[ISN] Security researcher: Web page can take over your router

From: InfoSec News (alerts@private)
Date: Wed Apr 09 2008 - 01:10:18 PDT


http://www.networkworld.com/news/2008/040708-rsa-researcher-web-page-can.html

By Robert McMillan
IDG News Service 
04/07/2008

On Tuesday at the RSA Conference, researcher Dan Kaminsky will show how 
a Web-based attack could be used to seize control of certain routers.

Kaminsky has spent the past year studying how design flaws in the way 
that browsers work with the Internet's Domain Name System (DNS) can be 
abused in order to get attackers behind the firewall. But at the RSA 
Conference in San Francisco, he will demonstrate how this attack would 
work on widely used routers, including those made by Cisco's Linksys 
division and D-Link.

The technique, called a DNS rebinding attack, would work on virtually 
any device, including printers, that uses a default password and a 
Web-based administration interface, said Kaminsky, who is director of 
penetration testing with IOActive.

Here's how it would work. The victim would visit a malicious Web page 
that would use JavaScript code to trick the browser into making changes 
on the Web-based router configuration page. The JavaScript could tell 
the router to let the bad guys remotely administer the device, or it 
could force the router to download new firmware, again putting the 
router under the hacker's control.

Either way, the attacker would be able to control his victim's Internet 
communications.

The technical details of a DNS rebinding attack are complex, but 
essentially the attacker is taking advantage of the way the browser uses 
the DNS system to decide what parts of the network it can reach.

Although security researchers had known that this type of hack was 
theoretically possible, Kaminsky's demo will show that it can work in 
the real world, said David Ulevitch, CEO of DNS service provider 
OpenDNS. "I'm always a fan of when something that's theoretical gets 
made real, because it makes people act," he said.

On Tuesday, OpenDNS will offer users of its free service a way to 
prevent this type of attack, and the company will also set up a Web site 
that will use Kaminsky's techniques to give users a way to change the 
passwords of vulnerable routers.

The attack "underscores the need for people to be able to have more 
intelligence on the DNS," Ulevitch said.
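
As an added illustration (not part of the original article, and not a description of the OpenDNS service): one widely used resolver-side defense against DNS rebinding is to refuse answers that map a public hostname to a private, loopback or link-local address. The function names, the local-zone allowlist and the sample responses below are constructed assumptions.

```python
import ipaddress

# Hypothetical allowlist: zones that are expected to resolve to internal hosts.
LOCAL_ZONES = ("lan", "home.arpa", "localhost")

def is_internal(addr: str) -> bool:
    """True if addr points inside the local network rather than the Internet."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it cannot bypass the check.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)

def in_local_zone(name: str) -> bool:
    """True if the queried name belongs to an allowlisted internal zone."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in LOCAL_ZONES)

def filter_answers(name, addresses):
    """Return (allowed, blocked) address lists for one DNS response."""
    if in_local_zone(name):
        return list(addresses), []
    allowed = [a for a in addresses if not is_internal(a)]
    blocked = [a for a in addresses if is_internal(a)]
    return allowed, blocked

# Constructed sample responses (names and addresses are illustrative only).
SAMPLES = [
    ("www.example.com", ["93.184.216.34"]),
    ("rebind.example.net", ["93.184.216.34", "192.168.1.1"]),
    ("router.lan", ["192.168.1.1"]),
    ("v6.example.net", ["::ffff:10.0.0.1"]),
]

if __name__ == "__main__":
    for name, addrs in SAMPLES:
        allowed, blocked = filter_answers(name, addrs)
        print(f"{name}: allow={allowed} block={blocked}")
```

A blocked entry for a non-local name is also worth logging, since a public hostname answering with an internal address is rarely legitimate.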

Although this particular attack takes advantage of the fact that routers 
often use default passwords that can be easily guessed by the hacker, 
there is no bug in the routers themselves, Kaminsky said. Rather, the 
issue is a "core browser bug," he said.

Router makers have known for some time how their default passwords can 
be misused by attackers. Three months ago, hackers showed how a similar 
attack could be launched, exploiting a flaw in the way Universal 
Plug-and-Play works on PCs.

Cisco tries hard to discourage Linksys customers from using routers with 
default passwords, said Trevor Bratton, a company spokesman. "One of the 
first things that our setup software does is change that default name," 
he said. "So anyone who does as we ask with the initial setup will be 
prompted to change that."

The problem is that home users rarely follow this advice, Kaminsky said. 
"The vast majority of home users have a device with a default password," 
he said.

All contents copyright 1995-2008 Network World, Inc

