Cisco RVS 4000 vulnerabilities
About Cisco router
Cisco RVS 4000 is a small business class security router which offers such features as: Firewall, IPS, VPN. The router can be managed via web management console.
The vulnerabilities were tested on firmware: V184.108.40.206 (newest available at the time).
Image from Cisco.com
- After you made a backup of the router (using built in web management) system creates a file named 'Routercfg.cfg'. The file can be accessed through web management without authentication. If web management is open to WAN, then the config can be accessed remotely from WAN (Internet). Routercfg.cfg is hosted on the router until next reboot.
The file has all router configuration in plain text (including web management passwords, VPN PSK keys, etc). Click image below for details.
- When you are logged in to the web administration, simple injection in the underlaying web application leads to OS root access.
Many characters lead to injection, including at least:
- `` (backquotes)
- %0a (newline)
OS exec as root can be performed in two places:
- ping functionality (admnistration tab)
- traceroute functionality (admnistration tab)
Vendor's reaction / issue history
- The research was performed in late 2010.
- 31.01.2011 - full disclosure sent to the vendor
- 03.02.2011 - PSIRT ID assigned
- 11.04.2011 – got info that all vulnerabilities were reproduced on a newest „test” firmware „V220.127.116.11”
- 25.05.2011 - Cisco public announcement
- 25.05.2011 – public disclosure
Research / contact
- We are performing research on web management interfaces on network appliances. If you want to help, feel free to contact as @ firstname.lastname@example.org
- All the information is provided for educational use only.
- We strongly discourage to use the information for cracking / illegal purposes.
- We are not responsible for damages made to your router - play with your router carefully.