Full Disclosure mailing list archives
Re: Remote Command Execution on Cisco WAG120N
From: Ulisses Montenegro <ulisses.montenegro () gmail com>
Date: Wed, 28 Nov 2012 11:17:27 -0200
On Tue, Nov 27, 2012 at 4:39 PM, Gary <gdriggs () gmail com> wrote:
> On Mon, Nov 26, 2012 at 6:11 AM, Benji wrote:
>> Command execution through Dynamic DNS setup is quite clearly not
>> expected functionality.
>
> Agreed but that's still not "remote command execution" per my explanation below.

Assuming it works as the original poster described (I don't have the hardware to check, but similar issues have been found on the firmware of various other home routers), then why not? Yes, it does require authentication, so you might want to call it "authenticated remote command execution", but you still get arbitrary commands executed through CSRF.

There are some rather aggravating details about this happening on a device such as this:

1. Most home routers (again, I don't have the hardware so I must assume here) use HTTP basic authentication, which can be embedded in request URLs using the 'http://user:password@host/path?param' syntax, so forging an authenticated request does not require a login -> obtain a valid session -> submit with session, it can be done single-shot if the user and password are known, which brings us to...

2. Most home routers use default, known username/password combos which are available in public documentation. Since a large percentage of home users do not change these, and also use the default IP ranges, the chances of hitting a vulnerable router by using the 'http://user:password@192.168.0.1/action?params' URL (replacing relevant elements as required, of course) are rather good.

3. Finally, on many of those devices the HTTPd process is running as root. So, you can do pretty much anything you could do with a root shell.

Yes, there are restrictions, and yes, I am assuming things work as described by the original poster, but I don't see the need to be authenticated as being the major issue here, but rather the possibility of arbitrary command execution through CSRF.

Ulisses

--
“If debugging is the process of removing software bugs, then programming must be the process of putting them in.” - Edsger Dijkstra
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
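An added example, not part of the original message or thread: a defender-side check for the URL pattern the message describes. It scans page markup or proxy log text for http(s) URLs that carry embedded credentials and target a private-range or loopback IP literal. The function name and the sample input are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Any http(s) URL in markup or a log line; stops at whitespace, quotes, angle brackets.
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

# Constructed sample input (not taken from the thread or from any real capture).
SAMPLE = """
<a href="http://192.168.0.1/index.html">router status</a>
<img src="http://user:password@192.168.0.1/action?params" width="1" height="1">
<img src="http://user@10.0.0.1/path">
<a href="https://user:password@example.com/login">hostname, not an IP literal</a>
<a href="https://example.com/contact/someone@example.org">@ in the path only</a>
"""

def flag_embedded_credentials(text):
    """Return one finding per URL with userinfo aimed at a private/loopback IP literal."""
    findings = []
    for match in URL_RE.finditer(text):
        try:
            parts = urlsplit(match.group(0))
            host = parts.hostname
        except ValueError:
            continue  # malformed authority (e.g. bad IPv6 brackets): nothing to classify
        if parts.username is None or host is None:
            continue  # no userinfo component, so not the pattern described
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # a hostname rather than an IP literal: out of scope for this check
        if addr.is_private or addr.is_loopback:
            # Record where the request points, never the credential values themselves.
            findings.append({
                "host": host,
                "path": parts.path,
                "has_password": parts.password is not None,
                "has_query": bool(parts.query),
            })
    return findings

if __name__ == "__main__":
    for finding in flag_embedded_credentials(SAMPLE):
        print(finding)
```

A hit on a state-changing path with a query string, as in the second sample line, is the case worth alerting on; the plain link to the router without userinfo is not flagged.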