CVE-2013-2678
Published: 2020-02-04
Priority: P2, 77, high; CVSS 3.1: 8.1
CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 16.87% (96.7th percentile)
Cisco Linksys E4200 1.0.05 Build 7 routers contain a Local File Include Vulnerability which could allow remote attackers to obtain sensitive information or execute arbitrary code by sending a crafted URL request to the apply.cgi script using the submit_type parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | linksys_e4200_firmware | — | — |
Detection & IOCs (extracted from sources)
command: submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26ping%20192%2e168%2e178%2e102%26&ping_times=5&traceroute_ip=
url: /apply.cgi?submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26COMMAND%26&ping_times=5&traceroute_ip=
command: submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=|ping%20192%2e168%2e178%2e101|&ping_times=5&traceroute_ip=
- Monitor HTTP POST and GET requests to /apply.cgi containing the submit_type parameter with values such as 'start_ping' combined with shell metacharacters (%26, |) in the ping_size parameter, indicating OS command injection attempts against Linksys routers.
- Detect directory traversal attempts against /apply.cgi via the next_page parameter containing '../' sequences (e.g., next_page=../../proc/version), which can expose sensitive local files on the device.
- Alert on HTTP requests to /apply.cgi where submit_type=start_ping and ping_size contains URL-encoded shell operators (%26 for & or | characters), as these are the primary injection vectors for CVE-2013-2678.
- The PNScan trojan exploits CVE-2013-2678 to compromise Linksys routers and subsequently installs the Tsunami backdoor; look for Tsunami backdoor indicators post-compromise on Linksys devices.
- CVE-2013-2678 is exploited alongside a vulnerability in HNAP (Home Network Administration Protocol) when targeting Linksys routers; monitor for anomalous HNAP requests in conjunction with apply.cgi exploitation attempts.
- The OS command injection via ping_size requires the attacker to be authenticated to the device, or to chain with another vulnerability (e.g., CSRF) to inject commands without prior authentication.
- The directory traversal via next_page also requires authentication or chaining with another access method; standalone unauthenticated exploitation of this specific vector is not confirmed.
- Multiple Linksys firmware versions are affected across different models (E1500, E2500, WRT160Nv2); detections should not be scoped to a single firmware build.
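The two request patterns in the detection notes above, as an added Python example (not taken from any of the cited sources): it flags /apply.cgi requests whose ping_size carries shell metacharacters and next_page values containing '../'. The request tuples are constructed samples, and treating any non-numeric ping_size as suspicious is an assumption that generalizes beyond the %26 and | cases listed.

```python
from urllib.parse import urlsplit, parse_qs

# Characters a shell would interpret; the page names & (%26) and |, the rest are added here.
SHELL_META = set("&|;`$()<>\n")


def inspect_request(target, body=""):
    """Return findings for one request (target = path?query, body = form-encoded POST data)."""
    parts = urlsplit(target)
    if parts.path.rstrip("/").lower() != "/apply.cgi":
        return []
    # parse_qs URL-decodes values, so %26 and a raw & inside a value compare equal.
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)

    findings = []
    if "start_ping" in params.get("submit_type", []):
        for size in params.get("ping_size", []):
            if SHELL_META & set(size):
                findings.append("ping_size: shell metacharacter")
            elif size and not size.isdigit():
                # Assumption: a legitimate packet size is a plain integer.
                findings.append("ping_size: non-numeric")
    for page in params.get("next_page", []):
        if "../" in page or "..\\" in page:
            findings.append("next_page: directory traversal")
    return findings


BASE = "submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&ping_ip=1.1.1.1"

# Constructed sample requests: (method, target, body)
SAMPLE_REQUESTS = [
    ("GET", "/apply.cgi?" + BASE + "&ping_size=32&ping_times=5", ""),
    ("GET", "/apply.cgi?" + BASE + "&ping_size=%26COMMAND%26&ping_times=5", ""),
    ("POST", "/apply.cgi", BASE + "&ping_size=|COMMAND|&ping_times=5"),
    ("GET", "/apply.cgi?next_page=../../proc/version", ""),
    ("GET", "/index.asp?next_page=../x", ""),
]


def scan(requests):
    """Return (index, findings) for every request that produced at least one finding."""
    hits = [(i, inspect_request(t, b)) for i, (_, t, b) in enumerate(requests)]
    return [(i, f) for i, f in hits if f]


if __name__ == "__main__":
    for index, found in scan(SAMPLE_REQUESTS):
        print(index, SAMPLE_REQUESTS[index][0], found)
```

Because exploitation requires an authenticated session or a chained request such as CSRF, a hit from an internal client's browser is as relevant as one from an external address.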
CVSS provenance
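| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vulncheck | — | 8.1 | HIGH | — |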
GHSA
GHSA-55f9-hxq3-grcx: Cisco Linksys E4200 1
ghsa_unreviewed·2022-05-05
CVE-2013-2678 [MEDIUM] GHSA-55f9-hxq3-grcx: Cisco Linksys E4200 1
VulnCheck
Cisco linksys_e4200_firmware Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
vulncheck·2013·CVSS 8.1
CVE-2013-2678 [HIGH] Cisco linksys_e4200_firmware Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Affected: Cisco linksys_e4200_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.trendmicro.com/en_us/research/18/g/vpnfilter-affected-devices-still-riddled-with-19-vulnerabilities.html; https://www.researchgate.net/publication/348602660_An_analysi
No detection rules found.
Exploit-DB
Cisco Linksys E4200 - Multiple Vulnerabilities
exploitdb·2013-05-07·CVSS 8.1
CVE-2013-2684 [HIGH] Cisco Linksys E4200 - Multiple Vulnerabilities
---
XSS, LFI in Cisco, Linksys E4200 Firmware
URL: http://www.cloudscan.me/2013/05/xss-lfi-linksys-e4200-firmware-0d.html
January 30, 2013
Keywords
XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit,
Zero Day, Cisco, Linksys, E4200, Wireless Router, cyberTAN Corp
CVE-2013-2678, CVE-2013-2679, CVE-2013-2680, CVE-2013-2681, CVE-2013-2682,
CVE-2013-2683, CVE-2013-2684
Summary
Reflected XSS + LFI Bugs in the Cisco, Linksys E4200 Wireless Router
Firmware Version: 1.0.05 build 7 were discovered by our Researchers in
January 2013 and finally acknowledged by Linksys in April 2013. The Vendor
is unable to Patch the Vulnerability in a reasonable timeframe. This
docu
Exploit-DB
Linksys E1500/E2500 - Multiple Vulnerabilities
exploitdb·2013-02-11
CVE-2013-2678 Linksys E1500/E2500 - Multiple Vulnerabilities
---
Device Name: Linksys E1500 / E2500
Vendor: Linksys
============ Device Description: ============
The Linksys E1500 is a Wireless-N Router with SpeedBoost. It lets you access the Internet via a wireless connection or through one of its four switched ports. You can also use the Linksys E1500 to share resources, such as computers, printers and files.
The installation and use of the Linksys E1500 is easy with Cisco Connect, the software that is installed when you run the Setup CD. Likewise, advanced configuration of the Linksys E1500 is available through its web-based setup page.
Source: http://homekb.cisco.com/Cisco2/ukp.aspx?pid=80&app=vw&vw=1&login=1&json=...
============ Vulnerable Firmware Releases - e1500: ============
Firmware-V
Exploit-DB
Linksys WRT160N - Multiple Vulnerabilities
exploitdb·2013-02-11
CVE-2013-2678 Linksys WRT160N - Multiple Vulnerabilities
---
Device Name: Linksys WRT160Nv2
Vendor: Linksys/Cisco
============ Device Description: ============
Best For: Delivers plenty of speed and coverage, so large groups of users can go online, transfer large files, print, and stream stored media
Features:
* Fast Wireless-N connectivity frees you to do more around your home
* Easy to set up and use, industrial-strength security protection
* Great for larger homes with many users
Source: http://homestore.cisco.com/en-us/routers/Linksys-WRT160N-Wireless-N-Router-Front-Page_stcVVproductId53934616VVcatId552009VVviewprod.htm
============ Vulnerable Firmware Releases: ============
Firmware Version: v2.0.03 build 009
============ Shodan Torks ============
Shodan Search: WRT160Nv2
=> 4072 results
Trendmicro
VPNFilter-affected Devices Still Riddled with 19 Bugs
blogs_trendmicro·2018-07-13
IoT
## VPNFilter-affected Devices Still Riddled with 19 Bugs
This blog tackles the VPNFilter malware and if deployed devices are vulnerable to it. Based on our data, plenty of the devices are still using old firmware versions. In fact, 19 known vulnerabilities can still be detected in devices up to this day.
By: Tony Yang, Peter Lee, Jul 13, 2018
Our IoT scanning tool allows users to identify if connected devices (e.g. routers, network attached storage devices, IP cameras, and printers) in a given network are vulnerable to security risks and vulnerabilities, such as those related to Mirai, Reaper, and WannaCry.
We gather our data from the Trend Micro™ Home Network Security solution and HouseCall™ for Home Networks scanner. HouseCall for Home Networks
Securelist
Honeypots and the Internet of Things
blogs_securelist·2017-06-19
Authors: Vladimir Kuskov, Mikhail Kuzin, Yaroslav Shmelev, Denis Makrushin, Igor Grachev
## Analysis of data harvested by Kaspersky Lab’s IoT honeytraps
There were a number of incidents in 2016 that triggered increased interest in the security of so-called IoT or ‘smart’ devices. They included, among others, the record-breaking DDoS attacks against the French hosting provider OVH and the US DNS provider Dyn. These attacks are known to have been launched with the help of a mas
arXiv
HADES-IoT: A Practical Host-Based Anomaly Detection System for IoT Devices (Extended Version)
arxiv_fulltext·2019-05-03
Authors:
- Dominik Breitenbacher, Singapore University of Technology and Design
- Ivan Homoliak, Singapore University of Technology and Design
- Yan Lin Aung, Singapore University of Technology and Design
- Nils Ole Tippenhauer (ORCID 0000-0001-8424-2602), CISPA Helmholtz Center for Information Security
- Yuval Elovici, Singapore University of Technology and Design
## Abstract
Internet of Things (IoT) devices have become ubiquitous and are spread across many application domains including the industry, transportation
References:
- http://packetstormsecurity.com/files/121551/Cisco-Linksys-E4200-Cross-Site-Scripting-Local-File-Inclusion.html
- http://www.exploit-db.com/exploits/25292
- http://www.securityfocus.com/bid/59710
- https://exchange.xforce.ibmcloud.com/vulnerabilities/84072