The harm of routing csrf

Source: Internet
Author: User

0x00 Environmental Analysis

The recent D-Link backdoor disclosure has everyone in a panic. Glad you don't use D-Link, so you're safe? Can users patch the hole themselves, and will the vendor notify them in time so they don't get hit? Obviously, nobody has done either.

First of all, as soon as a vendor publishes "router XXX has flaw XXX", it discredits the company. Users won't upgrade anyway (who, with a working connection, is bored enough to flash the router's firmware?), and it only adds PR pressure on the company. Put that way, nobody is going to do it.

So it comes down to a few points:

After a router vulnerability is found, the user won't fix it! The vendor doesn't want to patch it! The user is lazy!

0x01 Where do the vulnerabilities come from?

Router vulnerabilities are really not that scarce. Most are remote command execution, backdoors, XSS and the like. In an expert's hands, remote command execution on a router model widely used in data centres means running a few PoCs and the job is done, but that kind of scene only appears in expert-level APT work.

But for the ordinary down-and-out blackhat, APT holds no interest; he'd rather have the girl next door's router.

So one day the blackhat went to the computer mall, found a router wholesaler, pulled out 50 yuan and told the boss he wanted to try out his best-selling routers. The boss, looking at the cash, handed over 20 routers for him to look at. The blackhat grinned, flashing his big gold teeth, set several WVS scans running, and carefully recorded the vulnerabilities of each model.

That way, in a single day and for under 200 yuan, the blackhat catalogued the assorted bugs of the domestic mainstream routers (→*→, what a lewd guy).

0x02 The seed of evil

After the scan the blackhat closed his laptop in satisfaction. The router boss was secretly pleased too, having made some easy money... but he didn't know this was only the beginning of the game.

Another day. The down-and-out blackhat sat down at a roadside fried-noodle stall, surrounded by migrant workers, and felt a sense of kinship; watching the foreman's BMW disappear into the distance, he resolved to keep at it and roared to the heavens: Boss, two fried noodles with meat!!!

Once fed, the blackhat went to a board-game cafe and picked a quiet corner. Board games, of what use? He told me the cafe charges 75 yuan for 6 hours with unlimited refills, and, more importantly, has 20M WiFi. The rich kids are busy playing board games with girls, so nobody competes with him for bandwidth, the air is dozens of times better than an Internet cafe, and when the code won't come you can look at the pretty girl at the next table (→*→, hey, I just want to say: next time take me along!!!).

The blackhat opened his laptop, set to work on the greasy keyboard, opened the WVS reports, picked out the command execution, CSRF, XSS, unauthorized access and similar bugs, classified them, marked which ones were controllable, and tidied up the POST and GET requests for each feature.

And that's it... a library of common router vulnerabilities is more or less done...

The blackhat loaded these vulnerabilities onto his own XSS platform and laid out several rules: identify the router's brand from the page title, then narrow down the model... then fire off the payloads in various ways. Where the CSRF is controllable it is injected into the router directly; where it isn't, the default password is used to get in. He told me... the chance of a direct hit is actually small, but CSRF combined with the default password has a very good chance of getting in... (this shows that router security awareness needs to improve; don't assume your intranet can't be reached from outside...). You didn't change the default password, so you're mine.

There are many ways to attack a router, but the blackhat's usual targets are the DMZ and DNS settings.

For example, a CSRF that turns on the router's DMZ function exposes the target host to the public Internet...
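The weakness the post relies on is that a router's admin interface accepts any POST carrying a valid session cookie, and a browser attaches that cookie to a form submitted from an unrelated page. The following is an added example written for this page, not any vendor's firmware and not the author's code: a minimal "set DNS" handler in the vulnerable shape beside a hardened one that checks the request's Origin/Referer against the router's own origin, requires a per-session CSRF token compared in constant time, and refuses to change settings while the factory default password is still set. The `Request`/`RouterState` classes, the LAN address `192.168.1.1`, the placeholder default password and the replayed requests are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed LAN address of the router's admin UI (constructed for this example).
ROUTER_ORIGIN = "http://192.168.1.1"
# Placeholder stand-in for a factory default password; not any vendor's value.
FACTORY_DEFAULT_PASSWORD = "admin"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class RouterState:
    admin_password: str = FACTORY_DEFAULT_PASSWORD
    dns_servers: tuple = ("192.168.1.1",)
    sessions: dict = field(default_factory=dict)  # session id -> CSRF token


def login(state, password):
    """Open a session; every session gets its own unguessable CSRF token."""
    if not hmac.compare_digest(password, state.admin_password):
        return None
    sid = secrets.token_urlsafe(16)
    state.sessions[sid] = secrets.token_urlsafe(32)
    return sid


def csrf_token_for(state, sid):
    """Token the legitimate admin page embeds in its settings form."""
    return state.sessions[sid]


def vulnerable_set_dns(req, state):
    """The pattern the post exploits: a valid session cookie is the only check,
    and the browser sends that cookie with cross-site form posts too."""
    sid = req.cookies.get("sid")
    if req.method != "POST" or sid not in state.sessions:
        return 403, "forbidden"
    state.dns_servers = tuple(req.form["dns"].split(","))
    return 200, "ok"


def _same_origin(req):
    # Browsers send Origin on cross-site POSTs; fall back to Referer.
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False  # no provenance at all: refuse a state change
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == ROUTER_ORIGIN


def hardened_set_dns(req, state):
    """Same endpoint with origin check, CSRF token and default-password gate."""
    sid = req.cookies.get("sid")
    if req.method != "POST" or sid not in state.sessions:
        return 403, "forbidden"
    if not _same_origin(req):
        return 403, "cross-origin request rejected"
    if not hmac.compare_digest(state.sessions[sid], req.form.get("csrf_token", "")):
        return 403, "bad csrf token"
    if hmac.compare_digest(state.admin_password, FACTORY_DEFAULT_PASSWORD):
        return 403, "change the factory default password first"
    state.dns_servers = tuple(req.form["dns"].split(","))
    return 200, "ok"


def demo():
    """Replay a forged cross-site POST and a legitimate one against both handlers."""
    password = "correct horse battery staple"  # constructed credential
    results = {}

    # 1. Vulnerable handler: the cross-site POST succeeds because the cookie rides along.
    st = RouterState(admin_password=password)
    sid = login(st, password)
    cross_site = Request("POST", "/set_dns", headers={"Origin": "http://ads.example"},
                         form={"dns": "203.0.113.5"}, cookies={"sid": sid})
    results["vulnerable"] = vulnerable_set_dns(cross_site, st)
    results["vulnerable_dns"] = st.dns_servers

    # 2. Hardened handler rejects the identical request and leaves DNS untouched.
    st = RouterState(admin_password=password)
    sid = login(st, password)
    cross_site.cookies = {"sid": sid}
    results["hardened_cross_site"] = hardened_set_dns(cross_site, st)
    results["hardened_dns"] = st.dns_servers

    # 3. A change made from the admin page itself carries the session token.
    legit = Request("POST", "/set_dns", headers={"Origin": ROUTER_ORIGIN},
                    form={"dns": "192.168.1.1", "csrf_token": csrf_token_for(st, sid)},
                    cookies={"sid": sid})
    results["hardened_legit"] = hardened_set_dns(legit, st)

    # 4. Even a well-formed request is refused while the factory password is in place.
    st = RouterState()
    sid = login(st, FACTORY_DEFAULT_PASSWORD)
    legit.cookies = {"sid": sid}
    legit.form["csrf_token"] = csrf_token_for(st, sid)
    results["default_password"] = hardened_set_dns(legit, st)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The origin check and the token are deliberately independent: the token stops a forged form even if a proxy strips headers, and the origin check stops it even if token handling has a bug. Refusing to act on the factory password closes the "CSRF plus default credentials" path the post says is the one that usually works.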

0x03 To fire a shot you need not just bullets, but a gun.

The hundred-odd yuan spent at the computer mall left the blackhat a bit short, but these days he moved his XSS platform to a better-quality VPS in Japan... he was afraid it wouldn't handle the traffic. (Heh, the expert has foresight.)

This week the blackhat skimped: no fried noodles, just a few big steamed buns washed down with water, until he had finally saved enough to rent a server in the United States. He spent a night setting it up as a DNS server, flashed his big gold teeth, and went to sleep chuckling.

0x04 The hour before dawn is always the quietest.

These days the blackhat has been living on shifted hours: sleeping by day, gaming at night or going out for barbecue with his friends, and his hacking moved to the evenings.

Every day while browsing he looks for big websites, finds the places where users can interact with the site and submit data, and records them. Late at night he works through the various bypasses and then builds the worm; the worm pulls its payloads from the blackhat's XSS platform, and as it spreads it goes for the routers first!!!

Late at night the ops staff are asleep and the programmers are in bed with their girls... so the blackhat doesn't trigger the worm as soon as it's built; he waits until the online rate is high (for example 8 to 10:30 in the morning, 11:30 to 1 in the afternoon, 8 to 10:30 at night) and then triggers the stored XSS he found a few days earlier.

During the day the blackhat didn't rest either, shopping around for various ad deals. Many people doubted he could find that much traffic; the blackhat just smiled and quietly took down the list.

0x05 As if a spring breeze came overnight, a thousand trees, ten thousand trees of chrysanthemums bloom

To make sure his tests were valid, the blackhat started deploying at midnight sharp, switching the XSS platform's rules over to full DNS hijacking: where the CSRF is controllable, change the router's DNS; where it isn't, try the default password directly... different brands and models of router map to different rules.

And so, starting from the first person to see the worm, it was forwarded across the same domain, the number of infected people grew by multiples, and the DNS of every hit router was changed to the DNS server the blackhat rented in the United States, which points to the advertising address...

By 10 the next morning the ad's page views were growing geometrically, and the blackhat flashed his big gold teeth :D

One month later the blackhat drove his supercar past his old workplace, glanced at the familiar back of the foreman, laughed and drove off. The blackhat's worm doesn't show off the way white hats do, popping up a window to tell people "I got you"; instead it keeps propagating quietly in the background, which administrators find hard to discover (unless they have a monitoring platform)...
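The post closes by noting that the hijack stays invisible unless someone is monitoring. The simplest signal is DNS traffic heading to a resolver nobody configured: depending on the model, the changed resolver is either used by the router's own forwarder (visible as flows from the router's WAN address) or handed to clients via DHCP (visible as flows from each client). This added example, written for this page rather than taken from it, runs that check over a few constructed gateway flow-log lines; the log format, the allowlisted resolvers and all addresses are assumptions made up for the example.

```python
import re
from collections import defaultdict

# Resolvers this network is supposed to use (constructed allowlist).
EXPECTED_RESOLVERS = {"192.168.1.1", "8.8.8.8"}

# Constructed gateway flow-log lines for the example; not real traffic.
SAMPLE_LOG = """\
2013-10-20 10:02:11 src=192.168.1.23 dst=192.168.1.1:53 proto=udp qname=www.example.com
2013-10-20 10:02:15 src=192.168.1.40 dst=203.0.113.5:53 proto=udp qname=mail.example.com
2013-10-20 10:02:16 src=192.168.1.40 dst=203.0.113.5:53 proto=udp qname=bank.example.net
2013-10-20 10:02:20 src=192.168.1.23 dst=8.8.8.8:53 proto=udp qname=cdn.example.org
2013-10-20 10:02:22 src=192.168.1.77 dst=203.0.113.5:53 proto=udp qname=www.example.com
2013-10-20 10:02:30 src=192.168.1.77 dst=198.51.100.9:443 proto=tcp
"""

# Assumed field layout: "src=<ip> dst=<ip>:<port> proto=<udp|tcp>".
LINE_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+):(?P<port>\d+) proto=(?P<proto>\w+)")


def find_unexpected_resolvers(log_text, expected=EXPECTED_RESOLVERS):
    """Map each source that sent DNS (port 53) traffic to a resolver outside
    the allowlist onto the set of resolvers it used. Non-DNS flows are ignored."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("port") != "53":
            continue
        if m.group("dst") not in expected:
            hits[m.group("src")].add(m.group("dst"))
    return dict(hits)


def summarize(log_text, expected=EXPECTED_RESOLVERS):
    """Count DNS flows per source, split into expected and unexpected, so a
    host that has been fully redirected stands out from one stray query."""
    counts = defaultdict(lambda: {"expected": 0, "unexpected": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("port") != "53":
            continue
        key = "expected" if m.group("dst") in expected else "unexpected"
        counts[m.group("src")][key] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, resolvers in find_unexpected_resolvers(SAMPLE_LOG).items():
        print(f"{src} is querying unexpected resolver(s): {sorted(resolvers)}")
    print(summarize(SAMPLE_LOG))
```

On a real network the same check belongs on whatever device sees the flows (the upstream firewall or the router's own connection log); an alert on any port-53 destination outside the allowlist catches the DNS change described here regardless of which brand-specific rule made it.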
