Information Security Think Tank
We move on with the 3rd kind of authentication bypass bug. You may want to familiarize yourself with the previous two entries here and here, before you continue.
Unchecked HTTP methods
A device that is vulnerable to this issue, only performs an authentication check (i.e.: is the password being submitted with a request via basic authentication?) when the request is performed using a certain HTTP method. [...]
Usually, when accessing a web interface of an appliance, the user is prompted to enter a password if not authenticated already. This could be done via a HTML form on the login page or a basic HTTP authentication prompt (among other methods).
Let’s call the authentication stage: A. Once, the admin user enters a username/password combination, the device checks the provided combination against credentials stored in its internal configuration. [...]
Finding authentication bypass bugs is an obvious choice for attackers, since such bugs allow administrative changes to be made without knowledge of the admin password. In other words, compromising the target device without requiring a password is of course something attackers are interested in! You bet! [...]
Embedded devices usually offer different types of services or interfaces so they can be configured by administrators remotely either from the Internet or over the LAN. Some of the most common examples include Telnet, FTP, SSH, HTTP (web console), HTTPS and SNMP.
Provided that such services are allowed to be accessible from the Internet, the embedded device could be configured by an administrator who could be located anywhere on the planet. [...]
This type of vulnerability is similar to IP address-based session management holes which has been discussed in my previous post. It is similar in the sense that the web browser of the admin user who is currently logged into the vulnerable device doesn’t send any auth data such as session IDs or passwords. [...]
Devices that implement IP address-based session management follow the algorithm described by the pseudocode shown below:
The implications are obvious: devices located in environments in which different users share the same proxy are vulnerable to administrative session hijacking attacks. Please note that this session hijacking attack has nothing to do with the classic TCP hijacking attack in which sequence numbers are predicted by the attacker. [...]
OK, this is a bit of a funny attack – although it could also be used for criminal purposes! After playing with the BT Home Hub for a while (again!), pdp and I discovered that attackers can steal/hijack VoIP calls. Let me explain …
In summary, if the victim visits our evil proof-of-concept webpage, his/her browser sends a HTTP request to the BT Home Hub’s web interface. [...]
Leaving your WiFi network open is not a good idea. Bruce Schneier does not agree and wrote an interesting article. The following is an extract of it:
Although Bruce is making some good points regarding the smaller likelihood of being attacked via wifi at home as opposed to a public place, he makes one mistake: he assumes the attack will be an attempt to compromise his PC/laptop or eavesdrop his traffic. Of course these are valid attacks, but how about attacking his router? [...]
It’s known that UPnP is inherently insecure for a very simple reason: administrative tasks can be performed on a Internet Gateway Device (IGD) without needing to know the admin password whatsoever! This on its own is quite scary and I personally feel that although there is some research in the public domain, there is much more attention that needs to be paid to UPnP.
UPnP allows you to perform administrative functions. Some functions are very standardized and supported by most devices. [...]
So now countries like the UK have converted most of their POS terminals to Chip and PIN. The idea is that if somone skimmed your magnetic stripe, they won’t be able to make a purchase without your PIN. Of course, in reality most of the skimmed magstripes are simply being shipped to countries where Chip-and-PIN-like systems haven’t been rolled out yet, which means that criminals will be able to make purchases without knowing your PIN. [...]