Taking over the TRENDnet TEW-812DRU
- The TEW-812DRU can be taken over by a remote adversary through CSRF attack.
The TRENDnet TEW-812DRU router is susceptible to several CSRF attacks, which allow an attacker to forge HTML forms and execute actions on behalf of a legitimate user. ISE created a proof of concept that when executed by an unsuspecting device administrator, changes the administrator credentials and enables remote web management services.
- The victim must have an active management session with the Actiontec router.
- The victim must be fooled in to performing an action (e.g., by clicking an attacker provided link), browse to a malicious or compromised site, or be the victim of a man-in-the-middle attack.
All HTML forms present in the TRENDnet TEW-812DRU are susceptible to Cross-Site Request Forgery.
- Vulnerable Firmware is 220.127.116.11.
- Other versions of firmware were not tested.
A successful attack exploiting this vulnerability can give a remote adversary full control over the victim router.
Recommendations to the vendor
- Cross-Site request forgery can be prevented by including an unpredictable token in each HTTP request submitted to the web server. At a minimum, these tokens should be unique to each user, but it is recommended that each HTML form delivered contain a unique token.
- In addition to HTML form tokens, HTTP refferer checking should be enabled.
- Additional information for vendors regarding immediate and long term fixes for these issues can be found on our summary page here.
Recommendations to device administrators
- (4/13/2013) There is not currently an available firmware upgrade that will remedy this vulnerability.
- Take additional preventative measures and precautions by following the steps outlined on our summary page here.
Proof of Concept
In the following proof of concept attack, we assume that a device administrator with an active management session established with the router has browsed to a malicious web page. Once there, a series of automatic form submissions take place, one after the other, to the administrator's router, from the administrator's browser. Since the administrator has a current session established with the router, the form submissions are processed.
The first form (Figure 1) is pre-filled out with the information required to change the administrative credentials required to configure the router. The form is automatically submitted, and the victim's browser is then redirected to a second page.
This second page (Figure 2) is pre-filled with the information required to enable remote management. Again, the form is automatically submitted on behalf of the victim.
At this point, the attacker can remotely administer, and thereby remotely control the router.
- Discovered By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators
- Exploited By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators
- For more information on this particular Belkin hack, you can contact us at firstname.lastname@example.org
- Alternatively, for more general information on ISE, you can reach us using email@example.com