router firmwarecode 

looking at router firmware
issue 1: there's an unauthenticated api that sends you the wifi passwords
issue 2: it's remotely accessible
issue 3: but don't worry because it's censored client-side, but the server sends you the full password so
issue 4: the code that censors the password looks like this computerfairi.es/media/bNX09DZ

OH MY GOD THERE'S AN UNAUTHENTICATED API TO SET THE *ADMIN PASSWORD*
I SENT A REQUEST TO IT TO SEE HOW IT WOULD BOUNCE BECAUSE I THOUGHT "oh hey they wouldn't do that i wonder how it errors" BUT NO

$.post("BelkinAPI/DBPasswordSet", {"RequestID":6969,'PassWd':"im gay"}, console.log, "json")

THIS JUST SETS THE PASSWORD

@boots and this is why our router runs HardenedBSD here...

@boots in all seriousness, we're pretty hard on stuff like this in firmware because @rachel and the rest of us have been working on our own platform for this kind of stuff... that actually takes security into consideration.

hope we have the spoons to work on it more soon !

@boots every time I worry about if I am qualified to make the stuff I make I think about things like this

@boots I don't know what to say to that.

Well fuck?

@boots

Is there an API method to turn on remote management, too?

Because if so, you might want to get in touch with people who can make sure critical level cert advisories get published...

@ghedipunk well, not if you're outside the network, because you'd have to be able to access it to do it

@boots

*I* don't have to be inside of your network to get your browser to execute arbitrary Javascript to send POST requests to your router.

I don't even have to get you to visit my site; I just put the code in an ad, and let the ad networks pwn the Belkin owners for me.

@ghedipunk well, i don't know if it has anti-csrf, but...
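
The gaps raised in this thread (no authentication on the password endpoints, masking done only in the browser, and the open anti-CSRF question), shown from the server side as an added example; it is not code from the thread or from the router's firmware. The session store, origin, header name and function names are all assumptions.

```javascript
// Added example, hypothetical names throughout: server-side gate for a router admin API.

// Constructed sample state: one logged-in admin session and its anti-CSRF token.
const sessions = new Map([["sess-abc", { user: "admin", csrf: "tok-123" }]]);
const ROUTER_ORIGIN = "http://router.example"; // assumed origin of the admin UI

// Compare two strings without returning early on the first differing character.
function safeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Decide whether a request may reach its handler; returns an HTTP status code.
function authorize(req, { stateChanging }) {
  const session = sessions.get(req.cookies.sid);
  if (!session) return 401; // no anonymous reads or writes of any setting
  if (stateChanging) {
    if (req.method !== "POST") return 405;
    // A page on another site carries its own Origin, so a cross-site POST stops here.
    if (req.headers.origin !== ROUTER_ORIGIN) return 403;
    // Second layer: a per-session token that another site cannot read.
    const token = String(req.headers["x-csrf-token"] ?? "");
    if (!safeEqual(token, session.csrf)) return 403;
  }
  return 200;
}

// Mask on the device: the response never contains the passphrase,
// so there is nothing for client-side code to "censor".
function wifiSettingsResponse(config) {
  return { ssid: config.ssid, passphraseSet: config.passphrase.length > 0 };
}
```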

@boots Do you have to be inside the network for this to work, though?

@boots What port is it over? That should be closed to the outside by default, right.

@mdm it is, 8080
remote management is not on by default, but the router settings imply it's fine if you have an admin password set

@boots Ah -- I knew I hated remote management for a reason. :P

@mdm honestly, oem router firmware is just
always bad
like, i don't know any oem firmware that isn't the worst

@boots what's with all the .parent() calls, it's like I'm looking at java code

Computer Fairies