ISE SOHO Vulnerability Catalog Published - Independent Security ...

More documents

Recommendations

Info

Recommendations to the Vendor ♦ Confirm that the web page used in the redirect is a page that is part of the same domain as the web server. ♦ If possible, avoid using URL redirects. ♦ Additional information for vendors regarding immediate and long term fixes for these issues can be found here: http://www.securityevaluators.com/content/casestudies/routers/#recommendationsVendors Solution ♦ There currently is not a solution to this problem. Proof of Concept Exploit POST /goform/setSysLang HTTP/1.1 Host: 192.168.10.1 User-‐Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Iceweasel/18.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-‐Language: en-‐US,en;q=0.5 Accept-‐Encoding: gzip, deflate DNT: 1 Referer: http://192.168.10.1/wizard/wizard.asp Authorization: Basic YWRtaW46YWRtaW4= Connection: keep-‐alive Content-‐Type: application/x-‐www-‐form-‐urlencoded Content-‐Length: 56 langSelection=EN&redirect_url=http://192.168.10.100:1337 Disclosure Timeline ♦ 4/11/2013 - Notified TRENDnet ♦ 7/26/2013 - Public Disclosure References ♦ Advisory/Video: http://infosec42.blogspot.com ♦ http://securityevaluators.com/content/case-studies/ Credit ♦ Discovered By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators ♦ Exploited By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators 14
Vulnerability: Multiple Buffer Overflow CVE: CVE-2013-3100 CVE: CVE-2013-4659 Description The TRENDnet TEW-812DRU router contains several software packages that are susceptible to multiple Buffer Overflow attacks, and when triggered, can result in Denial of Service or Remote Code Execution. Vulnerable Software: KC_FTP, KC_SMB, RC Network Utility, and Broadcom ACSD. Attack Requirements ♦ The attacker needs access to FTP, SMB, ACSD or HTTP network services in order to launch the overflow attacks. ♦ Authentication is required to exploit the overflow present in the RC network configuration binary accessible by the HTTP network service. Details ♦ Other firmware versions were not tested and could be vulnerable. ♦ Vulnerable Commands (Not all commands were tested) ♦ KC_FTP: USER ♦ ACSD: autochannel&param, autochannel&data, csscan&ifname ♦ RC: wan_pptp_username, wan_pptp_password (From web application) ♦ KC_SMB: SMB Negotiation Request Impact ♦ These vulnerabilities can lead to a denial-of-service or a total compromise of the affected router. Recommendations to the Vendor ♦ Perform bounds checking on user input that is copied into fixed length buffers. ♦ Avoid using functions such as strcpy() or sprintf() that don't perform bounds checking. ♦ Additional information for vendors regarding immediate and long term fixes for these issues can be found here: http://www.securityevaluators.com/content/casestudies/routers/#recommendationsVendors Solution ♦ There currently is not a solution to this problem. ♦ Restrict access to WAN services to prevent an attacker from gaining access if an 15
Page 1 and 2: Vulnerability Catalog Revision 1 SO
Page 3 and 4: Vulnerability: Cross-‐Site Sc
Page 5 and 6: Summary ISE has performed extensiv
Page 7 and 8: Solution ♦ There currently is not
Page 9 and 10: ♦ Advisory/Video: http://infosec4
Page 11 and 12: TRENDnet TEW-‐812DRU Vulnerab
Page 13: Disclosure Timeline ♦ 4/11/2013
Page 17 and 18: JavaScript or HTML code in the vict
Page 19 and 20: ♦ There currently is not a soluti
Page 21 and 22: } function _enable23(){ document
Page 23 and 24: TRENDnet TEW-691GR and TEW-692GR
Page 25 and 26: Proof of Concept Exploit TP-
Page 27 and 28: Details ♦ The router will need to
Page 29 and 30: ♦ 3/20/2013 - Contacted TP-Link
Page 31 and 32: Netgear WNDR4700 Vulnerability:
Page 33 and 34: all files stored on the external st
Page 35 and 36: References ♦ Advisory/Video: http
Page 37 and 38: Attack Requirements ♦ The attacke
Page 39 and 40: Figure 2 - WNDR4700 XSS #1 39
Page 41 and 42: Figure 4 -‐ WNDR4700 XSS #
Page 43 and 44: Linksys WRT310v2 Vulnerability:
Page 45 and 46: function PwN() {doc
Page 47 and 48: ♦ Advisory/Video: http://infosec4
Page 49 and 50: Figure 7 - EA6500 Malicious Co
Page 51 and 52: Solution ♦ There is no solution t
Page 53 and 54: Figure 9 - EA6500 DOM XSS Disc
Page 55 and 56: Content-‐Type: application/jso
Page 57 and 58: D-‐Link DIR-‐865L Vulnera
Page 59 and 60: document.DLINK.submit() Disc
Page 61 and 62: Description The D-Link DIR-865L rou
Page 63 and 64: ♦ Additional information for vend
Page 65 and 66:
♦ 7/26/2013 - Public Disclosure R
Page 67 and 68:
these issues can be found here: htt
Page 69 and 70:
♦ Validate HTTP Basic Authenticat
Page 71 and 72:
Vulnerability: Authentication Byp
Page 73 and 74:
Impact If an unauthenticated attack
Page 75 and 76:
these issues can be found here: htt
Page 77 and 78:
attacker from gaining access if an
Page 79 and 80:
var wan_type=0; var wan_mac_addr
Page 81 and 82:
attacker from gaining access if an
Page 83 and 84:
Solution ♦ There currently is not
Page 85 and 86:
Disclosure Timeline ♦ 2/11/2013 -
Page 87 and 88:
var bEncPassword=1; var auto_che
Page 89 and 90:
Solution ♦ There is no solution t
Page 91 and 92:
studies/routers/#recommendationsVen
Page 93 and 94:
Solution ♦ There is no solution t
Page 95 and 96:
studies/routers/#recommendationsVen
Page 97 and 98:
# The ASUS RT-‐AC66U contai
Page 99 and 100:
try: print """ [*] Attempting
Page 101 and 102:
Disclosure Timeline ♦ 7/26/2013 -
show all

ISE SOHO Vulnerability Catalog Published - Independent Security ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?