Today im going to show you how a series of vulnerabilities in a web Application could be creatively exploited through routers
Product Description:
The product which i had my hands on is this UTSTARCOM router,
It is one of the most common ADSL Modem cum Router which was rolled out by BSNL to their customers a year ago, when the number of internet subscribers was reaching the peak. This little devices runs a webserver which serves the web based router configuration application.Further it has a Telnet service running on it.
The So Called BuiltIn Security Features :
* Remote Web Access to the router is blocked by Default [so you can't access a victim's router by using his public IP]
* Remote Telnet Access is also blocked
After a little playaround with the device, i've found that there are 3 different users that can login into the router.
viz admin,user,support
The Documentation Provided by BSNL neither states that there are 3 different users that could access the device nor forces/asks/shows the users to change their default password for accessing the router [Note: Im not mentioning the PPoE Password]
http://www.chennai.bsnl.co.in/BBS/UT300R2U.htm
User Description:
As the name suggests, admin user has the ablility to do all configuration changes to the router, whereas the user privileged user could not do any changes in the configuration of the router.
Logged in as Admin:
Logged in as User:
Vulnerablility Description:
On a closer examination of the source code,i got hold of a javascript menuBCM.js
menuBCM.js:
function menuAdmin(options) { // All the options are displayed for ADMIN
var std = options[MENU_OPTION_STANDARD];
var proto = options[MENU_OPTION_PROTOCOL];
var firewall = options[MENU_OPTION_FIREWALL];
var nat = options[MENU_OPTION_NAT];
var ipExt = options[MENU_OPTION_IP_EXTENSION];
var wireless = options[MENU_OPTION_WIRELESS];
var voice = options[MENU_OPTION_VOICE];
var snmp = options[MENU_OPTION_SNMP];
var ddnsd = options[MENU_OPTION_DDNSD];
var sntp = options[MENU_OPTION_SNTP];
.
.
if ( user == 'admin' ) //this piece of code calls the respective menu to be displayed
menuAdmin(options);
else if ( user == 'support' )
menuSupport(options);
else if ( user == 'user' )
menuUser();
}
so it is pretty obvious from the code that the user privilege management is handled by this javacript by displaying all menu's to Admin and hides configuration menu's to the user.-------------code truncated
so it is possible to navigate to the configurations page by a user if he knows the URL
The default username password combination is
admin:admin
user:user
Since we know that the user privilege management is handled by a javascript, it has got nothing to do in a telnet session, so when we telnet as either a admin or as a user, we get full access [privilege] to the router.
Further adding fuel to the fire, CSRF is present in the webbased configuration application
Exploiting Methods:
First and foremost point is we can't access the victim's router from WAN,
As CSRF vulnerability is present on the router, this script will do the job
http://user:user@192.168.1.1/scsrvcntr.cmd?
action=save&http=1&http=3&icmp=1&snmp=1&snmp=3&telnet=1&telnet=3&tftp=2&tftp=0
Since there user:user account is some sort of hidden/undisclosed account, the possiblity of its default password being changed is very less.1)index.html
we could send this link to a victim either in a email or by some SE techniques, what this does is, it changes the router configuration and allows Remote Web access, Remote Telnet access on the router.
The entire Exploit looks like this
2)config.html
So after the user visits this page, we will have his IP in our database or somewhere depending upon the IP logger script.
Now we can login into his router either by telnetting or by logging into the webapplication.
Even though the victim changes the admin password for the device, we could log in as user:user and navigate into password.html page and viewing source --Kabboomm Plain text passwords in javascripts
passwords.html
So now we got admin access on both TELNET service and webservice, now here comes a variety of exploitation techniques
Possible Attacks:
1.Denial of Service:
1.The attacker might implement MAC filtering or other IP restriction on the victim’s router.
2.Specifying a unreachable Static Route
3.Killing the httpd server process of the router repeatedly by telneting into the victim’s router.
2)Sniffing
1.The attacker could specify a static route passing through his network for the victim’s router and sniff the traffic from the victim. [SSL Strip + Ettercap + Wireshark]
3.Phishing:
This is the attack of our special interest as it is one of the stealthiest attack when combined with routing attacks.
The attacker could specify a fake DNS server for the victim router and could carry out phishing attacks.
XX.XX.XX.XX = Attackers DNS serverhttp://192.168.1.1/dnscfg.cgi?dnsPrimary=XX.XX.XX.XX&dnsSecondary=XX.XX.XX.XX&dnsDynamic=0&dnsRefresh=1
This changes the primary & secondary DNS servers of the victim’s router
Now the victim's network is like this
So we can specify our phishing sites IP address as A Records for famous websites like facebook,orkut,banking sites etc etc in our DNS server.
You can download the whitepaper here
Peace.. Similar vulnerablility is found in Nokia-Simens and many other Home Routers
Fairly long post, isn't it ?
Comments and Suggestions are Welcomed.
credits : Boris
Hi,
ReplyDeleteVery good write up. The way you tried to exploit the home based router is superb. Many time we have port forwarding and dmz in these routers which we can use to compromise other devices on the network.
Reards,
Safenet