Taking over the Belkin N900 and N300
- The N900 and N300 can be trivially taken over by any adversary on the LAN or WLAN.
- The N900 and N300 can be taken over by a remote adversary through CSRF attack.
- If remote management is enabled (not the default), the N900 and N300 can be trivially taken over by a remote adversary.
The Belkin N900 (F9K1104v1) and N300 (F7D7301v1) routers are susceptible to authentication bypass attacks. Any user with access to the web interface can execute administrative commands without providing a username or password. If remote management is enabled, this includes all users on the WAN. Administrators who have enabled remote management should disable it immediately.
Even if remote management is not enabled, the Belkin N900 and N300 routers are susceptible to several CSRF attacks, which allow an attacker to forge HTML forms and execute actions on behalf of a legitimate user. ISE created a proof of concept that when executed by any user on the (W)LAN side of these routers (including an attacker who may reside on the (W)LAN), changes the administrator credentials and enables remote management services.
Local Attack Requirements
- An attacker must have access to a machine on the local network, either by physically connecting, or by compromising a machine on the local network through other means (e.g., via malware).
Remote Attack Requirements
- Remote management must be enabled on the router.
- A victim on the (W)LAN must be fooled in to performing an action (e.g., by clicking an attacker provided link), browse to a malicious or compromised site, or be the victim of a man-in-the-middle attack.
All HTML forms present in the Belkin N900 and N300 are susceptible to Cross-Site Request Forgery.
The authentication bypass issue has been previously discovered and reported in other models of Belkin routers.
- Vulnerable Firmware is 1.00.06 on the N300.
- Vulnerable Firmware is 1.00.23 on the N900.
- The Belkin web site lists an available firmware update (3.00.05) for the N300, but this update appears to contain a different model number in its file name and was rejected by the router when we attempted to update.
- Other versions of the firmware were not tested.
A successful attack exploiting this vulnerability can give a remote adversary full control of the victim router.
Recommendations to the vendor
- Cross-Site request forgery can be prevented by including an unpredictable token in each HTTP request submitted to the web server. At a minimum, these tokens should be unique to each user, but it is recommended that each HTML form delivered contain a unique token.
- In addition to HTML form tokens, HTTP "referer" checking should be enabled.
- Validate HTTP Basic Authentication Header for all HTTP requests.
- Additional information for vendors regarding immediate and long term fixes for these issues can be found on our summary page here.
Recommendations to device administrators
- (4/13/2013) There is not currently an available firmware upgrade that will remedy this vulnerability.
- Take additional preventative measures and precautions by following the steps outlined on our summary page here.
Proof of Concept
At this point, the attacker can remotely administer, and thereby remotely control the N900 or N300.
- Belkin N150 Wireless Router Password Disclosure
- Belkin G Wireless Router Admin Exploit
- Belkin F5D7632-4V6 Authentication Bypass
- CVE-2013-3086: Cross Site Request Forgery (N900)
- CVE-2013-3087: Cross-Site Scripting (N900)
- CVE-2013-3088: Authentication Bypass (N900)
- CVE-2013-3089: Cross Site Request Forgery (N300)
- CVE-2013-3090: Cross-Site Scripting (N300)
- CVE-2013-3091: Authentication Bypass (N300)
- CVE-2013-3092: Failure to Validate HTTP Authorization Header (shared issue)
- Discovered By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators
- Exploited By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators
- For more information on this particular Belkin hack, you can contact us at firstname.lastname@example.org
- Alternatively, for more general information on ISE, you can reach us using email@example.com