Crafted web site switches off router firewall
Once again, a vulnerability in the popular Linksys WRT54GL router has demonstrated how session riding and cross-site request forgery (CSRF) work. An attacker can disable the firewall from outside with a single crafted link on a web site. Other changes to the configuration are equally possible.
For the attack to work, however, the owner of the router must be logged into its user interface and be visiting a manipulated web site at the same time. This is not an unusual situation, because users often search the internet for instructions on configuring certain parts of the device while they are logged into the router. If the site contains a link like this:
security has been blown (provided the standard IP address was retained).
The cause of the problem is implicit authentication by the cookie: the browser attaches it to every request sent to the router, regardless of which site triggered the request. According to the vulnerability report on the Bugtraq security mailing list, firmware version 4.30.9 is affected. The manufacturer was informed on 14 August 2007, but has no solution to the problem yet. Cisco, however, to which Linksys has belonged since 2003, is reported to be working on an update. Until then, users should follow the recommendation not to call up any other sites while configuring the router. Another recent example of session riding has been provided by Google mail.
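The server-side check whose absence makes implicit authentication exploitable, as an added example that is not code from the article, the vulnerability report or the Linksys firmware: a configuration change is accepted only if it arrives over a non-safe method, from the admin interface's own origin, and with a per-session token that a foreign site cannot read. The address `192.0.2.1`, the `firewall` and `csrf_token` field names and all requests are constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

ADMIN_ORIGIN = "http://192.0.2.1"  # constructed placeholder for the router's own address
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_session():
    """Create a login session that carries its own unpredictable CSRF token."""
    return {"id": secrets.token_hex(16), "csrf": secrets.token_urlsafe(32)}


def same_origin(headers):
    """True only if Origin (or, failing that, Referer) names the admin UI itself."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == ADMIN_ORIGIN


def check_config_change(method, headers, form, session):
    """Return (allowed, reason) for a request that would alter the configuration."""
    if session is None:
        return False, "not logged in"
    if method in SAFE_METHODS:
        return False, "state change over a safe method"
    if not same_origin(headers):
        return False, "cross-origin request"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


if __name__ == "__main__":
    session = new_session()
    # Constructed requests; in each one the browser has attached valid session credentials.
    samples = [
        ("GET", {"Referer": "http://example.org/howto.html"}, {"firewall": "off"}),
        ("POST", {"Origin": "http://example.org"}, {"firewall": "off"}),
        ("POST", {"Origin": ADMIN_ORIGIN}, {"firewall": "off"}),
        ("POST", {"Origin": ADMIN_ORIGIN}, {"firewall": "off", "csrf_token": session["csrf"]}),
    ]
    for method, headers, form in samples:
        print(method, headers, "->", check_config_change(method, headers, form, session))
```

Only the last sample is accepted; the first three carry the same valid login and are still refused, which is the property a cookie-only check lacks.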
The WRT54GL is the successor to the WRT54G and is based on Linux again. In the interim, the manufacturer had switched the WRT54G over to VxWorks as its operating system.
- Linksys WRT54 GL - Session riding (CSRF), vulnerability report by Tomaz Bratusa