Re: Re: - Cisco IOS HTTP Server code injection/execution vulnerability-
>Isn't your exploit somewhat complicated? Just put
><img src="http://192.0.2.1/level/15/configure/-/enable/secret/mypassword"/>
>on a web page, and trick the victim to visit it >while he or she is
>logged into the Cisco router at 192.0.2.1 over >HTTP.
That's what makes this vulnerability so fun. There's no need of trick the
victim, and you don't need to know the private address of the router,
etc,etc... you only must wait until he/her visits the buffers dump page.
>This has been
>dubbed "Cross-Site Request Forgery" a couple of >years ago, but the
>authors of RFC 2109 were already aware of it in >1997. At that time,
>browser-side countermeasures were proposed (such >as users examining
>the HTML source code *cough*), but current >practice basically mandates
>that browsers transmit authentication information >when following
>cross-site links.
Maybe this was the expected behaviour of a browser some years ago, but I think
nowadays this is not always true...
>Such attacks are probably more problematic on >low-end NAT routers
>whose internal address defaults to 192.168.1.1 >and which generally
>offer HTTP access, which makes shotgun >exploitation easier. So much
>for the "put your Windows box behind a NAT >router" advice you often
>read.
I think what makes this vulnerability so "funny" is that the attacker doesn't
need to coordinate for the victim to be logged on the router, and then trick
him/her to follow a link, etc. The attacker can leave a tool sending crafted
packets to thousands of target routers with SPOOFED ip's and simply wait...