lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 10 Dec 2008 15:51:01 -0800
From: "David E. Thiel" <lx@...undancy.redundancy.org>
To: bugtraq@...urityfocus.com
Subject: Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)

On Wed, Dec 10, 2008 at 05:22:56AM -0700, s.gottschall@...wrt.com wrote:
> this is no security flaw since you must be already logged in
> within the webinterface of dd-wrt. otherwise this here will not
> work. we already fixed this issue in our sourcetree

It is a security flaw, you've neither fixed it nor understood it. The
whole point of CSRF is that it works by using the victim's active
session. An easy scenario in the case of DD-WRT is one where a victim
reads a malicious "HOWTO" site, which has step by step instructions on
how to say, boost signal strength. The user opens one tab to read the
howto, and another to log into the DD-WRT web interface. Javascript in a
tiny IFRAME on the malicious site performs repeated POSTs such as those
posted in the original advisory.

Your "fix" is simply checking the Referer header if it's present.
Referer is an optional header which is often omitted, either due to
firewalls/AV software removing it, or due to it being not sent by the
browser due to an HTTP/HTTPS site transition. 

http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.1.3

I suggest giving these a read:

http://en.wikipedia.org/wiki/Cross-site_request_forgery
https://www.isecpartners.com/files/CSRF_Paper.pdf

> as additional information. this is no dd-wrt specific issue. all
> other firmware like openwrt etc. would suffer from it too.

Even if this were true, that wouldn't make this less of a flaw.
Rooting your router through CSRF is pretty bad. Linksys has supposedly
fixed theirs, but I don't know how well. Other firmwares do have CSRF
problems, but they don't have the same entertainment value of DD-WRT's
httpd.c (I like line 963).

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ