SecurityTracker.com
SecurityTracker
Archives
Category:   Device (Router/Bridge/Hub)  >   Linksys Router
Vendors:   Linksys
Linksys WRT54g Router Lets Remote Users Modify the Configuration
SecurityTracker Alert ID:  1016638
SecurityTracker URL:  http://securitytracker.com/id/1016638
CVE Reference:   CVE-2006-5202   (Links to External Site)
Updated:  Jun 8 2008
Original Entry Date:  Aug 4 2006
Impact:   Modification of system information
Exploit Included:  Yes
Version(s): model WRT54g; firmware 1.00.9
Description:   A vulnerability was reported in the Linksys WRT54g router. A remote user can modify the configuration.

The 'Security.tri' script does not require authentication for HTTP POST requests. A remote user can submit a specially crafted request to modify the configuration on the target device.

A demonstration exploit curl command to disable wireless security on the device is provided:

curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri

The vendor was notified on June 24, 2006.

Ginsu Rabbit reported this vulnerability.

Impact:   A remote user can modify the configuration.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.linksys.com/ (Links to External Site)
Cause:   Access control error

Message History:   None.


Source Message Contents

Subject:  [Full-disclosure] linksys WRT54g authentication bypass

I'm having some trouble believing this hasn't been reported before.  If you 
have a linksys router handy, please check to see whether it is vulnerable to 
this attack.  It's possible that all of the linksys router web UIs have the 
same bug.  Hopefully the problem is isolated to one particular model or 
firmware revision.

I. DESCRIPTION

Tested product: Linksys WRT54g home router, firmware revision 1.00.9.

Problem #1: No password validation for configuration settings.

The WRT54g does not attempt to verify a username and password when 
configuration settings are being changed.  If you wish to read configuration 
settings, you must provide the administrator ID and password via HTTP basic 
authentication.  No similar check is done for configuration changes.

This request results in a user-id and password prompt:
GET /wireless.htm

This request disables wireless security on the router, with no password 
prompt:
POST /Security.tri
Content-Length: 24

SecurityMode=0&layout=en

Problem #2: Cross-site request forgery

The web administration console does not verify that the request to change 
the router configuration is being made with the consent of the 
administrator.  Any web site can force a browser to send a request to the 
linksys router, and the router will accept the request.


II. Exploitation

The combination of these two bugs means that any internet web site can 
change the configuration of your router.  Recently published techniques for 
port-scanning and web server fingerprinting via java and javascript make 
this even easier.  The attack scenario is as follows:

- intranet user visits a malicious web site
- malicious web site returns specially crafted HTML page
- intranet user's browser automatically sends a request to the router that 
enables the remote administration interface
- the owner of the malicious web site now has complete access to your router

I'm not going to share the "specially crafted HTML page" at this time, but 
it isn't all that special.


III. DETECTION

If your router is vulnerable, the following curl command will disable 
wireless security on your router.  Tests for other router models and 
firmware revisions may be different:

curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri


IV. MITIGATION

1) Make sure you've disabled the remote administration feature of your 
router.  If you have this "feature" enabled, anybody on the internet can 
take control of the router.

2) Change the IP address of the router to a random value, preferably in the 
range assigned to private networks.  For example, change the IP address to 
10.x.y.z, where x, y, and z are numbers between 0 and 255 inclusive.  This 
makes it more difficult for an attacker to forge the request necessary to 
change the router configuration.  This mitigation technique might not help 
much if you have a java-enabled browser, because of recently published 
techniques for determining gateway addresses via java applets.

3) Disable HTTP access to the administration interface of the router, 
allowing only HTTPS access.  Under most circumstances, this will cause the 
browser to show a certificate warning before the configuration is changed.

V. VENDOR NOTIFICATION

Linksys customer support was notified on June 24, 2006.
Full disclosure on August 4, 2006.

--
GR

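The two defects described in the advisory and in sections I and II of the source message (the admin password is checked only when configuration pages are read, and nothing verifies where a configuration change originates) can be modelled side by side with a handler that closes both. This is an added example, not the WRT54g firmware's code or the reporter's; the host, credentials and handler names are assumptions.

```python
import base64
from urllib.parse import parse_qsl, urlsplit
# Constructed model of the reported behaviour: the vulnerable handler checks
# HTTP basic auth only when serving configuration pages, never on the POST to
# Security.tri that changes them. Not firmware code; values are placeholders.
ROUTER_HOST = "192.168.0.1"                  # host from the advisory's curl test
ADMIN_CREDS = ("admin", "example-password")  # constructed placeholder

def basic_auth_header(user, password):
    """Build the Authorization header a browser resends after a basic-auth prompt."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}

def _basic_auth_ok(headers):
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(value[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return (user, pw) == ADMIN_CREDS

def _same_origin(headers):
    """CSRF check: the change must come from a page the router itself served.
    A browser on a third-party site sends that site's Origin/Referer (or none)."""
    source = headers.get("Origin") or headers.get("Referer", "")
    return urlsplit(source).netloc == ROUTER_HOST

def handle_vulnerable(method, path, headers, body, config):
    """Reported behaviour: GET needs the admin password, POST does not."""
    if method == "GET":
        return 200 if _basic_auth_ok(headers) else 401
    if method == "POST" and path == "/Security.tri":
        config.update(parse_qsl(body))  # SecurityMode=0 applied with no credentials
        return 200
    return 404

def handle_hardened(method, path, headers, body, config):
    """Every request is authenticated; configuration changes also pass the CSRF check."""
    if not _basic_auth_ok(headers):
        return 401
    if method == "GET":
        return 200
    if method == "POST" and path == "/Security.tri":
        if not _same_origin(headers):
            return 403  # cross-site request rejected even though the browser replayed the password
        config.update(parse_qsl(body))
        return 200
    return 404
```

The 403 branch is what the basic-auth check alone cannot provide: once the administrator has logged in, the browser replays the credentials on any request, including one forged by another site.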
Copyright 2020, SecurityGlobal.net LLC