CSRF Pharming

In short: If you still have the default password on your router then go and change it now. Don't stop to read this post before you change it.

This post describes an attack that combines CSRF with an older technique - Pharming (see particularly the section on "Pharming vulnerability at home").

CSRF allows an attacker to script requests to a foreign website; this could potentially be used against a user's home router to change its DNS settings and so effect a pharming attack by DNS poisoning. Once a victim's DNS settings have been altered, they are at heightened risk of man-in-the-middle attacks, phishing and cookie theft.

CSRF Pharming makes use of the fact that a large number of home routers still have their default passwords unchanged, and default passwords are easy to find: there are several lists of home router default passwords published on the internet, and Google ranks one at phenoelit.de highly. My guess is that something like 25% of home users have default passwords set on their routers.

Exploiting the Flaw

The victim of a CSRF Pharming attack visits a web page that has been created or manipulated by an attacker to include some Javascript that uses CSRF to pass the default admin username and password to the default IP address of a number of common home routers. Sometimes the attack is simple enough that Javascript is not required and a single iframe resource is all that is needed.

Having altered the DNS settings to query an alternative DNS server, the attacker can provide accurate IP addresses for most queries, but fake IP addresses for banking and other important services. The users are then at heightened risk of man-in-the-middle attacks, phishing and cookie theft.

The attacker can use a number of CSS-based techniques to detect which router is present, or can simply cycle through all known vulnerable routers, since each attempt is fairly quick.

There are 2 methods of authentication used in most home routers: http-auth and form/cookie.

http-auth

Routers using http-auth are vulnerable to attacks from older browsers that allow URLs of the following form: http://<username>:<password>@<address>/ This allows scripted access to http-auth protected resources.

Routers from the following manufacturers use http-auth: DLink, Modern Netgear and Linksys.

For some routers a single line of HTML is all that is required:

<iframe src="http://admin:@192.168.0.1/cgi-bin/prim?attack-params-here"></iframe>

form/cookie

Using CSRF it is possible to script a sequence of URLs, although it is not possible to read the responses. Routers using form/cookie authentication are susceptible to attacks from almost any web browser with Javascript enabled.

Routers from the following manufacturers use form/cookie authentication: Belkin, Buffalo, SMC, Asante, Zyxel and reportedly Older Netgear and Linksys routers.

Issues for the Attacker

An attacker wishing to exploit this problem must discover a URL sequence which affects each model of home router. Frequently sets of routers from a manufacturer will use similar firmware, so often an attack will work across a large number of router models. Knowledge of the attack URL sequences can be easily shared.

An attacker must also persuade a user to view some attack HTML. There are a number of mechanisms by which this may happen. Spyware vendors have had significant success placing spyware in many websites around the internet. Since this attack does not require the website to host binaries it may also be possible to host the attack-HTML on bulletin boards.

Protection

The only side effect of the attack is altered DNS settings in the router, so detecting the attack is hard. Detection probably involves making assumptions about the correct IP settings and comparing with those found from a lookup.
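One way to carry out the comparison just described, as an added example that is not part of the original post: it checks the router's configured DNS servers against a recorded baseline, then resolves a few high-value names through the router-configured resolver and through an independent trusted resolver. All addresses and answers below are constructed samples, and the lookup functions are injected so the check runs offline.

```python
"""Defender-side check for the symptom described above: a router whose DNS
settings were silently changed (added example, not the post's own code).
Overlap rather than equality is used when comparing answer sets, because
CDN-hosted sites legitimately return different addresses on each query."""
import socket
from typing import Callable, List, Sequence, Set

Resolver = Callable[[str], Set[str]]


def system_lookup(name: str) -> Set[str]:
    """Resolve through the OS resolver (normally the router). Real network call."""
    return set(socket.gethostbyname_ex(name)[2])


def detect_dns_tampering(baseline_dns: Sequence[str], current_dns: Sequence[str],
                         domains: Sequence[str], local: Resolver,
                         trusted: Resolver) -> List[str]:
    findings: List[str] = []
    # 1. The router's DNS server list should match what was recorded at setup.
    if set(current_dns) != set(baseline_dns):
        findings.append(f"router DNS servers changed: {sorted(baseline_dns)} -> {sorted(current_dns)}")
    # 2. Answers from the router path must overlap answers from a trusted resolver.
    for name in domains:
        a, b = local(name), trusted(name)
        if not a or not b:
            findings.append(f"{name}: lookup failed (local={sorted(a)}, trusted={sorted(b)})")
        elif a.isdisjoint(b):
            findings.append(f"{name}: router resolver returned {sorted(a)} but trusted resolver returned {sorted(b)}")
    return findings


# Constructed sample data (documentation address ranges, not real hosts).
BASELINE_DNS = ["198.51.100.10", "198.51.100.11"]   # ISP resolvers recorded at setup
CURRENT_DNS = ["203.0.113.5"]                       # what the router status page shows now
TRUSTED = {"bank.example": {"192.0.2.10", "192.0.2.11"},
           "cdn.example": {"192.0.2.50", "192.0.2.51"}}
LOCAL = {"bank.example": {"203.0.113.99"},           # disjoint: points somewhere else entirely
         "cdn.example": {"192.0.2.51", "192.0.2.52"}}  # overlaps: normal CDN variation


def run_sample() -> List[str]:
    return detect_dns_tampering(BASELINE_DNS, CURRENT_DNS, ["bank.example", "cdn.example"],
                                lambda n: LOCAL.get(n, set()),
                                lambda n: TRUSTED.get(n, set()))


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

For a live check, pass `system_lookup` as the local resolver and a lookup that queries a resolver of your choosing directly as the trusted one.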

Patching home routers to protect them from CSRF attacks is unlikely to be successful since it is generally too complex a task for many users.

Altering browsers to disallow URL-embedded http-auth credentials, which most common browsers have already done, will not protect against all CSRF attacks.

The best current solution is for users to change the password on their router. Since many users will know less about their routers than their attackers do, this is still tricky.

It may be possible for trusted websites to detect default passwords on vulnerable routers by attempting to read a protected resource like an image, using Javascript and CSS to read image attributes like 'clientWidth', and then using the reported values to infer whether the image read was successful. A trusted website could then redirect the user to a page with instructions on how to change the router password. This technique, whilst technically possible, does come with some legal challenges - could this be classed as 'hacking'?

Website owners can provide some extra protection by using HTTPS. An attacker may be able to redirect web traffic using this attack, but they are theoretically not able to provide SSL certificates to match the spoofed URL. This protection does rely on users' ability to recognize correct HTTPS connections, which is a shaky reliance.

The credit for applying these techniques to pharming should really go to Mark Goodwin who had the original idea, although Jeremiah Grossman wrote about using CSRF against network devices first; he comes very close to it in this paper without actually mentioning it specifically.



Re: CSRF Pharming

It looks like Symantec are trying to claim credit for this now... http://www.eweek.com/article2/0,1759,2095439,00.asp?kc=EWRSS03119TX1K0000594

Re: CSRF Pharming

To the poster above: Note that the date on the technical report mentioned in the Symantec press release is December, 2006. Maybe it just took them a while to get it out...

Re: CSRF Pharming

No, it looks like eweak can't write a story well. Looks to me like Symantec assisted with this research and is doing its best to help publicise it.

If you read the researchers' original blog posts, I guess you'll come to the same conclusion as me.

Re: CSRF Pharming

Using HTTP basic access authentication makes this issue even worse, because there is no way to sign out without closing the browser.
So even if a user did change the default password of the router, if a session has been established from the browser to the router during the lifetime of the browser, CSRF is possible.

http://tools.ietf.org/html/rfc2616#section-15.6
