
CSRF in my home router and how I closed it
This is a follow-up to the publication “Access to the personal data of thousands of Beeline wired Internet users was obtained”.
As you already learned, quite a lot of interesting things are hidden in this small box.
There is a completely obvious and at the same time relatively innocuous bug here: CSRF. Notably, it is present in the very routers that have none of the problems from the recent article. Unlike those bugs, however, it can be exploited not only by your neighbours but by anyone, such as a sly chat companion or a site you visited once.
CSRF works like this: the attacker somehow gets the victim’s browser to load a crafted URL, and the target site recognizes the browser and performs the action as if the user had asked for it.
The address used by someone collecting a botnet for a daring ICMP attack on ya.ru would look something like this:
http://192.168.1.1/apply.cgi?
current_page=Main_AdmStatus_Content.asp&
next_page=Main_AdmStatus_Content.asp&
next_host=192.168.1.1&
sid_list=FirewallConfig%3B&
group_id=&
modified=0&
action_mode=+Refresh+&
first_time=&
action_script=&
SystemCmd=nohup+ping+ya.ru+%26&
action=Refresh
At the end of the article there is a solution to the problem.
There is one thing that protects the owners of typical CSRF-vulnerable routers: most likely the victim has no authorized session at the time of the attack, which neutralizes any request successfully generated on her behalf.
Did you know that Safari does not have the habit of forgetting* HTTP authentication data once it has been entered? I didn’t, but for several weeks now I have been entering the web interface without typing a password, although I never asked it to save anything. And, surprisingly, there is nothing I can do about it. In other words, if the router shows the system authentication dialog at login and you use Safari, ending the session will not be so easy. At this point I realized I needed to do something about all this.
* Safari seems to treat HTTP basic access authentication credentials as something long-lived, like cookies, yet they appear neither in the list of cookies nor in the list of saved passwords, so it is not clear how to get rid of them. Perhaps one should enter them in a private window.
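The two points above, that a cross-site page can make the browser issue the apply.cgi request and that replayed Basic-auth credentials keep such a request authorized, are what a server-side check has to cover. The following is an added illustration of those checks and is not code from the wl500g firmware or from the post; the host list, the X-CSRF-Token header and the per-session token scheme are assumptions, and the request under test is the URL quoted above.

```python
import hmac
from urllib.parse import urlsplit, parse_qs

# Hosts under which the router's own pages are served (assumed for the example).
ROUTER_HOSTS = {"192.168.1.1", "localhost:8080"}
# apply.cgi parameters that make the router act rather than merely render a page.
STATE_CHANGING_PARAMS = {"SystemCmd", "action_mode", "action_script"}

# The CSRF URL quoted in the post, used here as the request under test.
ATTACK_URL = ("http://192.168.1.1/apply.cgi?current_page=Main_AdmStatus_Content.asp"
              "&next_page=Main_AdmStatus_Content.asp&next_host=192.168.1.1"
              "&sid_list=FirewallConfig%3B&group_id=&modified=0&action_mode=+Refresh+"
              "&first_time=&action_script=&SystemCmd=nohup+ping+ya.ru+%26&action=Refresh")


def split_request(url):
    """Return (path, params) for a request URL; params maps names to value lists."""
    parts = urlsplit(url)
    return parts.path, parse_qs(parts.query, keep_blank_values=True)


def is_state_changing(path, params):
    """apply.cgi with an action parameter changes router state; anything else is a page view."""
    return path.endswith("apply.cgi") and any(k in params for k in STATE_CHANGING_PARAMS)


def csrf_check(method, path, params, headers, session_token):
    """Decide whether a request may be executed.

    headers: dict with lower-case header names as the browser sent them.
    session_token: the per-session anti-CSRF token the router issued when it
    rendered the page (None when the request carries no such session).
    Returns (accepted, reason).
    """
    if not is_state_changing(path, params):
        return True, "read-only request"
    # An <img>, <script> or link on a foreign page can only produce a GET,
    # so state changes are refused on GET outright.
    if method != "POST":
        return False, "state change via GET"
    # Browsers send Origin on cross-site POSTs; Referer is the fallback for older ones.
    source = headers.get("origin") or headers.get("referer")
    if not source:
        return False, "no Origin/Referer"
    host = urlsplit(source).netloc
    if host not in ROUTER_HOSTS:
        return False, f"cross-origin request from {host}"
    # The token still protects when the browser replays Basic-auth credentials on
    # its own (the Safari behaviour above): a foreign page never learns the token.
    sent = headers.get("x-csrf-token", "")
    if session_token is None or not hmac.compare_digest(sent, session_token):
        return False, "missing or wrong anti-CSRF token"
    return True, "same-origin POST with valid token"


if __name__ == "__main__":
    path, params = split_request(ATTACK_URL)
    # What the router sees when a page you visited embeds the URL as an image.
    print(csrf_check("GET", path, params, {"referer": "http://visited-site.example/"}, "s3cr3t"))
```

The GET refusal alone would have stopped the image-tag variant; the Origin check and the token are what stop a foreign page that submits a form by POST, and the token is the only one of the three that does not depend on the browser having dropped the credentials.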
But to the point.
The web interface of the router, at a cursory glance, is a rather large number of pages of unknown code quality with the suffix .asp, so the choice was not very difficult ...
... close port 80 via iptables altogether. We read the wl500g firmware guide and run ssh to fix the problem ...
$ pwd
/usr/local/root
$ mkdir /usr/local/sbin
$ vi /usr/local/sbin/post-firewall
#!/bin/sh
iptables -I INPUT -p tcp --dport 80 -j DROP
# Actually, I insert this rule not at the top of the chain but after the
# "accept established" rule, roughly like this: -I INPUT 4 . Check your own
# position with iptables -vL INPUT .
# Note that without the number the rule is more universal and will survive
# a firmware update more easily.
$ chmod +x /usr/local/sbin/post-firewall
$ flashfs save && flashfs commit && flashfs enable
$ reboot
From the firmware manual, I learned that the interface to the local initialization system consists of user scripts with specific names in /usr/local/sbin/; /sbin/flashfs provides the ability to preserve file-system changes across a reboot (specifically, it writes a tar of the files it manages to /dev/mtd4 and extracts it at boot).
I did not find out how the mtd4 seen in /sbin/flashfs differs from mtdblock4 and from nvram, the latter of which stores the other user settings as key-value pairs.
But it is already working correctly. How do I get into the web interface now? Of course, it would be very ugly to open iptables manually each time ...
You can forward port 80 of the router through an ssh tunnel to port 8080 on the workstation’s localhost.
$ ssh -N -L 8080:192.168.1.1:80 admin@192.168.1.1 # on the workstation
... and find the web interface at http://localhost:8080. The connection to httpd is made from the router’s own local sshd and will not be caught by the INPUT chain of iptables. It remains to launch the browser and enjoy the technology.
These are simple steps, and our small home router no longer exposes port 80, just like a very big one. Beauty. :]