Belkin Broadband Voice Modem/Router - wireless 4 port - F1PI242EGau multiple vulnerabilities
Multiple vulnerabilities exist in the Belkin F1PI242EGau (wireless 4 port) router distributed by the Australian ISP iiNet which could give an attacker complete control of the user's router if the user browses a malicious web page.
CSRF and XSS issues in the web administration interface lead to denial of service, information disclosure and DNS hijacking.
The iiNet distribution uses a customized web interface; however, other distributions of the same router may also be vulnerable.
If the router still has the default "admin" password, or the user has an authenticated session with it, an attacker can obtain sensitive information when the user browses a malicious web page. Given enough time, the password could also be brute-forced.
Both the user's ISP account and the router itself could be hijacked. As a result, an attacker could remotely manage the device and redirect the user's web requests by hijacking its DNS settings.
Device
Router Model Name: F1PI242EGau (Distributed by iiNet)
Runtime Code Version: 1.00.002 (Aug 6 2008)
http://www.belkin.com/au/support/article/?lid=ena&pid=F1PI242EGau&aid=10259
Model Specific: Other models and ISP distributions are likely to be vulnerable.
Manufacturer site: http://www.belkin.com.au/
Default IP: http://10.1.1.1/
Default Host: http://iinet.iad/
Default Password: admin
Default session timeout: 0 minutes (no timeout)
CSRF without authorized session
CSRF with authorized session
Once authorized, the following CSRF are possible (more testing required; however, the entire control panel seems vulnerable):
XSS with authorized session
Once authorized, the following XSS are possible:
Information Disclosure
Once authorized, iinet_wizard.stm discloses the VoIP and ADSL usernames and passwords, both in the JavaScript function dhcp_renew() and in the HTML body, as follows:
function dhcp_renew():
html:
Authentication Bruteforce
Passwords can be brute-forced due to a combination of factors:
* The hostname is predictable [http://iinet.iad/] if the user's DNS points at the router [10.1.1.1 by default], so a malicious page does not need to discover the router's address
* The /cgi-bin/login.exe?pws= parameter accepts the password in a GET request and is vulnerable to CSRF
* There is no account lockout for incorrect login attempts by default
* An existing user session is not logged out if an incorrect password is passed to the "pws" parameter, so failed guesses go unnoticed
With enough time an attacker could brute force the user's password, using a method similar to the following:
Once authorized, the router password can also be brute-forced through /cgi-bin/setup_pass.exe:
http://iinet.iad/cgi-bin/setup_pass.exe?userOldPswd=admin2&userNewPswd=admin&userConPswd=admin
The response differs depending on whether userOldPswd is correct or incorrect, which gives an authenticated attacker a password oracle with no lockout.
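The following is an added example and not code from the advisory, Belkin or iiNet. It simulates the login weakness described above (/cgi-bin/login.exe taking the password in a GET "pws" parameter, no lockout, failed guesses leaving the session intact) beside a hardened handler, and runs the same browser-forged guessing loop against both. The router's actual response bodies are not given on this page; the reply strings, the sample wordlist and the class names below are assumptions made for the simulation only. The same lockout and CSRF-token controls close the setup_pass.exe oracle.

```python
"""Local simulation of the F1PI242EGau login brute-force (added example)."""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

DEFAULT_PASSWORD = "admin"        # documented default for the F1PI242EGau
ROUTER_HOST = "http://iinet.iad"  # documented default hostname


class VulnerableLogin:
    """Models the documented behaviour: GET login, no lockout, no logout on failure."""

    def __init__(self, password=DEFAULT_PASSWORD):
        self.password = password
        self.authenticated = False
        self.requests_seen = 0

    def handle(self, method, url, body=None):
        self.requests_seen += 1
        if urlsplit(url).path != "/cgi-bin/login.exe":
            return 404, "not found"
        guess = parse_qs(urlsplit(url).query).get("pws", [""])[0]
        if guess == self.password:
            self.authenticated = True
            return 200, "login ok"        # assumed body
        # A wrong guess neither locks the account nor ends an existing session.
        return 200, "login failed"        # assumed body


class HardenedLogin:
    """Counter-measures: POST only, per-form CSRF token, lockout after N failures."""

    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 300

    def __init__(self, password, clock=time.monotonic):
        self.password = password
        self.clock = clock
        self.csrf_token = secrets.token_urlsafe(16)  # rendered only in the login form
        self.failures = 0
        self.locked_until = 0.0
        self.authenticated = False
        self.requests_seen = 0

    def handle(self, method, url, body=None):
        self.requests_seen += 1
        if urlsplit(url).path != "/cgi-bin/login.exe":
            return 404, "not found"
        if method != "POST":
            return 405, "method not allowed"   # defeats <img src=...> style CSRF
        if self.clock() < self.locked_until:
            return 429, "locked"
        form = parse_qs(body or "")
        token = form.get("csrf", [""])[0]
        guess = form.get("pws", [""])[0]
        if not hmac.compare_digest(token, self.csrf_token):
            return 403, "bad csrf token"       # a cross-site page cannot read the token
        if hmac.compare_digest(guess, self.password):
            self.failures = 0
            self.authenticated = True
            return 200, "login ok"
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked_until = self.clock() + self.LOCKOUT_SECONDS
        return 401, "login failed"


def guessing_attack(router, wordlist, method="GET", token=None):
    """One request per candidate at the predictable host, as a malicious page
    could forge via <img> (GET) or an auto-submitted form (POST).  Such a page
    cannot read responses or the CSRF token; pass token=... only to model an
    attacker who can see the login form (e.g. already on the LAN).
    Returns whether the victim's browser ended up with an authenticated session."""
    for candidate in wordlist:
        if method == "GET":
            router.handle("GET", f"{ROUTER_HOST}/cgi-bin/login.exe?pws={candidate}")
        else:
            body = f"pws={candidate}" + (f"&csrf={token}" if token else "")
            router.handle("POST", f"{ROUTER_HOST}/cgi-bin/login.exe", body=body)
    return router.authenticated


# Constructed sample wordlist; the documented default is deliberately last.
WORDLIST = ["password", "1234", "belkin", "iinet", "letmein", "admin"]

if __name__ == "__main__":
    weak = VulnerableLogin()
    print("vulnerable handler compromised:", guessing_attack(weak, WORDLIST))
    strong = HardenedLogin(DEFAULT_PASSWORD)
    print("hardened handler, forged POSTs:", guessing_attack(strong, WORDLIST, "POST"))
    lan = HardenedLogin(DEFAULT_PASSWORD)
    print("hardened handler, LAN attacker:", guessing_attack(lan, WORDLIST, "POST", lan.csrf_token))
    print("LAN attacker locked out:", lan.locked_until > 0)
```

Against the vulnerable handler every forged GET is processed and the default password is found on the sixth request. The hardened handler rejects forged GETs and token-less POSTs outright without counting them as failures, and an attacker who can present the token is locked out after five wrong guesses before reaching "admin". An idle-session timeout, as in the suggested fixes below, would additionally bound how long a leftover authenticated session can be abused.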
Solution
Vendor : Belkin & iiNet
Notified :
2009-01-01 - iiNet & Belkin - No response
2009-01-20 - US CERT - No response from vendor
Fix : None at this time
Suggested Fix:
* Provide routers with a unique per-device default password rather than "admin", for example one derived from the MAC address (note that the MAC address itself is visible to anyone on the local network, so a randomly generated password printed on the device is stronger)
* Advise users to always log out and to change the default password, not just on the remote management page but also in the help guides:
https://iihelp.iinet.net.au/Setting_up_an_iiNet_Belkin_router
https://iihelp.iinet.net.au/setting_up_a_broadband_modem_or_router
* Set the default session timeout to less than 10 minutes
Reference
OWASP: Cross Site Request Forgery