A security researcher from San Jose in California has published a how-to guide detailing a number of vulnerabilities in various Linksys routers.
Phil Purviance, who goes by the handle of SUPER.EVR (EVR stands for Exploitation Vulnerability Research), reported the holes privately on 05 March 2013:
Hello Cisco PSIRT, I would like to report several vulnerabilities in Linksys network equipment. A public advisory regarding these issues may be released 30 days after sending this report.
And Purviance certainly lived up to his threat, publicly releasing the gory details on 05 April 2013 on his blog.
I don't want to get sidetracked into a discussion about the disclosure process here - whether 30 days was long enough, whether it was fair to expect a reply after emailing Cisco, which no longer owns the Linksys brand, or whether explicitly documenting the holes was wise.
You'll have to make your own mind up on those issues, because the purpose of this article is to zoom in on one of the holes to see what we can learn from it.
The vulnerability we'll be looking at is:
Linksys EA2700 Password Change Insufficient Authentication and CSRF Vulnerability
Imagine that you are trying to penetrate a network inside a building that is monitored by security guards, offers no remote computer access, and is surrounded by an electric fence and motion detectors.
You're not going to get inside, but now imagine yourself holding up a placard outside one of the office windows saying, "Kindly enable remote login on port 5128 and change the password to b4nana," and waiting a while.
Imagine if it worked!
That's an analogy for one of the bugs that Purviance found.
It gets the tag CSRF, for Cross Site Request Forgery, because it lets an attacker embed, in an external web page (that's the placard outside the window), a URL that refers to a configuration script on your router (that's the list of instructions on the placard), and your own browser then fetches that URL for him.
So the Cross Site Request isn't a demand from an angry web server, but rather a web page that deliberately takes you to site B via site A.
In this case, visiting an otherwise innocent-looking external site can cause your browser to initiate internal actions on your router.
And if the router assumes that you are authorised simply on the basis that you are issuing the request from inside the network, an external attacker can easily use you as his "inside proxy" to violate security.
The unprotected configuration page found by Purviance permitted just the sort of silent reconfiguration jokingly shown on our placard: enabling external router admin (something you should never be tempted to do by choice), changing the password, and more.
So much for the metaphorical electric fence, the security guards and the motion detectors.
Of course, for this attack to work, the criminal needs to know what internal URL to embed in his external web page, which means he needs to know the internal name or IP number of your router:
That's so that when your browser processes the dodgy URL, the malicious reconfiguration request goes to the right web page on the right router, and produces the right HTTP request, as in the example above.
In Purviance's example, as above, he chose 192.168.1.1, which is a good guess for many networks.
→ Private IP address ranges for your home or business network run from 10.0.0.0 to 10.255.255.255, from 172.16.0.0 to 172.31.255.255, and from 192.168.0.0 to 192.168.255.255. Advocates of security through obscurity suggest choosing randomly from the available private spaces, and as long as you don't rely on this as a security measure in its own right, you might as well do just that.
By the way, the problem of internal command-and-control URLs embedded into external websites (the Cross Site Request part) is why many web services require you to enter your password again to authorise key operations, even if you are already logged in.
That not only prevents curious (or malevolent) colleagues from making long-term changes to your configuration if you inadvertently leave your screen unlocked, but also makes attempted alterations caused by CSRF more obvious.
Requiring re-authentication not only makes the CSRF fail, but also draws your attention to the attempt because an unexpected password dialog pops up.
Lessons to learn
So, the lessons to learn from this bug are:
- Don't gripe at websites that ask for your credentials again when performing configuration or security-related tasks. The inconvenience is a small price to pay for the additional safety.
- Keep your eye open for firmware updates for your routers and other network hardware. Security patches don't just apply to desktop operating systems and applications.
- When writing web services that are worth password-protecting, don't just protect access to the URL of the relevant starting page. Make sure that the individual URLs that accept and process commands (whether by GET or POST requests) are all authenticated, too.
- Log out of web services when you aren't using them. Don't needlessly leave yourself in the position that accidental or unexpected clicks can have unintended side-effects.
→ Yes, the last point above includes logging out routinely from Facebook, Twitter and your webmail, too. It's much more convenient to stay logged in all day, but much less safe, and very much less secure.
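To make the third lesson concrete, here is an added example (written for this edit of the article, not code from Linksys, from Purviance's advisory or from the original post) that models a router admin service in Python. A vulnerable handler authenticates only the start page and lets the command URL execute whatever reaches it, which is exactly what lets a URL embedded in an external page reconfigure the device. The hardened handler beside it authenticates every command URL, accepts state changes only by POST with a per-session anti-CSRF token, and asks for the current password again before sensitive settings such as remote admin or the password itself can change. The route names /admin and /apply.cgi, the request dictionary shape and the sample password are assumptions made for illustration.

```python
"""Model of the CSRF weakness in the article and of the fixes it recommends.
Added example: not Linksys firmware and not code from the advisory.
Routes, request shape and credentials are constructed for illustration."""
import hmac
import secrets

# Device state and session store (constructed for the example).
ROUTER_CONFIG = {}
SESSIONS = {}                                   # session id -> {"csrf_token": str}
SENSITIVE = {"remote_admin", "admin_password"}  # changes that need the password typed again


def reset():
    """Restore factory-ish state so each scenario starts from the same place."""
    ROUTER_CONFIG.clear()
    ROUTER_CONFIG.update({"hostname": "linksys", "remote_admin": False,
                          "admin_password": "correct horse battery staple"})
    SESSIONS.clear()


def login(password):
    """Start an admin session if the password is right; returns the session id or None."""
    if not hmac.compare_digest(password, ROUTER_CONFIG["admin_password"]):
        return None
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(16)}
    return sid


def _apply(form):
    """Copy recognised settings from the submitted form into the device config."""
    for key, value in form.items():
        if key in ROUTER_CONFIG:
            ROUTER_CONFIG[key] = value
    return 200


def vulnerable_handle(request):
    """Vulnerable pattern: only the start page checks the session.
    The command URL trusts any request that reaches it, so a URL or form
    embedded in an external page is executed by the victim's browser."""
    sid = request["cookies"].get("session")
    if request["path"] == "/admin":
        return 200 if sid in SESSIONS else 401
    if request["path"] == "/apply.cgi":
        return _apply(request["form"])          # no session, token or re-auth check
    return 404


def hardened_handle(request):
    """Hardened pattern: every command URL is authenticated, state changes are
    POST-only, carry a per-session anti-CSRF token, and sensitive settings
    also require the current password to be entered again."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if request["path"] == "/admin":
        return 200 if session else 401
    if request["path"] == "/apply.cgi":
        if session is None:
            return 401                          # not logged in: forged request from a stranger
        if request["method"] != "POST":
            return 405                          # a bare <img src=...> GET cannot change state
        form = request["form"]
        if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
            return 403                          # an external page cannot read the token
        if SENSITIVE.intersection(form):
            typed = form.get("current_password", "")
            if not hmac.compare_digest(typed, ROUTER_CONFIG["admin_password"]):
                return 403                      # re-authentication failed (or was never offered)
        return _apply(form)
    return 404


if __name__ == "__main__":
    reset()
    sid = login("correct horse battery staple")
    # A forged request of the "placard" kind: the victim's cookies ride along,
    # but the external page knows neither the token nor the password.
    forged = {"method": "GET", "path": "/apply.cgi", "cookies": {"session": sid},
              "form": {"remote_admin": True, "admin_password": "b4nana"}}
    print("vulnerable:", vulnerable_handle(forged), ROUTER_CONFIG)
    reset()
    sid = login("correct horse battery staple")
    forged["cookies"] = {"session": sid}
    print("hardened:", hardened_handle(forged), ROUTER_CONFIG)
```

Each of the three checks in the hardened handler stops the forged request on its own; the re-authentication step is the one the article singles out, because it also makes the attempt visible to the user as an unexpected password prompt.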
What to do next
A statement issued by officials from Belkin, which recently acquired the Linksys brand, said the vulnerabilities documented by Purviance had been fixed in the Linksys Smart Wi-Fi Firmware that was released in June.
And according to Linksys, the June 2012 firmware release was itself superseded in July, October and November last year:
Purviance didn't make it clear, in his vulnerability disclosure, which firmware version he used during his research.
But if you aren't on the latest firmware version, you probably ought to grab it anyway.
And if you're really keen, you can use the hacking-by-numbers tool Metasploit to do a penetration test against your own router, as exploit modules for Purviance's holes are already available online.