Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Network Appliances :: tb12443.htm

Buffalo AirStation WHR-G54S CSRF vulnerability



Buffalo AirStation WHR-G54S CSRF vulnerability
Buffalo AirStation WHR-G54S CSRF vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                          Louhi Networks Oy
                       -= Security Advisory =-


      Advisory: Buffalo AirStation WHR-G54S Web Management CSRF
                vulnerability
  Release Date: 2007-09-07
 Last Modified: 2007-09-07
       Authors: Henri Lindberg, Associate of (ISC)=B2
                [henri d0t lindberg at louhi d0t fi]

   Application: Buffalo AirStation Web Management

       Devices: WHR-G54S Ver.1.20, possibly other Buffalo products
      Severity: Cross site request forgery in management interface
          Risk: Moderate
 Vendor Status: No response from vendor.
References: http://www.louhi.fi/advisory/buffalo_070907.txt 


Overview:

    During cursory inspection of WHR-G54S it was discovered that a cross
    site request forgery vulnerability exists in the management
    interface. Thus, it is possible for an attacker to perform any
    administrative action in the management interface. These include
    e.g. changing administrative password or adding new firewall rules.


Details:

    Buffalo AirStation WHR-G54S Ver.1.20 device management interface
    does not validate the origin of an HTTP request. If attacker is able
    to make user visit a hostile web page, a  device can be controlled
    by submitting suitable forms. It is possible to add new users for
    example.

    Successful attack requires that the attacker knows the management
    interface address for the target device. As authentication is done
    using HTTP Basic authentication, exploiting this vulnerability
    requires more effort compared to forms authentication.


Proof of Concept:


  
    
action="http://192.168.11.1/cgi-bin/cgi?req=inp&res=ap.html "style="display:none">
Note: ropass value is reversed edit_ropass value.
action="http://192.168.11.1/cgi-bin/cgi?req=inp&res=filter_ip.html" style="display:none">
1.1.1.1 = attacker's IP address Workaround: Do not browse untrusted websites while using the management interface. Log out after administering the device. More information http://en.wikipedia.org/wiki/Cross-site_request_forgery Disclosure Timeline: XX July 2007 - Discovered the issue 15. August 2007 - Contacted Buffalo 17. August 2007 - Contacted Buffalo again. 7. September 2007 - No response from Vendor. 7. September 2007 - Advisory released Copyright 2007 Louhi Networks Oy. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) iEYEAREIAAYFAkbhNJIACgkQ3TZNEGeZkm50SACcCHiOtcfCycfYcxr3lsQPh/J3 Aa8AoKVr6BmKMamG3a7mQCAvO0FV+6y6 =+E8f -----END PGP SIGNATURE-----


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH