Linksys WRT54g Authentication Bypass
Building on the technique for probing internal networks, Ginsu Rabbit has just come up with a new technique that bypasses authentication on Linksys routers by using cross-site request forgeries against their internal interfaces. Pretty clever, and exactly the problem that security experts are now up against. A single request can completely turn off your home security. That’s bad!
Of course this also relies on the fact that the router has some pretty atrocious security anyway, allowing a user to change settings without being properly authenticated. This is probably the first of many vulnerabilities over the next few months showing why intranet security is now heavily at risk because of this cross-domain issue. Expect more to follow. Patch up!
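The two failures described above are separable: the router accepts a settings change without checking who sent it, and the browser lets any web page send that request. As an added example, not code from the post or from Linksys firmware, here is a constructed model of how an embedded admin handler can refuse both, using a session check, an Origin/Referer allow-list and a session-bound CSRF token (the host list, secret and session table are assumptions):

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed model of a router admin handler (not Linksys code): the host
# list, the per-boot secret and the session table are assumptions.
ROUTER_HOSTS = {"192.168.1.1", "router.local"}
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {"s3ss10n": "admin"}  # session cookie -> logged-in administrator


def make_csrf_token(session_id):
    """Token derived from the session; a third-party page cannot compute it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers):
    """True only when Origin (or Referer as fallback) names the router itself."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False  # no source header: treat as cross-site and refuse
    return urlsplit(src).hostname in ROUTER_HOSTS


def handle_settings_change(method, headers, cookies, form):
    """Return (status, reason) for a request that tries to change a setting."""
    if method != "POST":
        return 405, "state changes require POST"  # a bare GET must never flip settings
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return 401, "not authenticated"  # the flaw described above: no check at all
    if not same_origin(headers):
        return 403, "cross-site request refused"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, make_csrf_token(sid)):
        return 403, "missing or invalid CSRF token"
    return 200, "settings updated"


def run_constructed_requests():
    """Three constructed requests: forged GET, forged POST riding a cookie, legitimate."""
    forged = handle_settings_change(
        "GET", {"Referer": "http://evil.example/page.html"}, {}, {"setting": "off"})
    forged_with_cookie = handle_settings_change(
        "POST", {"Referer": "http://evil.example/page.html"},
        {"session": "s3ss10n"}, {"setting": "off"})
    legit = handle_settings_change(
        "POST", {"Origin": "http://192.168.1.1"}, {"session": "s3ss10n"},
        {"setting": "off", "csrf_token": make_csrf_token("s3ss10n")})
    return forged[0], forged_with_cookie[0], legit[0]
```

The second constructed request is the interesting one: it carries a valid session cookie, which is exactly what a browser attaches automatically, and is still refused because neither the source header nor the token belongs to the router.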

August 7th, 2006 at 4:35 pm
I was told that 1.00.6 is not vulnerable to this, but I cannot confirm this (1.00.9 is what the article talks about). Odd if they managed to later implement a security flaw.
According to http://www.linksys.com/servlet/Satellite?blobcol=urldata&blobheadervalue2=inline%3B+filename%3Dwrt54gv5_ver%252C7.txt&blobkey=id&blobtable=MungoBlobs&blobwhere=1130830253752
They actually added security in 1.00.9:
Resolves issue with Access Restriction
Someone should make something I could boot up in VMware which could simulate various routers/access points. I suppose their firmware is too varied to have one simulator be able to simulate them all.
August 7th, 2006 at 5:04 pm
I wouldn’t make an assumption that companies don’t regress in security posture.
But yah, that doesn’t sound right to me either.
I’d love to see something like your router boot loader. Unfortunately I think the hardware on a lot of those is custom and it wouldn’t work. I know the companies have them though, because I’ve talked with some of the QA folks from Cisco about how they test the routers. But yah, it would be great to have, because there have been a half dozen times or so when I would have loved to have a few dozen routers to test various functions against.
I’m not even talking about XSS, but some of the TCP fingerprinting attacks would be interesting to try against some of the firewalls out there. I’ve been off and on interested in trying to confuse stateless routers by getting them to broadcast to their own subnets and by using something like idlescan calculating what is behind them. It’s a crazy idea, and probably won’t work, but without the lab, I can’t even toy with it and there’s no way I’m spending 10k on that setup just to have it fail.
August 8th, 2006 at 12:26 am
This is unf4cking believable, I have one of those at home :P
It seems that until now nobody researched these kinds of devices because they were not reachable from outside. But now, with the new XSS tricks, people will start auditing network devices also.
August 8th, 2006 at 2:20 am
Well, it shouldn’t be too hard to make yourself a bit more secure. Change the IP it works from (if you can); that’s some obscurity.
Setting your browser to use a proxy, even for the 192.168.x.x range will help against anything attacking you through your browser as your browser cannot access the router itself.
Of course praying for a firmware upgrade works too.
August 8th, 2006 at 10:37 am
You could always find an older copy of the firmware and see if you can pull off a rollback. Ahaha.
August 8th, 2006 at 11:45 am
Not a bad idea. Also a terrible idea. Alllll at the same time.
August 8th, 2006 at 5:54 pm
Consider using a third-party firmware like the popular DD-WRT (the exploit does not seem to work). It’s open source and allows you, among other things, to run the device in client mode (useful if you add an external antenna to it and connect to a Wireless Metropolitan Network) and adjust Transmit Power. Default is about 70mW and is enough for the whole neighborhood to get a signal. Put it down to 1-5mW and the signal will be very quiet outside your own house (security++).
Changing the IP won’t do any good (you should know better than this) as I’ve seen code in Java Applets that can discover your gateway and general network topology.
August 9th, 2006 at 2:09 am
I didn’t think that changing the IP would do much, but it’d be something very simple to implement and possibly ward off the simple attacks. Though I suppose that someone going to the trouble to use this flaw would also go to the trouble of making sure the attack will work.
In a way I feel depressed that I can’t find a flaw on my router. Though I will keep looking.