Router Hacking Challenge
We want you to hack your router! Yes, you. We want you to hack your router and make your findings public on this very same page, on the sla.ckers forum or at hackerwebzine[at]gmail[dot]com. The best and most interesting hacks will receive credit, a lot of attention and good media coverage.

The challenge is supposed to run from 2nd February until 29th February, though the end date is yet to be clarified because we know that there is a lot to be found.
The reason we do this is that we want you to help the community map the current state of embedded device vulnerabilities. GNUCITIZEN members have been actively involved with finding vulnerabilities in routers in the past. We believe that embedded device hacking is a huge topic that is yet to be explored in depth. Your submissions will be included in numerous presentations and research materials and will be credited appropriately.
The rules are very flexible: every kind of exploit is allowed, from buffer overflows to the CSRF issues that plague many routers.
Comments
i have a cisco 2514 and i'm willing to open it to the public via telnet.
please comment.
udi, this is an interesting proposal but we are interested in you hacking your own appliance. send us your findings and we will publish them among the best hacks.
MoRB (Month of Router Bugs) eh! :)
Bipin, I guess so although it is kind of more distributed and slightly more playful. The main idea is to get a good picture of what’s going on at the moment when it comes to router hacking. Feel free to advertise it as MoRB :) just to get people to join our friendly challenge although make sure that people should not expect having one vulnerability per day. The more people participate with their router hacks the more vulnerabilities we will be able to outline.
loftgaia, 10x for participating. so basically the router is vulnerable to one of these IP-based session management attacks Adrian was talking about.
dzman has submitted the following entry:
Come on guys, keep the hacks coming! There are literally MANY issues affecting embedded devices, many of which do *not* require low-level reverse engineering skills to be discovered.
loftgaia, that sounds like an IP-based session management vulnerability. It’s really concerning how many devices blindly trust the admin’s source IP address after logging in, for authentication state reasons! Corporate networks sharing proxies are definitely at risk on this one.
Also guys, we need to remember that the definition “consumer grade” devices is becoming very blurry these days as these “home” devices are also used by companies in SOHO networks. Exciting topic indeed!
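As an added illustration of the source-IP trust problem described above (and of why any web page loaded by the admin can push settings to such a router, as other entries in this thread show), here is a small Python model of the weak design beside a token-based one. This is example code written for this page, not code from the thread, GNUCITIZEN or any vendor; the admin password, the console address 192.168.1.1 and the request fields are constructed assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

ADMIN_PASSWORD = "constructed-admin-pw"   # constructed sample credential
ADMIN_ORIGIN = "http://192.168.1.1"       # assumed address of the admin console
@dataclass
class Request:                            # constructed stand-in for one HTTP request
    src_ip: str
    method: str = "GET"
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    origin: str = ""                      # browser-supplied Origin header, if any

class IpTrustingConsole:
    """Weak pattern: after one login the device records the admin's source IP
    and treats every later request from that IP as authenticated."""
    def __init__(self):
        self.logged_in_ips = set()
    def login(self, req, password):
        ok = hmac.compare_digest(password, ADMIN_PASSWORD)
        if ok:
            self.logged_in_ips.add(req.src_ip)
        return ok
    def is_authenticated(self, req):
        # Any host behind the same NAT/proxy, or any page loaded in the admin's
        # own browser, passes this check without ever seeing the password.
        return req.src_ip in self.logged_in_ips

class TokenConsole:
    """Hardened pattern: an unguessable session cookie identifies the session;
    state-changing requests must also carry the per-session CSRF token in the
    form body and an Origin header naming the console itself."""
    def __init__(self):
        self.sessions = {}                # session id -> csrf token
    def login(self, req, password):
        if not hmac.compare_digest(password, ADMIN_PASSWORD):
            return None
        sid, csrf = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.sessions[sid] = csrf
        return sid, csrf
    def is_authenticated(self, req):
        csrf = self.sessions.get(req.cookies.get("sid", ""))
        if csrf is None:
            return False                  # no valid session cookie at all
        if req.method == "GET":
            return True                   # read-only page: the cookie suffices
        # The browser attaches the cookie to a cross-site form post too, so the
        # token and Origin are what a page on another site cannot supply.
        return (hmac.compare_digest(req.form.get("csrf", ""), csrf)
                and req.origin == ADMIN_ORIGIN)

def cross_site_config_change(console, admin_ip, sid=""):
    """A DNS-change POST the admin's browser issues because a foreign page told
    it to: same source IP, session cookie attached, no CSRF token, foreign Origin."""
    cookies = {"sid": sid} if sid else {}
    req = Request(admin_ip, "POST", cookies, {"dns": "203.0.113.9"}, "http://evil.example")
    return console.is_authenticated(req)
```

The IP-trusting console accepts the cross-site change outright, while the token-based one rejects it even though the browser sent the valid session cookie along.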
@loftgaia: I have the same one and I noticed that the password is not encrypted. If you go to the systems settings and open the source, search for “http_passwd”. It’s a hidden input field. The password is stored in plaintext and you can easily change it without knowing it. You need to be logged in to view it, but since you can now hijack the session you can easily take control.
Check out my blog on the latest post. Basically there is a design flaw in CISCO firewall products.
@loftgaia - that auth bypass reminds me of the one found by Ginsu Rabbit on Linksys WRT54g home router, firmware revision 1.00.9: http://www.securityfocus.com/a.....0/threaded
This is what I like to call an “unprotected requests” authentication bypass vulnerability, which I discussed in my “Cracking into embedded devices and beyond!” presentation:
http://www.gnucitizen.org/blog.....beyond.pdf
However, way more material on this topic, including new tools and techniques will be presented at HITB Dubai: http://conference.hackinthebox.....age_id=186
I’m still working on this stuff so I’ve changed the URL I’ve supplied you (HackerWebzine).
You may now find it here: http://kinqpinz.info/lib/wrt54g/own.txt
I’ve also now got live demos running at: http://kinqpinz.info/lib/wrt54g/
If you’re running the same router or know someone who does, have them try these submissions and post their results.
Greets,
meathive
meathive, 10x for participating
meathive, submission follows:
marios’s submission follows:
I wonder if the XSS will appear on our next phone bill ;)
I am not sure about this one but here is an idea: what if you fill it with space for padding and write your own phone bill :) I am not sure what you are going to use it for but still…
Nice .mario! That is just badass incredible! hehe… good stuff so far.
Or maybe some ascii art :)
yep, that too… :)
@Adrian - it’s amazing the flaws that one can find in these routers. That 2-year-old Linksys flaw is basically the same as this router’s.
It’s alarming actually, to know that anyone can write an html page and obtain TOTAL control of my router.
I hope this router-hacking challenge and your presentation at Dubai make people aware of how insecure some routers are.
@meathive - that auth bypass issue appears to be the exact same finding published by Ginsu Rabbit which I mentioned in a previous comment: http://www.securityfocus.com/a.....0/threaded
GS posted the “disable wireless setting” request which matches yours:
However, I must say that you documented your finding very nicely! Good job meathive!
@.mario - I’m wowed by your VoIP calls theft finding! wayyy cool stuff. you should find out if the IP phone responds to a certain domain name. i.e.: snom.phone
also, please correct me if I’m wrong, but isn’t there an infamous Snom IP phone model that comes with a built-in sniffer that can be accessed via the web console? I remember seeing it on these VoIP security slides somewhere but can’t get hold of them. The slides even had a screenshot of the sniffing feature of the web console. Anyone seen this?
mutax, 10x for submitting this entry!
forgot to add :)
if the Snom IP phone does respond to a certain domain name, then the attacker doesn’t need to predict the IP address of the device on the malicious page that causes the phone to call an arbitrary number!!!
Gareth Heyes has submitted the following entry:
I apologize for those of you unable to access my demo. My hosting provider has indefinitely shut down kinqpinz.info due to my router hacking post.
I’ve asked on Ronald’s forum but would also like to ask here, if someone can recommend a hosting provider that doesn’t censor its members. I’d like to get back online as soon as possible.
Thank you.
posted by beford on sla.ckers.org:
@loftgaia - you’re so right. The vulnerabilities you can find are amazing. Many of these issues wouldn’t be found on regular web apps these days. However, because embedded devices are very primitive in regards to limited hardware, security is very often sacrificed.
Changing DNS server settings without password! WOW! Throw away your Belkin F5D7230-4 ASAP!
I bet you can find many more issues, although at this point you owned your router completely since you proved any webpage can make any changes to it!!! :-)
HTTP and related protocols such as UPnP really are the low-hanging fruit of embedded device security. I can’t believe that a router hacking challenge like this one hasn’t happened before.
the router hacking challenge is going pretty well, don’t you think :)
meathive, I went through the same experience as well. The best you can do is to get some VPS or a proper server hosting solution, or maybe even consider the options to host things yourself. You might want to check Amazon’s Simple Storage service, as it is very reliable and very, very cheap.
@pdp - the challenge really is going great! However, I think it’d be cool to think of it as an “embedded devices hacking challenge”, rather than focusing on *routers* only.
Take .mario’s super cool VoIP theft hack. It’s a great finding but it’s on an IP phone rather than a router. We should definitely also promote hacking IP phones, cameras, printers and so on! The more variety, the more colorful the hacks will be!
http://blog.v-wall.co.uk/?p=60 - thought I would direct any possible readers of my site into the game
10x, v-wall
http://pastebin.com/m5ad456b3
@Adrian: The Snom phone can be configured to listen on a domain - but won’t by default.
A little hint for those of you who don’t know where to start: try running a thorough Nessus scan, once from inside your private network and once from the outside, and see what you get.
Usually the results are shocking...
@tokumei:
nmap -sP 192.168.0.0/24
also does the job and won’t take as long as a Nessus scan ;) Nothing is as fast as ARP scans when you are inside the LAN.
My favorite nmap ARP scan command:
nmap -n -T5 -sP -PR 192.168.0.0/24
In Cain: Sniffer/Hosts/(Right-click) Scan MAC Addresses
@Adrian: Indeed - twice as fast. Nice!
Kender, 10x for submitting this finding.
hello pdp,
I found a way to bypass any authentication in one of the most used WiMAX antennas made by Airspan. It’s possible to access it without configuring a specific IP range, so depending on how your WiMAX network is set up, you may be able to access other antennas.
may I post it right here, or is it not considered a ‘router’? :-)
peace, nex.
nexact, absolutely. feel free to post that info :)
@Kender - damnit, you mentioned one of the issues I’ve covered on a ZyXEL gateway hacking paper I’ve been working on for some time! :) Although I found the issue in particular on other models. It seems that there is a lot of source code reuse among many ZyXEL models.
Keep the research coming guys!
Yeah, they almost all run ZyNOS. The stupid thing is that the RomPager embedded webserver they use does support basic auth. I’d like to dig into the firmware as well, but can’t figure out how to load it in IDA :( The telnet interface is interesting as well, it even has packet capture abilities.
@desl0w - very nice auth bypass vulnerability. Perhaps it was reported longer ago than in 2007. These guys published the following advisory in 2006. The only difference in their advisory is that they make the request to the .cfg file under the ‘/cgi-bin/’ directory:
http://www.intruders.org.br/adv0206en.html
Nice find indeed! If you find a XSS, then you can steal that info even if the web console is only enabled on the LAN interface (rather than WAN), by having the victim user visit your evil page!
Just make the XSS payload use the XHR() function to scrape ‘/blah.cfg’ and send it to the attacker’s site.
@Adrian Pastor - Very Nice! I never shined too much light on this but that is definitely an idea worth expressing. I have another ZyXel AP and a Linksys Wifi Cam I have been playing with. I noticed the Linksys Cam has telnet open. Is this normal? I have never nmap’d a Linksys product until yesterday and noticed it was open.
@diesl0w - some devices come with telnet on by default. i.e.: zyxel prestige gateways. IP cameras-wise I’ve played with Axis IP cameras, which although support telnet (you need to edit the ‘inittab’ file), do not have it enabled by default.
I guess all the bugs in the WRT54G are known, but I have just tested this device myself. I have version 7. As it is with other routers, I can change all the device settings without a password prompt using POST requests.
http://router_ip/Config.bin has all the passwords and keys in plain text, but you have to be logged in to get that, since the router doesn’t allow GET requests without authorization.
One more thing I have found out is that port 21 is open and, whether you change the router password or not, the ftp password is always the same: admin and no login. There are some files like nvram.cfg that have the router settings (no passwords), one file with the list of all html pages, one ELF executable which I failed to disassemble - IDA crashes with the following error: “the processor module is prohibited by the key”, and a few other files. Maybe somebody has more knowledge and can help me with disassembling it.
I can also cause a DoS and force the router to restart if I log in to ftp with a very long username and password.
I have a WRT54GS with firmware v1.52.0.
I can send POST requests to *.tri but the settings won’t be changed. Even though the settings are not modified, I get a Status OK - 200 after the POST request.
I did some tests and so far you must have the Authorization header with the right value to successfully change the settings.
I noticed the same thing on another WRT54G model without wifi…POST requests were similar but no changes succeeded. I also don’t have any of the CFG files al1us is talking about, making the attack avenue slim until some code injection is found.
hey ap,
can you post some details here so we keep a log of all these issues :) cheers
@loftgaia - Googling for /cgi-bin/setup_dns.exe reveals that the exact same auth bypass was reported on a Philips router in Feb 2007: https://bugzilla.mozilla.org/show_bug.cgi?id=371598
I guess both devices, even though they’re different brands, are sharing the same firmware?
@Adrian - Dunno, anyway here’s the link to the firmware I’m using:
http://www.belkin.com/support/......01.10.bin
btw guys, Kender has been working on a quite neat ZyXEL reverse engineering project. He wrote a tool that allows you to read the admin password from the config file (rom-0) in the clear, which is not possible by default. Sweet!
I’m hoping we will post the details soon!
10x ikki
Here is a quick summary, in no particular order, of the types of vulnerabilities we are exhibiting:
laurent, it is never too late to submit your findings on this page. thanks for the info. btw, have you JTAGed the device?
No Netgear router hacks yet?
Adrian you wrote: “Just make the XSS payload use the XHR() function to scrape ‘/blah.cfg’ and send it to the attacker’s site.” How is it possible?
I got a few Netgear router hax innit, will post more info at some point. kthnx.
10x, that will be very, very helpful.
Thanks to everyone for their contributions on this. As a lowly sys-admin I’m a bit shocked by the implications here. At first I wondered if the attacks were only possible from the private side but once I slapped my forehead I realized it didn’t really matter. Has anyone tabulated the results submitted so far? I’m always asked about what model router I would recommend and it is clear I have to dig through these results and make some comparisons before I can recommend any of them.
My finding: http://vx.netlux.org/wargamevx.....fi_PoC.zip
WarGame, can you post a quick summary of your findings. That way more people will be interested to see what is behind this ZIP file :)
As we can all see, there are MANY SOHO routers vulnerable to authentication bypass issues. For those who have no clue how to find them, check out the following GNUCITIZEN posts:
http://www.gnucitizen.org/blog.....pass-pt-1/
http://www.gnucitizen.org/blog.....pass-pt-2/
http://www.gnucitizen.org/blog.....pass-pt-3/
http://www.gnucitizen.org/blog.....pass-pt-4/
hi, i am in spain. I have 1 wireless unlocked and the other 10 locked. How can i unlock them? i think some routers have the key on the back; if i know the mac can somebody tell me the password?
I want to hack JAzztel and Moviestar.
http://i119.photobucket.com/al.....86/mac.jpg
This isn’t new and it isn’t necessarily a hack for Netgear routers but it does provide a backdoor to certain newer Netgear routers. Netgear has an internal program for developers that has been leaked to the public to allow a “Telnet Console” for developers. This opens up the router for someone to telnet into the router with a default username and password. What is scary is that it allows admin privileges to the router and the ability to view the username and password of the web interface in plain text. I have found that the “Telnet Console” is disabled every time a new change is made via the web interface or a router reboot. I have personally done this on my own Netgear router.
Here are some links for the info:
http://www.seattlewireless.net.....gearWGR614
http://wiki.openwrt.org/OpenWr.....netConsole
http://blog.ktdreyer.com/2008/.....gr614.html
be really careful when you report a vulnerability, there’s a chance that someone else steals your credit by reporting it to SecurityFocus… Arthur Lashin just stole mine.
http://www.securityfocus.com/bid/28122/info
http://www.kb.cert.org/vuls/id/248372
The vendor has been aware since 2007-10-15 and issued me a ticket number.
that kind of sux. can you prove it? you could either send a response to his email or leave it be, as you might not find it worth fighting things like that.
i can prove it. i sent an email to USCERT / Securityfocus / him. waiting for news.. that’s why i’m never publishing 0days, ppl ripping credits. hehe.
it really depends what your intentions are :)
woot. my name has been added into credits. i guess i won.
excellent news, glad that this has been resolved.
i don’t have a wireless router. all i want to do is hack my neighbour’s router; i need the password to his router
what I believe was happening is that you crashed a CGI script or the actual HTTP server, which upon exit informed the system to reboot. this is a very common behavior among embedded devices. when you see an embedded device rebooting it is definitely because you caused something to do what it was not supposed/designed to - mostly stack, heap overflows. it is not very clear from your post but are you saying that the payload has to be 298+ characters long?
exploiting buffer overflows for these devices is as trivial as it can get, but the one thing that is a problem is to either login into the device and observe any strange messages appearing in the log files which could indicate what the problem is, or attach yourself directly to the device motherboard via JTAG. the second is a bit more complicated. Once we have this information we can verify the exploitability of the problem by mangling the address space and if it passes all tests we can sit down and spend time writing payload/shellcode for the affected architecture if there isn’t one yet.
“…it is not very clear from your post but are you saying that the payload has to be 298+ characters long?”
Yeah, for example, a 299 characters long username, or 149 char. long username with 150 char. password. All characters were in the ASCII range.
I basically came across this “http://secunia.com/advisories/29366/” and wanted to see if the DI-624 is also affected.
I forgot to mention the hardware revision is C3.
It seems like the source code for the device is available at “ftp://ftp.dlink.co.uk/GPL/DI-624_E1_GPL.tgz” but I haven’t had time to look over it yet…
bug: once you have a XSS vulnerability on the router, all you have to do is use the XMLHttpRequest() function in the JavaScript which is executed in the XSS attack:
http://www.quirksmode.org/js/xmlhttp.html
Check out exploit #2 for the BT Home Hub for a real example on how to do this: http://www.gnucitizen.org/blog.....ome-hub-4/
Regarding the DI-624 issue: yes, it could be a memory corruption bug (i.e: buffer overflow) but we shouldn’t ignore the possibility of a resource exhaustion issue, since the hardware of some embedded devices is very limited.
hello
is it possible to hack a router’s enable password?
I have a router but i can’t log into enable mode.
so give me tips on how i can log into enable mode
without rommon mode.
I have a config.bin to decrypt the password. so is it possible? http://rapidshare.com/files/11.....g.bin.html
Tks.. ;)
how to hack netgear ad