JavaScript Attack on Routers

Thursday, June 21, 2012 @ 04:06 PM gHale


Online attackers could use a technique for sending requests to devices on an internal network to compromise home and small-business routers, researchers said.

By combining JavaScript with cross-site request forgery to send requests to devices on an internal network from an external Web site, an attacker could deliver a compromised binary to an internal router and reflash the router’s memory with malicious firmware, said researchers Phil Purviance and Joshua Brashars of AppSec Consulting. They will present their attack method at the Black Hat conference in July.


“With this attack, you can actually start compromising network devices with little to zero user intervention,” said Brashars, a senior security consultant at AppSec. “At that point, once a network device is compromised, you are no longer reliant on a user keeping their Web browser open.”

At the Black Hat security conference in 2006, and again in 2007, Web security experts Jeremiah Grossman and Robert Hansen showed that cross-site request forgery (CSRF) could force browsers to send requests from a malicious website to devices on the internal network.

Grossman and Hansen, though, never refined the technique to the point of pushing binaries through the CSRF channel. Instead, the attacker had to social engineer victims into entering their usernames and passwords for internal devices.

“There was quite a bit of social engineering that had to be done in order to make it work,” Purviance said. He and Brashars brought the attack to a new level.

“The advantage of this attack is that there is no social engineering required,” Purviance said.

While the pair of researchers declined to give details of the technique, they said their attack allows fully automated infection of devices on the network. Because the attack makes use of HTML5 and other new browser technologies, more modern browsers are more susceptible to it, Purviance said.

After the attacker conscripts the browser, the second part of the attack is uploading the rogue firmware to the router. The two researchers have found ways around the requirement of authenticating to the router. Purviance and Brashars would not discuss details, but Grossman said there are three possibilities: bypass the device authentication, guess the password, or exploit a vulnerability in the router itself.
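The attack works because the victim's browser forwards a cross-site request to the router with whatever credentials it holds; the request still carries the external site's Origin or Referer header, which the device can refuse. The following is an added example written for this page, not code from the article or from the researchers: a request guard for an embedded device's firmware-upload endpoint. The function and constant names (checkFirmwareUpload, DEVICE_ORIGINS) and the 192.168.1.1 address are this example's own assumptions.

```javascript
// Added example: guard a router admin endpoint against cross-site requests.
// Assumed device address; a real device would derive this from its own config.
const DEVICE_ORIGINS = new Set(['http://192.168.1.1', 'https://192.168.1.1']);

// Reduce a Referer URL to its origin, or null if it does not parse.
function originOfReferer(referer) {
  try { return new URL(referer).origin; } catch (e) { return null; }
}

// Decide whether a firmware-upload request may proceed.
// req is a minimal request shape: { method, headers, session }.
// Returns { allowed, reason } so callers can log the rejection reason.
function checkFirmwareUpload(req) {
  if (req.method !== 'POST') return { allowed: false, reason: 'method' };
  const h = req.headers || {};
  // Browsers set Origin on cross-site POSTs; fall back to Referer.
  const origin = h.origin || originOfReferer(h.referer || '');
  // Fail closed: a state-changing request with no provenance is not trusted.
  if (!origin) return { allowed: false, reason: 'no-origin' };
  if (!DEVICE_ORIGINS.has(origin)) return { allowed: false, reason: 'cross-site' };
  // Second check: a per-session token that an external page cannot read.
  if (!req.session || h['x-csrf-token'] !== req.session.csrfToken) {
    return { allowed: false, reason: 'token' };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample requests: a legitimate admin-page upload and a
// request forged from an external site riding on the same session.
const SESSION = { csrfToken: 'constructed-token' };
const SAMPLE_REQUESTS = {
  legitimate: { method: 'POST', session: SESSION,
    headers: { origin: 'http://192.168.1.1', 'x-csrf-token': 'constructed-token' } },
  forged: { method: 'POST', session: SESSION,
    headers: { origin: 'http://external.example', 'x-csrf-token': 'constructed-token' } },
};

// Evaluate every sample and return a name -> reason map.
function runSamples() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
    out[name] = checkFirmwareUpload(req).reason;
  }
  return out;
}
```

The forged request is refused on the Origin check alone; the token check covers cases where a browser strips Origin and Referer.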

The internal interfaces of routers make perfect targets. Although they sit inside the network, they present a Web interface just like any other site on the Internet, and a buggier one than most, said Grossman, who is chief technology officer of Whitehat Security.

While enterprise routers may not be easy to compromise, home and small-office routers could be compromised at the firmware level with an attacker’s software, making recovery extremely difficult.
