IOT PT / 4 - DETECTING ALTERATIONS IN A PATCHED TP-LINK ROUTER FIRMWARE TO PREVENT A CSRF ATTACK
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiH7MoSAifAHChAyRSsPR6bAOKKNHm-LuPhHtBJDhEgsR3smcxTFJOYym7iURaE36kJtZQQsffqI2ta1nd4xymAq_TeCwIpboOX_hnXX74gxJ14y79nMWsN81WmF16GcCykfh8uUShLGzWq/s1600/layout.jpg)
1 - Introduction
- This exercise is based on the CSRF (Cross Site Request Forgery) vulnerability described here:
http://www.jakoblell.com/blog/2013/10/30/
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcImK8CV4ALzbcsneoEH733Fgmmt2SEe7SPflHWWOsk8wJXewP8rbt8igahw39ySj_5VYgaeG8VJNwQxYI1_QYKoGHD1l4QgcJzJ5Lp4Pjsi_qYKwJoTY55rUmzLX-87cvirAPN1wLUYEW/s640/screenshot.1.jpg)
- According to the web author's comment, "when a user visits a compromised website, the exploit tries to change the upstream DNS server of the router to an attacker-controlled IP address, which can then be used to carry out man-in-the-middle attacks."
- One of the affected devices is the firmware corresponding to the router TP-Link TL-MR3020:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiw8yHiX-3LLVe_FrXZiWWfoP8tyRrcPLyRJtXWB-qCeAVW7b5Bil2dP3DSftJBd-t5NxkNP8RJw3vufV95wqsHRZ9Y6LZ82woQrohoHk_tWdB1nonXBW6-aeNUU5RLUBRTOP2U8JP2jix1/s640/screenshot.2.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitYkv7tjdgAgVeIGUgUU7ifKB0pXM5jLPwIPucYTfOF6AfP-fjMzGF9Y2R5NQBUkKx_Nyvxqs5JGDJLIJl7qseBWi4Ew7xr9tCe1NcJJO0rgyxYF3Y42HZ4ZT09fKEHBjWFGJ6HXAT_oTh/s1600/screenshot.34.jpg)
- Actually, the specific file affected by the vulnerability is LanDhcpServerRpm.htm, located in the folder /web/userRpm of the web root:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZaEB_-9NeqaImPNsuGhOe9kiOLi0sht3WVLT2Xccx4yENHM-D3y2vQ5uu3OvNmirM1RtmXGTgbHrlFtyPACX9DXzO-Cc8Gfx-2ff4VVzgRlwRqm3mbcTSPWmRsQtTStTsk7_Tkin6bjYt/s1600/screenshot.3.jpg)
2 - Extracting the original and modified firmwares
- Now, what we are going to do in this exercise is compare two different firmwares. One is the original, vulnerable firmware of the TP-LINK router, and the other is a modified or patched firmware.
- Both firmwares:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSEX1_dm_G3djJ0HHR_0RjbiKLZBzmDukU9CTKMJ_Cs-1iQMvucLyTJK9agu8S2e78Wow90JGDNn-FCf4pydJqBYsK2wKhXU3m24yyPRj6Z0epL0ZgT-99UKNYn8pwnhTOB51eDsccETfF/s400/screenshot.4.jpg)
- Unzipping the original firmware:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiXI7b9uiV3t8GDE2kGOk6IvEHieq5iQSxGOVqeSZfk6Lz5J4k9m9fdrjnfeEHw82xYH_DHnboEZigCGCgxA6V6P6kxRpoYpkDUV_-tDhXTs_Efa4RE3B6m97jSNUIF4rfBsKqLOqMTWyo/s1600/screenshot.5.jpg)
- Unzipping the modified firmware:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt5n6XFur3imWJuEnxmwNyJ8YYvEl5P-QSIbjY4MiWe8eMd96OWUlN8X5YOxwkQIFGZeTQu4wL9s_IzWOcaeHO8bKTmvlAXIwRPcBAc2vNsYJYAueUl7RvyTsYbTwe1yCH8Drc57k82SSE/s1600/screenshot.6.jpg)
- Two folders (in blue) are extracted:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjisgf8O3ztEBtHiVSaK3thtkEOfGxVQVCYDWXJRaYGTVGD0ffydkn3X4IqXISLiVtNvEhXRS6XLhmzgjSa1de6RpXEGNFjZ73GBPo8WUU4OYOgbtQaAXULGOS1l_F5NpOwuZ7RvCOuz-t9/s1600/screenshot.7.jpg)
- Going into the first folder:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmzaQmnR-FZKez8sDi0uVBSzhqbGJe9hL4BKouIO8_HM2PWj3-RCgdyl4GMU0iCGjafGs5yhQyTp1-rToPe8NKIyDn0wc-l5Z1oSnFvlejUXFqKfDCceY9hO-89vJkwwXfwWmjRrSse8Yg/s1600/screenshot.8.jpg)
- Applying binwalk to the original firmware:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6M8lQQ7TJ866slqjGf7Wk09rUqoqn1j5aJI4ke72DqAHWAtDRNuewh-7WV82-HJKj_dsN4_KNPJyDQqbWyWG8DEGhv8tdazQTSBD33vtRIl6LVqaQS87O2WYn87LcrnfDIIxH9kYxP3i5/s1600/screenshot.9.jpg)
- The root file system of the original firmware:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2x-26aR33RZK_TMYu_uD8DGkVGtuslbW0mSbqhEvMMAEA0-1xfdoWABpAI71KEmNRpv7D_pWN8D05g56KJkrUjLPmMclfFczEdRXQm1FwoxCM1lfgADMBRx-F0widxgy7c5VQvNtuYVsd/s1600/screenshot.10.jpg)
- Going into the second folder:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLPn8HyXVOlJXWbT9UgT1yb7Ct9sj0swoobNtfLkBARybHFJ-FZfcQFWmoYjddeOIUhXDAC_4MaXMiP66ozRyRNadJMSLlBL_YZmA0OHLwLbJsDuBzEvzzURxuEM5lsnQIN25FH9UO48cW/s1600/screenshot.11.jpg)
- Applying binwalk to the modified firmware:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkfBTKRZa12KMB5F3gV7b6ieyCN8jeRO72swhPRBUBbXqtitjJI0UCsFveoY3EW4h-908cNhgPmZ_9tiOfOH0tI_v-zGZ-hFzCP757WDQ5faJ1Wtf2Hx_pHjYO5WxcmewPEQlAv0tT7Fyd/s1600/screenshot.12.jpg)
- The root file system of the modified firmware:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhd9XjUjpgfFfznDtA9mWViHWjhPJg44B4BFYPHzaeZWY2BzV8P_hiYMOlXDLCFgxdJh62F2eowFrpYcU1grpg9v-iHk76JROiEdPu1GY5zpBzBECUE9LI3Cfln2tKvyQXPbHQPM7EUKZ0X/s1600/screenshot.13.jpg)
3 - Locating the affected file LanDhcpServerRpm.htm
- Locating LanDhcpServerRpm.htm in the original firmware:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglJciI6u_jlbXwHX-2w6ni9_O9tJWucRVBE8v0nYdvVioFKiYwu-nB7_rjFgz6stpnB0UUSZVObnDRz-BTDYwM94M3jDQAWqBuUUqRG5DmESF4odMZA5Ay0X5IsgVknEYa6TYZhxwQnbYG/s1600/screenshot.15.jpg)
- Locating LanDhcpServerRpm.htm in the modified firmware:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiz3wAq7lHIYR8drI-QiK95KBHN4uiJGtnamC_EWrzLaQqJ1Km1Fnt7Cpx17OuBWqs9YOtNJuWkoH1jKeGJqcmxTa3FNNvOZYoV76KOSpTKb6Pi28ycCnuOmxX1jrBL7VVMJCnXIqesT9Rw/s1600/screenshot.16.jpg)
- Let's put both files LanDhcpServerRpm.htm in the same folder, with the purpose of comparing them (the file corresponding to the modified firmware is renamed with a 1):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7rIYnzCOOkv1zjLkG6KcWrOUpPLBWdcIGEWCrEGd6hjvG0FH19JEoX2C3WfycT08j2Zrt0cGHs05zg3JM62A47QTAAbLpj43h1GGa0Ti_L5D1eqxK1i8S48cGUnosAK81DeqFzHAVI4Yf/s1600/screenshot.18.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEZ0zioU_y0sBHvvYXjw47GIUQsRuBe9UrHybaRjrA7_7i8t0ybF56JEWx0RVPjwd2Xky0FPWHw0STo2mpK6Wp1ohIe27PpLm42HCuBuXCzvKoBozxJsVMJRFYFcJP3ASnrsuc5HHJL-ij/s1600/screenshot.17.jpg)
- Now, both files are in the same folder:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYWtbnYvBj0TTsljPiwO-hXwQX0faam6K_Wj8RU8bV1bhugpCCEG73gJMGCa-oDnuQinhnRyCX13Pir-V9zQDxlPI3ltcg4FqpkWozeklqWYwU0L2rM3yzdBrSqZ87ImejZvndslMNPjrC/s1600/screenshot.19.jpg)
4 - Comparing firmwares with diff
- Let's use the diff command to compare both files:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTK1rlpxAnjclmQVAZ60nii37K4sI-AmYj786rHz0ssEOAj4oT_0Lilu5hzgnfz5Jrkm5djLkHk6PaFjMG7w_6ZFORdjQ7pU1EcSpR5IlFEZ3Mqg7yqxDx1MAWgtKFFoI3p6JsVNuv5KXj/s400/screenshot.36.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-2etNzoh1LmEK1-2apWVc_GL-beCi_g8GkSDu5nY_K9XD4BiFpukmpYCFb_pQu694flYxGHyfFTLgFYFVAFB0HYmfHKl7SN1tU1FgapNzjt89ql29STx-UviXEoIQpHsKJvZZtZk7_Zl0/s640/screenshot.35.jpg)
- The comparison shows that the modified firmware contains a JavaScript script which is absent from the original:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsDofDfmSbE6S8bkMc-l_i3y6dhmmZNkxJwSVtiEScV881uoIMnTF18YChy3IRo-4CEDe9e3u5SizULM9VjmPBGWTxm2dd5pzOY4oFnGpNX0_CvICMCKpze72JRgBJJ8JXG5QLf-UjW6oX/s1600/screenshot.21.jpg)
5 - Comparing firmwares with kdiff3
- Also, a graphical tool can be used to compare files, like kdiff3:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggF1Wg_K8-zFyPVpwVHzEMVTT9pDLOYv97a1hV4q5lzE0QwssFuf3G-O8e4t7kH4OYtwJcwaUhWbgpC9ZbcjrU_E01GPk2IkT7v1VqUJdeSvmKis0vjEDDyh8Xsp7Gb2M-tkUPg2t0bYl1/s320/screenshot.38.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0qiPrpj3u7vaLamd1WGhg5S7jrkwPdZRaCoTZUwoIy5nwYbBPebzQl7J12GuM2pyD9mFVMdkOD1j-73n181s1KpHgxhEizWsFBhjN4b6yOsojt9SHvRZil64B-6O_KDAJJ3Tkcrtn3E3h/s640/screenshot.39.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZcq34oJEp7Kz9_UELQTXWq9HqTaxW4wExNj4aCRfoxjktl56A_rTb6RMMPkJc9CZuvzmsUCROAHi2pOl_FLvnyPMP6bBYKtN5-6e2DQOX6-wKV2G5PMqYc7GzumZ7Hc1BXYzxIXDNFS2W/s400/screenshot.22.jpg)
- The user is prompted to choose up to three files. In our case we are interested in just two (A and B):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgujyN3BBUuBjOkr9MktnuZRRrBiyJRa9CE5c69MQNFWoP0wf3lZD_ylmynM2HRzv9LzL5VjBuRxqVJq0jXn_xxp2sVYFHMpI_mYWQGl4J74iseC3erpR-EHZVn1sWrWi7seBZhWO9N-XM7/s1600/screenshot.23.jpg)
- Taking A as the root file system for the original firmware:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgyKJz7kSlGR_N7q1fN8DHiY_tSa1oCzltB_ZATtpveDA-y0mdC0ngqL26jChyphenhyphenvhFHHFsXFr6RQWf-Oq3xEwbyRbx-QzTs-YP0QEf9ZuEui-6Mbd5OKqVgW_LPaCXie8RuJA-0FdaYjIOQ/s1600/screenshot.25.jpg)
- Taking B as the root file system for the modified firmware:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtu7-RbyoleoyVBgAW1Z8QQhfs0yyErV6UAZj_hD0A50c1EbEJu4kwMfGYDl-fi9fa0Zm-PxeySDbFGH63a12IFpHe1WASSLvBZkVSGRaTpaMxm3dQ6rhkbCS8UGTKAP-LixFq6jEfZ2WN/s1600/screenshot.26.jpg)
- Both root file systems are chosen:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgM5jdwPxAP8TWdwBIAffJL9tAP3SkR1xw3MpUYaQ5zVghSyIMJRgvP8b3shBbHv2cXy7oP_DGJXbfA8Z0nk-W-j9vUbdt0PQ_SDWXPWtlJCWcm2JY0VTdTm-I52wmTBPmyE1SVANT4nXX/s1600/screenshot.27.jpg)
- 285 different files are found:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiv909Aow5TdEARFK_u19TJqm9BUugm5F8jigz9MigFEM79JbyZo8Ubt4fiLL9kbcJa5AXtgiWAeFcWpLpFVuEujd87MODZEe6PXfbZHiULNpkmrWi40trnacfOCn_bNyH6rq7Y9geBlbwr/s400/screenshot.28.jpg)
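The diff step of section 4 and the whole-tree comparison of section 5 can be scripted so that the same check runs on every firmware update. The following is an added example, not code from the original post: it assumes both firmwares have already been extracted (for instance with binwalk) into two root directories, hashes every file in both trees, lists what was added, removed or modified, and prints a unified diff for each modified file. The two miniature root file systems it builds are constructed sample data, so it runs offline; the placeholder script body inside the patched page is also constructed.

```python
"""Compare two extracted firmware root file systems (added example, not from
the original post). Assumes the trees were already extracted, e.g. by binwalk;
the sample trees below are constructed so the script runs without a firmware.
"""
import difflib
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries (kernels, busybox) are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def index_tree(root: Path) -> dict:
    """Map each regular file's path (relative to root, POSIX form) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_roots(original: Path, modified: Path) -> dict:
    """Files only in the original, only in the modified, and present in both but changed."""
    a, b = index_tree(original), index_tree(modified)
    return {
        "removed": sorted(set(a) - set(b)),
        "added": sorted(set(b) - set(a)),
        "modified": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }


def unified_diff(original: Path, modified: Path, rel: str) -> str:
    """Unified diff of one text file (web pages are text; binaries are only reported as changed)."""
    a_lines = (original / rel).read_text(errors="replace").splitlines(keepends=True)
    b_lines = (modified / rel).read_text(errors="replace").splitlines(keepends=True)
    return "".join(difflib.unified_diff(a_lines, b_lines,
                                        fromfile=f"a/{rel}", tofile=f"b/{rel}"))


def build_sample_trees(base: Path) -> tuple:
    """Constructed miniature root file systems: only web/userRpm/LanDhcpServerRpm.htm differs."""
    orig = base / "original" / "squashfs-root"
    mod = base / "modified" / "squashfs-root"
    page = Path("web") / "userRpm" / "LanDhcpServerRpm.htm"
    common = ("<html><body><form action=LanDhcpServerRpm.htm method=get>\n"
              "<input name=setting>\n</form></body></html>\n")
    # Constructed placeholder standing in for the script the patched page adds.
    patched = common.replace(
        "</form>", "<script>/* constructed placeholder: appends session token */</script>\n</form>")
    for root in (orig, mod):
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "busybox").write_bytes(b"\x7fELF constructed placeholder")
    for root, content in ((orig, common), (mod, patched)):
        (root / page).parent.mkdir(parents=True)
        (root / page).write_text(content)
    return orig, mod


def run_demo() -> dict:
    """Build the sample trees, compare them and attach a diff for each modified file."""
    with tempfile.TemporaryDirectory() as tmp:
        orig, mod = build_sample_trees(Path(tmp))
        report = compare_roots(orig, mod)
        report["diffs"] = {rel: unified_diff(orig, mod, rel) for rel in report["modified"]}
        return report


if __name__ == "__main__":
    result = run_demo()
    for kind in ("removed", "added", "modified"):
        print(kind, result[kind])
    for text in result["diffs"].values():
        print(text)
```

Against two real extractions, replace `build_sample_trees` with the two `squashfs-root` directories; the hash index is what makes the 285-file kdiff3 listing reproducible without a GUI, and the per-file diff is where an unexpected script, not just the expected patch, would show up.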
- Going to the file that causes the possible CSRF attack, following this path:
squashfs-root -> web -> userRpm -> LanDhcpServerRpm.htm
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKA4kGizZhaWU59cAfQTjsNE4xBt7x4g9ClVgL6W3W-PI6AkmIiF79Q1tOBHvV2b0ZJdrXFM8ZnOLqkCNQBi4NJbS5DDitgmiw583e9nbRNLWXOxNJir_aIMnxJGhFZpbi7p-jKluHYcx7/s1600/screenshot.31.jpg)
- The original firmware:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9JVOZJxuiI8U9Sjbe3LI4e1XhaZEw8ygko9FhmLckmsTYvDouqrgDiSqrj_WYPfSvnl3tMtx5rragZ1rL6b7V0AJp4DXFHqaGNEVxdwohGDjnn_f4521P7Zo5N_F601g8dskR2Oi679G4/s1600/screenshot.32.jpg)
- However, the modified or patched firmware holds a JavaScript script that takes the session ID and prevents the CSRF attack from being carried out:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpr6o0dIQqlKN0icVj6aRl_04DgSHoV2S6UFqS0SbFkFLfBN5kUbK6MUDLp8yOiI8-eatyFVMk1-q_-EX6LOKadAmTpqdMt8HmL70URguhhBmT6HJUp93R7uhIFa0_L_I82L5PluRpPESm/s1600/screenshot.33.jpg)
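The defence the patched page relies on is that a state-changing request must carry a value bound to the user's session, which a page on another site cannot read even though the browser attaches the login cookie automatically. The following is an added example of that check on the server side, not the TP-Link script itself (the post shows it only in a screenshot); the handler name, session store and request shape are assumptions made for illustration.

```python
"""Session-bound CSRF token check (added example; the handler, session store and
request layout are assumptions, not the router's own code)."""
import hashlib
import hmac
import secrets

# Constructed per-process key; a device would keep one per boot or per session.
SERVER_KEY = secrets.token_bytes(32)


def csrf_token_for(session_id: str) -> str:
    """Derive a token from the session ID; only pages served inside that session can embed it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_settings_update(request: dict, session_store: dict) -> tuple:
    """request = {"cookies": {...}, "params": {...}}; returns (status, message)."""
    sid = request.get("cookies", {}).get("session")
    if sid not in session_store:
        return 401, "no valid session"
    supplied = request.get("params", {}).get("csrf_token", "")
    # Constant-time comparison; a missing token compares unequal and is rejected.
    if not hmac.compare_digest(supplied, csrf_token_for(sid)):
        return 403, "missing or invalid CSRF token"
    session_store[sid]["setting"] = request["params"].get("setting")
    return 200, "settings updated"


def demo() -> tuple:
    """Same logged-in cookie in both requests; only the one carrying the token succeeds."""
    store = {"sess-123": {}}  # constructed session store
    token = csrf_token_for("sess-123")
    legitimate = handle_settings_update(
        {"cookies": {"session": "sess-123"},
         "params": {"csrf_token": token, "setting": "value-a"}}, store)
    # A request forged from another origin: the browser sends the cookie, but the
    # forging page never saw the token, so it cannot include it.
    cross_site = handle_settings_update(
        {"cookies": {"session": "sess-123"}, "params": {"setting": "value-b"}}, store)
    return legitimate, cross_site, store["sess-123"].get("setting")


if __name__ == "__main__":
    print(demo())
```

The token must come from the page body or a header the script sets, never from a cookie alone, because the cookie is exactly what the browser sends on the forged request; that is why the patched firmware has the page's own JavaScript pick up the session ID and attach it.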