Bugtraq mailing list archives

Re: Linksys WRT54 GL - Session riding (CSRF)

From: Jan Heisterkamp <janheisterkamp () web de>
Date: Mon, 07 Jan 2008 13:19:13 -0600

Hi Tomaz,

this is not correct, you will be warned that "There is a problem withthis website's security certificate." IE7, you will receive a similarwarning with Mozilla 2.0.0.11.The Router/ Firewall remains running and stable until you don't acceptthe certificate.

If the administrator of Linksys WRT54GL is logged into the device and opens a malicious website or email with the same 
browser, he is subject to attacks.


He should be fired...

Imagine the worst case, where the administrator is constantly logged into his firewall appliance because he needs to 
configure changes throughout


He should be fired too...

Regards,
Jan

tomaz.bratusa () teamintell com wrote:

====================================================================================

Team Intell Security Advisory TISA2008-01

------------------------------------------------------------------------------------

Linksys WRT54 GL - Session riding (CSRF)

====================================================================================





Release date:    07.01.2008

Severity:        High

Remote-Exploit:  yes

Impact:          Session riding

Status:          Official patch not available

Software: Linksys WRT54 GL

Tested on:       firmware version 4.30.9

Vendor:          http://www.linksys.com/

Vendor-Status:   informed on 14.08.2007

Disclosed by: Tomaz Bratusa (Team Intell)[TISA-2008-01]





Introduction

============



The Linksys Wireless-G Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which 
lets you connect both screaming fast Wireless-G (802.11g at 54Mbps) and Wireless-B (802.11b at 11Mbps) devices to the network. 
There's also a built-in 4-port full-duplex 10/100 Switch to connect your wired-Ethernet devices together. Connect four PCs 
directly, or attach more hubs and switches to create as big a network as you need. Finally, the Router function ties it all 
together and lets your whole network share a high-speed cable or DSL Internet connection.





Security Risk

=============

Linksys WRT54GL is prone to an authentication-bypass vulnerability. Reportedly, the device permits changes in its 
configuration settings without requring authentication (CSRF).







Technical Description

=====================

Linksys WRT54GL is prone to an authentication-bypass vulnerability. The problem presents itself when a victim user 
visits a specially crafted web page on an attacker-controlled site. An attacker can exploit this vulnerability to 
bypass authentication and modify the configuration settings of the device.



If the administrator of Linksys WRT54GL is logged into the device and opens a malicious website or email with the same 
browser, he is subject to attacks.

Imagine the worst case, where the administrator is constantly logged into his firewall appliance because he needs to 
configure changes throughout

the day. A malicious link executing unnoticed by the administrator may open the firewall.



This issue is reported to affect firmware version 4.30.9; other firmware versions may also be affected.





PoC

===

https://192.168.1.1/apply.cgi?submit_button=Firewall&change_action=&action=Apply&block_wan=1&block_loopback=0&multicast_pass=0&ident_pass=0&block_cookie=0&block_java=0&block_proxy=0&block_activex=0&filter=off&_block_wan=1&_block_multicast=0&_ident_pass=1



Folowing the previous link will disable the firewall on 192.168.1.1 on your LAN.

Workaround:

============

1.No official patch yet.



2.Do not surf the web when you are configuring your router.





References:

-------------------------------------------------

http://en.wikipedia.org/wiki/Cross-site_request_forgery



History/Timeline

================

14.08.2007 discovery of the vulnerability

14.08.2007 contacted the vendor

14.08.2008 Response from Cisco - They are working on it

22.10.2007 Request for status

30.10.2007 Response from Cisco - They will include the patch in the next firmware upgrade

07.01.2008 advisory is written

07.01.2008 Vulnerability is made public



---------

Contact:

---------



Maldin d.o.o.

Trzaska cesta 2

1000 Ljubljana - SI



tel: +386 (0)590 70 170

fax: +386 (0)590 70 177

gsm: +386 (0)31 816 400

web: www.teamintell.com

www.varnostne-novice.com

e-mail: info(at)teamintell.com





------------

Disclaimer:

------------



The content of this report is purely informational and meant for educational purposes only. Maldin d.o.o. shall in no event 
be liable for any damage whatsoever, direct or implied, arising from use or spread of this information. Any use of 
information in this advisory is entirely at user's own risk.



--
Grupo Ampersand S.A.
IT-Security Consultants & Auditors
Apdo. 924  Escazu 1250
Costa Rica C.A.
Phone: (506)588-0432
ceo_at_ampersanded.com  [corp.]
janheisterkamp_at_web.de [priv.]

Current thread:

Linksys WRT54 GL - Session riding (CSRF) tomaz . bratusa (Jan 07)
- Re: Linksys WRT54 GL - Session riding (CSRF) Jan Heisterkamp (Jan 07)
- Re: Linksys WRT54 GL - Session riding (CSRF) Jan Heisterkamp (Jan 07)
- Re: Linksys WRT54 GL - Session riding (CSRF) Florian Weimer (Jan 11)
  - RE: Linksys WRT54 GL - Session riding (CSRF) Tomaz (Jan 14)
    - Re: Linksys WRT54 GL - Session riding (CSRF) J. Oquendo (Jan 14)
    - Re: Linksys WRT54 GL - Session riding (CSRF) Jan Heisterkamp (Jan 15)
    - Re: Linksys WRT54 GL - Session riding (CSRF) Valdis . Kletnieks (Jan 15)
- <Possible follow-ups>
- Re: Linksys WRT54 GL - Session riding (CSRF) Daniel Weber (Jan 15)