mailing list archives
Re: Remote Command Execution on Cisco WAG120N
From: andfarm <andfarm () gmail com>
Date: Tue, 27 Nov 2012 09:33:31 -0800
On 2012-11-22, at 07:08, Gary Driggs <gdriggs () pdx edu> wrote:
How is this a vulnerability if it's behind an authentication wall?
I've seen several SOHO routers and APs that include some kind of
"hidden" web page that allows one to tweak settings. How does this
differ & how is it remotely exploitable without authentication?
Through cross-site request forgery. Consider the following on a publicly accessible web site:
<form action="http://192.168.0.1/admin.cgi" method="post">
(If the form is accessible via GET, the attack becomes even easier, as an attacker can cause the form to be "submitted"
without the involvement of a script -- by using an <img> tag, for example.)
If the user already has a valid session on the router, the request will typically go through, unless the router
firmware supports some form of XSRF protection. (Most do not.)
If no session is active, but the router uses HTTP authentication, the browser will simply pop up an HTTP authentication
dialog, and many users will simply submit the authentication form without realizing what it is that they're
authorizing. (It doesn't help that some browsers may even autofill the username and/or password on this dialog!)
For routers that make use of non-HTTP login sessions, but which do not use XSRF protection, and which have default
passwords, it may additionally be possible to "prime" the main attack with an XSRF submission to the login form. There
are ways to ensure that you get the timing of the two submissions right, but I'll leave them to the reader's
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
Re: Remote Command Execution on Cisco WAG120N andfarm (Nov 27)