VIGOR 2130 Command Injection / Cross Site Request Forgery

2014.10.08
Credit: Victor
Risk: High
Local: No
Remote: Yes
CVE: N/A

VIGOR 2130 (firmware < 1.5.4.9)

1.1. Command injection in traceroute functionality

A user can execute arbitrary commands (RCE) on the router by abusing the traceroute functionality. The interface expects an IP address as input, but does not validate the input. Just provide the input:

; id

The above outputs the current user id.

1.2. CSRF (Cross-Site Request Forgery)

No anti-CSRF measures are in place. This means that an attacker can set up a web page which, when visited by a victim who is logged in to the VIGOR 2130 web interface, can perform operations on the web interface.

1.3. Service runs as root

The web service is running as root.

Timetable:

2014-09-26 : Vendor released patches (private and unverified) to their customers
2014-07-22 : Vendor states that most of the vulns. are patched
2014-07-08 : Vendor notified customers with large deployments
2014-06-30 : Response of Vendor
2014-06-24 : Notified Vendor

Researchers: Victor van der Veen (vvdveen@cs.vu.nl) / Erik-Paul Dittmer (epdittmer@digitalmisfits.com)
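The root cause in 1.1 is a web handler that splices the traceroute field straight into a shell command line. The following is an added example (not code from the advisory or from the VIGOR 2130 firmware) showing that vulnerable pattern next to a hardened handler; the function names and the `traceroute -n` invocation are assumptions about how such a handler might be written.

```python
"""Handling a user-supplied traceroute target: unsafe vs. hardened.

Added example, not code from the advisory or the VIGOR 2130 firmware.
Pattern: validate the field to a strict type (an IP literal), then pass
it as a single argv element with no shell, so ';', '|', '$(' and friends
have no special meaning.
"""
import ipaddress
import subprocess


def unsafe_traceroute_command(target: str) -> str:
    # The pattern described in 1.1: the raw field value becomes part of a
    # shell command line, so shell metacharacters are interpreted.
    return "traceroute " + target


def validate_ip_target(target: str) -> str:
    """Return the canonical IP address string, or raise ValueError.

    ipaddress.ip_address() accepts only a literal IPv4/IPv6 address, so
    input containing spaces, ';', '|', '$(' or a hostname is rejected.
    """
    return str(ipaddress.ip_address(target.strip()))


def safe_traceroute_argv(target: str) -> list[str]:
    """Build an argv list (no shell) for a validated target."""
    return ["traceroute", "-n", validate_ip_target(target)]


def run_traceroute(target: str, timeout: int = 60) -> str:
    # subprocess.run with a list and shell=False execs traceroute directly;
    # the target is exactly one argument whatever characters it contains.
    proc = subprocess.run(safe_traceroute_argv(target), capture_output=True,
                          text=True, timeout=timeout, check=False)
    return proc.stdout


if __name__ == "__main__":
    # Constructed inputs: a documentation-range address and the advisory's
    # "; id" field value.
    print(safe_traceroute_argv("192.0.2.1"))
    try:
        safe_traceroute_argv("; id")
    except ValueError as exc:
        print("rejected:", exc)
```

`run_traceroute` is not exercised here because it needs a traceroute binary; the argv builder is what the handler should feed it.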


Copyright 2024, cxsecurity.com