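# frozen_string_literal: true

# =============================================================================
# Title     : WatchGuard IKE v2 Detection Scanner Metasploit Auxiliary Module
# Author    : indoushka
# Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)
# Vendor    : https://www.watchguard.com/
# =============================================================================
#
# [+] Summary :
#
# This module provides a non-exploit detection scanner for identifying systems
# potentially vulnerable to CVE-2022-23176 affecting IKEv2 services in products
# from WatchGuard Technologies. The scanner sends a minimal IKE_SA_INIT probe
# over UDP (default port 500) and performs behavioral analysis of the response.
# It verifies:
#   - Presence of IKEv2 service
#   - Correct protocol version (0x20)
#   - Expected exchange type (IKE_SA_INIT)
#   - Abnormal response size patterns
#   - Indicators of irregular parsing behavior
# This module does not exploit the vulnerability. It performs safe, passive
# detection intended for defensive security assessments, exposure mapping, and
# threat intelligence enrichment.
#
# [+] POC :

##
# WatchGuard IKEv2 CVE-2022-23176 Scanner
# Non-exploit detection module
##
#
# NOTE(review): the published advisory text for CVE-2022-23176 describes a
# management-session access issue on Firebox/XTM appliances rather than an
# IKEv2 parsing flaw; confirm against the vendor advisory before treating any
# output of this module as evidence of that CVE. Everything below is IKEv2
# service fingerprinting plus response-shape heuristics, not a vulnerability
# check, and none of it identifies a specific Fireware build.
#
# NOTE(review): the probe is an active (if minimal) datagram, so expect it to
# show up in the target's IKE daemon logs (hence IOC_IN_LOGS below).
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Udp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # IKEv2 wire constants (RFC 7296 §3.1 header, §3.2 generic payload header).
  IKEV2_MAJOR_VERSION = 2
  IKEV2_VERSION = 0x20            # major 2 in the high nibble, minor 0 in the low nibble
  IKE_SA_INIT = 34                # exchange type
  IKE_HEADER_LEN = 28             # fixed header size in bytes
  GENERIC_PAYLOAD_HDR_LEN = 4     # next payload (1) + C/reserved (1) + length (2)
  FLAG_INITIATOR = 0x08
  FLAG_RESPONSE = 0x20
  PAYLOAD_NONE = 0
  PAYLOAD_NOTIFY = 41             # 0x29 -- the byte the original module grepped for
  PAYLOAD_NAMES = {
    33 => 'SA', 34 => 'KE', 35 => 'IDi', 36 => 'IDr', 37 => 'CERT', 38 => 'CERTREQ',
    39 => 'AUTH', 40 => 'Nonce', 41 => 'Notify', 42 => 'Delete', 43 => 'VendorID',
    44 => 'TSi', 45 => 'TSr', 46 => 'SK', 47 => 'CP', 48 => 'EAP'
  }.freeze
  # Size heuristic carried over from the original module. A responder that
  # answers a header-only probe with a full IKE_SA_INIT reply (large DH group,
  # nonce, notifies) may legitimately exceed this, so treat a hit as a lead to
  # verify by hand, not as a finding.
  LARGE_RESPONSE_THRESHOLD = 400

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WatchGuard IKEv2 CVE-2022-23176 Scanner',
        'Description' => %q{
          This module checks for potential vulnerability to CVE-2022-23176 in
          WatchGuard Fireware IKEv2 service by analyzing malformed IKE_SA_INIT
          responses.
        },
        'Author' => [ 'indoushka' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2022-23176' ]
        ],
        'DisclosureDate' => '2022-02-22',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    # NOTE(review): port 4500 (NAT-T) framing prefixes IKE messages with a
    # 4-byte non-ESP marker that neither the probe nor the response parser
    # accounts for; keep RPORT at 500 unless that framing is added.
    register_options(
      [
        Opt::RPORT(500),
        OptInt.new('TIMEOUT', [ true, 'UDP receive timeout', 5 ])
      ]
    )
  end

  # Builds the 28-byte fixed IKEv2 header (RFC 7296 §3.1).
  #
  # @param ispi [Integer] initiator SPI (64-bit)
  # @param rspi [Integer] responder SPI (64-bit); 0 in an IKE_SA_INIT request
  # @param next_payload [Integer] type of the first payload, 0 = none
  # @param exchange [Integer] exchange type (34 = IKE_SA_INIT)
  # @param msg_id [Integer] message ID
  # @param flags [Integer] header flags; 0x08 sets the Initiator bit
  # @param length [Integer] total message length in bytes (header + payloads)
  # @return [String] binary header
  def ike_header(ispi, rspi, next_payload, exchange, msg_id, flags = FLAG_INITIATOR, length = 0)
    # Every multi-byte field is network byte order. The original used 'I'
    # (host order) for msg_id and length, which is wrong on little-endian
    # hosts and only worked because the length was patched in afterwards.
    [ispi, rspi, next_payload, IKEV2_VERSION, exchange, flags, msg_id, length].pack('Q>Q>CCCCNN')
  end

  # Builds a header-only IKE_SA_INIT request: random initiator SPI, zero
  # responder SPI, no payloads. Because it carries no SA/KE/Nonce payloads a
  # conforming responder may answer with a Notify or not at all; the module
  # only needs some IKEv2-shaped reply to fingerprint the service.
  #
  # @return [String] 28-byte binary probe
  def build_probe
    ispi = Rex::Text.rand_text(8).unpack1('Q>')
    ispi = 1 if ispi.zero? # RFC 7296 §3.1: the initiator SPI must not be zero
    ike_header(ispi, 0, PAYLOAD_NONE, IKE_SA_INIT, 0, FLAG_INITIATOR, IKE_HEADER_LEN)
  end

  # Scanner entry point: sends the probe to +ip+:+rport+ and inspects the
  # first datagram received within TIMEOUT seconds.
  #
  # @param ip [String] target address supplied by the scanner mixin
  # @return [void]
  def run_host(ip)
    print_status("Checking #{ip}:#{rport}")
    probe = build_probe
    begin
      # connect_udp sits inside the begin block so a connection failure is
      # reported instead of propagating out of the scanner.
      connect_udp
      udp_sock.put(probe)
      res = udp_sock.get_once(-1, datastore['TIMEOUT'])
      if res.nil?
        print_error("#{ip} - No response (service filtered or down)")
        return
      end
      # Force a binary copy so offsets below are byte offsets regardless of
      # the encoding the socket layer tagged the string with.
      inspect_response(ip, probe, res.b)
    rescue ::Rex::ConnectionError, ::Errno::ECONNREFUSED => e
      # ECONNREFUSED surfaces on connected UDP sockets when the host answers
      # with ICMP port unreachable; it means "no IKE listener", not a crash.
      print_error("#{ip} - Connection failed (#{e.message})")
    ensure
      disconnect_udp
    end
  end

  # Validates the fixed header of a reply against the probe that elicited it
  # and hands IKEv2-shaped replies to analyze_behavior.
  #
  # @param ip [String] target address, for output only
  # @param probe [String] the datagram that was sent
  # @param res [String] binary datagram received
  # @return [void]
  def inspect_response(ip, probe, res)
    if res.length < IKE_HEADER_LEN
      print_warning("#{ip} - Short IKE response detected (#{res.length} bytes)")
      return
    end

    # A responder must echo the initiator SPI (RFC 7296 §2.6); anything else
    # is an unrelated or spoofed datagram and must not count as a detection.
    unless res[0, 8] == probe[0, 8]
      print_status("#{ip} - Reply does not echo the probe's initiator SPI; ignoring unrelated datagram")
      return
    end

    version = res.getbyte(17)
    exchange = res.getbyte(18)
    flags = res.getbyte(19)

    # Only the major version is significant; receivers ignore the minor version.
    unless (version >> 4) == IKEV2_MAJOR_VERSION && exchange == IKE_SA_INIT
      print_status("#{ip} - Non-IKEv2 service detected")
      return
    end

    print_good("#{ip} - IKEv2 detected")
    report_service(host: ip, port: rport, proto: 'udp', name: 'ikev2')
    print_warning("#{ip} - Reply lacks the Response flag (irregular header handling)") if (flags & FLAG_RESPONSE).zero?
    analyze_behavior(ip, res)
  end

  # Applies the response-shape heuristics to an IKEv2 reply whose header has
  # already been validated. The original module searched the whole datagram
  # for the byte 0x29 and labelled a hit "AUTH payload"; 0x29 is payload type
  # 41 = Notify (AUTH is 39), and a single byte anywhere in nonce or KE data
  # proves nothing, so the payload chain is walked instead.
  #
  # @param ip [String] target address, for output only
  # @param response [String] binary datagram, at least IKE_HEADER_LEN bytes
  # @return [void]
  def analyze_behavior(ip, response)
    declared = response[24, 4].unpack1('N')
    payloads = parse_payload_chain(response)

    if response.length > LARGE_RESPONSE_THRESHOLD
      print_warning("#{ip} - Abnormally large IKE response (#{response.length} bytes; possible vulnerable parsing)")
    elsif declared != response.length
      print_warning("#{ip} - Header length #{declared} does not match datagram size #{response.length} (irregular parsing behavior)")
    elsif payloads.nil?
      print_warning("#{ip} - Payload chain runs past the message or declares a zero-length payload (irregular parsing behavior)")
    elsif payloads.include?(PAYLOAD_NOTIFY)
      print_status("#{ip} - Notify payload present (payloads: #{describe_payloads(payloads)})")
    else
      print_status("#{ip} - Standard IKE behavior (payloads: #{describe_payloads(payloads)})")
    end
  end

  # Follows the Next Payload chain from the header through each generic
  # payload header (RFC 7296 §3.2: next payload, C/reserved, 16-bit length
  # that includes the 4-byte header itself).
  #
  # @param response [String] binary datagram, at least IKE_HEADER_LEN bytes
  # @return [Array<Integer>, nil] payload types in wire order, or nil when a
  #   payload runs past the end of the datagram or declares a length below
  #   the generic header size (which would otherwise loop forever)
  def parse_payload_chain(response)
    types = []
    next_type = response.getbyte(16)
    offset = IKE_HEADER_LEN
    until next_type == PAYLOAD_NONE
      return nil if offset + GENERIC_PAYLOAD_HDR_LEN > response.length

      types << next_type
      next_type = response.getbyte(offset)
      plen = response[offset + 2, 2].unpack1('n')
      return nil if plen < GENERIC_PAYLOAD_HDR_LEN || offset + plen > response.length

      offset += plen
    end
    types
  end

  # Human-readable list of payload types for status output.
  #
  # @param payloads [Array<Integer>] payload type numbers
  # @return [String] e.g. "SA, KE, Nonce, Notify", or "none"
  def describe_payloads(payloads)
    return 'none' if payloads.empty?

    payloads.map { |t| PAYLOAD_NAMES.fetch(t) { "type #{t}" } }.join(', ')
  end
end

# =============================================================================
# Greetings to : jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai *
#                Malvuln (John Page aka hyp3rlinx)
# =============================================================================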