The Linksys Wireless-G Broadband Router is "really three devices in one box. First, there's the Wireless Access Point, which lets you connect both screaming fast Wireless-G (802.11g at 54Mbps) and Wireless-B (802.11b at 11Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect your wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as you need. Finally, the Router function ties it all together and lets your whole network share a high-speed cable or DSL Internet connection".
Linksys WRT54GL is prone to an authentication-bypass vulnerability. Reportedly, the device permits changes in its configuration settings without requiring authentication (CSRF).
Credit:
The information has been provided by Tomaz Bratusa.
Linksys WRT54GL is prone to an authentication-bypass vulnerability. The problem presents itself when a victim user visits a specially crafted web page on an attacker-controlled site. An attacker can exploit this vulnerability to bypass authentication and modify the configuration settings of the device.
If the administrator of Linksys WRT54GL is logged into the device and opens a malicious website or email with the same browser, he is subject to attacks. Imagine the worst case, where the administrator is constantly logged into his firewall appliance because he needs to configure changes throughout the day. A malicious link executing unnoticed by the administrator may open the firewall.
This issue is reported to affect firmware version 4.30.9; other firmware versions may also be affected.
PoC
https://192.168.1.1/apply.cgi?submit_button=Firewall&change_action=&action=Apply& block_wan=1&block_loopback=0&multicast_pass=0&ident_pass=0&block_cookie=0& block_java=0&block_proxy=0&block_activex=0&filter=off&_block_wan=1& _block_multicast=0&_ident_pass=1
Following the previous link will disable the firewall on 192.168.1.1 on your LAN.
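The server-side checks that refuse a request like the PoC above, as an added example (not code from the advisory or from the Linksys firmware). `Session`, `check_state_change`, the `csrf_token` form field and the 600-second idle timeout are hypothetical names and values chosen for illustration; `host` is assumed to be the address the admin interface is served on.

```python
import hmac
import secrets
import time
from urllib.parse import urlsplit

IDLE_TIMEOUT = 600  # seconds; assumed value, the advisory gives none


class Session:
    """Hypothetical admin session: per-session CSRF token plus last-activity time."""

    def __init__(self, now=None):
        self.csrf_token = secrets.token_urlsafe(32)
        self.last_seen = time.time() if now is None else now


def check_state_change(method, host, headers, form, session, now=None):
    """Return (allowed, reason) for a request to a settings endpoint such as apply.cgi."""
    now = time.time() if now is None else now
    # 1. An admin login left open all day is the advisory's worst case: expire idle sessions.
    if session is None or now - session.last_seen > IDLE_TIMEOUT:
        return False, "session missing or expired"
    # 2. A settings change must not be reachable by following a plain link (GET).
    if method != "POST":
        return False, "state change requires POST"
    # 3. Origin (Referer as fallback) must name the device itself, not another site.
    source = headers.get("Origin") or headers.get("Referer")
    if not source or urlsplit(source).netloc != host:
        return False, "cross-site or missing Origin/Referer"
    # 4. The form must carry the session's secret token, which another site cannot read.
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return False, "bad CSRF token"
    session.last_seen = now
    return True, "ok"
```

The browser attaches the admin's credentials to a cross-site request automatically, so only checks 2 to 4 distinguish the administrator's own form submission from one triggered by another page.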
History/Timeline
14.08.2007 discovery of the vulnerability
14.08.2007 contacted the vendor
14.08.2008 Response from Cisco - They are working on it
22.10.2007 Request for status
30.10.2007 Response from Cisco - They will include the patch in the next firmware upgrade
07.01.2008 advisory is written
07.01.2008 Vulnerability is made public
Subject: fails on firmware 4.30.11
Date: 8 Jan. 2008
From: anonymous
tested poc on firmware 4.30.11 and test failed
Subject: csrf tech is possible on many sites, isn't it
Date: 8 Jan. 2008
From: ww0jeffgmail.com
An attacker can exploit any kind of request, such as appending a MAC filtering item to the list, disabling WEP auth and so on.
I was wondering why this (simple) csrf tech is treated as a (big) vulnerability.
You know, most requests we can imagine are possible to convert to a csrf call.
Up to now, all the websites are vulnerable to csrf, if they don't have a further auth mechanism like captcha or off line token.
What do you think? Is it a real valuable vulnerability?
Thanks.
Sorry for my bad English :-)
ww0jeff
Subject: Firmware update released Jan 10 by Linksys
Date: 24 Feb. 2008
From: Egeezer
Per Linksys web site - follow path >> Home/Technical Support/Choose A Product/Wireless Routers/WRT54GL/Downloads/Firmware/version info
Quote from version info text;
Linksys, A division of Cisco Systems, Inc.
Product: WRT54GL
Classification: Firmware Release History
Firmware Date: 12/20/2007
Release Date: 1/10/2008
Last Firmware Version: 4.30.12
__________________________________________________________________________
Firmware 4.30.12
- Resolves issue with saving DHCP settings when using PPTP as Internet connection type.
- Resolves security issues found by Tomaz Bratusa (Team Intell) related to session riding. Adds HTTP session timeout.
- Updated PPTP Internet connection functionality
- Resolves issue with setting management port when https is selected.