VIGOR 2130 (firmware < 1.5.4.9)
1.1. Command injection in traceroute functionality
A user of the web interface can execute arbitrary commands (RCE) on the
router by abusing the traceroute functionality. The interface expects an IP
address as input, but does not validate it before handing it to a shell.
Just provide the input:
; id
The above outputs the current user id. Because the web service runs as root
(see 1.3), the injected command runs with root privileges.
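The following is an added example, not the router's firmware or the researchers' code. It reconstructs the flaw as the advisory describes it (user input concatenated into a shell command line) and places the hardened form beside it: a strict IP-address check with `ipaddress`, and an argument vector handed to the process without a shell. The `traceroute -m 5` command line and the `build_*` function names are assumptions made for this illustration.

```python
import ipaddress
import subprocess

# Payload from the advisory: the separator ends the intended traceroute
# invocation and starts a second command that the shell runs as well.
PAYLOAD = "; id"


def build_vulnerable_cmdline(target):
    """Mirror the flawed pattern: user input spliced into a shell string.

    Assumption of this example: the router's CGI does something equivalent;
    the real handler is not on the page.
    """
    return "traceroute -m 5 " + target


def run_vulnerable(target):
    """Run the concatenated command line through a shell and return stdout.

    With PAYLOAD the shell runs `traceroute -m 5` (which fails) and then `id`.
    """
    result = subprocess.run(
        build_vulnerable_cmdline(target),
        shell=True,
        capture_output=True,
        text=True,
        timeout=30,
    )
    return result.stdout


def is_valid_target(target):
    """Accept only a literal IPv4/IPv6 address, exactly what the form expects."""
    try:
        ipaddress.ip_address(target)
    except ValueError:
        return False
    return True


def build_safe_argv(target):
    """Hardened form: validate first, then pass the target as one argv element.

    No shell is involved, so metacharacters in `target` are never interpreted;
    the validation additionally rejects anything that is not an IP address.
    """
    if not is_valid_target(target):
        raise ValueError("target must be an IP address: %r" % (target,))
    return ["traceroute", "-m", "5", target]


if __name__ == "__main__":
    print(run_vulnerable(PAYLOAD))        # output of `id`, e.g. uid=...
    print(build_safe_argv("192.0.2.1"))   # ['traceroute', '-m', '5', '192.0.2.1']
    try:
        build_safe_argv(PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

Validation alone is not enough if the validated string is still spliced into a shell command; the safe version does both, and it is the argv form that removes the shell from the picture.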
1.2. CSRF (Cross-Site Request Forgery)
No anti-CSRF measures are in place. This means that an attacker can set up
a web page which, when visited by a victim who is logged into the VIGOR 2130
web interface, performs operations on the web interface on the victim's
behalf.
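As an added example (not part of the advisory and not the router's code), the following sketches the server-side check that is missing: a per-session anti-CSRF token derived with HMAC-SHA256 from the session identifier, embedded in every state-changing form the device renders and verified in constant time on submission. The session ids, the `csrf_token` form field and the `handle_request` handler are assumptions of this illustration.

```python
import hashlib
import hmac
import secrets

# Server-side secret, generated once per boot; it never leaves the device.
_SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id, key=_SERVER_KEY):
    """Derive the anti-CSRF token for a session: HMAC-SHA256(key, session_id).

    The server embeds this in the forms it renders for that session. A page on
    another origin cannot read it, so it cannot forge a valid submission even
    though the browser will still attach the victim's session cookie.
    """
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id, submitted, key=_SERVER_KEY):
    """Constant-time comparison of the submitted token with the expected one."""
    if not isinstance(submitted, str) or not submitted:
        return False
    expected = issue_csrf_token(session_id, key)
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_request(session_id, form):
    """Simulated handler for a state-changing request (e.g. the traceroute form).

    `form` is the parsed POST body; the field name `csrf_token` is an
    assumption of this example, not the router's actual parameter.
    Returns an (http_status, message) pair.
    """
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "request rejected: missing or invalid anti-CSRF token"
    return 200, "operation performed"


if __name__ == "__main__":
    victim_session = "sess-victim-0001"   # constructed sample session id
    token = issue_csrf_token(victim_session)
    # Legitimate submission from a page the router rendered for this session:
    print(handle_request(victim_session, {"csrf_token": token, "target": "192.0.2.1"}))
    # Cross-site submission: the session cookie is sent, but no token is known:
    print(handle_request(victim_session, {"target": "192.0.2.1"}))
    # A token the attacker obtained for their own session does not transfer:
    print(handle_request(victim_session, {"csrf_token": issue_csrf_token("sess-attacker")}))
```

Binding the token to the session id (rather than issuing one global token) is what stops an attacker from reusing a token obtained through their own login; the HMAC keeps the scheme stateless on a device with little storage.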
1.3. Service runs as root
The web service is running as root.
Timetable:
2014-09-26 : Vendor released patches (private and unverified) to their customers
2014-07-22 : Vendor states that most of the vulns. are patched
2014-07-08 : Vendor notified customers with large deployments
2014-06-30 : Response of Vendor
2014-06-24 : Notified Vendor
Researchers:
Victor van der Veen (vvdveen@cs.vu.nl) / Erik-Paul Dittmer
(epdittmer@digitalmisfits.com)