Date: 29 Nov 2005 02:10:19 -0000
From: picardos@...ra.es
To: bugtraq@...urityfocus.com
Subject: Re: Re: - Cisco IOS HTTP Server code injection/execution
 vulnerability-


>Isn't your exploit somewhat complicated? Just put

><img src="http://192.0.2.1/level/15/configure/-/enable/secret/mypassword"/>

>on a web page, and trick the victim to visit it >while he or she is
>logged into the Cisco router at 192.0.2.1 over >HTTP. 
That's what makes this vulnerability so fun. There's no need of trick the victim, and you don't need to know the private address of the router, etc,etc... you only must wait until he/her visits the buffers dump page.

>This has been
>dubbed "Cross-Site Request Forgery" a couple of >years ago, but the
>authors of RFC 2109 were already aware of it in >1997. At that time,
>browser-side countermeasures were proposed (such >as users examining
>the HTML source code *cough*), but current >practice basically mandates
>that browsers transmit authentication information >when following
>cross-site links.
Maybe this was the expected behaviour of a browser some years ago, but I think nowadays this is not always true...


>Such attacks are probably more problematic on >low-end NAT routers
>whose internal address defaults to 192.168.1.1 >and which generally
>offer HTTP access, which makes shotgun >exploitation easier. So much
>for the "put your Windows box behind a NAT >router" advice you often
>read.

I think what makes this vulnerability so "funny" is that the attacker doesn't need to coordinate for the victim to be  logged on the router, and then trick him/her to follow a link, etc. The attacker can leave a tool sending crafted packets to thousands of target routers with SPOOFED ip's and simply wait...

Powered by blists - more mailing lists