router firmwarecode
looking at router firmware
issue 1: there's an unauthenticated api that sends you the wifi passwords
issue 2: it's remotely accessible
issue 3: but don't worry because it's censored client-side, but the server sends you the full password so
issue 4: the code that censors the password looks like this https://computerfairi.es/media/bNX09DZuQrxc6dynZTY
router firmwarecode
OH MY GOD THERE'S AN UNAUTHENTICATED API TO SET THE *ADMIN PASSWORD*
I SENT A REQUEST TO IT TO SEE HOW IT WOULD BOUNCE BECAUSE I THOUGHT "oh hey they wouldn't do that i wonder how it errors" BUT NO
$.post("BelkinAPI/DBPasswordSet", {"RequestID":6969,'PassWd':"im gay"}, console.log, "json")
THIS JUST SETS THE PASSWORD
router firmwarecode
Is there an API method to turn on remote management, too?
Because if so, you might want to get in touch with people who can make sure critical level cert advisories get published...
router firmwarecode
@ghedipunk well, not if you're outside the network, because you'd have to be able to access it to do it
router firmwarecode
@ghedipunk well, i don't know if it has anti-csrf, but...