

Dawid Czagan, founder and CEO of Silesia Security Labs and author of the Bug Hunting Millionaire course, is listed among HackerOne's Top 10 hackers. In a recent article on his website, Czagan disclosed the details of an attack that starts with a Cross-site Request Forgery (CSRF) vulnerability in a router's web interface and ends with unauthorized remote administrative access to the router, a position from which the machines on the network behind the router can be reached.


During his research, Czagan found that the web interface of the D-Link DIR-600 router was vulnerable to CSRF. Although CSRF is no longer listed in the OWASP Top 10, it remains a significant problem.

Taking a Look at the Exploit Code

Exploiting a CSRF vulnerability requires user interaction: the attacker has to lure the victim to a malicious page (for instance via a link), and the HTML or JavaScript on that page makes the victim's browser issue requests to the target on the victim's behalf, carrying whatever credentials the browser holds for that target.

To understand the vulnerability we need to look closely at the two requests the victim's browser is made to send. Let's call them REQ1 and REQ2.


Here is REQ1:

Let's begin with the first request. The emboldened line is the crucial point of the vulnerability, but first we need to understand what the request as a whole does. It carries two administrator accounts. The first, admin, is the default administrator account with the password 'OoXxGgYy'; it already exists on the router and is left unchanged. The second, admin2 with the password 'pass2', is the new administrator account that the attacker adds through the vulnerability. In addition, the request enables remote administrative access on port 2228, so the router's management interface becomes reachable from the Internet.

Here is REQ2:

The second request carries the URL-encoded action commands SETCFG, SAVE and ACTIVATE, which make the router apply and persist the configuration submitted in REQ1.

The Role of Routers in the CSRF Attack

The attacker's next step is to learn the public IP address of the router so that the new admin account and the remote-access port can actually be used from the Internet. Czagan does this by making the router ping a server he controls, through the router's own web interface, using this code:

Note: 'X.Y.Z.W' is the IP address of the attacker's device.

Cross-site Request Forgery in Routers


Now that we understand the logic behind the attack, we can look at the detail that makes this Cross-site Request Forgery vulnerability unusual. REQ1 plays the key role in the exploit because it creates the new admin account and enables the remote-access port. Note that the payload is XML, yet the emboldened line in REQ1 shows that the request's Content-Type header is set to text/plain instead of application/xml:

Had the developers enforced a Content-Type that matches the data they expect, such as application/xml, this attack would not have been possible from a browser. That check is a useful defence in depth, not a substitute for anti-CSRF tokens or validating the Origin header, which remain the primary CSRF defences.


This is because, for cross-origin AJAX/XHR requests, browsers first send a preflight request with the OPTIONS method to ask the target server whether the cross-origin request is allowed, and only then send the actual request. The preflight is sent in the following circumstances:

  1. If the request uses a method other than GET, HEAD or POST
  2. If the Content-Type of a POST is set to something other than application/x-www-form-urlencoded, multipart/form-data or text/plain
  3. If a custom header (one that is not CORS-safelisted) is set on the request

This mechanism is known as the CORS preflight request. Since the router would not answer the preflight with the Access-Control-Allow-* headers that authorize a cross-origin POST carrying Content-Type application/xml, the browser would never send REQ1 and the attack would fail.
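The following JavaScript models that decision. It is an added example, not code from Czagan's article or from the original page; the preflight rules follow the Fetch standard's definition of a CORS-safelisted method and header, and the XML body is a constructed placeholder rather than the router's real REQ1 payload.

```javascript
// Added example: a model of how a browser decides whether a cross-origin request
// needs a CORS preflight. Rules follow the Fetch standard's "CORS-safelisted"
// method and header definitions; not taken from the original article.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Returns the list of reasons the request would be preflighted. An empty list
// means the browser sends it immediately, so a page on any origin can deliver
// it to the victim's router without the router ever being asked for consent.
function preflightReasons(method, headers) {
  const reasons = [];
  if (!SIMPLE_METHODS.has(method.toUpperCase())) {
    reasons.push(`method ${method} is not GET, HEAD or POST`);
  }
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lname)) {
      reasons.push(`header ${name} is not CORS-safelisted`);
      continue;
    }
    if (lname === "content-type") {
      // Parameters such as "; charset=utf-8" do not affect the decision.
      const mediaType = value.split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mediaType)) {
        reasons.push(`Content-Type ${mediaType} is not a simple type`);
      }
    }
  }
  return reasons;
}

function needsPreflight(method, headers) {
  return preflightReasons(method, headers).length > 0;
}

// Constructed placeholder body, NOT the router's real REQ1 payload.
const XML_BODY = '<config><remote_admin enabled="1" port="2228"/></config>';

// What the attacker's page sends: XML labelled as text/plain. No preflight, so
// the router receives and parses it.
const forgedRequest = {
  method: "POST",
  headers: { "Content-Type": "text/plain" },
  body: XML_BODY,
};

// The same body labelled honestly. The browser would preflight this and, with
// no permissive CORS response from the router, never send it.
const honestRequest = {
  method: "POST",
  headers: { "Content-Type": "application/xml" },
  body: XML_BODY,
};
```

Running `preflightReasons(forgedRequest.method, forgedRequest.headers)` returns an empty list, while the honest variant returns one reason, the non-simple Content-Type. Note that script is not even required for the forged case: a plain HTML form with `enctype="text/plain"` produces a text/plain POST, and the XML can be smuggled into a field name.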

The details on Same-origin Policy (SOP) and Cross Origin Resource Sharing (CORS) can be found on our whitepaper titled The Definitive Guide to Same-origin Policy.

Content-Type Header in Security


Setting the Content-Type header properly is critical. The header has existed in both requests and responses since HTTP/1.0. By setting Content-Type on a request you tell the server how to interpret the body; by setting it on a response you tell the client how to process what it received.

For example, if an HTTP response carries Content-Type: text/html, the browser renders the HTML tags and displays the resulting page.


To prevent content-type sniffing attacks, always set the Content-Type header correctly in HTTP responses, and add X-Content-Type-Options: nosniff so that browsers do not second-guess it.

Give the Content-Type header the attention it deserves in all HTTP requests and responses, and reject request bodies in any format other than the one an endpoint expects. The HTTP Security Headers whitepaper can help you set the headers needed to secure your websites.
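As an added example of what enforcing the expected Content-Type looks like on the server side (this is not the D-Link firmware's code, and all names, the router address and the token scheme are hypothetical), here is a gatekeeper a router's configuration endpoint could run before parsing a body, together with the response headers that keep browsers from sniffing the reply. It also includes the Origin and anti-CSRF token checks mentioned above, which go beyond what Czagan's article discusses.

```javascript
// Added example, not the D-Link firmware's code: the checks a router's
// configuration endpoint should apply before parsing a request body, plus the
// response headers that keep browsers from sniffing the reply. All names here
// are hypothetical.

const ROUTER_ORIGIN = "http://192.168.0.1"; // assumed address of the admin UI

// Lower-case header names so lookups are case-insensitive, as HTTP requires.
function normalizeHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([name, value]) => [name.toLowerCase(), value]),
  );
}

// "application/xml; charset=utf-8" -> "application/xml"
function mediaTypeOf(contentType) {
  return contentType ? contentType.split(";")[0].trim().toLowerCase() : "";
}

// Gatekeeper for a state-changing config request. Returns {status, reason};
// only status 200 means the XML body may be parsed and applied.
// req: { method, headers, sessionToken }, where sessionToken stands in for the
// anti-CSRF token the server stored for the caller's authenticated session.
function checkConfigRequest(req) {
  const h = normalizeHeaders(req.headers);
  if (req.method !== "POST") {
    return { status: 405, reason: "configuration changes must be POSTed" };
  }
  // 1. Insist on the type the endpoint actually consumes. text/plain is a CORS
  //    simple type that any cross-site page can send; application/xml is not,
  //    so a browser would preflight it and the router would never see it.
  if (mediaTypeOf(h["content-type"]) !== "application/xml") {
    return { status: 415, reason: "Content-Type must be application/xml" };
  }
  // 2. Browsers attach Origin to cross-origin POSTs; refuse any origin other
  //    than the router's own UI. A missing Origin is tolerated for non-browser
  //    clients such as scripts run by the administrator.
  if (h.origin !== undefined && h.origin !== ROUTER_ORIGIN) {
    return { status: 403, reason: `cross-origin request from ${h.origin} refused` };
  }
  // 3. Primary CSRF defence: a per-session token the attacker's page cannot
  //    read. (Use a constant-time comparison in production code.)
  if (!h["x-csrf-token"] || h["x-csrf-token"] !== req.sessionToken) {
    return { status: 403, reason: "missing or mismatched CSRF token" };
  }
  return { status: 200, reason: "ok" };
}

// Headers for every response from the admin UI: an explicit type and nosniff,
// so the browser renders what the router says it sent and nothing else.
function responseHeaders(mediaType) {
  return {
    "Content-Type": `${mediaType}; charset=utf-8`,
    "X-Content-Type-Options": "nosniff",
  };
}

// Constructed requests. The forged one has the shape of the attack described
// above: a page on another origin POSTs the XML config labelled as text/plain,
// riding on the victim's existing session.
const forged = {
  method: "POST",
  headers: { "Content-Type": "text/plain", Origin: "http://attacker.example" },
  sessionToken: "token-from-session-store",
};
const legitimate = {
  method: "POST",
  headers: {
    "Content-Type": "application/xml",
    Origin: ROUTER_ORIGIN,
    "X-CSRF-Token": "token-from-session-store",
  },
  sessionToken: "token-from-session-store",
};
```

`checkConfigRequest(forged)` stops at the first check with status 415, and `checkConfigRequest(legitimate)` returns 200. To wire this into a real handler, build `req` from the incoming request's method and headers, look the token up in the session store, and reply with `responseHeaders("text/html")` or `responseHeaders("application/xml")` as appropriate; only parse the XML body once the status is 200.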

Further Reading

You can read more about the vulnerability in Czagan's article, From CSRF to Unauthorized Remote Admin Access.
