
Authentication bypass in routers

By Jake Edge
March 5, 2008

An authentication bypass vulnerability is one of the more dangerous problems that a web application can have. It allows the attacker to perform some action that the application designer saw fit to restrict to authenticated users without providing said authentication. Using these techniques, an attacker can control a targeted web application from afar without even wasting time cracking bad passwords—a dream scenario for such people.

If an authentication bypass is found in the latest social networking site, the flaw could cause embarrassment, but if that bypass is in your home router, much worse things could result. A series of articles over at GNUCITIZEN highlights quite a variety of authentication bypass flaws in various embedded devices including routers. The flaws come from their research and recent router hacking challenge, which challenged readers to find holes in their routers. (There is no table of contents for the series, so here are links to the four installments: 1, 2, 3, and 4).

Most authentication bypass flaws are caused by a conceptual mistake made by web programmers: believing that the "normal" way of accessing the site is the only way to access it. This manifests itself as applications that check for particular URLs to see if they require credentials without considering the possibility of aliasing. For example, web servers will generally ignore double-slashes in a URL, but if the application checks for /privileged/page and gets /privileged//page it may very well fall prey to an authentication bypass. Other similar schemes can be used to make the URL look different, but arrive at the same place.

A far uglier possibility is applications that believe you can only get to a particular URL via a page that enforces authentication. This is a belief in "security through obscurity"; that attackers won't be able to guess the URLs for the pages "behind" the authentication screen. This is almost comical in that there are many ways to find out what those URLs are, not least by buying the device and accessing them yourself. Pages that require authentication need to check that the credentials have been provided whenever the page is accessed—without regard for what URL got them there.

Some applications do all of the checking correctly on the pages that show various settings in a form allowing them to be changed, but the action of the form submits it to a different program. Inexplicably, sometimes that program does not check for credentials. Perhaps the programmer believes that web forms can only be submitted from the page that they have created, but it is trivially easy to generate an HTTP POST with the appropriate parameters. It certainly does no good to protect the current value of settings from non-authenticated users if they can easily change them to any values they want.

In terms of web security, authentication bypass is usually quite easy to avoid: it is a matter of ensuring valid credentials anywhere they are required. Before performing any action that requires a logged-in user, check the cookie (or other persistent authentication mechanism) for validity, and only then perform the action requested. For people using routers at home, perhaps the best advice is to make sure the administrative interface is not internet facing. So far, routers have a pretty bad track record of getting this right, as the hacking challenge and other research have shown.
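As an added illustration (not code from the article or from any router firmware), here is the URL-matching mistake from the preceding paragraphs beside a hardened dispatcher in Python; the session store, the /privileged prefix and the /apply.cgi form-action target are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed for the example: one live admin session and the paths the device protects.
SESSIONS = {"s3cr3t-session-id": "admin"}
PROTECTED_PREFIX = "/privileged"
STATE_CHANGING = {"/apply.cgi"}   # hypothetical form-action target


def request_is_authenticated(headers):
    """Validate the session cookie on every request; which page sent the user is irrelevant."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and value in SESSIONS:
            return True
    return False


def weak_dispatch(method, url, headers):
    """The pattern the article describes: credentials are checked only when the raw
    request path equals the privileged page, and the form's action target is never checked."""
    path = url.partition("?")[0]
    if path == "/privileged/page" and not request_is_authenticated(headers):
        return 401
    return 200   # "/privileged//page" and POST /apply.cgi both sail through


def canonical_path(url):
    """Decode percent-escapes, then collapse duplicate slashes and dot segments,
    so every alias of a resource compares equal to its protected form."""
    path = unquote(url.partition("?")[0])
    # normpath keeps exactly two leading slashes (POSIX rule), so rebuild the prefix ourselves
    return "/" + posixpath.normpath(path).lstrip("/")


def hardened_dispatch(method, url, headers):
    """Canonicalize first, then require a valid session for anything under the protected
    prefix and for any state-changing target, regardless of method or referring page."""
    path = canonical_path(url)
    protected = (path == PROTECTED_PREFIX
                 or path.startswith(PROTECTED_PREFIX + "/")
                 or path in STATE_CHANGING)
    if protected and not request_is_authenticated(headers):
        return 401
    return 200
```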



openwrt

Posted Mar 6, 2008 9:04 UTC (Thu) by ssam (subscriber, #46587)

Is openwrt (or a similar project) any more secure?

openwrt

Posted Mar 6, 2008 22:47 UTC (Thu) by tetromino (subscriber, #33846)

Yes, by virtue of not including any kind of web interface :)

openwrt

Posted Mar 7, 2008 0:59 UTC (Fri) by afalko (subscriber, #37028)

Correct me if I am wrong, but openwrt does come with an interface --- at least when I tried it two years ago. The difference I guess is that openwrt authenticates via apache (also correct me if I am wrong; my memory from two years ago is probably butchered up by now) or you can make it authenticate via apache :).

openwrt

Posted Mar 7, 2008 1:29 UTC (Fri) by tetromino (subscriber, #33846)

Openwrt never used apache. The historical "White Russian" versions of openwrt (all those released before spring 2007) included a web interface that was implemented in shell script. Frankly, I would be surprised if the thing had no security issues.

However, modern "Kamikaze" releases of openwrt have no web interface at all; you configure them by ssh'ing in and editing config files, just like on a normal Linux server.

openwrt

Posted Mar 7, 2008 13:48 UTC (Fri) by jengelh (subscriber, #33263)

There is X-Wrt/webif² built on top of OpenWRT/Kamikaze — and it uses HTTP Authentication with cookies. All good.

Authentication bypass in routers

Posted Mar 6, 2008 10:07 UTC (Thu) by scarabaeus (subscriber, #7142)

In terms of web security, authentication bypass is usually quite easy to avoid, it is a matter of ensuring valid credentials anywhere they are required. Before performing any action that requires a logged-in user, check the cookie (or other persistent authentication mechanism) for validity to perform the action requested.
Unfortunately, it isn't so easy: Using CSRF, the attacker can exploit the fact that a user may already be logged into his router. If the programmer of the web app is unaware of this type of attack, he is bound to get it wrong, because usually some extra implementation details are necessary to defeat it.
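To show the extra implementation detail this comment refers to, here is an added example (not from the article, the commenter or any router project) of a settings-apply handler in Python that requires a CSRF token bound to the session; the server secret, session store and dns_server field are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed state for the example: one per-boot secret and one live admin session.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {"s3cr3t-session-id": "admin"}


def issue_csrf_token(session_id):
    """Bind the token to the session with an HMAC, so the device needs no per-session
    token storage; the settings page embeds this value in a hidden form field."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id, token):
    # Constant-time compare; an absent or wrong token fails closed.
    return bool(token) and hmac.compare_digest(issue_csrf_token(session_id), token)


def apply_settings(session_id, form, settings):
    """Form-action handler. A page on another site can make the victim's browser send
    the session cookie, but it cannot read the settings page to learn the token, so
    the token check stops CSRF while the session check stops unauthenticated callers.
    Returns (status, settings) and never mutates the caller's settings dict."""
    if session_id not in SESSIONS:
        return 401, settings
    if not csrf_token_valid(session_id, form.get("csrf_token", "")):
        return 403, settings
    updated = dict(settings)
    updated["dns_server"] = form["dns_server"]   # hypothetical setting name
    return 200, updated
```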

Authentication bypass in routers

Posted Mar 6, 2008 19:20 UTC (Thu) by martinfick (subscriber, #4455)

For people using routers at home, perhaps the best advice is to make sure its administrative interface is not internet facing.

Actually, even this has a pretty bad track record of working since it is trivial to design a web page that accesses internal routers by simply guessing what their IP is (could it perhaps be 192.168.1.1?) Some routers allow access with the external IP from the inside, no guessing required here.

There have been many papers written about this, from the simplest attacks, an html IMG tag with a src URL that includes default passwords for common routers (some routers don't even require POST, GET is enough to access them!), to javascript POST attacks, to advanced java attacks which actually figure out the IP. The simple GET attacks even work with simpler "safer" browsers like links!

It really is scary how easy it is to access many of the really poorly designed mass produced home broadband routers! Change the DNS settings and: voila, almost all non-secured (ssh/ssl) connections are owned! It is very easy for an internal facing site to be accessed from the outside,

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds