Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:18817
HistoryJan 08, 2008 - 12:00 a.m.

Linksys WRT54 GL - Session riding (CSRF)

2008-01-0800:00:00
vulners.com
44

====================================================================================
Team Intell Security Advisory TISA2008-01

Linksys WRT54 GL - Session riding (CSRF)

Release date: 07.01.2008
Severity: High
Remote-Exploit: yes
Impact: Session riding
Status: Official patch not available
Software: Linksys WRT54 GL
Tested on: firmware version 4.30.9
Vendor: http://www.linksys.com/
Vendor-Status: informed on 14.08.2007
Disclosed by: Tomaz Bratusa (Team Intell)[TISA-2008-01]

Introduction

The Linksys Wireless-G Broadband Router is really three devices in one box. First, there's the Wireless
Access Point, which lets you connect both screaming fast Wireless-G (802.11g at 54Mbps) and Wireless-B
(802.11b at 11Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to
connect your wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches
to create as big a network as you need. Finally, the Router function ties it all together and lets your
whole network share a high-speed cable or DSL Internet connection.

Security Risk

Linksys WRT54GL is prone to an authentication-bypass vulnerability. Reportedly, the device permits
changes in its configuration settings without requring authentication (CSRF).

Technical Description

Linksys WRT54GL is prone to an authentication-bypass vulnerability. The problem presents itself when a
victim user visits a specially crafted web page on an attacker-controlled site. An attacker can exploit
this vulnerability to bypass authentication and modify the configuration settings of the device.

If the administrator of Linksys WRT54GL is logged into the device and opens a malicious website or email
with the same browser, he is subject to attacks.
Imagine the worst case, where the administrator is constantly logged into his firewall appliance because
he needs to configure changes throughout
the day. A malicious link executing unnoticed by the administrator may open the firewall.

This issue is reported to affect firmware version 4.30.9; other firmware versions may also be affected.

PoC

https://192.168.1.1/apply.cgi?submit_button=Firewall&change_action=&action=Apply&block_wan=1&block_loopback=0&multicast_pass=0&ident_pass=0&block_cookie=0&block_java=0&block_proxy=0&block_activex=0&filter=off&_block_wan=1&_block_multicast=0&_ident_pass=1

Folowing the previous link will disable the firewall on 192.168.1.1 on your LAN.

Workaround:

1.No official patch yet.

2.Do not surf the web when you are configuring your router.

References:

http://en.wikipedia.org/wiki/Cross-site_request_forgery

History/Timeline

14.08.2007 discovery of the vulnerability
14.08.2007 contacted the vendor
14.08.2008 Response from Cisco - They are working on it
22.10.2007 Request for status
30.10.2007 Response from Cisco - They will include the patch in the next firmware upgrade
07.01.2008 advisory is written
07.01.2008 Vulnerability is made public


Contact:

Maldin d.o.o.
Trzaska cesta 2
1000 Ljubljana - SI

tel: +386 (0)590 70 170
fax: +386 (0)590 70 177
gsm: +386 (0)31 816 400
web: www.teamintell.com
www.varnostne-novice.com
e-mail: info(at)teamintell.com


Disclaimer:

The content of this report is purely informational and meant for educational purposes only. Maldin d.o.o.
shall in no event be liable for any damage whatsoever, direct or implied, arising from use or spread of
this information. Any use of information in this advisory is entirely at user's own risk.