Source: cret@cert.org
Cross-site request forgery (CSRF) vulnerability on ReadyNet WRT300N-DD devices with firmware 1.0.26 allows remote attackers to hijack the authentication of arbitrary users.
ReadyNet WRT300N-DD routers with firmware 1.0.26 are vulnerable to a Cross-Site Request Forgery (CSRF) attack, allowing attackers to remotely hijack user sessions. This vulnerability enables attackers to execute unauthorized actions on the router, potentially leading to complete device compromise and network access. Successful exploitation can result in sensitive information disclosure, network manipulation, and denial-of-service conditions.
Step 1: Victim Logged In: The victim is logged into the ReadyNet WRT300N-DD router's web interface.
Step 2: Attacker Crafts Malicious Request: The attacker crafts a malicious HTTP request, typically containing a payload to change router settings (e.g., DNS server, admin password).
Step 3: Payload Delivery: The attacker delivers the malicious request to the victim, often through social engineering (e.g., a phishing email with a link or a malicious website).
Step 4: Request Execution: The victim's browser, while still authenticated to the router, automatically sends the crafted request to the router. The browser includes the victim's session cookies.
Step 5: Router Processes Request: The router receives the request and, due to the lack of CSRF protection, processes it as if it originated from the legitimate user.
Step 6: Action Taken: The router executes the attacker's payload, changing the router's configuration. This could include changing the DNS server to a malicious one, creating a backdoor account, or changing the admin password, leading to full compromise.
The root cause of CVE-2015-7281 is the lack of proper CSRF protection mechanisms within the ReadyNet WRT300N-DD router's web interface. Specifically, the router's web application fails to validate the origin of HTTP requests, allowing attackers to craft malicious requests that are executed by a logged-in user's browser. This flaw stems from the absence of CSRF tokens or other anti-CSRF measures, such as checking the Referer header or implementing a double-submit cookie pattern. The web application blindly trusts requests, leading to the execution of attacker-controlled actions.
Due to the age and nature of the vulnerability, it is unlikely to be directly associated with specific APT groups. However, any threat actor seeking to compromise home or small business networks could leverage this vulnerability. This vulnerability is not listed on the CISA KEV catalog.
Monitor HTTP traffic for suspicious POST requests to the router's web interface from unexpected origins.
Analyze router logs for unauthorized configuration changes, such as DNS server modifications or new user account creation.
Network Intrusion Detection Systems (IDS) can be configured to detect known CSRF attack patterns, although this is challenging without specific knowledge of the router's web interface.
Examine web server logs for requests lacking a Referer header (though this can be spoofed, it's a useful indicator).
Upgrade the router's firmware to a patched version (if available). Check the manufacturer's website for updates. Given the age of the device, updates may not be available.
If no firmware update is available, consider replacing the router with a more secure model.
Implement network segmentation to isolate the router from critical network resources.
Educate users about the risks of clicking on suspicious links or visiting untrusted websites.
Disable remote administration of the router if not required.
Change the default admin password to a strong, unique password.
Regularly audit router configurations for unauthorized changes.