:

  ```bash
  binwalk -Me <firmware-file>
  ```
- After extraction, enter the unpacked file system:

  ```bash
  cd _<firmware-file>.extracted/squashfs-root/rootfs
  ```
Setting Up the QEMU Environment
- Download the required QEMU files:
  - Visit the QEMU ARM image index
  - Download the following three files:
    - debian_wheezy_armhf_standard.qcow2
    - initrd.img-3.2.0-4-vexpress
    - vmlinuz-3.2.0-4-vexpress
- Create the startup script qemu_start.sh:

  ```bash
  #!/bin/bash
  qemu-system-arm -M vexpress-a9 \
    -kernel vmlinuz-3.2.0-4-vexpress \
    -initrd initrd.img-3.2.0-4-vexpress \
    -drive if=sd,file=debian_wheezy_armhf_standard.qcow2 \
    -append "root=/dev/mmcblk0p2 console=ttyAMA0" \
    -net nic -net tap,ifname=tap0,script=no,downscript=no \
    -nographic
  ```
- Network configuration:

  ```bash
  sudo brctl addbr br0
  sudo ifconfig br0 up
  sudo tunctl -t tap0
  sudo ifconfig tap0 up
  sudo brctl addif br0 tap0
  ```
- Start QEMU:

  ```bash
  chmod +x qemu_start.sh
  ./qemu_start.sh
  ```
  Login credentials: username root, password root.
Vulnerability Analysis
Nginx Configuration Analysis
- File upload configuration (/etc/nginx/conf.d/rest.url.conf):

  ```nginx
  location /api/operations/ciscosb-file:form-file-upload {
      if ($http_authorization = "") {
          return 403;
      }
      upload_pass /form-file-upload;
      upload_store /tmp/upload;
      upload_store_access user:rw group:rw all:rw;
      upload_set_form_field $upload_field_name.name "$upload_file_name";
      upload_set_form_field $upload_field_name.content_type "$upload_content_type";
      upload_set_form_field $upload_field_name.path "$upload_tmp_path";
      upload_aggregate_form_field "$upload_field_name.md5" "$upload_file_md5";
      upload_aggregate_form_field "$upload_field_name.size" "$upload_file_size";
      upload_cleanup 400 404 499 500-505;
  }
  ```
  Note that this `if` only checks that an Authorization header is present, not that its value is valid.
- Upload check (/etc/nginx/conf.d/web.upload.conf):

  ```nginx
  location /upload {
      if (!-f "/tmp/websession/token/$cookie_sessionid") {
          return 403;
      }
      # regex check to prevent directory traversal
      upload_pass /form-file-upload;
  }
  ```
uWSGI Configuration
Contents of /etc/uwsgi/upload.ini:

```ini
[uwsgi]
plugins = cgi
socket = 127.0.0.1:9003
cgi = /www/cgi-bin/upload.cgi
cgi-timeout = 30
```
The Vulnerable Point in upload.cgi
Analyzing /www/cgi-bin/upload.cgi in IDA:
- The main vulnerable function is sub_115EC, which contains:

  ```c
  system("mv -f a2 v8/a3");
  ```
  where:
  - a2 can be controlled to be the uploaded file's path
  - v8 can be controlled to be /tmp/www
  - a3 can be controlled to be login.html
- By constructing these parameters, the following command can be reached:

  ```bash
  mv -f /tmp/upload/xxx /www/login.html
  ```
  which replaces the router's login page.
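As an added illustration (not code from this post or from the Cisco firmware), the following shows how the move in sub_115EC can be done without passing any of a2, v8 or a3 through a shell and without letting the caller choose the destination directory. UPLOAD_DIR is the nginx upload_store shown above; DEST_DIR, the function names and the 64-character limit are assumptions made for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* UPLOAD_DIR is the nginx upload_store from rest.url.conf. DEST_DIR is an
 * assumption for this example: a fixed target directory, never the web root,
 * replacing the caller-controlled v8. */
#define UPLOAD_DIR "/tmp/upload/"
#define DEST_DIR   "/tmp/upload/verified/"

/* A bare file name: 1..64 chars of [A-Za-z0-9._-], not starting with '.'.
 * Rejects "/", "..", spaces, shell metacharacters and the empty string. */
bool safe_name(const char *name) {
    size_t n = strlen(name);
    if (n == 0 || n > 64 || name[0] == '.') return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return false;
    }
    return true;
}

/* Hardened replacement for system("mv -f a2 v8/a3") in sub_115EC:
 *  - a2 (src_path) must be a bare name directly inside UPLOAD_DIR;
 *  - v8 (destination directory) is fixed to DEST_DIR, not taken from input;
 *  - a3 (dst_name) must be a bare name, so a name such as "login.html"
 *    lands in DEST_DIR and can never overwrite /www/login.html;
 *  - rename(2) does the move, so no input string ever reaches a shell.
 * Returns 0 on success, -EINVAL for rejected input, -errno from rename(). */
int safe_move(const char *src_path, const char *dst_name) {
    size_t plen = strlen(UPLOAD_DIR);
    if (strncmp(src_path, UPLOAD_DIR, plen) != 0) return -EINVAL;
    const char *src_name = src_path + plen;
    if (!safe_name(src_name) || !safe_name(dst_name)) return -EINVAL;

    char dst[256];
    int w = snprintf(dst, sizeof dst, "%s%s", DEST_DIR, dst_name);
    if (w < 0 || w >= (int)sizeof dst) return -EINVAL;
    return rename(src_path, dst) == 0 ? 0 : -errno;
}
```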
Reproduction Steps
1. Prepare the Environment
- Copy the modified upload.cgi and gdbserver into the QEMU virtual machine:

  ```bash
  scp upload.cgi root@<QEMU_IP>:/root/rootfs/www/cgi-bin/
  scp gdbserver-7.7.1-armel-eabi5-v1-sysv root@<QEMU_IP>:/root/
  ```
- Set permissions:

  ```bash
  chmod +x /root/gdbserver-7.7.1-armel-eabi5-v1-sysv
  ```
- Edit the upload.ini configuration:

  ```bash
  nano /etc/uwsgi/upload.ini
  ```
  and increase the cgi-timeout value (for example to 300).
2. Debugging Setup
- Start gdbserver:

  ```bash
  /root/gdbserver-7.7.1-armel-eabi5-v1-sysv :1234 /www/cgi-bin/upload.cgi
  ```
- On the host machine, create the debugging script mygdb.sh:

  ```
  target remote <QEMU_IP>:1234
  file upload.cgi
  set architecture arm
  b *0x115EC
  ```