Full Disclosure mailing list archives
Re: Remote Command Execution on Cisco WAG120N
From: andfarm <andfarm () gmail com>
Date: Tue, 27 Nov 2012 09:33:31 -0800
On 2012-11-22, at 07:08, Gary Driggs <gdriggs () pdx edu> wrote:
> How is this a vulnerability if it's behind an authentication wall? I've seen several SOHO routers and APs that include some kind of "hidden" web page that allows one to tweak settings. How does this differ & how is it remotely exploitable without authentication?
Through cross-site request forgery. Consider the following on a publicly accessible web site:

    <form action="http://192.168.0.1/admin.cgi" method="post">
    ...
    </form>
    <script>document.forms[0].submit();</script>

(If the form is accessible via GET, the attack becomes even easier, as an attacker can cause the form to be "submitted" without the involvement of a script -- by using an <img> tag, for example.)

If the user already has a valid session on the router, the request will typically go through, unless the router firmware supports some form of XSRF protection. (Most do not.)

If no session is active, but the router uses HTTP authentication, the browser will simply pop up an HTTP authentication dialog, and many users will simply submit the authentication form without realizing what it is that they're authorizing. (It doesn't help that some browsers may even autofill the username and/or password on this dialog!)

For routers that make use of non-HTTP login sessions, but which do not use XSRF protection, and which have default passwords, it may additionally be possible to "prime" the main attack with an XSRF submission to the login form. There are ways to ensure that you get the timing of the two submissions right, but I'll leave them to the reader's imagination. :)
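A server-side check that refuses the forged submissions described in the message above, as an added example that is not part of the original post or of any router firmware. The function names, the `csrf_token` form field, the per-boot secret and the allowed origin `http://192.168.0.1` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed for illustration: the admin UI's own origin and a per-boot secret.
ALLOWED_ORIGINS = {"http://192.168.0.1"}
SERVER_SECRET = secrets.token_bytes(32)


def issue_token(session_id):
    """Token bound to a session id (or to a pre-login cookie, so the login
    form itself is covered and cannot be 'primed' from another site)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_request(method, headers, session_id, form):
    """Return (allowed, reason) for a state-changing request to admin.cgi."""
    # 1. Settings never change on GET, so an <img> tag cannot trigger them.
    if method.upper() != "POST":
        return False, "state change requires POST"
    # 2. If the browser sent Origin (or Referer), it must name the admin UI.
    source = headers.get("Origin") or headers.get("Referer", "")
    if source:
        origin = "/".join(source.split("/", 3)[:3])  # scheme://host[:port]
        if origin not in ALLOWED_ORIGINS:
            return False, "cross-origin request"
    # 3. The form must carry the token issued for this session. A page on
    #    another site can submit the form but cannot read the token.
    supplied = form.get("csrf_token", "").encode()
    expected = issue_token(session_id).encode()
    if not hmac.compare_digest(supplied, expected):
        return False, "missing or wrong CSRF token"
    return True, "ok"


if __name__ == "__main__":
    sid = "constructed-session-id"  # constructed sample value
    good = {"csrf_token": issue_token(sid)}
    # Legitimate submission from the router's own page.
    print(check_request("POST", {"Origin": "http://192.168.0.1"}, sid, good))
    # Auto-submitted form hosted on another site: valid session, no token.
    print(check_request("POST", {"Origin": "http://attacker.example"}, sid, {}))
    # GET-based variant (e.g. an <img> tag).
    print(check_request("GET", {}, sid, {}))
```

The token check is what stops the request when a valid session or cached HTTP authentication already exists; the Origin check alone is not sufficient because some clients omit both headers.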