VIGOR 2130 (firmware < 1.5.4.9)

1.1. Command injection in traceroute functionality

A user can execute arbitrary commands (RCE) on the router by abusing the traceroute functionality. The interface expects an IP address as input, but does not validate the input. Just provide the input:

    ; id

The above outputs the current user id.

1.2. CSRF (Cross-Site Request Forgery)

No anti-CSRF measures are in place. This means that an attacker can set up a web page which, when visited by a victim who is logged in to the VIGOR 2130 web interface, performs operations on the web interface.

1.3. Service runs as root

The web service is running as root.

Timetable:

2014-09-26 : Vendor released patches (private and unverified) to their customers
2014-07-22 : Vendor states that most of the vulns. are patched
2014-07-08 : Vendor notified customers with large deployments
2014-06-30 : Response of vendor
2014-06-24 : Notified vendor

Researchers: Victor van der Veen (vvdveen@cs.vu.nl) / Erik-Paul Dittmer (epdittmer@digitalmisfits.com)
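The two web-interface weaknesses in 1.1 and 1.2 share one fix pattern on the server side: reject the request unless it carries the CSRF token bound to the login session, and accept only a literal IP address for the traceroute target, passed to the traceroute binary as an argv list rather than through a shell. The following Python is an added illustration of that pattern and is not code from the advisory or from the router firmware; the session store, the function names and the form field names `csrf_token` and `target` are assumptions made for the example.

```python
from __future__ import annotations

import hmac
import ipaddress
import secrets

# Constructed session store for the example: session id -> CSRF token.
# Real firmware would keep this alongside its login session state.
SESSIONS: dict[str, str] = {}


def new_session() -> tuple[str, str]:
    """Create a session id and bind a fresh, unguessable CSRF token to it."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = secrets.token_urlsafe(32)
    return session_id, SESSIONS[session_id]


def csrf_token_ok(session_id: str, submitted: str) -> bool:
    """Synchronizer-token check: the form field must equal the token bound to
    the session. A cross-site page cannot read that token, so its forged
    request fails here. compare_digest keeps the comparison constant-time."""
    expected = SESSIONS.get(session_id)
    if expected is None or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def build_traceroute_argv(target: str) -> list[str]:
    """Accept only a literal IPv4/IPv6 address and return an argv list.

    ipaddress.ip_address() rejects anything that is not an address, so input
    such as '; id' never reaches a command line. The list form is meant for
    subprocess.run(argv) without shell=True, so no shell ever parses it."""
    try:
        addr = ipaddress.ip_address(target.strip())
    except ValueError:
        raise ValueError("traceroute target must be an IPv4 or IPv6 address")
    return ["traceroute", "-n", str(addr)]


def handle_traceroute_request(session_id: str, form: dict[str, str]) -> list[str]:
    """Server-side handling of the traceroute form: CSRF check first, then
    input validation. Returns the argv to execute, or raises PermissionError
    (bad token) / ValueError (bad target)."""
    if not csrf_token_ok(session_id, form.get("csrf_token", "")):
        raise PermissionError("missing or invalid CSRF token")
    return build_traceroute_argv(form.get("target", ""))


if __name__ == "__main__":
    sid, token = new_session()
    print(handle_traceroute_request(sid, {"csrf_token": token, "target": "192.0.2.1"}))
    for bad in ({"csrf_token": "", "target": "192.0.2.1"},
                {"csrf_token": token, "target": "; id"}):
        try:
            handle_traceroute_request(sid, bad)
        except (PermissionError, ValueError) as exc:
            print("rejected:", exc)
```

The returned argv is what the handler would hand to `subprocess.run` (never a string through `shell=True`); the example stops at building it so it runs without a traceroute binary present. Running that process as an unprivileged user rather than root, as 1.3 notes the service currently does, limits what a bypass of either check could reach.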