CVE-2013-3568
Published 2020-02-06
Priority P1 · 79 · high · 8.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 25.13% (97.7th percentile)
Cross-site request forgery (CSRF) vulnerability in Cisco Linksys WRT110 allows remote attackers to hijack the authentication of users for requests that have unspecified impact via unknown vectors.
Detection & IOCs
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Linksys WRT100/110 RCE Attempt (CVE-2013-3568)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ping.cgi"; startswith; endswith; http.request_body; content:"pingstr="; startswith; fast_pattern; content:"|3b|"; within:25; reference:cve,2013-3568; reference:url,www.exploit-db.com/exploits/28484; classtype:attempted-user; sid:2027097; rev:6; metadata:attack_target IoT, created_at 2019_03_19, cve CVE_2013_3568, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2024_04_13;)
- Detect exploitation attempts by matching HTTP POST requests to /ping.cgi with a body starting with 'pingstr=' followed by a semicolon (0x3b) within 25 bytes; the semicolon is the shell command injection separator injected via the ping field.
- Check for HTTP GET requests to /HNAP1/ as a fingerprinting/check step used by the exploit to confirm the target is a vulnerable WRT110 device before launching the attack.
- The exploit targets Linux MIPS little-endian (mipsel) architecture; payloads delivered will be MIPS LE ELF binaries staged via an echo command stager over the ping CGI injection point.
- The exploit authenticates using HTTP Basic Auth with default credentials (admin:admin) before injecting commands; alert on Basic Auth attempts to router management interfaces from external networks.
- The Snort/Suricata rule (ET sid:2027097) targets traffic flowing from EXTERNAL_NET to HOME_NET; ensure your network zone variables ($HOME_NET) correctly include the router's management IP, otherwise the rule will not fire on internal-only deployments.
- The CVE is described as a CSRF vulnerability in NVD, but the exploit abuses a command injection in the ping CGI endpoint; detection should cover both the CSRF vector (forged authenticated requests) and direct authenticated command injection via /ping.cgi.
- The exploit module also covers the WRT100 model in addition to WRT110; detection rules and asset inventories should include both device models.
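The rule's match conditions and the $HOME_NET caveat above, re-expressed as an added Python example (not part of the original page or the ET ruleset) so the logic can be checked against parsed proxy or IDS HTTP records. The HOME_NET range, the assumption that EXTERNAL_NET means "not HOME_NET", and the sample requests are constructed for illustration.

```python
import ipaddress

# Assumed zone definition (constructed): stand-in for $HOME_NET.
# $EXTERNAL_NET is assumed to be everything outside HOME_NET.
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]

PREFIX = b"pingstr="   # content:"pingstr="; startswith;
WITHIN = 25            # content:"|3b|"; within:25;


def in_home_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def content_matches(method, uri, body):
    """Content conditions of sid:2027097, ignoring traffic direction."""
    if method != "POST":
        return False
    # http.uri with startswith + endswith: the whole buffer must be /ping.cgi
    if uri != "/ping.cgi":
        return False
    if not body.startswith(PREFIX):
        return False
    # within:25 is relative to the end of the previous match ("pingstr=")
    window = body[len(PREFIX):len(PREFIX) + WITHIN]
    return b";" in window


def rule_fires(src, dst, method, uri, body):
    """Full rule: $EXTERNAL_NET -> $HOME_NET plus the content conditions."""
    direction_ok = (not in_home_net(src)) and in_home_net(dst)
    return direction_ok and content_matches(method, uri, body)


# Constructed sample records: (src, dst, method, uri, body)
SAMPLES = [
    ("203.0.113.7", "192.168.1.1", "POST", "/ping.cgi", b"pingstr=192.168.1.1;<cmd>"),
    ("203.0.113.7", "192.168.1.1", "POST", "/ping.cgi", b"pingstr=192.168.1.10"),
    ("192.168.1.50", "192.168.1.1", "POST", "/ping.cgi", b"pingstr=192.168.1.1;<cmd>"),
    ("203.0.113.7", "192.168.1.1", "GET", "/HNAP1/", b""),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s[0], s[2], s[3], "content:", content_matches(*s[2:]), "rule:", rule_fires(*s))
```

The third sample matches on content but does not fire the rule because both endpoints are inside HOME_NET, which is the internal-only blind spot the note above describes.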
CVSS provenance
nvd · v3.1 · 8.8 · HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.8 · MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck · 8.8 · HIGH
GHSA
CVE-2013-3568 [MEDIUM] GHSA-6349-5866-q3ff: Cross-site request forgery (CSRF) vulnerability in Cisco Linksys WRT110 allows remote attackers to hijack the authentication of users for requests that have unspecified impact via unknown vectors.
ghsa_unreviewed · 2022-05-05
VulnCheck
CVE-2013-3568 [HIGH] Cisco linksys_wrt110_firmware Cross-Site Request Forgery (CSRF)
vulncheck · 2013 · CVSS 8.8
Cross-site request forgery (CSRF) vulnerability in Cisco Linksys WRT110 allows remote attackers to hijack the authentication of users for requests that have unspecified impact via unknown vectors.
Affected: Cisco linksys_wrt110_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://web.archive.org/web/20200319160240/https://labs.bitdefender.com/2020/01/hold-my-beer-mirai-spinoff-named-liquorbot-incorporates-cryptomining/; https://www.researchgate.net/publication/348602660_An_analysis_of_the_use_of_CVEs_by_IoT_malware
Suricata
CVE-2013-3568 [HIGH] ET EXPLOIT Possible Linksys WRT100/110 RCE Attempt (CVE-2013-3568)
suricata · 2019-03-19 · CVSS 8.8
Exploit-DB
CVE-2013-3568 Linksys WRT110 - Remote Command Execution (Metasploit)
exploitdb · 2013-09-23
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'Linksys WRT110 Remote Command Execution',
'Description' => %q{
The Linksys WRT110 consumer router is vulnerable to a command injection
exploit in the ping field of the web interface.
},
'Author' =>
[
'Craig Young', # Vulnerability discovery
'joev ', # msf module
'juan vazquez' # module help + echo cmd stager
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-3568'],
['BID', '61151'],
['URL', 'http://seclists.org/bugtraq/2013/Jul/78']
],
'DisclosureD
Metasploit
Linksys Devices pingstr Remote Command Injection
metasploit
The Linksys WRT100 and WRT110 consumer routers are vulnerable to a command injection exploit in the ping field of the web interface.