Security audit of the SKYWORTH GN542VF router – how to hack the admin panel password without leaving the web browser!

Factory passwords (default passwords) are a big security hole in the Internet of Things (IoT), including routers, surveillance cameras and other network equipment.

If all devices from the same manufacturer share the same password, then effectively everyone knows that password. An attack on a network device can lead to data leakage and to an expansion of the attack surface.

See, for example: Attack on devices in the local network through a vulnerable router

Router manufacturers understand this and take various steps in this regard, for example a unique password for each device which, in one common scheme, coincides with part of the MAC address.

Some devices require a password change when the user first logs in (the owners of such devices suffer not so much from attacks as from being unable to remember the router password years after setting it).

The variant with unique passwords based on part of the MAC address is not a good idea, since an attacker can often see the device's MAC address (unlike the user, who often has little understanding of what is happening at all).

The SKYWORTH GN542VF router takes an interesting approach:

  1. Each router has its own unique password
  2. To prevent users from getting lost, the password is displayed right on the login page, so you definitely won't lose your password, right?
  3. To prevent strangers from seeing the password, it is shown only when connecting to the router from the local network
  4. Even if an attacker somehow found out the password and tries to enter it when connecting from the global network, the router does not accept it and shows an error message

Safe and thoughtful, right?

Let's see this in practice.

In a web browser, I type the router's IP address, 192.168.1.1, and get a login page that shows the password:

I enter username (“admin”) and password

and get into the admin panel of the router:

In the WAN information, you can see that in the ISP's local network the router is assigned the IP address 10.241.59.196, and the default gateway is 10.241.56.1.

It can be assumed that there are other routers in this local network. But for now, let's just open the web interface of our own router at 10.241.59.196 in a web browser.

Even in this case, the password is not displayed – everything is quite safe.

Quick hacking of the SKYWORTH GN542VF router

To make the results more convincing, I will be conducting this small security audit not on my own router, but on one of the random routers that I found in the 10.241.0.0/16 subnet range.

For example, let's try to open the web panel of the router at the IP address 10.241.114.14:

The password is not shown. But let's look at the source code of the page (HTML markup):

Among other things, there is the following piece of JavaScript code:

    if( AccessIP != "N/A" && (LanIP != "N/A" || Ipv6LanIP != "N/A") )
    {
        if((LanIP != AccessIP) && (Ipv6LanIP != AccessIP) ){
            document.getElementById('default_password_tr').style.display="none";
        }
    }

That is, this JavaScript code merely hides the element with the identifier default_password_tr when the visitor's address does not match the LAN address. The password itself is still sent to the browser inside the HTML; it just is not rendered.

Any protections and checks performed on the user's side must obviously be considered unreliable: on their side, the user can manipulate the data in any way, replace the values of JavaScript variables, disable code blocks and modify the JavaScript and HTML at will.

But perhaps this does not carry any danger – let's check it out.

Next, I will perform the actions in the web browser using Chrome Developer Tools (or just DevTools). If you do not know what that is, the following articles are recommended for review:

Press F12 to open developer tools. To get to the “Elements” tab and immediately go to the code fragment of interest, right-click on the page on the element you are interested in and select “Inspect”.

Find the piece of code we are interested in

and replace style="display: none;" with style="display: block;"

And we immediately get a password to enter the administrative panel of the router:

This is already bad.

But perhaps the developers have provided additional protection and I will not be allowed to authenticate, because I am trying to log in from outside the local network.

I enter the username (“admin”) and password and get the following message:

Sorry, remote access not allowed!

That is, remote access is not allowed. But I remembered that I had already seen this phrase in the HTML code of the web page, so let's find the corresponding piece of JavaScript code and study it more carefully:

    if( AccessIP != "N/A" && (LanIP != "N/A" || Ipv6LanIP != "N/A") )
    {
        if((LanIP != AccessIP) && (Ipv6LanIP != AccessIP) && remoteAccess == "1"){
            var str = 'Sorry,  remote access not allowed!';
            document.write(str);
        }
    }

The bottom line is that if the IP address is not local, this message is simply written into the page. And that's it: nothing else is done.

Once again, I will focus on this: according to the logic of the program, a login from a remote IP address should be rejected even if the correct username and password are entered. If this validation and rejection were done on the user's side (in JavaScript), it could be bypassed or disabled. But in this particular case nothing is done at all, apart from printing the message.

I had a theory: if the correct username and password are entered, is it possible that the login to the router's administrative panel is still completed, despite the displayed line about the prohibition of remote login?

To test my theory, in the address bar of a web browser, I shorten the URL from http://10.241.114.14/cgi-bin/index2.asp to http://10.241.114.14

and get into the admin panel!

Yes, the router successfully authenticated the user from the remote IP address and, instead of rejecting their login, simply showed a message to the already logged-in user that remote access was not allowed.

Conclusion

In this very small example, we hacked the administrator password of the SKYWORTH GN542VF router without any specialized software tools, almost with our bare hands. The capabilities of a web browser were enough.

Despite the thoughtfulness of the algorithm, its poor implementation nullifies the router's protection against remote login with the factory password.

Even if the protection had been better developed in the JavaScript code, it could still be bypassed or disabled. Any checks and implementations of security algorithms on the user's side must obviously be considered unreliable (in fact, absent). In this case, checking the IP address, denying remote login and suppressing the display of the default password would have to be done inside the router (at the level of the router's web server or its internal software).
