BugTraq

Linksys WRT54 GL - Session riding (CSRF)  Jan 07 2008 09:40AM  tomaz bratusa teamintell com  (3 replies)
Re: Linksys WRT54 GL - Session riding (CSRF)  Jan 11 2008 10:54AM  Florian Weimer (fw deneb enyo de)  (1 replies)
RE: Linksys WRT54 GL - Session riding (CSRF)  Jan 14 2008 07:20AM  Tomaz (tomaz bratusa teamintell com)  (2 replies)
Re: Linksys WRT54 GL - Session riding (CSRF)  Jan 07 2008 07:42PM  Jan Heisterkamp (janheisterkamp web de)
Re: Linksys WRT54 GL - Session riding (CSRF)  Jan 07 2008 07:19PM  Jan Heisterkamp (janheisterkamp web de)

The catch is that this exploit doesn't work unnoticed, because the admin
gets a notification in the browser that an error has occurred with the
certificate ["Unable to verify the identity of Linksys as a trusted
site"] and he has to explicitly allow it. In other words, first he has to
allow himself to be attacked...
Jan
Tomaz schrieb:
> Ok, and what does it change...there are still the same vulnerabilities in
> their equipment. Should we stop checking and publishing them just because
> somebody informed the vendor 2 years ago?
>
> -----Original Message-----
> From: Florian Weimer [mailto:info (at) plot (dot) uz [email concealed]]
> Sent: 11. januar 2008 11:54
> To: tomaz.bratusa (at) teamintell (dot) com [email concealed]
> Cc: bugtraq (at) securityfocus (dot) com [email concealed]
> Subject: Re: Linksys WRT54 GL - Session riding (CSRF)
>
> * tomaz bratusa:
>
>> Linksys WRT54GL is prone to an authentication-bypass
>> vulnerability. Reportedly, the device permits changes in its
>> configuration settings without requiring authentication (CSRF).
>
> This specific attack scenario has been publicly documented for a long
> time (note the final paragraph):
>
> | Isn't your exploit somewhat complicated? Just put
> |
> | <img src="http://192.0.2.1/level/15/configure/-/enable/secret/mypassword"/>
> |
> | on a web page, and trick the victim to visit it while he or she is
> | logged into the Cisco router at 192.0.2.1 over HTTP. This has been
> | dubbed "Cross-Site Request Forgery" a couple of years ago, but the
> | authors of RFC 2109 were already aware of it in 1997. At that time,
> | browser-side countermeasures were proposed (such as users examining
> | the HTML source code *cough*), but current practice basically mandates
> | that browsers transmit authentication information when following
> | cross-site links.
> |
> | Such attacks are probably more problematic on low-end NAT routers
> | whose internal address defaults to 192.168.1.1 and which generally
> | offer HTTP access, which makes shotgun exploitation easier. So much
> | for the "put your Windows box behind a NAT router" advice you often
> | read.
>
> <http://article.gmane.org/gmane.comp.security.bugtraq/20579>
>
> Cisco PSIRT had been approached about this issue a couple of months
> before that BUGTRAQ posting, IIRC.
>
>
>
--
Grupo Ampersand S.A.
IT-Security Consultants & Auditors
Apdo. 924 Escazu 1250
Costa Rica C.A.
Phone: (506)588-0432
ceo_at_ampersanded.com [corp.]
janheisterkamp_at_web.de [priv.]
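As an added illustration (not code from this thread, from Linksys, or from any of the posters), here is the defender-side check that the discussion implies a router admin interface is missing: configuration changes are refused on GET (an <img src=...> can only issue GET), the Origin/Referer must name the router itself, and a per-session synchronizer token must be present. The router host 192.168.1.1, the server key and all request samples are constructed assumptions.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Constructed assumption: the admin interface is reached at this host.
ROUTER_HOST = "192.168.1.1"


def issue_csrf_token(session_id: str, server_key: bytes) -> str:
    """Synchronizer token bound to the login session: HMAC(server_key, session_id).
    Embedded as a hidden field in every admin form the router serves."""
    return hmac.new(server_key, session_id.encode(), hashlib.sha256).hexdigest()


def is_request_allowed(method, headers, form, session_id, server_key):
    """Decide whether a configuration-changing request may be honoured.

    Returns (allowed, reason). Headers and form are plain dicts, as a
    hypothetical router handler would receive them after parsing."""
    # 1. A state change must never ride on GET: an <img> tag, a link or a
    #    prefetch can only produce GET, so the img-tag attack dies here.
    if method.upper() != "POST":
        return False, "state change over GET"
    # 2. The browser names the page that produced the request. A page hosted
    #    anywhere except the router itself is a cross-site request.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "missing Origin/Referer"
    if urlsplit(source).hostname != ROUTER_HOST:
        return False, "cross-site source"
    # 3. The session cookie alone proves nothing (the browser attaches it to
    #    forged requests too); the token only exists in pages the router served.
    expected = issue_csrf_token(session_id, server_key)
    if not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return False, "bad csrf token"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-server-key"
    # Forged request from an <img> on a third-party page (constructed sample).
    print(is_request_allowed("GET", {"Referer": "http://attacker.example/"}, {}, "sess1", key))
    # Genuine submission of the router's own admin form (constructed sample).
    tok = issue_csrf_token("sess1", key)
    print(is_request_allowed("POST", {"Origin": "http://192.168.1.1"},
                             {"csrf_token": tok}, "sess1", key))
```

The Origin/Referer check and the token are independent layers: a forged POST from a third-party page that auto-submits a form fails on step 2, and one that somehow spoofs the source still fails on step 3.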