Vulnerability: Session riding - Is Tomato also affected?

Discussion in 'Tomato Firmware' started by unicorn02, Jan 11, 2008.

  1. unicorn02

    unicorn02 LI Guru Member

    Please see here:

    Are we also affected?

    Although we have a different firmware... Maybe it is also prone to the technique used in the attack...

    Probably one workaround could be to configure the router/watch Realtime-Graphs in IE and use a normal browser (Firefox/Opera) for surfing. Also not using the default IP-Address ( of the router is a better fix.
  2. Kiwi8

    Kiwi8 LI Guru Member

    From what I tested, Tomato does not have the file "apply.cgi", so that exact link cannot work. But I do not know whether there is a similar file that does the function.
  3. FRiC

    FRiC LI Guru Member

    Hmm, is this something new? This is why routers and stuff are always configured using a separate browser window/session different from the one you're browsing the net with.
  4. bhlonewolf

    bhlonewolf LI Guru Member

    This is a potential vulnerability but it's a weak one. I wouldn't call it a serious exploit. The example on the wiki entry about withdrawing from a bank is obviously potentially huge, but it's completely theoretical in that example and assumes the site accepts HTTP GETs instead of HTTP POSTs for form submission. At best, it's a complete shot in the dark, but no information is exchanged to the malicious site.

    Running another address, another port, etc., would help prevent this. Personally, and while this doesn't excuse any vulnerability, I don't feel the role of the router in my application is to be a firewall ... at the very least, a defense in depth measure is recommended -- so it's not like this exploit could suddenly allow a malicious ActiveX control to have access and control your local machine.

    Potentially worse, I think, would be if the URL could change the password with such a request (this may be possible, I don't know) and the attacker could then get remote control of your router.
  5. Elbart

    Elbart LI Guru Member

    Have fun logging out with IE7 then.
  6. Odin-60

    Odin-60 LI Guru Member

    Hey Jon! Jon? Jon! Jon!
  7. paped

    paped LI Guru Member

    I think that if you are serious about security or even at a common sense level that one line in the link on the original post says it all.....

    "Do not surf the web when you are configuring your router. "

    Also some of the Firefox plugins like "router status" may have a bit of an issue here as these can login to the router each time you start the browser.....
  8. Odin-60

    Odin-60 LI Guru Member

    1) Create a html file with the following contents:
    go to your <a href="">router</a>
    without a password 
    Replace with the actual address of your router.

    2) Monitor the Tomato bandwidth graph in your web browser.

    3) Open a new browser window or tab and open the above html file there;
    click on the link,

    4) ... and voilà: the site survey page will open without prompting
    for a password once again. (Tested with Safari and FF under MacOSX.)

    Thus, I suppose, a malicious page is also able to change the
    router configuration without having to ask you for the password.

    Unfortunately, this means that you cannot even monitor the
    bandwidth or QoS graphs while browsing the web.

    Still worse: Once you have opened any page of Tomato, you must
    close the browser or explicitly log out from Tomato to prevent
    foreign pages from accessing the router. It is not sufficient to
    just close the respective window or tab.
  9. Toxic

    Toxic Administrator Staff Member

    And if you use https (not http) to go to your router's web GUI, does the same thing happen?
  10. der_Kief

    der_Kief Super Moderator Staff Member Member


    I contacted Jon about this! I will reply when I get a response.

  11. bhlonewolf

    bhlonewolf LI Guru Member

    That's not necessarily the case, but it happens to be true. _Only_ if the router accepts changes via HTTP GET requests where the parameters are passed in the URL ... otherwise, this is a non-issue.

    It's easy enough to test -- when I save my settings in tomato, it does an HTTP POST to tomato.cgi. This is good.

    The bad news is, it's easy enough to substitute the values in a GET -- for example:

    Now, go look at your SSL CN, it was changed to "gotcha" -- no reason you couldn't change the password or other values here.

    Having said this, it would require the attacker to know the address you are running on (which, they know the public address, so they could always use that and hope you are doing it via the default port or something). And, they'd need to know you are running tomato.

    Simply disallowing HTTP GETs would stop this issue.
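    The request gate below is an added example, not Tomato's own httpd code, and it covers both Odin-60's observation (the browser re-sends the router credentials with any request it makes) and the GET substitution described in this post. Rejecting GET alone does not stop a malicious page from auto-submitting a POST form, so the hardened check also demands an Origin header naming the router and a per-session token embedded in the router's own form; the addresses and the token value are constructed for the demonstration.

```c
/* Added example, not Tomato's own httpd code: the gate a router web GUI should
 * put in front of a configuration change. Addresses and token are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { ALLOW = 0, DENY_METHOD, DENY_ORIGIN, DENY_TOKEN } verdict_t;

/* Behaviour the thread describes: once the browser holds the router's
 * credentials every request it sends is applied, GET with URL parameters included. */
verdict_t weak_check(const char *method, int authenticated) {
    (void)method;                     /* the method is never consulted */
    return authenticated ? ALLOW : DENY_TOKEN;
}

/* Constant-time compare: a wrong token cannot be narrowed down from response timing. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hardened gate: POST only, Origin must name the router itself, and the form must
 * carry the per-session token the router embedded in its own page.
 * origin_hdr and form_token may be NULL when the header or field is absent. */
verdict_t check_config_request(const char *method, const char *host_hdr,
                               const char *origin_hdr, const char *form_token,
                               const char *session_token) {
    if (strcmp(method, "POST") != 0)
        return DENY_METHOD;           /* the GET substitution from the thread ends here */
    if (origin_hdr == NULL)
        return DENY_ORIGIN;           /* refuse rather than guess where the form came from */
    const char *sep = strstr(origin_hdr, "://");
    const char *origin_host = sep ? sep + 3 : origin_hdr;   /* drop "scheme://" */
    if (strcmp(origin_host, host_hdr) != 0)
        return DENY_ORIGIN;           /* submitted by a page served from another site */
    if (form_token == NULL || !ct_equal(form_token, session_token))
        return DENY_TOKEN;            /* an auto-submitted cross-site POST cannot know it */
    return ALLOW;
}

int main(void) {
    const char *tok = "c0ns7ructed-session-token";   /* constructed sample token */
    printf("GET ?ssl_cn=gotcha -> %d\n", check_config_request("GET", "192.0.2.1", "http://192.0.2.1", tok, tok));
    printf("cross-site POST    -> %d\n", check_config_request("POST", "192.0.2.1", "http://attacker.example", tok, tok));
    printf("legitimate POST    -> %d\n", check_config_request("POST", "192.0.2.1", "http://192.0.2.1", tok, tok));
    return 0;
}
```

The three calls in main print 1, 2 and 0: the URL-parameter GET and the cross-site POST are refused while the router's own form is accepted.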
  12. der_Kief

    der_Kief Super Moderator Staff Member Member

    Jon is informed and working on a solution. The next version will have a possible fix for that ;)
