AdSense

Tuesday, May 2, 2017

4 - Detecting alterations at a patched TP-LINK router firmware to prevent a CSRF attack


IOT PT / 4 - DETECTING ALTERATIONS AT A  PATCHED TP-LINK ROUTER FIRMWARE TO PREVENT A CSRF ATTACK

- Layout for this exercise:




1 - Introduction

- This exercise is based on the CSRF (Cross Site Request Forgery) vulnerability described here:

http://www.jakoblell.com/blog/2013/10/30/




- According to the web author's comment,  "when a user visits a compromised website, the exploit tries to change the upstream DNS server of the router to an attacker-controlled IP address, which can then be used to carry out man-in-the-middle attacks."

- One of the affected devices is the firmware corresponding to the router TP-Link TL-MR3020:









 - Actually, the specific file affected by the vulnerability is the LanDhcpServerRp.htm, located into the folder /web/userRpm of the web root:




2 - Extracting the original and modified firmwares

- Now, what we are going to do in this exercise is compare two different firmwares. One corresponds to the original and vulnerable firwmare of the TP-LINK router, and the other corresponds to an modified or patched firmware.


- Both firmwares:




- Unzipping the original firmware:




- Unzipping the modified firmware:




- Two folders (in blue) are extracted:




- Going into the first folder:




- Applying binwalk to the original firmware:




- The root file system of the original firmware:




- Going into the second folder:




- Applying binwalk to the modified firmware:




- The root file system of the modified firmware:




3 - Locating the affected file LanDhcpServerRpm.htm

- Locating LanDhcpServerRpm.htm in the original firmware:




- Locating LanDhcpServerRpm.htm in the modified firmware:




- Let's put both files LanDhcpServerRpm.htm in the same folder, with the purpose of comparing them (the file corresponding to the modified firmware is renamed with a 1):






- Now, both files are in the same folder:




4 - Comparing fimwares with diff

- Let's use the diff command to compare both files:




















- The comparison yields a difference of a existing JavaScript script in the modified firmware:




5 - Comparing firwmares with kdiff3

- Also, a graphical tool can be used to compare files, like kdiff3:










- The user is prompted to choose even three files. In our case we are interested in just two files (A and B):





- Taking A as the root file system for the original firmware:




- Taking B as the root file system for the modified firmware:




- Both root file systems are choosen:




- 285 different files are found:












- Going to the file that causes the possible CSRF attack, following this path:

squashfs-root -> web -> userRpm -> LanDhcpServerRpm.htm


















- The original firmware:




- However, the modified or patched firmware holds a JavaScript script that actually takes the session ID and prevents the CSRF vulnerability to be performed: