
CVE-2022-31749 PoC — Authenticated arbitrary file read/write in WatchGuard Fireware OS

Associated Vulnerability
Title: Authenticated arbitrary file read/write in WatchGuard Fireware OS (CVE-2022-31749)
Description: An argument injection vulnerability in the diagnose and import pac commands in WatchGuard Fireware OS before 12.8.1, 12.1.4, and 12.5.10 allows an authenticated remote attacker with unprivileged credentials to upload or read files to limited, arbitrary locations on WatchGuard Firebox and XTM appliances.
Description
Simple PoC-checker for CVE-2022-31749 by 1vere$k
Readme
# CVE-2022-31749 by 1vere$k
Simple PoC-checker for CVE-2022-31749 by 1vere$k.  
It exploits a parameter (argument) injection vulnerability in the WatchGuard Fireware SSH command-line interface.  
The vulnerability allows a low-privileged user to exfiltrate arbitrary system files to an attacker-controlled FTP server.  
Fortunately, there is a built-in low-privileged user named `status` that this script defaults to.  
It isn't unreasonable to assume that the `status` user still has the password `readonly`, but that isn't required.

The exploit exfiltrates the user file `configd-hash.xml`.  
This file contains hashed user passwords.  
The hashes are plain unsalted MD4. @funoverip [described](https://web.archive.org/web/20160522043540/http://funoverip.net/2013/09/cracking-watchguard-passwords/) using hashcat to crack the hashes in this file as far back as 2013.

## Installing

```
git clone https://github.com/iveresk/cve-2022-31749.git
cd cve-2022-31749
chmod +x *.sh
./setup.sh
```

## Usage

The script prints the following help text (`-h` / `--help`):

```
-------------------Welcome-to-CVE-2022-31749-by-1veresk----------------+
+----------------------------------------------------------------------+
+-------------------For-The-Help---------------------------------------+
Example#1: ./cve-2022-31749.sh -h--------------------------------------+
Example#2: ./cve-2022-31749.sh --help----------------------------------+
+-------------------For-The-URL-Check----------------------------------+
Example#1: ./cve-2022-31749.sh -u <IP> <PASSWORD> [Default is 'readonly']
+-------------------For-The-File-Check---------------------------------+
Example#1: ./cve-2022-31749.sh -f <FILENAME>-<PASSFILE>----------------+
+----------------------------------------------------------------------+
```

## Contact
You are free to contact me via [Keybase](https://keybase.io/1veresk) for any details. 
File Snapshot

```
[4.0K] /data/pocs/fc7638010494cf7c9ca28f4d4f689cab4e47c384
├── [2.1K] cve-2022-31749.sh
├── [1.0K] LICENSE
├── [  68] passwords-example
├── [1.9K] README.md
└── [  87] setup.sh

0 directories, 5 files
```