Fantastic router security



  • I just got a new 100Mbps internet connection, from the largest ISP here. The installation was surprisingly painless (only a couple hours without internet), included a new shiny ISP-provided router, and everything seemed to work great afterwards.

    Naturally I immediately tried to log in to the router to configure things, and change the 20-character random alphanumeric WPA password to the one I used with the previous router. After figuring out the router's IP address (192.168.1.1) I was greeted with a standard "Username and password" prompt. None of the usual combinations (admin, 1234...) seemed to work so I did a bit of googling. Turns out you have to ask the ISP to enable local administration for the router, and they provide you with a password. OK, that's annoying, but at least they let me do it. After navigating through their slow, bloated, confusing, poorly designed, inaccessible website, ridden with obsolete or unrecommended web practices like frames and JavaScript-only links, I managed to sign in and enable that "feature", and proceeded to configure my router to a usable state.

    But another thing piqued my curiosity. One of the google search results read "grave vulnerability in <ISP> routers". I checked the date: published >1 year ago. Surely MY router would not be affected? Well guess again...

    I visited 192.168.1.1 again, with a different browser. When the same login prompt came up, I just canceled and added "/password.cgi" to the URL:

    OH FOR FUCK'S SAKE YOU'VE GOT TO BE KIDDING ME. They are not checking your credentials when you access the password change page?

    But wait, that's not really a vulnerability is it? You need the old password to set a new password so surely it's not that grave...

    [URL=http://imgur.com/wVAQeWj][IMG]http://i.imgur.com/wVAQeWj.png[/IMG][/URL]
    Yep, that's the authentication code and the admin password, in Javascript, sent to anyone who visits /password.cgi.

    The curious thing is that the other router pages I checked (each of which ended in a different extension: .cgi, .cmd, .html...) DID ask for password. Did they intentionally leave this one open, or was it accidental? I'm not sure which is worse.

    And no, it doesn't allow connections from the outside to access the interface, thank god, so it's not really a fatal flaw in itself unless you enable remote administration... but the router DOES have other remote access protocols, like TR-069, and if the programmers of something as common as a web interface managed to make two of LITERALLY THE SIMPLEST, MOST WELL-KNOWN SECURITY MISTAKES I don't want to think about how the rest of the thing is programmed.
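    An added example, not code from the thread or from the router vendor: a small Python audit that does what the OP did by hand, requesting each page with no credentials and scanning whatever comes back for secret-looking JavaScript assignments. The path list, the variable names and the constructed responses are assumptions modelled on the post, not a description of any real firmware; the fetch callback is injected so the same code runs offline here and against a real device by swapping in an HTTP client.

    ```python
    """Probe a router web UI for pages served without authentication and
    scan what comes back for credentials embedded in client-side script.

    Added example, not the original post's code. The fetch function is
    injected so the scan can run offline against constructed responses.
    """
    import re
    from typing import Callable, Dict, List, Tuple

    # Paths worth trying without credentials. Assumption: mirrors the page
    # extensions the OP mentions; extend with your own device's pages.
    CANDIDATE_PATHS = ["/", "/password.cgi", "/info.html", "/wlsecurity.html", "/upgrade.cmd"]

    # JavaScript assignments whose variable name suggests a secret, e.g.
    #   var pwdAdmin = 'hunter2';   sessionKey = "0f3a..."
    # Deliberately broad ("key" also hits keyboard handlers): review the hits.
    SECRET_ASSIGN = re.compile(
        r'(?:var\s+)?(?P<name>\w*(?:pass|pwd|secret|key|auth|session)\w*)\s*=\s*[\'"](?P<value>[^\'"]+)[\'"]',
        re.IGNORECASE,
    )

    Response = Tuple[int, str]            # (HTTP status, body)
    Fetcher = Callable[[str], Response]   # path -> response, with NO credentials attached


    def find_unauthenticated_pages(fetch: Fetcher, paths=CANDIDATE_PATHS) -> Dict[str, str]:
        """Return {path: body} for every path that answers 200 to an anonymous request."""
        open_pages = {}
        for path in paths:
            status, body = fetch(path)
            if status == 200:
                open_pages[path] = body
        return open_pages


    def extract_embedded_secrets(body: str) -> List[Tuple[str, str]]:
        """Pull (variable, value) pairs for secret-looking JS assignments.
        An HTML comment wrapper hides nothing from a client, so nothing is stripped first."""
        return [(m.group("name"), m.group("value")) for m in SECRET_ASSIGN.finditer(body)]


    def audit(fetch: Fetcher) -> Dict[str, List[Tuple[str, str]]]:
        """Map each page reachable without login to the secrets it leaks (possibly none)."""
        return {path: extract_embedded_secrets(body)
                for path, body in find_unauthenticated_pages(fetch).items()}


    # Constructed sample responses standing in for a device like the one in the
    # thread: every page demands credentials except password.cgi, which also
    # ships the admin password and a token inside a comment-wrapped script.
    FAKE_DEVICE = {
        "/password.cgi": (200, """<html><head><script>
    <!-- hide
    var pwdAdmin = 'supersecret';
    var sessionKey = 'a8f3c0';
    function check() { if (document.f.old.value != pwdAdmin) alert('bad'); }
    // done hiding -->
    </script></head><body>...</body></html>"""),
    }


    def fake_fetch(path: str) -> Response:
        """Offline stand-in for an HTTP GET with no Authorization header."""
        return FAKE_DEVICE.get(path, (401, ""))


    if __name__ == "__main__":
        for path, leaks in audit(fake_fetch).items():
            detail = ", ".join(f"{name}={value}" for name, value in leaks) or "no obvious secrets"
            print(f"{path}: reachable without login; {detail}")
    ```

    Against a real device, replace `fake_fetch` with a function that issues the GET (urllib or requests) and returns the status and body; anything listed is a page that should have answered 401, and any hit from the regex is a secret the browser should never have been given.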



  • That is truly abysmal. It should count as criminal negligence on the part of the ISP imo.

    Get your own router ASAP!


  • Trolleybus Mechanic

     What's your problem?  They clearly hide the code. Did you not see:

    @BWHAHAHAHA! said:


    <!-- hide

    // done hiding -->

    It's not their fault you hacked your browser to see the hidden code, you hacking hacker.



  • You do realize that the javascript code could just be there for userfriendlyness and that the server can still do the real check on submit right?


  • Trolleybus Mechanic

    @henke37 said:

    You do realize that the javascript code could just be there for userfriendlyness and that the server can still do the real check on submit right?
     

    You do realize the javascript code that does the "is old password correct" check contains the PLAINTEXT ADMIN PASSWORD, right?

    I'll wait while that sinks in.


  • Considered Harmful

    @Lorne Kates said:

     What's your problem?  They clearly hide the code. Did you not see:

    @BWHAHAHAHA! said:


    <!-- hide

    // done hiding -->

    It's not their fault you hacked your browser to see the hidden code, you hacking hacker.

    Everyone knows if you want to guard against view source attacks you have to add a screenful of whitespace to the top of your HTML, and alert an obnoxious message when someone right-clicks.



  • I'm trying to count the wtfs, but I keep losing track every time I see another one.
    It's horrible in every way it is possible to be horrible.


  • Trolleybus Mechanic

    @joe.edwards said:

    Everyone knows if you want to guard against view source attacks you have to add a screenful of whitespace to the top of your HTML, and alert an obnoxious message when someone right-clicks.
     

    INT. IT WORKSPACE

    Two co-workers, BOB and FRANK, both IT Professionals in proper uniform-- white workshirt, black tie, pocket protector, pressed suit-- nod with satisfaction at their screens. They sit beneath a sign similar to an anti-accident poster. It reads "387 DAYS SINCE LAST HACK". All seems well in the world. And then

    F.X.: Klaxon, phone ringing

    A red, glowing phone rings. Both BOB and FRANK, startled and horrified, look at the phone, then at each other. BOB, the more senior Computer Programmer, answers the phone, standing straight at attention.

    BOB: Sir? [beat] I-- yes, sir. How did-- I see. Sir. Yes. Yes, sir. I understand.

    BOB, with shaking hands, hangs up the phone. He slumps down into his seat.

    FRANK: Bob? What is it? [beat, no response] Bob?

    BOB finally looks up, face ashen, eyes wide.

    BOB: It's the code, Frank. They-- they got at the code.

    FRANK is in shock and disbelief.

    FRANK: No, that can't be. It's protected. Protected, Bob, I tell you.

    BOB: Not protected enough.

    FRANK: Then it's a fake. A hoax.

    BOB: No, Frank, this is real.

    FRANK: No, no, no, Bobby. It's just a drill from the big boys upstairs, they're--

    BOB slams his fist down on the desk, face now completely flush, angry.

    BOB: IT'S ON THE INTERNET!  [Stares down FRANK]  They found it, and put it-- they put it right up there on the Internet.

    FRANK: No, it just can't be. It's protected. We tested it. You and I, Bob, we saw it with our own two eyes! Whitespace, top to bottom of the screen. We protected it!

    BOB: We didn't protect it enough, Frank. They were just too damn clever for us, and now they have it.

    FRANK: How, Bob? Did the big boys say? How'd they manage to snag it, Bob?

    BOB stares off in the distance, lost in the shock. FRANK slaps him.

    FRANK: Don't lose it Bob. Tell me, how did they do it?

    BOB: They-- they turned their monitors sideways, Frank. What was once wide was now tall and then it was all there, spread out before them. The code.

    FRANK: No, Bob. Monitors can't do that, can they?

    BOB: They can now, Frank. God help us all, they can now. If only we'd thought-- if only we'd listened-- and use TWO screens of whitespace rather than one. We'd be safe. We'd all be sitting pretty and going home to the little lady. But there was never the time for that much whitespace. Never the budget. It's good enough, we said. It's good enough!

    FRANK: The bastards. Now they have the code. Because of us.

    BOB:  We've become Shiva, destroyer of worlds.

    Both men stare listlessly, yet stoic. They know what must be done.  BOB draws his sidearm, holding it in his hands.

    BOB: I'll go first. It's been nice knowing you, Frank.

    FRANK: You too, Bob.

    BOB closes his eyes, puts the gun in his mouth. The camera quickly pans towards FRANK, just in time for the bang. FRANK flinches. Quick cut to the floor, closeup of the base of BOB's chair. His limp hand falls into frame, dropping the gun. The gun slides across the floor and stops at FRANK'S feet. Continuous shot of FRANK picking up the gun, and slowly drawing it to his face. He puts it under his chin. FRANK looks down, zoom out to show picture of WIFE and DAUGHTER on his desk. Back up to FRANK.

    FRANK: I'm sorry, babydolls. I-- I hope when the angry mob comes for justice, this will be enough for them. Stay safe.

    He knows he's failed everyone. He turns the picture around, unable to bear looking at the beloved women whom he's failed and probably condemned to a horrific painful death at the hands/weapons/etc of an angry, vengeful mob.

    Cut to close shot of photo. In background, we can see an out-of-focus FRANK place the gun against his temple. There's a brief pause, then a FLASH and a BANG. Out-of-focus FRANK slumps in his chair. Blood and brain splatter across the desk, but the picture frame is safe. It has escaped the metaphorical bloodshed, but will the innocents in that picture escape the real bloodshed to come?



  • @joe.edwards said:

    and alert an obnoxious message when someone right-clicks.
     

    No need. Just blanking the context menu should be enough...



  • Well, for the record, the router is a Comtrend.


  • Considered Harmful

    You should be writing the front page articles, sir.



  • @Lorne Kates said:

    @joe.edwards said:

    Everyone knows if you want to guard against view source attacks you have to add a screenful of whitespace to the top of your HTML, and alert an obnoxious message when someone right-clicks.
     

    INT. IT WORKSPACE

    ...



  • @spamcourt said:

    here

    Where is "here"? I can't properly do nationalist trolling if I don't know what nation you're in.



  • @joe.edwards said:

    Filed under: I've actually seen script kiddies befuddled by these techniques.

    What about a (firefox only) website that doesn't use any html at all?




  • Considered Harmful

    HTTP header. Tricky.



  • @Ben L. said:

    @joe.edwards said:
    Filed under: I've actually seen script kiddies befuddled by these techniques.

    What about a (firefox only) website that doesn't use any html at all?

    What a delightful oddity; very nicely done.

    Worked fine in Opera too, btw.



  •  I've seen exactly this before, in live production code, on publicly-accessible e-commerce sites.

    A lot of the time, the code is written by interns or high-school students who will work for free, or outsourcers working for pennies an hour. Since they aren't getting paid, they don't care about the quality of the work, and they most certainly don't care to learn how to do the work properly. Or, sometimes, they're just plain lazy.

    What usually happens is, the developer gets assigned a task.

    "Login form for router interface".

    "how do I make a password protected web page?" gets punched into Google.

    Developer goes to first result, probably W3Schools, and copies the first block of code into the page they are working on.

    It doesn't work, so the developer repeats (generally, leaving the non-working bits behind) until they get bored and go ask in a forum.

    The forum is populated mostly with other people doing the same thing, and they give widely conflicting suggestions on what lines of code to change, and what to change them to.

    The developer tries all of these, until either one works, or they've tried them all and go to another forum.

    Eventually, the product is delivered, the manager tests it once in whatever browser he was using at the time, and it appears to work.

    The product is then deployed and forgotten.

     

    Throughout this entire process, abstract thinking is never involved. The developer does not know what any part of the code does, nor has any willingness to learn. Javascript, HTML, CSS, PHP, etcetera are all little more than a big concoction of magic incantations. The developer is simply unaware that some code runs on the server, and some on the browser, and is not aware of the "view source" functionality at all, as their development methodology does not use it. No thought whatsoever is given to security, or the possibility that the end-user might enter something other than what is expected.

     

    This, natch, leads to some truly spectacular WTFs. Some of this code is maintained this way for periods of years, by dozens of different cargo-cult developers. The end result is beautiful in its own way. Like genetic code, there are large sections that are entirely vestigial. Others include such rampantly convoluted processes that could only have been produced by pure natural selection — dozens of developers mutating the code at random, inserting sections from foreign organisms, deleting others at random, tirelessly, until the result finally starts to function. Needless to say, it is typically somewhat dicey to make even the slightest alteration, as it may have unforeseen consequences.


  • Discourse touched me in a no-no place

    With that many links, your post is looking like a Wikipedia or TVTropes article…


  • Discourse touched me in a no-no place

    @Ben L. said:

    @joe.edwards said:
    Filed under: I've actually seen script kiddies befuddled by these techniques.

    What about a (firefox only) website that doesn't use any html at all?
    Cute.

    [pjh@thinkpad-pjh ~]$ curl http://mathiasbynens.be/demo/css-without-html -li
    HTTP/1.0 200 OK
    Date: Fri, 26 Apr 2013 09:04:10 GMT
    Server: Apache
    Link: <css-without-html.css>;rel=stylesheet
    X-UA-Compatible: IE=Edge,chrome=1
    Vary: Accept-Encoding
    Content-Length: 0
    Content-Type: text/html; charset=UTF-8
    X-Cache: MISS from admin.office
    X-Cache-Lookup: MISS from admin.office:3128
    Via: 1.0 admin.office:3128 (squid/2.6.STABLE21)
    Connection: close

    [pjh@thinkpad-pjh ~]$ curl http://mathiasbynens.be/demo/css-without-html.css -li
    HTTP/1.0 200 OK
    Date: Fri, 26 Apr 2013 09:04:29 GMT
    Server: Apache
    Last-Modified: Fri, 25 Feb 2011 11:34:46 GMT
    Accept-Ranges: bytes
    Content-Length: 320
    Cache-Control: max-age=31536000
    Expires: Sat, 26 Apr 2014 09:04:29 GMT
    Vary: Accept-Encoding
    Content-Type: text/css; charset=utf-8
    X-Cache: MISS from admin.office
    X-Cache-Lookup: MISS from admin.office:3128
    Via: 1.0 admin.office:3128 (squid/2.6.STABLE21)
    Connection: close

    html { background: #666; padding: 1em; }
    body { border: 5px dashed #eee; color: #fff; font: 3em/1.5 sans-serif; padding: 1em; width: 30em; margin: 0 auto; }
    body::after { content: 'O HAI! Have a look at my source code :)'; /* This needs to be on the ::after (and not just on body) for it to work in Firefox 3.6.x. */ }
    [pjh@thinkpad-pjh ~]$



  • @dkf said:

    With that many links, your post is looking like a Wikipedia or TVTropes article…
     

    It's not a copypaste from one such site. I checked.



  • @dkf said:

    With that many links, your post is looking like a Wikipedia or TVTropes article…

    More like spambot output...



  • My ISP’s provided router has apparently a slightly higher security level, but... When I go to their website, it detects that I’m coming from inside their network and [i]automatically logs me in to my account[/i].

    So if someone connects to my home network, they can access my account details, and access the ISP’s webmail and voicemail interface, simply by going to the ISP website without any login or password.

    Even better: the auto-login system can not be disabled (AFAIK) and [i]when auto-logged, you cannot log out[/i]. So if someone using the same ISP connects to my network, they will not be able to access their webmail, only mine. Nice, isn’t it?



  • @PJH said:

    Server: Apache
    Link: <css-without-html.css>;rel=stylesheet
    X-UA-Compatible: IE=Edge,chrome=1

    Wait, HTTP headers can have stylesheet links? ... !!!


  • @Lorne Kates said:

    We didn't protect it enough, Frank. They were just too damn clever for us, and now they have it.



  • @Medinoc said:

    Wait, HTTP headers can have stylesheet links? ... !!!

    Sure, why not?



  • @dkf said:

    With that many links, your post is looking like a Wikipedia or TVTropes article…

    Or classic Adequacy.org


  • Considered Harmful

    @Nexzus said:

    Adequacy.org



  • @eViLegion said:

    That is truly abysmal. It should count as criminal negligence on the part of the ISP imo.

    Get your own router ASAP!

    Oh, give me a break. Maybe you should let Sheriff Andy handle this one, Barney.


  • Trolleybus Mechanic

    @joe.edwards said:

    @Nexzus said:
    Adequacy.org
     

    It's the internet circa 2001, when pages contained useful content rather than image macros.



  • @Lorne Kates said:

    @joe.edwards said:

    @Nexzus said:
    Adequacy.org

     

    It's the internet circa 2001, when pages contained useful content rather than image macros.


    I'm waiting for someone to post "Cool story, bro" so I can hunt him down and assassinate him with a rusty butter knife.



  • [IMG]http://i.imgur.com/11d2eY2.png[/IMG]



  • @Salamander said:

    I'm not hallucinating that eval doing a variable assignment am I?

    The assignment to location instructs the browser to open password.cgi?adminPassword=THENEWPASSWORD.

    TRWTF: Since password.cgi does not check credentials on access, that means you don't even need the old password to set a new one!
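    The two points argued in this thread, henke37's "the server can still do the real check on submit" and the last post's "you don't even need the old password to set a new one", side by side as an added example. This is not the router's firmware: the request and session shapes are assumptions for illustration. `LeakyRouter` reproduces the pattern described in the thread (page served to anyone, secret embedded in the page's script, the old-password comparison done only in the browser, a bare `adminPassword=` request accepted); `HardenedRouter` does what a server-side check actually looks like: authenticate before serving anything, never ship the secret, verify the old password against a salted hash, and only on POST.

    ```python
    """Vulnerable versus hardened shape of a password-change CGI.
    Added example; the classes below are illustrations, not any vendor's code."""
    import hashlib
    import hmac
    import os
    import secrets
    from dataclasses import dataclass, field
    from typing import Dict, Optional


    @dataclass
    class Request:
        path: str
        method: str = "GET"
        params: Dict[str, str] = field(default_factory=dict)
        cookies: Dict[str, str] = field(default_factory=dict)


    @dataclass
    class Response:
        status: int
        body: str = ""


    class LeakyRouter:
        """The shape the thread describes. Do not deploy."""

        def __init__(self, admin_password: str):
            self.admin_password = admin_password

        def handle(self, req: Request) -> Response:
            if req.path != "/password.cgi":
                return Response(401)            # the other pages do ask for a password
            if "adminPassword" in req.params:
                # No session and no old-password check here: the browser's JS
                # did the "check", which an attacker simply never runs.
                self.admin_password = req.params["adminPassword"]
                return Response(200, "changed")
            # The page itself hands the secret to whoever asks for it.
            return Response(200, f"<script>var pwdAdmin = '{self.admin_password}'; ...</script>")


    class HardenedRouter:
        """Server-side check: the browser never sees the secret or decides anything."""

        def __init__(self, admin_password: str):
            self._salt = os.urandom(16)
            self._hash = self._derive(admin_password)
            self._sessions: Dict[str, bool] = {}

        def _derive(self, password: str) -> bytes:
            # Slow, salted KDF so a dumped config does not yield the password.
            return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

        def _check(self, password: str) -> bool:
            return hmac.compare_digest(self._derive(password), self._hash)

        def login(self, password: str) -> Optional[str]:
            """Return a random session token on success, None otherwise."""
            if not self._check(password):
                return None
            token = secrets.token_urlsafe(32)
            self._sessions[token] = True
            return token

        def handle(self, req: Request) -> Response:
            if not self._sessions.get(req.cookies.get("session", "")):
                return Response(401)            # every page, password.cgi included
            if req.path != "/password.cgi":
                return Response(200, "ok")
            if req.method == "GET":
                # The form carries no secret; there is nothing for the client to compare.
                return Response(200, "<form method=POST>old/new password fields</form>")
            old, new = req.params.get("old", ""), req.params.get("new", "")
            if not self._check(old):
                return Response(403, "old password incorrect")
            if len(new) < 12:
                return Response(400, "new password too short")
            self._salt = os.urandom(16)
            self._hash = self._derive(new)
            self._sessions.clear()              # force re-login with the new credential
            return Response(200, "changed")


    if __name__ == "__main__":
        leaky = LeakyRouter("hunter2")
        print("leaky GET body:", leaky.handle(Request("/password.cgi")).body)
        print("leaky reset status:", leaky.handle(Request("/password.cgi", params={"adminPassword": "pwned"})).status)
        hard = HardenedRouter("hunter2")
        print("hardened anonymous reset status:", hard.handle(Request("/password.cgi", "POST", {"adminPassword": "pwned"})).status)
    ```

    The difference worth noticing is not the hashing but where the decision is made: in the leaky version the only thing standing between a LAN client and a new admin password is JavaScript the client is free to ignore, while in the hardened version an anonymous request to `/password.cgi` gets the same 401 as every other page and the old password is compared on the device, so a view-source on the form reveals nothing.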

