We decided to take part in the recent buzz around router insecurity by conducting research to assess the security of the ADB (formerly Pirelli Broadband) P.RG A4201G, a router/VoIP gateway provided by a popular Greek ISP. During our investigation a few interesting facts about routers and their firmware came to light; they are described in this article. The two main issues we found are:
1. Multiple CSRF vulnerabilities in the router’s web interface.
2. Insecure permissions on CGI scripts.
The router’s interface has known CSRF vulnerabilities initially found in an Arcadyan router interface, suggesting that the deployed firmware has probably been re-used, with the appropriate modifications, by multiple models.
An example request disabling the router’s firewall is shown below:
POST /cgi-bin/fire_eb.exe HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/firewall_main.stm
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 39

fire_enable=0&savesetting=SAVE+SETTINGS
In order for this request to work, a user must be authenticated. Does this provide enough protection? The answer is no.
Although the administrative panel pages are not accessible to simple users (attempts result in a 404), the scripts that configure the router options on those pages can be executed with simple user privileges. This appears to be an incorrectly mitigated vulnerability originally discovered in the Belkin F5D7230-4.
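To make the two findings concrete from the defender's side, here is an added example (not code from the article or from the router's firmware) of a small CGI dispatcher model. It parses the fire_eb.exe request quoted above and contrasts the behaviour the article describes, where any authenticated session may run any script, with a dispatcher that also checks the request origin, a per-session CSRF token and the caller's role on the script itself rather than on the page that links to it. The session cookies, the tokens, the third-party origin and the /cgi-bin/dns_fwd.exe path are constructed for the example.

```python
"""Added example: why 'the user must be authenticated' does not stop a
cross-site POST to /cgi-bin/fire_eb.exe, and what a hardened dispatcher
checks. Sessions, tokens and the dns_fwd.exe name are constructed."""
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

ROUTER_ORIGIN = "http://192.168.1.1"

# Constructed session table: cookie value -> (role, csrf_token).
SESSIONS = {
    "sess-user": ("user", secrets.token_hex(16)),
    "sess-admin": ("admin", secrets.token_hex(16)),
}

# Role each script should require. The article's finding is that the router
# only hid the admin pages (404 for simple users) while the scripts behind
# them ran for any authenticated account.
SCRIPT_ROLES = {
    "/cgi-bin/fire_eb.exe": "admin",   # firewall on/off, from the article
    "/cgi-bin/dns_fwd.exe": "user",    # constructed name for the DNS forwarding page
}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and form fields."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = {k: v[0] for k, v in parse_qs(body).items()}
    return {"method": method, "path": path, "headers": headers, "form": form}


def session_of(req: dict):
    """Look up the session named in the Cookie header, or None."""
    for part in req["headers"].get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and value in SESSIONS:
            return SESSIONS[value]
    return None


def vulnerable_dispatch(req: dict) -> int:
    """Behaviour described in the article: authenticated means allowed."""
    if session_of(req) is None:
        return 401
    return 200 if req["path"] in SCRIPT_ROLES else 404


def hardened_dispatch(req: dict) -> int:
    """Authentication plus authorisation, same-origin and CSRF token checks."""
    sess = session_of(req)
    if sess is None:
        return 401
    role, token = sess
    if req["path"] not in SCRIPT_ROLES:
        return 404
    # Authorisation is enforced on the script itself, not by hiding the page.
    if SCRIPT_ROLES[req["path"]] == "admin" and role != "admin":
        return 403
    # Origin/Referer must be the router; another site cannot forge them and a
    # missing header fails closed.
    src = req["headers"].get("origin") or req["headers"].get("referer", "")
    parsed = urlparse(src)
    if f"{parsed.scheme}://{parsed.netloc}" != ROUTER_ORIGIN:
        return 403
    # Synchroniser token bound to the session: the browser attaches the cookie
    # by itself, but another origin cannot read the token to include it.
    supplied = req["form"].get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, token.encode()):
        return 403
    return 200


def build_request(path: str, cookie: str, referer: str, body: str) -> str:
    """Assemble a request in the shape of the one quoted in the article."""
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: 192.168.1.1\r\n"
        f"Cookie: session={cookie}\r\n"
        f"Referer: {referer}\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
        f"{body}"
    )


# The article's request as it would arrive from a page on another origin,
# with a simple user's session cookie attached by the browser (constructed).
CROSS_SITE = build_request("/cgi-bin/fire_eb.exe", "sess-user",
                           "http://third-party.example/page.html",
                           "fire_enable=0&savesetting=SAVE+SETTINGS")

# A legitimate admin submission from the router's own firewall page.
LEGITIMATE = build_request("/cgi-bin/fire_eb.exe", "sess-admin",
                           "http://192.168.1.1/firewall_main.stm",
                           "fire_enable=0&savesetting=SAVE+SETTINGS"
                           f"&csrf_token={SESSIONS['sess-admin'][1]}")

if __name__ == "__main__":
    for name, raw in (("cross-site", CROSS_SITE), ("legitimate", LEGITIMATE)):
        req = parse_request(raw)
        print(f"{name:11} vulnerable={vulnerable_dispatch(req)} "
              f"hardened={hardened_dispatch(req)}")
```

The cross-site request passes the vulnerable dispatcher (200) because the browser supplies the session cookie, and is rejected by the hardened one (403): first on role, and even for an admin session on the origin and token checks. The Referer check alone is weak, since some clients suppress the header, which is why the token check is the one that matters.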
Two scenarios of DNS Hijacking attack
Although we could assume that users rarely change their default passwords, we won’t, because in this case changing the password does not prevent such attacks. The reason is the existence of an administrator account managed by the ISP. Its credentials can easily be retrieved from the firmware image using trivial reverse engineering techniques, and they are common to all subscribers. They are also rarely changed by the ISP (e.g. until a recent firmware update they remained unchanged for more than a year).
The first approach is changing the DNS server of the router. To simplify the attack we provide a simple Python script which generates the appropriate iframes.
The second approach, which is stealthier but less effective, is changing the options on the DNS Forwarding page (by the way, this page is available to non-administrative accounts although it does not appear in the non-administrative menu). The interface pretty much explains the functionality:
“You can assign a DNS Server for URL. When query this URL, dns proxy will query it from prior assigned DNS Server.”
Exploitation and Impact
Exploiting the above vulnerabilities in the context of a social engineering attack can also lead to:
• Unwanted service exposure
• DNS Hijacking
• VoIP Denial of Service
• Disabling wireless security
• Disabling of the remote support provided by the ISP
• User/Admin account password change
This whole firmware reuse/rebranding raised some issues requiring closer attention:
a) Router firmware reuse (with minor changes) appears to be popular among router manufacturers. A bit of Google searching revealed that similar firmware has been used in Pirelli, Arcadyan, Sagem, Belkin, T-Sinus and BuffaloTech routers. However, for various reasons (contracts, third parties involved, etc.), vulnerability patches are not applied to all firmware variants. A Belkin CSRF vulnerability found in 2008 was never correctly mitigated on an Arcadyan router and still exists on the P.RG A4201G, whose latest firmware update was applied on 20th October 2013.
b) ISPs worldwide seem to deploy this tactic of keeping exclusive rights to the administrative account “for support and updates”. Even if support is the only reason they maintain such accounts, they should at least do so without exposing their clients to such serious dangers.
Vendor Informed : 26/11/2013
ISP Informed: 5/12/2013
Vendor Replied: 9/12/2013
Vendor confirmed (known!) vulnerabilities: 17/12/2013
A firmware update will be released in the following weeks. Until the issue is fixed, users are advised to avoid using the DNS server of their router (howto).