Simple PoC-checker for CVE-2022-31749 by 1vere$k.
It exploits a parameter injection vulnerability in the WatchGuard SSH interface.
The vulnerability allows a low privileged user to exfiltrate arbitrary system files to an attacker controlled FTP server.
Fortunately, there is a builtin low privileged user named status that this script defaults to.
It isn't unreasonable to assume that the status user will use a password of readonly, but it isn't required.
The exploit exfiltrates the user file configd-hash.xml.
This file contains hashed user passwords.
The hashes are simply unsalted MD4. @funoverip described using hashcat to crack the hashes in this file all the way back in 2013
1. git clone https://github.com/iveresk/cve-2022-31749.git
2. cd cve-2022-31749
3. chmod +x *.sh
4. ./setup.sh
echo "-------------------Welcome-to-CVE-2022-31749-by-1veresk----------------+";
echo "+----------------------------------------------------------------------+";
echo "+-------------------For-The-Help---------------------------------------+";
echo "Example#1: ./cve-2022-31749.sh -h--------------------------------------+";
echo "Example#2: ./cve-2022-31749.sh --help----------------------------------+";
echo "+-------------------For-The-URL-Check----------------------------------+";
echo "Example#1: ./cve-2022-31749.sh -u <IP> <PASSWORD> [Default is 'readonly'";
echo "+-------------------For-The-File-Check---------------------------------+";
echo "Example#1: ./cve-2022-31749.sh -f <FILENAME>-<PASSFILE>----------------+";
echo "+----------------------------------------------------------------------+";
You are free to contact me via Keybase for any details.