
VIGOR 2130 Command Injection / Cross Site Request Forgery

Date: 06 Oct 2014 00:00:00
Reported by: Erik-Paul Dittmer
Type: packetstorm
Source: packetstormsecurity.com

VIGOR 2130 firmware < 1.5.4.9, Command Injection, Cross Site Request Forgery, Service runs as root, Vendor patches released, Researcher: Victor van der Veen, Erik-Paul Dittmer

Code
`VIGOR 2130 (firmware < 1.5.4.9)  
  
1.1. Command injection in traceroute functionality  
  
A user can execute arbitrary commands (RCE) on the router by abusing the  
traceroute functionality. The interface expects an IP address as input,  
but does not validate the input. Just provide the input:  
; id  
The above outputs the current user id.  
  
1.2. CSRF (Cross-Site Request Forgery)  
  
No anti-CSRF measures are in place. This means that an attacker can  
set up a web page which, when visited by a victim who is logged in to  
the VIGOR 2130 web interface, can perform operations on the  
web interface.  
  
1.3. Service runs as root  
The web service is running as root.  
  
Timetable:  
  
2014-09-26 : Vendor released patches (private and unverified) to their customers  
2014-07-22 : Vendor states that most of the vulns. are patched  
2014-07-08 : Vendor notified customers with large deployments  
2014-06-30 : Response of Vendor  
2014-06-24 : Notified Vendor  
  
Researchers:  
Victor van der Veen / Erik-Paul Dittmer  
  
`
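
The fix for the flaw in section 1.1, as an added example that is not from the advisory or the vendor's firmware: the traceroute target is accepted only if it parses as an IP address, and the tool is started from an argument list with no shell. The function names are hypothetical, and `vulnerable_command` is an assumed reconstruction of the flawed pattern, since the firmware's code is not shown on the page.

```python
import ipaddress
import subprocess


def vulnerable_command(target: str) -> str:
    """Flawed pattern (assumed): input pasted into a shell command line.

    With the advisory's input "; id" this yields "traceroute ; id",
    which a shell treats as two separate commands.
    """
    return "traceroute " + target


def traceroute_argv(target: str) -> list:
    """Validate the target as an IPv4/IPv6 literal and build an argv list."""
    try:
        addr = ipaddress.ip_address(target.strip())
    except ValueError:
        raise ValueError("not an IP address: %r" % target) from None
    # Newer Python versions accept an arbitrary IPv6 scope id after '%';
    # reject scoped addresses so only the canonical address text is passed on.
    if getattr(addr, "scope_id", None):
        raise ValueError("scoped IPv6 addresses are not accepted")
    # "-n" disables reverse DNS lookups; str(addr) is the canonical form.
    return ["traceroute", "-n", str(addr)]


def run_traceroute(target: str, timeout: int = 30) -> str:
    """Run traceroute without a shell, so metacharacters are never interpreted."""
    proc = subprocess.run(
        traceroute_argv(target),
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )
    return proc.stdout


if __name__ == "__main__":
    # Constructed sample inputs, including the one from the advisory.
    for sample in ["192.0.2.1", "2001:db8::1", "; id", "192.0.2.1; id"]:
        try:
            print(repr(sample), "->", traceroute_argv(sample))
        except ValueError as exc:
            print(repr(sample), "-> rejected:", exc)
```

Validation limits what reaches the process, and the argument list removes the shell from the path; section 1.3 still applies, because anything the web service starts inherits its root privileges.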
