IOT PT / 4 - DETECTING ALTERATIONS AT A PATCHED TP-LINK ROUTER FIRMWARE TO PREVENT A CSRF ATTACK
- Layout for this exercise:

1 - Introduction
- This exercise is based on the CSRF (Cross Site Request Forgery) vulnerability described here:
http://www.jakoblell.com/blog/2013/10/30/

- According to the web author's comment, "when a user visits a compromised website, the exploit tries to change the upstream DNS server of the router to an attacker-controlled IP address, which can then be used to carry out man-in-the-middle attacks."
- One of the affected devices is the TP-Link TL-MR3020 router; the firmware examined in this exercise is the one that corresponds to it:


- Actually, the specific file affected by the vulnerability is LanDhcpServerRpm.htm, located in the folder /web/userRpm of the web root:

2 - Extracting the original and modified firmwares
- Now, what we are going to do in this exercise is compare two different firmwares: one is the original, vulnerable firmware of the TP-LINK router, and the other is a modified (patched) firmware.
- Both firmwares:

- Unzipping the original firmware:

- Unzipping the modified firmware:

- Two folders (in blue) are extracted:

- Going into the first folder:

- Applying binwalk to the original firmware:

- The root file system of the original firmware:

- Going into the second folder:

- Applying binwalk to the modified firmware:

- The root file system of the modified firmware:

3 - Locating the affected file LanDhcpServerRpm.htm
- Locating LanDhcpServerRpm.htm in the original firmware:

- Locating LanDhcpServerRpm.htm in the modified firmware:

- Let's put both LanDhcpServerRpm.htm files in the same folder in order to compare them (the file from the modified firmware is renamed with a 1 suffix):


- Now, both files are in the same folder:

4 - Comparing firmwares with diff
- Let's use the diff command to compare both files:


- The comparison shows a single difference: a JavaScript script that exists only in the modified firmware:

5 - Comparing firmwares with kdiff3
- Also, a graphical tool can be used to compare files, like kdiff3:



- The user is prompted to choose up to three files. In our case we are interested in just two (A and B):

- Taking A as the root file system for the original firmware:

- Taking B as the root file system for the modified firmware:

- Both root file systems are chosen:

- 285 different files are found:
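
- The steps of sections 3, 4 and 5 (locate the file in both extracted root file systems, diff it, and count every differing file as the kdiff3 directory comparison does) can be scripted. The script below is an added example, not the original author's or TP-Link's code: the directory layout and the sample HTML it builds are constructed for illustration, binwalk is only wrapped and not run by default, and function and variable names are assumptions.

```sh
#!/bin/sh
# Added example for this write-up (not the original author's script): the
# command-line equivalent of sections 3 to 5. It locates one file by name in
# two extracted firmware roots, diffs it, prints the lines the modified
# firmware added, and counts every differing file the way the kdiff3 directory
# comparison does. The demo roots and their HTML are constructed here only to
# illustrate the diff; the binwalk step is wrapped but not run by default.

# Extract an image with binwalk; the root file system lands under
# _<image>.extracted/squashfs-root (assumption: a squashfs-based image).
extract_firmware() {                       # extract_firmware <image.bin>
    binwalk -e "$1"
}

# Print the first squashfs-root directory found below a path.
find_root() {                              # find_root <dir>
    find "$1" -type d -name squashfs-root | head -n 1
}

# Print the first file with the given basename below a root.
locate_file() {                            # locate_file <root> <basename>
    find "$1" -type f -name "$2" | head -n 1
}

# Unified diff of one file across both roots.
# Exit status: 0 identical, 1 different, 2 missing on either side.
compare_file() {                           # compare_file <root_a> <root_b> <basename>
    a=$(locate_file "$1" "$3")
    b=$(locate_file "$2" "$3")
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "missing: $3" >&2
        return 2
    fi
    diff -u "$a" "$b"
}

# Lines present only in the modified copy (what the patch added).
added_lines() {                            # added_lines <root_a> <root_b> <basename>
    diff "$(locate_file "$1" "$3")" "$(locate_file "$2" "$3")" | sed -n 's/^> //p'
}

# Number of files that differ or exist on one side only.
count_differing() {                        # count_differing <root_a> <root_b>
    diff -rq "$1" "$2" | wc -l | tr -d ' '
}

# Build two constructed mini roots mimicking the /web/userRpm layout of the
# extracted firmware; the HTML is made up and only stands in for the real page.
make_demo_roots() {                        # prints the parent temp dir
    t=$(mktemp -d)
    for side in orig mod; do
        mkdir -p "$t/$side/squashfs-root/web/userRpm"
        printf '<html><body>shared page</body></html>\n' \
            > "$t/$side/squashfs-root/web/index.htm"
    done
    printf '<html>\n<form action="LanDhcpServerRpm.htm">\n</form>\n</html>\n' \
        > "$t/orig/squashfs-root/web/userRpm/LanDhcpServerRpm.htm"
    printf '<html>\n<script>/* constructed stand-in: reads the session ID */</script>\n<form action="LanDhcpServerRpm.htm">\n</form>\n</html>\n' \
        > "$t/mod/squashfs-root/web/userRpm/LanDhcpServerRpm.htm"
    printf 'only in the modified image\n' > "$t/mod/squashfs-root/web/extra.htm"
    echo "$t"
}

# With two extracted firmware directories as arguments, compare the real
# images; with no arguments, run on the constructed demo roots.
if [ "$#" -eq 2 ]; then
    ROOT_A=$(find_root "$1"); ROOT_B=$(find_root "$2")
else
    DEMO=$(make_demo_roots)
    ROOT_A="$DEMO/orig"; ROOT_B="$DEMO/mod"
fi
rc=0
compare_file "$ROOT_A" "$ROOT_B" LanDhcpServerRpm.htm || rc=$?
echo "LanDhcpServerRpm.htm: diff exit status $rc (1 = differs)"
echo "lines added in the modified firmware:"
added_lines "$ROOT_A" "$ROOT_B" LanDhcpServerRpm.htm
echo "differing files in total: $(count_differing "$ROOT_A" "$ROOT_B")"
if [ -n "${DEMO:-}" ]; then rm -rf "$DEMO"; fi
```

- Run it with no arguments to see the demo, or as `sh compare_fw.sh _orig.bin.extracted _mod.bin.extracted` after `binwalk -e` on both images. The count from `diff -rq` includes files present on only one side, which is why it lines up with the per-file list kdiff3 shows rather than with a diff of a single file.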

- Going to the file that makes the CSRF attack possible, following this path:
squashfs-root -> web -> userRpm -> LanDhcpServerRpm.htm

- The original firmware:

- However, the modified or patched firmware holds a JavaScript script that reads the session ID, and that is what defeats the CSRF attack: a request forged from an attacker's page does not carry it:
