Bypass Basic Authentication in Routers

A friend bought a router model GN-B46B of Gigabyte, and asked me if it is dangerous to expose the router to the WAN.

“Yes, of course, but you must have at least one point of contact anyway. By the way, if you cannot access the administrator page, the account name is ‘admin’ and password is ‘password’.”

Yup, I changed the password. Well, that was simple, as it was a creation of the year 2004. I searched SecurityFocus and immediately answered my friend’s question. No, I invented nothing. How did it happen?

The main page redirects to a login page secured by HTTP Basic Authentication. However, the rest of the pages do not require HTTP Basic Authentication at all. Here is the point: if you know the URL of the page that performs a certain function (e.g. change password), you can skip the login page and request that URL directly! The router site map is trivial to obtain, and I changed the password. Ouch…

This is old news, but such grave mistakes are still present out there. Time to check your own router!
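The flaw described above is a per-page authentication check instead of a deny-by-default one. The following is an added example, not code from the post or from Gigabyte's firmware: it models the router's request handling as two policies, the vulnerable one (only the login page asks for credentials) beside the hardened one (every administrative page is checked before doing any work), and a small audit that requests each page without credentials, which is the same check the post suggests running against your own router. The page names, credentials and status codes are constructed stand-ins.

```python
import base64
import hmac
from typing import Callable, Dict, Mapping, Optional, Tuple

# Constructed demo credentials; stand-ins, not any vendor's defaults.
VALID_USER = "admin"
VALID_PASS = "correct-horse-battery"

# Hypothetical admin page names; real firmware uses its own file names.
ADMIN_PAGES = {"/login.htm", "/status.htm", "/password.htm", "/wan.htm"}

# A handler takes (path, request headers) and returns an HTTP status code.
Handler = Callable[[str, Mapping[str, str]], int]


def parse_basic_credentials(headers: Mapping[str, str]) -> Optional[Tuple[str, str]]:
    """Decode an RFC 2617 'Authorization: Basic <base64(user:pass)>' header.

    Returns None for a missing, malformed or non-Basic header.
    """
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def credentials_ok(creds: Optional[Tuple[str, str]]) -> bool:
    """Constant-time comparison so a mismatch does not leak how far it matched."""
    if creds is None:
        return False
    user, password = creds
    return hmac.compare_digest(user.encode(), VALID_USER.encode()) and hmac.compare_digest(
        password.encode(), VALID_PASS.encode()
    )


def vulnerable_handler(path: str, headers: Mapping[str, str]) -> int:
    """Mirrors the flaw in the post: only the login page asks for credentials."""
    if path not in ADMIN_PAGES:
        return 404
    if path == "/login.htm" and not credentials_ok(parse_basic_credentials(headers)):
        return 401
    return 200  # every other admin page is served to anyone who knows its URL


def hardened_handler(path: str, headers: Mapping[str, str]) -> int:
    """Deny by default: the credential check runs before any admin page is served."""
    if path not in ADMIN_PAGES:
        return 404
    if not credentials_ok(parse_basic_credentials(headers)):
        return 401  # a real server also sends WWW-Authenticate: Basic realm="..."
    return 200


def basic_header(user: str, password: str) -> Dict[str, str]:
    """Build the Authorization header a browser sends after the credential prompt."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def audit(handler: Handler, pages=ADMIN_PAGES) -> Dict[str, int]:
    """Request every admin page with no credentials.

    Anything that does not answer 401 is a finding: that page can be reached
    by entering its URL directly, exactly as described in the post.
    """
    results = {page: handler(page, {}) for page in sorted(pages)}
    return {page: code for page, code in results.items() if code != 401}


if __name__ == "__main__":
    print("vulnerable policy, pages reachable without credentials:", audit(vulnerable_handler))
    print("hardened policy, pages reachable without credentials:", audit(hardened_handler))
```

Against a real device the same audit is a loop of unauthenticated requests over the admin site map, checking that each one comes back 401 rather than 200; the hardened handler shows the server-side fix, which is to perform the check in one place that every administrative request passes through rather than on the login page alone.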

References:
- http://en.wikipedia.org/wiki/Basic_access_authentication
- http://www.ietf.org/rfc/rfc2617.txt
- http://www.securityfocus.com/bid/9740/discuss


7 Responses to “Bypass Basic Authentication in Routers”


  1. log0, September 14, 2008 at 3:13 am

    >>Billy

    It was trivial anyway. But the fun is in finding out the ways to get into it.

  2. Tom Chan, September 15, 2008 at 6:05 am

    Same for my router. Why don’t the manufacturers improve this?
    and… am I safe by just turning off the “remote management” function? (I wonder if there’s other vulnerabilities out there…)

  3. cheapyu, September 15, 2008 at 7:19 am

    Can this trick be applied on routers of different brands?
    say LinkSys, Belkin, Level1, blah blah blah…?

  4. log0, September 15, 2008 at 1:06 pm

    >>Tom Chan

    Vendors like LinkSys have improved a lot. I didn’t do an extensive research on the routers recently, but I am sure there are quite a number still vulnerable to various attacks. I have randomly scanned different hosts in the Wild and can freely modify settings for a number of them.

    Turning off remote management helps, but if you’re targeted to be hacked, intranet hacking is not rare nowadays. If you are tricked into clicking some weird links, you can auto-execute some functions. This is called Cross Site Request Forgery (XSRF).

    >>cheapyu

    If you study more about them, there can be problems lying in routers. I have scanned in various ranges on the internet and found low hanging fruits. Big names such were amongst the earliest exploited routers, but they have improved substantially. I did not study a lot into the new routers already. But certainly, bruteforce the password can also do the job. It is not elegant, but it works.

  5. pakming, October 25, 2008 at 4:14 am

    I have just tested my 2-year-old LinkSys broadband router. At least, authentication is needed for every page (not just the main page).

    Therefore, if you want more security, buy a latest LinkSys router. But I wonder whether hacking in LAN/WAN is so common.

  6. log0, October 25, 2008 at 4:22 am

    Unfortunately, LinkSys were among the most hacked routers back then. This is an older topic already, so it is less readily exploitable nowadays much like ACL vulnerabilities then.

    LAN/WAN hacking is very common, and actually is one of the most profitable business. Money is what it is. It may be uncommon to you, but not to the cartel.

