DD-WRT v24-sp1: CSRF Example (Bugtraq ID: 35742 )

[carlos_perez at darkoperator.com (Carlos Perez)]

Only thing I can say You ROCK!!!!!' dude

Sent from my iPhone

On Jul 25, 2009, at 5:35 PM, Adrian Crenshaw <irongeek at irongeek.com>  
wrote:

> I heard Carlos talk about it, so I started to work on a writeup,  
> which I'll post to my site shortly. Carlos, thanks for the idea.
>
>         I was interested in giving a reall  world example of a CSRF  
> attack, similar to the ones I mentioned in my OWASP Top 5 video, and  
> maybe use it against a piece of internal equipment that is behind a  
> NAT box. Then I heard about Carlos Perez write-up on using  
> Metasploit against a vulnerability in the DD-WRT v24-sp1 firmware. I  
> thought this would be a great way to demo the concept of using CSRF/ 
> XSS against hardware behind a NAT, especially since I've done a  
> video on installing DD-WRT before. Some people thing it's not a big  
> deal since the attack request has to come from an internal source,  
> but they don't think about the fact that CSRF can make the attack  
> come from an internal source. Granted, this may not be considered a  
> true CSRF from the stand point that you don't have to have  
> authenticated against your DD-WRT v24-sp1 router, but it works much  
> the same way. Carlos' demo shows using Metasplot to open a shell on  
> the router, then do some other messing around, I'll just show how  
> this vulnerability could be used to reboot the router just using  
> html (there are far more deviant things you could do). For the most  
> part this attack essentially amounts to pointing the browser at http://ip-of-router/cgi-bin/;some-command 
>  . Since the default IP for most home NAT routers is 192.168.1.1,  
> this is a pretty easy attack that could be pulled off against people  
> who browse a page that the attacker controls.  The attacker would  
> not have to explicitly have the victim go to http://ip-of-router/cgi-bin/;some-command 
>  to pull off the attack, there are plenty of ways to make a browser  
> automatically make the reques, for example:
>
> IMG get:
> <img src="http://192.168.1.1/cgi-bin/;reboot";>
>
> Post method:
> <form name="csrfform" method="post" action="http://192.168.1.1/cgi-bin/;reboot 
> "> <input type='hidden' name='input_from_form' value="Test of of  
> auto submitted form."> </form> <script> document.csrfform.submit() </ 
> script> ?
>
> IFRAME Get:
> <iframe src="http://192.168.1.1/cgi-bin/;reboot"; style="width:0px;  
> height:0px; border: 0px"></iframe>
>
> If you would like to test this code against your DD-WRT v24-sp1  
> click the link below:
>         DD-WRT test page, only click if you want your router to reboot
>
> For information on the fix:
>         http://www.dd-wrt.com
>
> Guess its time to patch.
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090725/ca463c46/attachment.htm