
CSRF in my home router and how I closed it

This is a follow-up to the post “Access to thousands of personal data of Beeline Wired Internet users was obtained”.

As you have already learned, quite a lot of interesting things are hidden in this small box.

There is one completely obvious and at the same time relatively harmless bug here: CSRF. Notably, it lives in the routers that have none of the problems from the recent article. Unlike those bugs, however, it can be exploited not only by your neighbours but by anyone, for example a malicious chat partner or a site you visited once.
CSRF works like this: you somehow get the victim's browser to fetch a URL you wrote, and the target site, recognizing the victim's browser session, does what the URL asks as if the victim had wanted it.

Here is roughly what the URL would look like from someone collecting a botnet for a brazen ICMP flood of ya.ru:
http://192.168.1.1/apply.cgi? current_page=Main_AdmStatus_Content.asp& next_page=Main_AdmStatus_Content.asp& next_host=192.168.1.1& sid_list=FirewallConfig%3B& group_id=& modified=0& action_mode=+Refresh+& first_time=& action_script=& SystemCmd=nohup+ping+ya.ru+%26& action=Refresh 
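As an added example (not code from the original post or from the router's firmware), here is the kind of check the router's CGI could run before acting on a request like the one above: a POSIX sh guard that rejects a state-changing request unless its Origin or Referer header names the same host as the Host header. The variable names follow the standard CGI convention (HTTP_HOST, HTTP_ORIGIN, HTTP_REFERER); the `deny_if_cross_site` entry point and the sample values are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the article or from the router firmware: a CGI-side
# CSRF guard in POSIX sh. A browser tricked into loading the attack URL above sends the
# router's cached credentials, but it cannot forge Origin or Referer, so a handler that
# insists those headers name the router's own host stops the request before it acts.
# Assumptions: the web server exports HTTP_HOST, HTTP_ORIGIN and HTTP_REFERER as CGI
# environment variables (standard CGI names); only state-changing handlers call this.

# url_host URL -> prints the host[:port] of an absolute http(s) URL, or nothing.
url_host() {
    case "$1" in
        http://*|https://*) ;;   # only absolute URLs carry a usable host
        *) return 0 ;;           # e.g. "null", "about:blank", relative paths
    esac
    rest="${1#*://}"             # drop the scheme
    rest="${rest%%/*}"           # drop the path and everything after it
    rest="${rest%%\?*}"          # drop a query that follows the host directly
    printf '%s' "$rest"
}

# csrf_check HOST ORIGIN REFERER -> returns 0 if the request is same-site, 1 otherwise.
# Origin is preferred when present; Referer is the fallback. A request carrying neither
# is rejected: that is what the botnet URL from the article looks like when a foreign
# page loads it and the browser's referrer policy strips the Referer.
csrf_check() {
    host="$1"; origin="$2"; referer="$3"
    [ -n "$host" ] || return 1
    if [ -n "$origin" ]; then
        [ "$(url_host "$origin")" = "$host" ] && return 0
        return 1
    fi
    if [ -n "$referer" ]; then
        [ "$(url_host "$referer")" = "$host" ] && return 0
        return 1
    fi
    return 1
}

# deny_if_cross_site (hypothetical CGI entry point) -> emits a 403 and returns 1 when
# the incoming request fails csrf_check; returns 0 when the handler may proceed.
deny_if_cross_site() {
    if csrf_check "${HTTP_HOST:-}" "${HTTP_ORIGIN:-}" "${HTTP_REFERER:-}"; then
        return 0
    fi
    printf 'Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n'
    printf 'cross-site request rejected\n'
    return 1
}
```

Referer can be absent for legitimate reasons (privacy extensions, strict referrer policies), so a per-session token in the form is the more robust complement; this guard alone is enough to stop the drive-by URL above, because the attacker's page controls neither header.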

The solution to the problem itself is at the end of the article, and it is not bad either.

There is one thing that protects the owners of typical CSRF-vulnerable routers: at the moment of the attack the victim most likely has no authorized session, which nullifies any request successfully made on their behalf.

Did you know that Safari has no habit of forgetting HTTP authentication data once it has been entered*? I did not, but for several weeks I have been opening the web interface without entering a password, although I never asked it to save one. And, surprisingly, I cannot even do anything about it. In other words, if the router shows that system dialog asking you to authenticate at login, and you use Safari, ending the session is not so easy. At this point I realized I had to do something about all this.

* Safari apparently treats HTTP basic access authentication parameters as something long-lived like cookies, but they appear neither in the cookie list nor in the list of saved passwords, so it is not clear how to get rid of them. It may be worth entering them only in private mode.

But, to the point.


At a cursory glance, the router's web interface is a fairly large number of .asp pages of unknown code quality, so the choice was not very difficult ...

... just block port 80 with iptables. Read the wl500g firmware guide and fix the problem over ssh ...
 $ pwd
 /usr/local/root
 $ mkdir /usr/local/sbin
 $ vi /usr/local/sbin/post-firewall

 #!/bin/sh
 iptables -I INPUT -p tcp --dport 80 -j DROP
 # If rules such as "accept established" must stay ahead of this one, insert it at a
 # specific position instead, e.g. -I INPUT 4; check the result with iptables -vL INPUT.

 $ chmod +x /usr/local/sbin/post-firewall
 $ flashfs save && flashfs commit && flashfs enable
 $ reboot
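An added example (not the author's post-firewall script): the same "drop port 80 in INPUT" idea, but with the rule position derived from the live chain instead of a hard-coded "-I INPUT 4", placed right after the firmware's loopback and RELATED,ESTABLISHED accepts, and safe to re-run. It assumes an iptables that supports --line-numbers and -C (both are in mainline iptables); the sample chain listing is constructed for the example, not captured from a real router, and `plan_block_port80` is a dry-run helper invented here.

```shell
#!/bin/sh
# Added example, not the article's post-firewall script: drop new connections to port 80
# in INPUT, with the rule position derived from the live chain. The DROP goes right
# after the firmware's loopback and RELATED,ESTABLISHED accepts, so already-open
# sessions keep working, and re-running the script adds no duplicate rule.
# Assumptions: iptables supports --line-numbers and -C (both in mainline iptables);
# the listing format below is that of `iptables -vL INPUT --line-numbers`.

# accept_rules_end LISTING -> prints the highest line number among the INPUT rules
# that accept loopback traffic or RELATED,ESTABLISHED state; prints nothing if none.
# With -v the columns are: num pkts bytes target prot opt in out source destination.
accept_rules_end() {
    printf '%s\n' "$1" | awk '
        $4 == "ACCEPT" && ($7 == "lo" || /RELATED,ESTABLISHED/) && $1 + 0 > max { max = $1 + 0 }
        END { if (max) print max }'
}

# drop_position LISTING -> the position for "iptables -I INPUT <pos> ...":
# one past the last of those accepts, or 1 (top of chain) when there are none.
drop_position() {
    n="$(accept_rules_end "$1")"
    if [ -n "$n" ]; then echo $((n + 1)); else echo 1; fi
}

# plan_block_port80 LISTING -> prints the command block_port80 would run, so the
# placement can be reviewed without touching the firewall (hypothetical helper).
plan_block_port80() {
    echo "iptables -I INPUT $(drop_position "$1") -p tcp --dport 80 -j DROP"
}

# block_port80 -> installs the rule on the live system (root required).
# -C exits 0 when an identical rule already exists, which makes this idempotent.
block_port80() {
    if iptables -C INPUT -p tcp --dport 80 -j DROP 2>/dev/null; then
        return 0
    fi
    listing="$(iptables -vL INPUT --line-numbers)"
    iptables -I INPUT "$(drop_position "$listing")" -p tcp --dport 80 -j DROP
}

# Constructed sample listing (not captured from a real router) in the format of
# `iptables -vL INPUT --line-numbers`, used to exercise the placement logic.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       12   960 ACCEPT     all  --  lo     any     anywhere             anywhere
2      340 28800 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
3        0     0 DROP       all  --  any    any     anywhere             anywhere             state INVALID
4        9   540 ACCEPT     tcp  --  br0    any     anywhere             anywhere             tcp dpt:ssh'

# Constructed empty chain: the DROP should then go to position 1.
EMPTY_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination'

# Dry run on the constructed chain; as the post-firewall hook you would call block_port80.
plan_block_port80 "$SAMPLE_LISTING"   # iptables -I INPUT 3 -p tcp --dport 80 -j DROP
```

Placing the DROP after the loopback accept matters for the ssh-tunnel trick later in the article: the tunnelled connection to httpd is made by the router's own sshd and is accepted by that rule before the DROP is ever consulted.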

I learned from the firmware manual that the local initialization system's interface consists of user scripts with specific names in /usr/local/sbin/; /sbin/flashfs is the way to keep file-system changes across a reboot (specifically, it writes a tar of the files it manages to /dev/mtd4 and unpacks it at boot).
I did not work out how mtd4, as seen in /sbin/flashfs, differs from mtdblock4 and from nvram, the last of which holds the other user settings as key-value pairs.

But it already works. Now, how do I get into the web interface? Obviously, opening up iptables by hand every time would be very ugly ..?

The router's port 80 can be forwarded through an ssh tunnel to port 8080 on the local machine.
 $ ssh -N -L 8080:192.168.1.1:80 admin@192.168.1.1

... and open the web interface at http://localhost:8080. The connection to httpd is made from the router's own sshd and does not get stuck in the iptables INPUT chain. All that remains is to start the browser and enjoy the triumph of technology.

A few simple steps, and our small home router no longer exposes port 80, just like the very big one. Beauty. :]

Source: https://habr.com/ru/post/248917/

