
Hacking Millions Of Routers By Craig Heffner

After having attended the past couple of DEFCONs, I'm very excited to be speaking at DEFCON 18 this year. In anticipation of my presentation, "How to Hack Millions of Routers", I thought I'd take this opportunity to answer some questions, offer some background information, and give a quick teaser about the talk.

Most people assume that because they don't have remote administration enabled on their router, external attackers cannot access their router's administrative Web interface. However, for many routers this is simply not true: anyone with a registered domain (that is, control of the authoritative DNS for a name, plus a Web page that a user on the LAN can be lured to) can in fact gain full interactive access to the router's internal Web interface in order to exploit vulnerabilities or log in to the device (either via the router's default password or a brute-force attack), at which point they can view settings, change settings and generally do whatever else they want with the router*. Nor is this attack restricted to the main Web interface; it can also be used to gain interactive access to SOAP-based services running on the router, such as Universal Plug-n-Play (UPnP), which requires no authentication at all. While this attack does not work against all routers, out of 30 different routers tested it was successful against more than half of them, including the venerable WRT54G from Linksys, ActionTec routers used by Verizon FiOS and DSL customers, and many others. Given the number and popularity of the affected routers, this translates into many millions of vulnerable routers deployed world wide, not to mention all the other routers that have not yet been tested.

The attack is actually a combination of many things, from browsers and JavaScript to firewalls and TCP/IP stacks, but it ultimately centers around DNS rebinding*. Although DNS rebinding has been publicly discussed for almost 15 years, many people still don't completely understand it. I've gotten several inquiries about the talk, and they generally boil down to two basic questions:

1) What is DNS rebinding?
2) What is so special about the DNS rebinding technique presented in this talk?

To understand DNS rebinding, let's examine why DNS rebinding is needed in the first place: the same-origin policy (often loosely called the same domain policy). The same-origin policy is a security policy enforced by your Web browser. It states that if you browse to http://www.evilhacker.com/, the page from www.evilhacker.com can tell your Web browser to load content from other Web sites (images, JavaScript, CSS, iframes, etc.), but its scripts cannot read the responses from those Web sites nor access the content they return. In other words, JavaScript from www.evilhacker.com can only read content from www.evilhacker.com, because that content comes from the same origin: the same scheme, host name and port. This is a good thing, as you wouldn't want some JavaScript from www.evilhacker.com making unauthorized XmlHttpRequests to Web sites inside your local network or elsewhere and reading what comes back.

The problem with this policy is that computers don't use domain names to communicate with each other; they use IP addresses, while the browser compares origins by host name rather than by address. The idea behind DNS rebinding is:

1) Get the victim to load some JavaScript from www.evilhacker.com.
2) Convince the victim's browser that www.evilhacker.com has moved to a different IP address, say, 192.168.1.1.
3) Evil hacker's JavaScript is free to interact with www.evilhacker.com, which the browser now thinks is located at 192.168.1.1. Every request still names the attacker's own domain, so as far as the browser is concerned it is same-origin and the responses may be read.
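As an added example (not from Heffner's post or his tool), the three steps above played out against a toy browser model in Python, with constructed host names and addresses: an attacker-controlled name server that answers the first query with the attacker's real address and every later query with 192.168.1.1, a browser that either honours the TTL or pins the first address it resolved, and the same-origin check that decides which requests the script may read. It shows why the attacker's script must keep talking to www.evilhacker.com rather than to 192.168.1.1 directly, and why DNS pinning, which the post turns to next, defeats the naive low-TTL version.

```python
"""Toy model of the DNS rebinding sequence.  Constructed names and addresses
only; nothing here touches the network."""
from dataclasses import dataclass, field

ATTACKER_DOMAIN = "www.evilhacker.com"
ATTACKER_PUBLIC_IP = "203.0.113.10"   # constructed (TEST-NET-3 documentation range)
ROUTER_LAN_IP = "192.168.1.1"         # the rebind target used in the post


@dataclass
class RebindingNameServer:
    """Attacker-controlled authoritative server for ATTACKER_DOMAIN.

    First answer: the attacker's real address with a very short TTL, so the
    browser is meant to re-resolve soon.  Every later answer: the victim's
    router address (steps 1 and 2 of the outline above).
    """
    public_ip: str = ATTACKER_PUBLIC_IP
    target_ip: str = ROUTER_LAN_IP
    ttl: int = 1
    queries: int = 0

    def lookup(self, name: str) -> tuple[str, int]:
        if name != ATTACKER_DOMAIN:
            raise LookupError(name)
        self.queries += 1
        ip = self.public_ip if self.queries == 1 else self.target_ip
        return ip, self.ttl


@dataclass
class Browser:
    """Minimal browser: a DNS cache, an optional pin, and the same-origin check."""
    ns: RebindingNameServer
    pin_dns: bool                      # True: keep the first address for the page's lifetime, ignoring TTL
    clock: int = 0                     # simulated seconds
    cache: dict = field(default_factory=dict)

    def resolve(self, name: str) -> str:
        hit = self.cache.get(name)
        if hit is not None:
            ip, expires = hit
            if self.pin_dns or self.clock < expires:
                return ip
        ip, ttl = self.ns.lookup(name)
        self.cache[name] = (ip, self.clock + ttl)
        return ip

    def wait(self, seconds: int) -> None:
        self.clock += seconds

    def xhr(self, script_origin: str, url_host: str, path: str):
        """XMLHttpRequest issued by a page loaded from script_origin.

        Cross-origin: the browser refuses to expose the response (same-origin
        policy), modelled as None.  Same-origin: the host name is resolved
        again and the request goes to whatever address that yields, with the
        Host header still naming the attacker's domain.
        """
        if url_host != script_origin:
            return None
        return {"dst_ip": self.resolve(url_host), "host_header": url_host, "path": path}


def run_attack(pin_dns: bool) -> str:
    """Return the IP address the attacker's script ends up talking to."""
    browser = Browser(RebindingNameServer(), pin_dns)
    browser.resolve(ATTACKER_DOMAIN)           # step 1: victim loads http://www.evilhacker.com/
    browser.wait(5)                            # attacker's JS waits for the 1 s TTL to lapse
    req = browser.xhr(ATTACKER_DOMAIN, ATTACKER_DOMAIN, "/")   # same origin, so permitted
    return req["dst_ip"]                       # step 3: rebound only if the cache entry expired


def cross_origin_blocked() -> bool:
    """A direct request from the attacker's page to 192.168.1.1 is already
    stopped by the same-origin policy, which is why rebinding is needed at all."""
    browser = Browser(RebindingNameServer(), pin_dns=False)
    browser.resolve(ATTACKER_DOMAIN)
    return browser.xhr(ATTACKER_DOMAIN, ROUTER_LAN_IP, "/") is None


if __name__ == "__main__":
    print("no pinning :", run_attack(pin_dns=False))   # 192.168.1.1
    print("DNS pinning:", run_attack(pin_dns=True))    # 203.0.113.10
    print("cross-origin XHR blocked:", cross_origin_blocked())
```

The pinning flag is the whole difference between the two runs: with the TTL honoured, the second resolution hands the script a connection to the router while the Host header still says www.evilhacker.com; with the first address pinned, the script never leaves the attacker's own server.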

The hard part in the above attack is convincing the victim's browser to switch IP addresses. Various methods of achieving this have been presented in the past, so why yet another talk on DNS rebinding attacks? Quite simply, because the common DNS rebinding attacks that have been discussed in the past are either not practical or just no longer work:

o Setting low TTL values in DNS responses doesn't work anymore because of DNS pinning: the browser keeps using the first address it resolved for the lifetime of the page, whatever the TTL says.
o Anti-DNS pinning attacks only work in older browsers (IE6/7, FF2.x), and even then the rebinding attack takes between 15 and 120 seconds to take effect depending on the victim's browser.
o The "multiple A record" technique can no longer be used to rebind to internal (RFC 1918) IP addresses.
o In addition to browsers, third-party plug-ins such as Flash and Java have implemented anti-rebinding measures.
Thanks to several features present in many popular routers and their underlying operating systems*, none of this will deter the attack discussed in this talk, which has been tested against live networks under real-world scenarios (with the appropriate permissions from the network owners, naturally). Common anti-DNS rebinding protections offered by services such as dnsmasq, OpenDNS and NoScript will not prevent this attack, nor will changing the router's internal IP address. The good news is that there are fixes that can be made by both vendors and end users to protect against this attack*. The bad news is that these are fixes that should have been implemented years ago, but instead have been ignored by both vendors and users alike.
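Two defences in Python, added here as illustration rather than taken from the post (which defers its fixes to the talk). The first is the resolver-side rebind filter of the kind dnsmasq, OpenDNS and NoScript apply: answers for an outside name that point at an RFC 1918, loopback or link-local address are dropped, including the mixed public/private response of the "multiple A record" trick. The post states that this class of protection does not stop the technique in the talk, so the filter shows what it does stop. The second is a server-side Host header check for the router's own administrative interface, a well-known countermeasure not spelled out on this page: a rebound request still carries the attacker's domain in its Host header no matter which address it reached the router on, so a web server that only answers to its own address or configured name rejects it. All data is constructed.

```python
"""Resolver-side rebind filtering and server-side Host checking.
Constructed records and headers only."""
import ipaddress

# Ranges an outside name should never legitimately resolve to.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this" network
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 counterparts
)]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def filter_rebind_answers(answers, rebind_ok_domains=()):
    """Resolver-side rebind protection.

    answers: iterable of (name, rtype, rdata) tuples as a stub resolver would
    hand them back.  A/AAAA records carrying an internal address are dropped
    unless the name is, or is under, an explicitly trusted local domain
    (the analogue of dnsmasq's rebind-domain-ok list).  Returns the surviving
    records and the dropped ones separately so a caller can log the latter.
    """
    kept, dropped = [], []
    for name, rtype, rdata in answers:
        trusted = any(name == d or name.endswith("." + d) for d in rebind_ok_domains)
        if rtype in ("A", "AAAA") and not trusted and is_internal(rdata):
            dropped.append((name, rtype, rdata))
        else:
            kept.append((name, rtype, rdata))
    return kept, dropped


def host_header_ok(host_header: str, own_addresses, own_hostnames=()) -> bool:
    """Server-side check for a router's administrative web interface.

    Accept the request only if the Host header names one of the router's own
    addresses or configured host names.  A request rebound from the attacker's
    page arrives with Host: www.evilhacker.com and is refused.
    """
    host = host_header.strip().lower()
    if host.startswith("["):                      # [2001:db8::1]:8080 style IPv6 literal
        host = host[1:host.index("]")]
    elif host.count(":") == 1:                    # name:port or v4-address:port
        host = host.rsplit(":", 1)[0]
    if host in {h.lower() for h in own_hostnames}:
        return True
    try:
        return ipaddress.ip_address(host) in {ipaddress.ip_address(a) for a in own_addresses}
    except ValueError:                            # not an IP literal and not a known name
        return False


# Constructed response modelling the "multiple A record" technique: one public
# and one private address for the same outside name.
MULTI_A_RESPONSE = [
    ("www.evilhacker.com", "A", "203.0.113.10"),
    ("www.evilhacker.com", "A", "192.168.1.1"),
]

if __name__ == "__main__":
    kept, dropped = filter_rebind_answers(MULTI_A_RESPONSE)
    print("kept   :", kept)
    print("dropped:", dropped)
    print("router.lan allowed:", filter_rebind_answers([("router.lan", "A", "192.168.1.1")],
                                                       rebind_ok_domains=("lan",)))
    print("rebound request accepted:", host_header_ok("www.evilhacker.com", ["192.168.1.1"]))
    print("own address accepted    :", host_header_ok("192.168.1.1:8080", ["192.168.1.1"]))
```

The filter alone is only as good as the address list: a rebind to the router's public (WAN) address, or to any address outside those ranges, passes straight through, which is why the server-side check matters independently of what the resolver does.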

Of course, what is a talk without a tool release? I will be demoing and releasing a tool that automates the entire attack and extends the target router's internal Web interface out to an external Web site where the attacker can access and browse the router's Web pages in real time, just as if he were sitting on the LAN himself. All the attacker needs is a user inside the target network to browse to the attacker's Web site. It's point-and-click hacking goodness that's fun for the whole family!

* To be discussed in more detail at the talk!
Source: DEF CON

  1. Thanks a lot for this post, that was very interesting. Keep posting amazing posts like those, this is really awesome :)
    Looking for Linksys Support, visit on:
    Linksys Router Technical Support