Written by Jeremiah Grossman
Saturday, 12 April 2008 20:01
http://192.168.1.254/xslt?PAGE=H04_POST&PASSWORD=admin&PASSWORD_CONF=admin
http://192.168.1.254/xslt?PAGE=A02_POST&PASSWORD=admin&THISPAGE=J38&NEXTPAGE=J38_SET&ADDR=127.0.0.1&NAME=ww.example.com
The first URL appears to set the user's password to “admin”, probably if none exists (I didn't double check). The second takes over a domain name by hard-coding in an arbitrary IP address. The attacker could easily put in a ton of these for the websites of banks, webmail, retailers, payment gateways, social networks, etc. and all your traffic would flow to them. Talk about owned. Pure CSRF, doesn't even require XSS or JavaScript malware.
This type of intranet CSRF hack is super easy to pull off since you only need to place specially-crafted URLs inside of an HTML image tag and post it to any public website. MySpace, webmail, blogs, message boards, etc. would all make great avenues for snaring the unsuspecting. Who knows where the victims in this case were originally exploited. The first person to notice only did so by using ping and spotting an odd IP address.
If we get a third event in rapid succession, I’d say that’s the start of a trend. Perhaps we should start advocating a new best practice, host-based egress rules. Little Snitch works great on OS X. In fact, I’ve already started implicitly blocking intranet connections from my browser specifically to my DSL router IP. Hopefully the browser vendors will give the remaining 99.99% something soon by default.
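As an added illustration of the host-based egress rule suggested above (this is example code written for this page, not Grossman's tooling and not Little Snitch), the following Python models the check a browser extension or local proxy could apply to each outgoing request: flag any request to a private, loopback or link-local address that was not initiated by a page on that same origin. The log format, the `forum.example.org` referer and the extra records are constructed for the demonstration; the two router URLs are the ones quoted in the post.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample of browser-side request records (hypothetical format, not any
# real proxy's log): each line is "<requested URL>\t<Referer header, or '-' if absent>".
# The first two URLs are the router URLs quoted in the post, recorded as if they had
# been loaded via <img> tags on a public forum page.
SAMPLE_LOG = """\
http://192.168.1.254/xslt?PAGE=H04_POST&PASSWORD=admin&PASSWORD_CONF=admin\thttp://forum.example.org/thread/42
http://192.168.1.254/xslt?PAGE=A02_POST&PASSWORD=admin&THISPAGE=J38&NEXTPAGE=J38_SET&ADDR=127.0.0.1&NAME=ww.example.com\thttp://forum.example.org/thread/42
http://192.168.1.254/xslt?PAGE=J38\thttp://192.168.1.254/xslt?PAGE=A01
https://www.example.com/img/logo.png\thttp://forum.example.org/thread/42
http://10.0.0.5/printer/status\t-
"""


def is_internal_host(host):
    """True when host is an IP literal in a private, loopback or link-local range.
    Hostnames are not resolved here, so an internal name such as router.local is
    treated as external; a real agent would resolve it before applying the rule."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def origin(url):
    """(scheme, host, port) triple used for the same-origin comparison."""
    p = urlparse(url)
    port = p.port or (443 if p.scheme.lower() == "https" else 80)
    return (p.scheme.lower(), (p.hostname or "").lower(), port)


def classify(url, referer):
    """Return 'block' for a request to an internal address that was not initiated
    by a page on that same origin, 'allow' for everything else."""
    host = urlparse(url).hostname or ""
    if not is_internal_host(host):
        return "allow"
    if referer in ("", "-"):
        # No Referer at all: cannot show the request came from the intranet itself,
        # and a cross-site page can suppress the header, so fail closed.
        return "block"
    return "allow" if origin(referer) == origin(url) else "block"


def scan_log(text):
    """Apply the rule to every record; return a list of (verdict, url, referer)."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        url, _, referer = line.partition("\t")
        results.append((classify(url, referer), url, referer))
    return results


if __name__ == "__main__":
    for verdict, url, referer in scan_log(SAMPLE_LOG):
        print(f"{verdict:5}  {url}  (referer: {referer})")
```

Run on the sample, the two forum-referred router requests and the referer-less printer request are blocked, while the router's own page-to-page navigation and the public image fetch are allowed. A pure host-based firewall like the one described in the post never sees the Referer header, so it can only block the router IP outright; the origin comparison here is what lets a browser-level rule keep legitimate intranet browsing working while still stopping the image-tag trick.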