ChinkInArmour presented a script which could be used to manipulate the router in case the user leaves an authenticated browser session open.
The so-called "exploit" required that the user logs on to the router's webif via HTTP, not HTTPS, keeps the browser open and surfs to a website that includes malicious code.
Not all browser combos are affected by this as they protect users through the ABE mechanism.
There are several ways to use an open browser session to manipulate a router, e.g. by surfing to a site in another tab that includes malicious code in order to access the router's webif. Another way is that you leave your PC unattended while still having the browser open and some dude plays with it. Also possible: malicious software on a client computer that will use the browser's session and send commands to the browser while hiding a browser window.
In order to make such an attack more difficult, newer builds will now require a re-login for config changes after some inactivity.
To completely avoid such attacks you:
- access the webif either through HTTPS or an SSH tunnel
- or close the browser after you have configured the router
- run antivirus/firewall software on the client computer (that is used for configuring the router) that can detect message hooks to a browser
_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
Joined: 06 Jun 2006 Posts: 7492 Location: Dresden, Germany
Posted: Wed Mar 05, 2014 16:38 Post subject:
And this script must be run locally since cross-site attacks will not work in that way. The dd-wrt webserver does detect cross-site actions.
_________________
"So you tried to use the computer and it started smoking? Sounds like a Mac to me.." - Louis Rossmann https://www.youtube.com/watch?v=eL_5YDRWqGE&t=60s
The webserver only detects cross-site attacks by checking the Referer field. That's what the "norefere" and "about:blank" parts were all about. But hey, the devs said this isn't an issue.
As for the reason why I gave it the standard 192.168.1.1, it was a proof of concept, not the end all be all of exploitation.
If you want to keep beating a dead horse, feel free and keep posting here why my code was worthless. It really helps my self esteem.
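The two defences argued over in this thread, the Referer check that the webserver relies on and the re-login after inactivity that KONG says newer builds add, can be modelled in a few lines. The following is an added example written for this page, not DD-WRT code; the function and field names (`check_config_request`, `Session`, `INACTIVITY_LIMIT`, the 300-second limit) are assumptions, and the header and form values in the test are constructed. It shows why a check that only rejects a *foreign* Referer is weaker than one that also refuses requests carrying no Referer or Origin at all, and adds the per-session token and inactivity timeout a router webif would want alongside it.

```python
"""Added example (not DD-WRT code): a minimal model of three defences for a
router web interface's config-change handler:
  1. an Origin/Referer check that rejects requests with no Referer/Origin,
     instead of waiving them as a referer-only check does
  2. a per-session anti-CSRF token compared in constant time
  3. forced re-login after a period of inactivity (what KONG describes)
Names (check_config_request, Session, INACTIVITY_LIMIT) are assumptions for
this example.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Mapping

ROUTER_ORIGIN = "http://192.168.1.1"  # address used in the thread's proof of concept
INACTIVITY_LIMIT = 300                # seconds; assumed value, not DD-WRT's actual one


@dataclass
class Session:
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    last_activity: float = 0.0
    authenticated: bool = True


def referer_only_check(headers: Mapping[str, str]) -> bool:
    """Weak check: only a *foreign* Referer is rejected. A request that carries
    no Referer at all (about:blank, rel=noreferrer) is waved through."""
    ref = headers.get("Referer")
    if ref is None:
        return True
    return ref == ROUTER_ORIGIN or ref.startswith(ROUTER_ORIGIN + "/")


def origin_check(headers: Mapping[str, str]) -> bool:
    """Strict check: Origin (preferred) or Referer must be present *and* match
    the router's own origin; a request with neither header is refused."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == ROUTER_ORIGIN
    ref = headers.get("Referer")
    if ref is None:
        return False
    return ref == ROUTER_ORIGIN or ref.startswith(ROUTER_ORIGIN + "/")


def check_config_request(headers: Mapping[str, str], form: Mapping[str, str],
                         session: Session, now: float) -> str:
    """Decide whether a config-change request is honoured.
    Returns 'ok' or the reason it is refused."""
    if not session.authenticated:
        return "login required"
    if now - session.last_activity > INACTIVITY_LIMIT:
        # idle too long: drop the session so a re-login is needed
        session.authenticated = False
        return "login required"
    if not origin_check(headers):
        return "cross-site request rejected"
    token = form.get("csrf_token", "")
    # constant-time comparison so the token cannot be guessed byte by byte
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return "bad csrf token"
    session.last_activity = now
    return "ok"


if __name__ == "__main__":
    s = Session(last_activity=1000.0)
    same_origin = {"Origin": ROUTER_ORIGIN, "Referer": ROUTER_ORIGIN + "/apply.cgi"}
    print(check_config_request(same_origin, {"csrf_token": s.csrf_token}, s, 1010.0))
    print("referer-only check, no Referer header:", referer_only_check({}))
    print("origin check, no Referer header:", origin_check({}))
```

The contrast between `referer_only_check({})` and `origin_check({})` is the whole point of the "about:blank" argument above: a browser that sends no Referer passes the first and fails the second. The token check is what makes the decision independent of headers altogether, and the inactivity timeout limits how long an abandoned session stays useful.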
Joined: 06 Jun 2006 Posts: 7492 Location: Dresden, Germany
Posted: Fri Mar 14, 2014 10:01 Post subject: Re: On another note...
Newbrain wrote:
I'm currently more worried about GnuTLS...
/NewBrain
That's good. dd-wrt does not use GnuTLS in any way.
_________________
"So you tried to use the computer and it started smoking? Sounds like a Mac to me.." - Louis Rossmann https://www.youtube.com/watch?v=eL_5YDRWqGE&t=60s
Although the sample code given wasn't very sophisticated, it is still possible to improve it, and then it would cause trouble :-)