Hi there, welcome to my first post in my new blog 😄
Recently, while cleaning up at home I have found quite a few routers that used to manage my apartment's internet connection. My first thought was that they were obsolete and I should just get rid of them, but then a few friends suggested I give them another purpose in life - by using them for educational purposes. I thought that was a great idea and so here we are.
Let's dive into it, and of course we'll start by examining our attack surface.
Once powered up and connected, we can find the default management interface at http://192.168.1.1:
[screenshot: router login page]
Now, let's assume we don't know the credentials to log in to the router, and the defaults do not work (for the sake of the challenge 😉).
If so, this page isn't very helpful... Let's see what else we have to work with. Using nmap we can scan the router's ports to find any other possible entry points. After running
nmap -Pn -p1-65535 192.168.1.1
we get the following result:
Starting Nmap 7.80 ( https://nmap.org ) at 2022-11-13 22:34 IST
Nmap scan report for 192.168.1.1
Host is up (0.028s latency).
Not shown: 65531 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
1780/tcp  open  dpkeyserv
1990/tcp  open  stun-p1
52000/tcp open  unknown
That 52000 port seems kinda odd... Let's check it out:
Oh wow 😯
The admin panel just pops up, without any authentication!
Looks like we don't need any credentials after all... This opens up a whole world of possible entry points, but let's check the classic one first.
Usually in routers like this one there is a ping feature which is almost always vulnerable to some code injection. The ping feature in this router can be found under Administration > Diagnostics:
[screenshot: Diagnostics page with the ping form]
Here, the easiest guess would be that the backend of this webpage takes the provided IP address and just uses it as an argument in a command similar to
ping -c $count -s $packet_size $target_ip
In that case, if we manage to sneak in a pair of &'s after the IP address we could execute any command we'd like!
I would like to believe that the devs of this software have at least implemented client-side input validation, but let's make sure:
As expected, this input did not pass the client-side validations. To bypass those validations we can use a proxy tool, such as Burp Suite. Burp will allow us to intercept the request being sent from the client to the backend and modify it, as such:
Of course, we use the URL-encoded version of &, which is %26.
Once Forward is clicked, the following window pops up:
We can't see the result of the command, but we also can't see any errors, which is probably a good sign. Let's try a different command, one that will tell us for sure we managed to execute it, reboot for example. After modifying the request the same way as we did above, just with reboot instead of ls as the injected command, the router indeed reboots 🎉