Framed (Mis)Security Madness



  • Here's some JavaScript I found in the (dynamically generated) pages, from the web interface of a router I have....

    (And because TRWTF is this forum and I can't get the code past the WYSIWYG editor/parser without totally fucking up, I'll post it as a picture)

    WTF

    This goes on for a couple of pages. I did not test if it is possible to actually load frames that you are not supposed to access (or if there is something server-side that actually checks), but even if it isn't, it seems like a major WTF.

    ============[ EDIT ]=============

    And some more:

    if("dGJtMzMzMw==" == "")
     document.writeln('<input type="text" name="pppPassword" size="40" maxlength="64" onfocus="startPause()" onblur="startReload()" value="">');
    else
     document.writeln('<input type="password" name="pppPassword" size="40" maxlength="64" onfocus="startPause()" onblur="startReload()" value="">');


  • Considered Harmful

    "dGJtMzMzMw==" == base64_encode( "tbm333" )

    Definite WTF. All this logic belongs server-side, especially if the router allows remote administration. Even if it doesn't, if someone gets on your wireless network (WEP is trivial to crack), they can just view source to get the admin username, and find other interesting (probably not secured) URLs.


    On a side-rant, I'm sick of seeing <script language="javascript">. The type attribute of the script element is required. HTML really isn't that complicated; why is tag-soup so prevalent?



  •  Oh you clueless noobs. Don't you know that frames SECURELY mediate by design?



  • What brand is this router?

    Most routers have horrible web UIs, the worst is probably D-link's hardware in the silver-and-green chassis (the black-and-orange seem to have some improvements). First, they have 2 megs of ROM that have to store everything, including the OS, services and every HTML page. Well, to save space these guys decided to store every link as a highly-compressed JPEG image (instead of CSS-styled links and buttons which look nicer and need less storage!) The DHCP server's IP address assignment form is often completely broken in Firefox, but a reboot sometimes fixes this bug. Every single action needs a reboot, meaning that configuring network access, adding 3 firewall rules and 4 DHCP clients needs EIGHT REBOOTS!

    Asus routers have UIs that look horrible, with a pink background and a highly compressed JPEG logo and folder-icons stolen from Windows 95, but at least they work better than D-link's.

    The only non-WTF router interfaces I've used are openwrt and dd-wrt.



  • @zlogic said:

    What brand is this router?

     It's a beige box without any identifying marks on it, except for the logo of the provider.

    All of its MAC addresses belong to "ASKEY COMPUTER CORP."
    And the web interface says:

    Firmware:  3.102d2
    ADSL2+ :  A2pB021g.d20h
    Wireless :  4.150.10.5

    for what it's worth
    ================================

    And here's some more military-grade security right there in the JS:

    var tr69AcsUrl = 'http://rms.bezek.com/';
    var tr69cAcsPwd = '[BASE64 PASSWORD HERE]';
    var tr69cConnReqPwd = '[BASE64 PASSWORD HERE AGAIN]';
    var tr69cAcsUser = 'bezeq69';
    var tr69cConnReqUser = 'bezeq69';

    TR69 probably refers to http://en.wikipedia.org/wiki/TR-069
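
As an added illustration (not code from the thread or from the router's firmware) of the point the replies above make about the Base64 literal and the TR-069 variables in the page source: a small Node.js check that flags credential-named variables and Base64-decodable string literals in script served to the browser. `SAMPLE_PAGE` is constructed from the snippets quoted above, the `tr69cAcsPwd` value is a made-up placeholder, and the function names and name heuristic are hypothetical.

```javascript
// Added example. SAMPLE_PAGE is constructed from snippets quoted in this
// thread; the tr69cAcsPwd value is a made-up placeholder, not a real secret.
const SAMPLE_PAGE = `
if("dGJtMzMzMw==" == "")
 document.writeln('<input type="text" name="pppPassword" value="">');
var tr69AcsUrl = 'http://rms.bezek.com/';
var tr69cAcsPwd = 'cGxhY2Vob2xkZXI=';
var tr69cAcsUser = 'bezeq69';
`;

// Variable/property names that suggest a credential (assumed heuristic).
const CRED_NAME = /pwd|pass|user|secret|token/i;

// Return the decoded text if s is canonical Base64 of printable ASCII, else null.
function decodeIfBase64(s) {
  if (s.length < 8 || s.length % 4 !== 0) return null;
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(s)) return null;
  const bytes = Buffer.from(s, 'base64');
  if (bytes.toString('base64') !== s) return null;   // reject non-canonical input
  const text = bytes.toString('latin1');
  return /^[\x20-\x7e]+$/.test(text) ? text : null;  // printable characters only
}

// Walk every quoted string literal in the script and flag it when it is
// assigned to a credential-like name or decodes cleanly from Base64.
function findEmbeddedSecrets(source) {
  const findings = [];
  const literal = /(["'])((?:\\.|(?!\1)[^\\\n])*)\1/g;
  for (const m of source.matchAll(literal)) {
    const value = m[2];
    if (value === '') continue;
    // Name on the left-hand side of "name = '...'" or "name: '...'", if any.
    const lhs = /(\w+)\s*[=:]\s*$/.exec(source.slice(0, m.index));
    const name = lhs ? lhs[1] : null;
    const decoded = decodeIfBase64(value);
    const namedCred = name !== null && CRED_NAME.test(name);
    if (namedCred || decoded !== null) {
      findings.push({ name, value, decoded, namedCred });
    }
  }
  return findings;
}

for (const f of findEmbeddedSecrets(SAMPLE_PAGE)) {
  console.log(f.name || '(unnamed literal)', '->',
    f.decoded !== null ? 'Base64-encoded text' : 'plain text');
}
```

Anything this flags is readable by whoever can load the page, so the remedy is the one given in the reply above: keep the comparison and the secret on the server.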



  • @bdew said:

    @zlogic said:

    What brand is this router?

     It's a beige box without any identifying marks on it, except for the logo of the provider.

    All of its MAC addresses belong to "ASKEY COMPUTER CORP."
    And the web interface says:

    Firmware:  3.102d2
    ADSL2+ :  A2pB021g.d20h
    Wireless :  4.150.10.5

    I wonder if that piece of shit uses GET to submit configuration changes. As ridiculous as it sounds, a reference design by a certain company that starts with C and ends with T was doing that.

     



  • @zlogic said:

    Most routers have horrible web UIs, the worst is probably D-link's hardware in the silver-and-green chassis (the black-and-orange seem to have some improvements). First, they have 2 megs of ROM that have to store everything, including the OS, services and every HTML page. Well, to save space these guys decided to store every link as a highly-compressed JPEG image (instead of CSS-styled links and buttons which look nicer and need less storage!) The DHCP server's IP address assignment form is often completely broken in Firefox, but a reboot sometimes fixes this bug. Every single action needs a reboot, meaning that configuring network access, adding 3 firewall rules and 4 DHCP clients needs EIGHT REBOOTS!

    I have one of those D-Link routers. I got it cheap. After using the admin app, I can see why I got it so cheap. :-p

    The Javascript is seriously broken. They use getElementById to try to access elements for which only the name attribute is defined. Guys, it's called getElementById for a reason...

    (And because of this, the only browser it actually works with on Linux and Mac OS is Opera, because its quirks mode actually takes this particular quirk into account. Though it can be hacked into submission with Firebug on Firefox.)



  • @alegr said:

    I wonder if that piece of shit uses GET to submit configuration changes. As ridiculous as it sounds, a reference design by a certain company that starts with C and ends with T was doing that.

    Ahh, Cunt Corporation. Figures they'd be up to these kind of tricks.



  • @zlogic said:

    Every single action needs a reboot, meaning that configuring network access, adding 3 firewall rules and 4 DHCP clients needs EIGHT REBOOTS!

    You're lucky. My router resets everything on reboot.



  • @bdew said:

    (And because TRWTF is this forum and I can't get the code past the WYSIWYG editor/parser without totally fucking up, I'll post it as a picture)

    And yet you posted it as a JPEG, thereby totally fucking up.


  • Garbage Person

     TRWTF is that you failed to read the dates.



  • @Weng said:

     TRWTF is that you failed to read the dates.

    Aw, shucks. And here I thought I would never fall for this trick.

