Tuesday, May 2, 2017

4 - Detecting alterations at a patched TP-LINK router firmware to prevent a CSRF attack


- Layout for this exercise:

1 - Introduction

- This exercise is based on the CSRF (Cross Site Request Forgery) vulnerability described here:


- According to the web author's comment,  "when a user visits a compromised website, the exploit tries to change the upstream DNS server of the router to an attacker-controlled IP address, which can then be used to carry out man-in-the-middle attacks."

- One of the affected devices is the firmware corresponding to the router TP-Link TL-MR3020:

 - Actually, the specific file affected by the vulnerability is the LanDhcpServerRp.htm, located into the folder /web/userRpm of the web root:

2 - Extracting the original and modified firmwares

- Now, what we are going to do in this exercise is compare two different firmwares. One corresponds to the original and vulnerable firwmare of the TP-LINK router, and the other corresponds to an modified or patched firmware.

- Both firmwares:

- Unzipping the original firmware:

- Unzipping the modified firmware:

- Two folders (in blue) are extracted:

- Going into the first folder:

- Applying binwalk to the original firmware:

- The root file system of the original firmware:

- Going into the second folder:

- Applying binwalk to the modified firmware:

- The root file system of the modified firmware:

3 - Locating the affected file LanDhcpServerRpm.htm

- Locating LanDhcpServerRpm.htm in the original firmware:

- Locating LanDhcpServerRpm.htm in the modified firmware:

- Let's put both files LanDhcpServerRpm.htm in the same folder, with the purpose of comparing them (the file corresponding to the modified firmware is renamed with a 1):

- Now, both files are in the same folder:

4 - Comparing fimwares with diff

- Let's use the diff command to compare both files:

- The comparison yields a difference of a existing JavaScript script in the modified firmware:

5 - Comparing firwmares with kdiff3

- Also, a graphical tool can be used to compare files, like kdiff3:

- The user is prompted to choose even three files. In our case we are interested in just two files (A and B):

- Taking A as the root file system for the original firmware:

- Taking B as the root file system for the modified firmware:

- Both root file systems are choosen:

- 285 different files are found:

- Going to the file that causes the possible CSRF attack, following this path:

squashfs-root -> web -> userRpm -> LanDhcpServerRpm.htm

- The original firmware:

- However, the modified or patched firmware holds a JavaScript script that actually takes the session ID and prevents the CSRF vulnerability to be performed: