Anatomy of an exploit - Linksys router remote password change hole


A security researcher from San Jose in California has published a how-to guide detailing a number of vulnerabilities in various Linksys routers.

Phil Purviance, who goes by the handle of SUPER.EVR (EVR stands for Exploitation Vulnerability Research), reported the holes privately on 05 March 2013:

Hello Cisco PSIRT, I would like to report several vulnerabilities in Linksys network equipment. A public advisory regarding these issues may be released 30 days after sending this report.

And Purviance certainly lived up to his threat, publicly releasing the gory details on 05 April 2013 on his blog.

I don't want to get sidetracked into a discussion about the disclosure process here - whether 30 days was long enough, whether it was fair to expect a reply after emailing Cisco, which no longer owns the Linksys brand, or whether explicitly documenting the holes was wise.

You'll have to make your own mind up on those issues, because the purpose of this article is to zoom in on one of the holes to see what we can learn from it.

Understanding CSRF

The vulnerability we'll be looking at is:

Linksys EA2700 Password Change Insufficient Authentication and CSRF Vulnerability

Imagine that you are trying to penetrate a network inside a building that is monitored by security guards, offers no remote computer access, and is surrounded by an electric fence and motion detectors.

You're not going to get inside, but now imagine yourself holding up a placard outside one of the office windows saying, "Kindly enable remote login on port 5128 and change the password to b4nana," and waiting a while.

Imagine if it worked!

That's a simile for one of the bugs that Purviance found.

It gets the tag CSRF, for Cross Site Request Forgery, because it lets you embed, in an external web page (that's the placard outside the window), a URL that refers to a configuration script that will run on your router (that's the list of instructions on the placard).

So the Cross Site Request isn't a demand from an angry web server, but rather a web page that deliberately takes you to site B via site A.

In this case, visiting an otherwise innocent-looking external site can cause your browser to initiate internal actions on your router.

And if the router assumes that you are authorised simply on the basis that you are issuing the request from inside the network, an external attacker can easily use you as his "inside proxy" to violate security.

The unprotected configuration page found by Purviance permitted just the sort of silent reconfiguration jokingly shown on our placard: enabling external router admin (something you should never be tempted to do by choice), changing the password, and more.

So much for the metaphorical electric fence, the security guards and the motion detectors.

Of course, for this attack to work, the criminal needs to know what internal URL to embed in his external web page, which means he needs to know the internal name or IP number of your router:

That's so that when your browser processes the dodgy URL, the malicious reconfiguration request goes to the right web page on the right router, and produces the right HTTP request, as in the example above.

In Purviance's example, as above, he chose 192.168.1.1, which is a good guess for many networks.

→ Private IP address ranges for your home or business network run from 10.0.0.0 to 10.255.255.255, from 172.16.0.0 to 172.31.255.255, and from 192.168.0.0 to 192.168.255.255. Advocates of security through obscurity suggest choosing randomly from the available private spaces, and as long as you don't rely on this as a security measure in its own right, you might as well do just that.

By the way, the problem of internal command-and-control URLs embedded into external websites (the Cross Site Request part) is why many web services require you to enter your password again to authorise key operations, even if you are already logged in.

That not only prevents curious (or malevolent) colleagues from making long-term changes to your configuration if you inadvertently leave your screen unlocked, but also makes attempted alterations caused by CSRF more obvious.

Requiring re-authentication not only makes the CSRF fail, but also draws your attention to the attempt because an unexpected password dialog pops up.

Lessons to learn

So, the lessons to learn from this bug are:

  • Don't gripe at websites that ask for your credentials again when performing configuration or security-related tasks. The inconvenience is a small price to pay for the additional safety.
  • Keep your eye open for firmware updates for your routers and other network hardware. Security patches don't just apply to desktop operating systems and applications.
  • When writing web services that are worth password-protecting, don't just protect access to the URL of the relevant starting page. Make sure that the individual URLs that accept and process commands (whether by GET or POST requests) are all authenticated, too.
  • Logout from web services when you aren't using them. Don't needlessly leave yourself in the position that accidental or unexpected clicks can have unintended side-effects.

→ Yes, the last point above includes logging out routinely from Facebook, Twitter and your webmail, too. It's much more convenient to stay logged in all day, but much less safe, and very much less secure.
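To make the "authenticate every command URL" lesson and the re-authentication point above concrete, here is an added example (not code from the article, Linksys or Purviance) that models a router's password-change handler two ways: the unprotected pattern the article describes, and a hardened one that checks the session on the command URL itself, demands a per-session anti-CSRF token that a foreign page cannot read, and asks for the current password again. Requests are plain dicts and the session store, token and password hash are constructed demo values.

```python
import hashlib
import hmac

# Constructed demo state (not from the article): one logged-in admin session
# and the hash of the router's current admin password.
SESSIONS = {"sess-7f3a": {"user": "admin", "csrf_token": "csrf-9b1c"}}
ADMIN_PASSWORD_HASH = hashlib.sha256(b"correct-horse").hexdigest()

def change_password_unprotected(req):
    """The pattern the article describes: the command URL trusts any request
    that reaches it from inside the LAN and asks for nothing else."""
    return 200, req["form"].get("new_password")

def change_password_protected(req):
    """Authenticate the command URL itself, reject cross-site requests with a
    per-session token, and require the current password again."""
    if req["method"] != "POST":          # state changes never ride on GET (<img src=...>)
        return 405, None
    session = SESSIONS.get(req["cookies"].get("session", ""))
    if session is None:                  # cookie missing or unknown: not logged in
        return 401, None
    sent = req["form"].get("csrf_token", "")
    if not hmac.compare_digest(sent, session["csrf_token"]):
        return 403, None                 # a foreign page cannot read this token
    current = req["form"].get("current_password", "").encode()
    if not hmac.compare_digest(hashlib.sha256(current).hexdigest(), ADMIN_PASSWORD_HASH):
        return 401, None                 # re-authentication failed
    return 200, req["form"].get("new_password")

def forged_request():
    """What a CSRF page yields: the browser attaches the victim's cookie
    automatically, but the attacker writes the form body and has no token."""
    return {"method": "POST",
            "cookies": {"session": "sess-7f3a"},
            "form": {"new_password": "b4nana"}}

def legitimate_request():
    """A change made by the logged-in admin from the router's own page."""
    return {"method": "POST",
            "cookies": {"session": "sess-7f3a"},
            "form": {"csrf_token": "csrf-9b1c",
                     "current_password": "correct-horse",
                     "new_password": "new-and-long"}}
```

The forged request succeeds against the unprotected handler and is refused (403) by the hardened one, while the legitimate request passes both; in a real service the token would be generated with `secrets.token_urlsafe()` at login and the password hash would use a slow KDF rather than plain SHA-256.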

What to do next

As for closing this hole if you have a Linksys EA2700 router, Dan Goodin of Ars Technica reports that:

A statement issued by officials from Belkin, which recently acquired the Linksys brand, said the vulnerabilities documented by Purviance had been fixed in the Linksys Smart Wi-Fi Firmware that was released in June.

And according to Linksys, the June 2012 firmware release was itself superseded in July, October and November last year:

Purviance didn't make it clear, in his vulnerability disclosure, which firmware version he used during his research.

But if you aren't on the latest firmware version, you probably ought to grab it anyway.

After all, this isn't the first time we've written about vulnerabilities in, and the external misuse of, SoHo routers.

And if you're really keen, you can use the hacking-by-numbers tool Metasploit to do a penetration test against your own router, as exploit modules for Purviance's holes are already available online.


8 Responses to Anatomy of an exploit - Linksys router remote password change hole

  1. Ajs · 476 days ago

    "Security through obscurity" is a negative value judgement that typically is used to indicate a borderline pointless activity. "Defense in depth" is the positive version you could have used in your comments about randomising the selection of a private IP. Forcing an attacker to search a space rather than going straight to a particular location is a useful tool in general and apparently also in this case. If you were designing a system from scratch, forcing a search of 16 million possibilities wouldn't make the system secure, but we're dealing with existing systems, so let's take what we can get.

    • Paul Ducklin · 476 days ago

      Ahem, but I think the "negative value judgement" activity going on here is yours :-) You're reading an awful lot into my use of the words "security through obscurity", don't you think?

      (If I had meant to suggest that randomising your IP addresses was a pointless activity, I'd hardly have gone on to say that you might as well do it, would I?)

      I stand by what I say: by all means, randomise your IP numbers, just don't rely on this as a security measure in its own right. Unlike passwords, IP numbers were never intended to be secret, so in my opinion, referring to their randomisation as "defence in depth" would be overstating the security benefit, and that's why I didn't choose those words.

      So, yep, I'm happy with my use of "security through obscurity."

  2. I have the EA6500 router. About a month ago the servers that allow router control via the Linksys Smart WiFi were down. If Smart WiFi is set you can't manually log in unless you disconnect the feed into the router. The night of the server issue I was trying to access my router to install a network printer. I couldn't get logged in and reset the router to set everything up again, including a new account. When the setup window opened I found the page was filled out with someone else's network information. Everything was there including all the passwords and access keys. It was displayed as it was written - no masking of characters. I was stunned because here were the keys to someone's kingdom!

  3. Jessica · 476 days ago

    um yeah this is all over my head, let them hack me I guess.

  4. Bart · 476 days ago

    As the young people say, TMI.

    Which Linksys routers are vulnerable?

    • Paul Ducklin · 476 days ago

      This article is about a vulnerability explicitly designated by its discoverer as affecting the EA2700 router. (That's explicitly mentioned in the article, early on, and again twice at the end in the section that is headlined "What to do next" and which starts with the words "As for closing this hole if you have a Linksys EA2700 router...")

      If you want to explore all the vulns found by this bloke in his research (which sounds as though it really will be TMI), and to investigate whether other models are potentially at risk, you will need to read his blog for the details. The link is in the fourth paragraph...

      HtH.

  5. Good thing I always check for the latest firmware updates for my routers; updating the firmware could be a big help for security purposes.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog