Hacking JavaScript residing on router --- Question

From: dtf (dtf@on.aibn.com)
Date: 01/31/02


From: "dtf" <dtf@on.aibn.com>
Date: Wed, 30 Jan 2002 16:33:41 -0800

Hi,

I downloaded a 225K byte binary file from a router manufacturer. This .BIN
file is the latest firmware version for a home cable/DSL router I'm using.
The router allows up to four PCs on a home LAN to share one WAN port to the
Internet; it also has a printer port on it that the PCs on the LAN can all
share --- it can also be used as a firewall. The router can be upgraded by
accessing its internal web page from any of the LAN side PCs' browsers and
hitting the "upgrade" button. At that point, the PC sends this binary file
into the router.

I took a look at the contents of this file using IDA Pro disassembler, and
saw that about half the 225K bytes are ASCII coded JavaScript, the rest is
assembly language for the 80186 embedded processor (some GIF files are also
there).

I am analysing this box for weaknesses. The manufacturer says that the
JavaScript is used "only" for the user interface to configure various
things --- like the firewall. But could this JavaScript be hacked? By that
I mean, can the file's JavaScript section be modified prior to loading
it into the router to bypass the security features? I think a hacker would
find it easier to attack that part (JavaScript) than figuring out the
flow of, and then altering, the assembler code present. But I know nothing
about JavaScript so I'm not sure. Is this possible?

I would appreciate any advice.

Thanks,
---dtf