lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 4 Aug 2006 13:35:56 -0700
From: "Shawn Merdinger" <shawnmer@...il.com>
To: "Ginsu Rabbit" <ginsurabbit@...mail.com>, full-disclosure@...ts.grok.org.uk
Cc: 
Subject: Re: linksys WRT54g authentication bypass

Nice find.  But probably not a big deal since these are just home-use
routers, right?

Well, maybe not.

1.  Sandia nuclear plant scada network recommended gear doc (October, 2005):
http://www.sandia.gov/scada/documents/NSTB_NSIT_V1_2.pdf

You'll see when you read the doc that the crux of the testing was to
get the SCADA protocols through a couple of PIXs...that didn't work
b/c of NAT problems, so they threw in a couple Linksys routers to
handle the NAT.  OK, so a PIX and Linksys scada deployment is bad,
right?  Well it gets worse.  Look on page 6 of the PDF and you'll see
this:

"The Pix firewalls were upgraded to the latest PixOS (6.3). They were
not identical in that one had a crypto card and license while the
other was in a stock configuration. The two Linksys firewalls were a
BEFVP41 v1 with firmware version 1.41.1 and a BEFVP41 v2 with firmware
version 1.01.04."

Both of those versions of Linksys router software had known, published
vulnerabilities at the time this document was published.

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2002-0426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2002-1312

2.  EPA Water and Wastewater Security Product Guide located at
http://cfpub.epa.gov/safewater/watersecurity/guide/productguide.cfm?page=wirelessdatacommunications

This EPA "Water and Wastewater Security Product Guide" has a picture
of a Linksys WRT54G AP on the page.  The network diagram illustrates
the Linksys AP connected directly into the SCADA management network.
At the bottom of the page you'll see the following statement:

"Cost
The cost of a wireless LAN using 802.11 can be under $50 each for a
WAP and a wireless card. A small system can be securely set up in a
few hours by a knowledgeable computer technician."

Gee, didn't the EPA get GAO's "A+" rating in the CyberSecurity Report
Card?  Perhaps they got the "A+" because they simply have a product
security guide webpage?

3. California Energy Commission report "Focus II Monitoring Final
Report" mentions a Linksys router used in monitoring operations – see
appendix, page E-3.
http://www.energy.ca.gov/2005publications/CEC-500-2005-009/CEC-500-05-009.PDF

There's plenty more...left as an exercise to the reader.

Btw, can anyone here find on Linksys.com a list of product vulns and fixes?

Thanks,
--scm

On 8/4/06, Ginsu Rabbit <ginsurabbit@...mail.com> wrote:
> I'm having some trouble believing this hasn't been reported before.  If you
> have a linksys router handy, please check to see whether it is vulnerable to
> this attack.  It's possible that all of the linksys router web UIs have the
> same bug.  Hopefully the problem is isolated to one particular model or
> firmware revision.
>
> I. DESCRIPTION
>
> Tested product: Linksys WRT54g home router, firmware revision 1.00.9.
>
> Problem #1: No password validation for configuration settings.
>
> The WRT54g does not attempt to verify a username and password when
> configuration settings are being changed.  If you wish to read configuration
> settings, you must provide the administrator ID and password via HTTP basic
> authentication.  No similar check is done for configuration changes.
>
> This request results in a user-id and password prompt:
> GET /wireless.htm
>
> This request disables wireless security on the router, with no password
> prompt:
> POST /Security.tri
> Content-Length: 24
>
> SecurityMode=0&layout=en
>
> Problem #2: Cross-site request forgery
>
> The web administration console does not verify that the request to change
> the router configuration is being made with the consent of the
> administrator.  Any web site can force a browser to send a request to the
> linksys router, and the router will accept the request.
>
>
> II. Exploitation
>
> The combination of these two bugs means that any internet web site can
> change the configuration of your router.  Recently published techniques for
> port-scanning and web server finger printing via java and javascript make
> this even easier.  The attack scenario is as follows:
>
> - intranet user visits a malicious web site
> - malicious web site returns specially crafted HTML page
> - intranet user's browser automatically sends a request to the router that
> enables the remote administration interface
> - the owner of the malicious web site now has complete access to your router
>
> I'm not going to share the "specially crafted HTML page" at this time, but
> it isn't all that special.
>
>
> III. DETECTION
>
> If your router is vulnerable, the following curl command will disable
> wireless security on your router.  Tests for other router models and
> firmware revisions may be different:
>
> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri
>
>
> IV. MITIGATION
>
> 1) Make sure you've disabled the remote administration feature of your
> router.  If you have this "feature" enabled, anybody on the internet can
> take control of the router.
>
> 2) Change the IP address of the router to a random value, preferably in the
> range assigned to private networks.  For example, change the IP address to
> 10.x.y.z, where x, y, and z are numbers between 0 and 255 inclusive.  This
> makes it more difficult for an attacker to forge the request necessary to
> change the router configuration.  This mitigation technique might not help
> much if you have a java-enabled browser, because of recently published
> techniques for determining gateway addresses via java applets.
>
> 3) Disable HTTP access to the administration interface of the router,
> allowing only HTTPS access.  Under most circumstances, this will cause the
> browser to show a certificate warning before the configuration is changed.
>
> V. VENDOR NOTIFICATION
>
> Linksys customer support was notified on June 24, 2006.
> Full disclosure on August 4, 2006.
>
> --
> GR
>
> _________________________________________________________________
> Is your PC infected? Get a FREE online computer virus scan from McAfee(r)
> Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists