One entry at SecuriTeam caught my eye and brought up memories. The entry was about getting persistent XSS via SNMP into different routers' web interfaces. When people began talking about hacking small ADSL/WLAN routers some years ago, I also decided to take a look at my old D-Link WLAN router.
I noticed that when you had DHCP clients, the device actually listed the hostname on the web interface. I don't remember if it was a static or dynamic client, but that is not so important. I was able to provide a custom hostname which of course contained some JavaScript code, and it was happily rendering on the web interface. I also noticed during my testing that you can actually crash the device by providing an overly long hostname, so while working on one issue I actually found two. Also, depending on the HTML you inject, you can render that particular part of the web interface unusable, causing a persistent denial of service situation. It was possible to fix it, but it required a hard reset of the device to get back on track.
As a nice guy, I of course informed D-Link about the problems found. But anyways, as embedded devices mostly use a web interface to present data from other enabled protocols, using these other protocols to attack the web interface is definitely possible if there is no proper input/output validation in place.
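As an added example (not from the original post and not D-Link's code), this is what the missing input and output handling could look like in C firmware that shows DHCP hostnames in a client table. The function names, the 63-byte cap and the sample hostname are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define HOSTNAME_MAX 63   /* assumed cap: one DNS label */

/* Input validation. `opt` is the raw hostname option from the packet: its
 * length comes from the packet and it is not NUL-terminated, so no strcpy(). */
int hostname_is_valid(const unsigned char *opt, size_t len)
{
    if (len == 0 || len > HOSTNAME_MAX) return 0;       /* overly long name */
    if (opt[0] == '-' || opt[len - 1] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = opt[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '-'))
            return 0;                                   /* markup rejected */
    }
    return 1;
}

/* Output encoding for the web UI. Writes a NUL-terminated escaped copy into
 * dst; returns -1 (and an empty dst) if it does not fit. NUL bytes are dropped. */
int html_escape(const unsigned char *src, size_t len, char *dst, size_t dstsz)
{
    size_t o = 0;
    if (dstsz == 0) return -1;
    for (size_t i = 0; i < len; i++) {
        char one[2] = { (char)src[i], '\0' };
        const char *rep = one;
        switch (src[i]) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t n = strlen(rep);
        if (o + n >= dstsz) { dst[0] = '\0'; return -1; }
        memcpy(dst + o, rep, n);
        o += n;
    }
    dst[o] = '\0';
    return 0;
}

int main(void)
{
    const unsigned char h[] = "<i>lab</i>";   /* constructed sample hostname */
    char cell[128];
    html_escape(h, sizeof h - 1, cell, sizeof cell);
    printf("valid=%d cell=%s\n", hostname_is_valid(h, sizeof h - 1), cell);
    return 0;
}
```

Escaping at render time still matters when the validator is in place, because the same table may be fed by other protocols that never pass through the DHCP check.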
Nothing new, just good ol' memories :)
www.liquidinfo.net - Security is a mindset
October 23, 2008