Belkin Broadband Voice Modem/Router - wireless 4 port - F1PI242EGau multiple vulnerabilities

Multiple vulnerabilities exist in the Belkin F1PI242EGau (wireless, 4 port) router distributed by the Australian ISP iiNet, which could allow an attacker to take complete control of the user's router if the user browses a malicious web page.

CSRF and XSS issues in the web administration interface lead to denial of service, information disclosure and DNS hijacking.

The iiNet distribution uses a customized web interface; however, other distributions of the same router may also be vulnerable.

If the router still has the default "admin" password, or the user has an authenticated session with the router, an attacker may gain access to sensitive information when the user browses a malicious web page. Given enough time, the password could also be brute-forced.

Both the user's ISP account and the router itself could be hijacked. As a result, an attacker could remotely manage the device and, by changing its DNS settings, redirect the user's web requests.

Device

Router Model Name: F1PI242EGau (Distributed by iiNet)
Runtime Code Version: 1.00.002 (Aug 6 2008)
http://www.belkin.com/au/support/article/?lid=ena&pid=F1PI242EGau&aid=10259

Model Specific: Other models and ISP distributions are likely to be vulnerable.

Manufacturer site: http://www.belkin.com.au/

Default IP: http://10.1.1.1/
Default Host: http://iinet.iad/
Default Password: admin
Default session timeout: 0 minutes (no timeout)

CSRF without authorized session

CSRF with authorized session

Once authorized, the following CSRF requests are possible (more testing is required, but the entire control panel appears to be vulnerable):

XSS with authorized session

Once authorized, the following XSS issues are possible:

Information Disclosure

Once authorized, iinet_wizard.stm discloses the VoIP and ADSL usernames and passwords, both in the JavaScript function dhcp_renew() and in the HTML body, as follows:

function dhcp_renew():

html:

Authentication Bruteforce

Passwords can be brute-forced due to a combination of factors:

* The hostname is predictable [http://iinet.iad/] if the user's DNS points at the router [10.1.1.1 by default], so a malicious page does not need to know the LAN address
* /cgi-bin/login.exe takes the password in the "pws" query-string parameter of a GET request, so a login attempt can be forged cross-site (CSRF) from any page the user visits
* There is no account lockout for incorrect login attempts by default
* An existing user session is not logged out when an incorrect password is passed to the "pws" parameter, so failed guesses go unnoticed by the user

With enough time, an attacker could brute-force the user's password using a method similar to the following:

It is also possible to brute-force the router password once authorized, using /cgi-bin/setup_pass.exe:

http://iinet.iad/cgi-bin/setup_pass.exe?userOldPswd=admin2&userNewPswd=admin&userConPswd=admin

This returns different results depending on whether userOldPswd is correct or incorrect, which makes the handler a password oracle. Note that a correct guess with the request above also changes the password to "admin", and that to use the differing responses an attacker must be able to observe them, for example through the XSS issues described above.

Solution

Vendor : Belkin & iiNet

Notified :
2009-01-01 - iiNet & Belkin - No response
2009-01-20 - US CERT - No response from vendor

Fix : None at this time

Suggested Fix:

* Provide routers with a better default password, such as one derived from the device's MAC address
* Lock out or rate-limit login attempts after repeated incorrect passwords, and end the current session when an incorrect password is submitted
* Advise users to always log out and to change the default password, not just in the remote management page, but also in the help guides:
https://iihelp.iinet.net.au/Setting_up_an_iiNet_Belkin_router
https://iihelp.iinet.net.au/setting_up_a_broadband_modem_or_router
* Set the default session timeout to less than 10 minutes
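The following is an added illustration written for this page, not Belkin or iiNet firmware code: the real /cgi-bin/login.exe and /cgi-bin/setup_pass.exe handlers are not public, so the router side is a stand-in that reproduces only the properties listed in the Authentication Bruteforce section (a single never-expiring session, no lockout, no logout on a wrong password, and a password-change reply that reveals whether userOldPswd was right). Against it run the two brute-force loops those properties permit, and beside it a hardened handler that applies the suggested fixes above. The response bodies, the limits (5 failures, 5 minute lockout, 10 minute timeout), the wordlist and the "guess as old, new and confirm password" trick are all assumptions chosen for the example.

```python
import secrets


class VulnerableRouter:
    """Stand-in for the behaviour the advisory describes (not real firmware code)."""

    def __init__(self, password="admin"):
        self.password = password
        self.session = None          # one admin session, never expires

    def login(self, query):
        # GET /cgi-bin/login.exe?pws=<guess>  (forgeable with an <img> or <script> tag)
        if query.get("pws") == self.password:
            self.session = "authorised"
            return 200, "welcome"
        return 200, "bad password"   # an existing session survives the failure

    def setup_pass(self, query, session):
        # GET /cgi-bin/setup_pass.exe?userOldPswd=..&userNewPswd=..&userConPswd=..
        if session is None or session != self.session:
            return 403, "login required"
        if query["userOldPswd"] != self.password:
            return 200, "old password incorrect"   # distinguishable reply: the oracle
        if query["userNewPswd"] != query["userConPswd"]:
            return 200, "passwords do not match"
        self.password = query["userNewPswd"]
        return 200, "password changed"


def brute_force_login(router, candidates):
    """Each guess is one forged login request; stops at the first 'welcome'."""
    for guess in candidates:
        if router.login({"pws": guess})[1] == "welcome":
            return guess
    return None


def brute_force_setup_pass(router, session, candidates):
    """Authenticated oracle. Sending the guess as old, new and confirm password means a
    hit leaves the password unchanged (an assumption of this example; the advisory's
    request instead sets it to 'admin')."""
    for guess in candidates:
        form = {"userOldPswd": guess, "userNewPswd": guess, "userConPswd": guess}
        if router.setup_pass(form, session)[1] == "password changed":
            return guess
    return None


class HardenedRouter:
    """Suggested fixes: per-device default password, lockout after repeated failures,
    a wrong password ends the current session, sessions expire, and setup_pass needs a
    per-session CSRF token and answers every failure with the same message."""
    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 300
    SESSION_TIMEOUT = 600

    def __init__(self, password=None, clock=None):
        self.password = password or secrets.token_urlsafe(12)  # stands in for a MAC-derived default
        self.clock = clock or (lambda: 0.0)    # injectable clock keeps the demo deterministic
        self.session = self.csrf_token = None
        self.failures, self.locked_until, self.last_seen = 0, 0.0, 0.0

    def _fail(self, now, body, status=401):
        self.session = None                    # drop any existing session on a wrong password
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked_until = now + self.LOCKOUT_SECONDS
        return status, body

    def login(self, form):
        now = self.clock()
        if now < self.locked_until:
            return 429, "locked"
        if form.get("pws") != self.password:
            return self._fail(now, "bad password")
        self.failures = 0
        self.session, self.csrf_token = secrets.token_hex(16), secrets.token_hex(16)
        self.last_seen = now
        return 200, "welcome"

    def setup_pass(self, form, session, csrf_token=None):
        now = self.clock()
        if session is None or session != self.session:
            return 403, "login required"
        if now - self.last_seen > self.SESSION_TIMEOUT:
            self.session = None
            return 403, "session expired"
        if csrf_token != self.csrf_token:
            return 403, "login required"       # forged cross-site request: no token
        if now < self.locked_until:
            return 429, "locked"
        self.last_seen = now
        if form["userOldPswd"] != self.password or form["userNewPswd"] != form["userConPswd"]:
            return self._fail(now, "password change rejected", 400)   # one message, no oracle
        self.password = form["userNewPswd"]
        return 200, "password changed"


WORDLIST = ["password", "admin1", "admin2", "letmein", "iinet", "12345", "admin"]  # constructed


def demo():
    vuln = VulnerableRouter("admin")
    weak = brute_force_login(vuln, WORDLIST)                        # "admin"
    oracle = brute_force_setup_pass(vuln, vuln.session, WORDLIST)   # "admin" again
    hard = HardenedRouter("admin")
    strong = brute_force_login(hard, WORDLIST)                      # None: locked after 5 tries
    victim = HardenedRouter("admin")
    victim.login({"pws": "admin"})                                  # legitimate session
    forged = victim.setup_pass({"userOldPswd": "admin", "userNewPswd": "admin",
                                "userConPswd": "admin"}, victim.session)   # no CSRF token
    return weak, oracle, strong, forged


if __name__ == "__main__":
    print(demo())
```

The forged request in demo() carries the victim's session (the browser attaches the cookie) but not the CSRF token, which is why it is refused; the lockout is what stops the unauthenticated loop, since a forged login can just as easily be a POST.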

Reference

OWASP: Cross Site Request Forgery

OWASP: Cross Site Scripting

OWASP: Default Passwords

OWASP: Denial of Service

OWASP: Information Disclosure

Appendix

[H]iiJack : http://attacker/hiijack.html

Remote Javascript : http://attacker/a.js