DSL/Cable Modems Vulnerable to CSRF Attacks

Posted on December 8th, 2008 by Scott Dale

For years, cross-site request forgery (CSRF) attacks have been carried out against websites and network devices, often undetected. In a CSRF attack, a trusted site or device is made to execute requests that appear to come from the victim. These attacks are often difficult both to detect and to protect against. While CSRF attacks are nothing new, a security researcher named Nathan Hamiel recently discovered that most DSL modems (and cable modems) are still just as vulnerable to CSRF attacks as other technologies.

At issue is the fact that, by default, most DSL/Cable modems do not require any authentication for configuration changes. An attacker could easily send commands to a vulnerable modem to enable access to the device, modify routes, and so on. Even more disturbing is that the commands that change these modems' configuration can be triggered simply by a user visiting a trusted website. For example, a user could visit a trusted forum on “How to Cook a Chocolate Cake,” where a malicious user has posted the following snippet of code:

<img src="http://192.168.1.254/Forms/remoteRES_1?NSS_RemotePassword=blehblah&amp;NSS_EnableWANAdminAccessRES=on&amp;timeoutDisable=0&amp;Enable=Enable" alt="" width="1" height="1" />

This tag would attempt to set the admin password and enable remote access on any vulnerable modem behind the visitor's browser. Users visiting the forum would not see the image (it is one pixel square), but their browser would still issue the request. An attacker could also post code that logs the IP address of every visitor who triggers the request, providing a list of addresses for further exploitation attempts.
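To make the device-side gap concrete, here is an added example (not from the original post or any vendor firmware) in Python that models a modem's configuration handler: the unauthenticated version applies the forged GET above, while the hardened version requires a POST, an authenticated session, a same-origin request and a per-session anti-CSRF token. The host 192.168.1.254 and the NSS_RemotePassword parameter come from the snippet above; the session store, cookie name and csrf_token field are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Hypothetical session store (constructed): session id -> per-session CSRF token.
SESSIONS = {"sess-1234": {"csrf_token": secrets.token_hex(16)}}
DEVICE_HOST = "192.168.1.254"  # the modem's LAN address from the post


@dataclass
class Request:
    """Minimal stand-in for an HTTP request reaching the modem's web UI."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def admin_change_vulnerable(req: Request) -> str:
    """Models the 2008 behaviour: any request to the form URL is applied, no checks."""
    params = parse_qs(urlsplit(req.url).query)
    return "applied" if "NSS_RemotePassword" in params else "ignored"


def admin_change_hardened(req: Request) -> str:
    """Applies a configuration change only if every CSRF-relevant check passes."""
    # 1. State-changing actions only via POST, so an <img> GET can never trigger them.
    if req.method != "POST":
        return "rejected: method"
    # 2. The caller must hold an authenticated session cookie, not merely sit on the LAN.
    cookie = req.headers.get("Cookie", "")
    session_id = cookie.split("=", 1)[1] if cookie.startswith("session=") else None
    sess = SESSIONS.get(session_id)
    if sess is None:
        return "rejected: unauthenticated"
    # 3. Origin (falling back to Referer) must be the device itself, not a third-party site.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if urlsplit(origin).hostname != DEVICE_HOST:
        return "rejected: origin"
    # 4. The anti-CSRF token in the body must match the one bound to this session.
    token = parse_qs(req.body).get("csrf_token", [""])[0]
    if not hmac.compare_digest(token, sess["csrf_token"]):
        return "rejected: token"
    return "applied"
```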

These vulnerabilities are scary and should not be taken lightly.  The ramifications of not protecting your modem could be dire.  The good news is that there are some simple steps a user can take to mitigate these attacks.  Always change the default configuration of your network devices by following these steps:

  • Change your password.
  • Change the IP address and port used for admin access.
  • Do not allow Remote Administration access from the Internet for your DSL/Cable modem.
