Cisco routers with the HTTP administration interface enabled are vulnerable to an CSRF (Cross-Site Request Forgery) vulnerability that can yield remote command execution with level 15 privileges.
An attacker can execute ANY command on the router with level 15 (root, same as enable) privileges (usually level 15 user by default) by getting a target user (administrator or etc) to view a web page that has the exploit embedded. The exploits can be modified to, on loading of the page with the exploits embedded, to execute both exec and configure commands on the Cisco router. These exploits have been tested on a Cisco 871 router running IOS 12.4 but are assumed to work universally on any router configured to use the HTTP interface.
These exploits have been tested in the following situations:
- Tab of Router HTTP Administration Interface is open somewhere on the browser.
- The session is still active @ Router HTTP Admin Interface.
- The browser used has the credentials saved (No prompts /w Safari).
- Nearly any situation where the target visits the page (But if not 1, 2, or 3 a prompt will usually pop up asking for credentials)