dslreports logo

The following is extracted from the following paper:


Security Vulnerabilities in SOHO Routers by Craig Heffner and Derek Yap of www.sourcesec.com


It's an interesting read, especially for users for the Actiontec MI424-WR router. To summarize, of 9 types of attacks discussed, it reports the Actiontec as vulnerable to the following attacks:

•DNS Hijacking
quote:
Another host-name related attack vector, again involving DHCP, is domain name hijacking [5]. This attack occurs when a router resolves internal host names to their respective IP addresses; as in the DHCP XSS attack, the internal client's host name is specified inside a DHCPREQUEST packet. This in itself is not a particular concern, but if an attacker can register themselves on the network with a host name of WPAD then they can carry out any number of man-in-the-middle attacks against other clients on the network [6]. WPAD attacks primarily affect Windows users, and Internet Explorer users in particular, as various Windows applications (including IE) will look for a WPAD server by default.

This problem is further complicated on home networks where no domain name is configured. Normally, host names will be registered as sub-domains of the network domain; i.e., if the domain name is "home", then a host named "laptop" will be registered as "laptop.home". However, small networks rarely have a domain name configured, so the host would simply be registered on the LAN as "laptop". Thus, performing a DNS lookup for "laptop"; would return the IP address of the internal client who registered the host name of "laptop". But what if a host claims that its host name is "www.google.com"? Logic would suggest that a router would know better than to resolve requests for www.google.com to an internal IP address, but unfortunately that is exactly what some routers do; this allows an internal attacker to perform a single-packet DNS poison that will persist until the attacker either un-registers his host name, or leaves the network.


•Local UPNP
quote:
UPNP attacks are nothing new [10], but started receiving more attention after GNUCitizen demonstrated that UPNP attacks could be carried out remotely when coupled with flash-based CSRF attacks [11]. Because UPNP is an unauthenticated protocol that, by definition, provides control over a router's configuration, insecure UPNP stacks can result in a plethora of exploitation possibilities, including command execution and re-configuration of DNS settings. While most new routers protect against these attacks, there is another UPNP action that we can use to our advantage.

The previously mentioned session hijacking attacks (and some of the CSRF attacks) require an administrator to already be authenticated with the target router. But waiting around for the average user to log into their router makes these attacks unlikely to succeed. Instead, an attacker can use UPNP to terminate a router's WAN connection, interrupting the user's Internet connection.
Eventually, they are likely to:
1. Reset their router
2. Log into the router to diagnose the problem
3. Call their ISP, who will ask them to log into their router to diagnose the problem.
The WAN connection can be terminated using the UPNP ForceTermination action, which was available in all of the routers that we examined. Using Miranda [14], a UPNP administration utility, we can easily send UPNP commands to a router, forcing it to terminate it's WAN connection.



•CSRF UPNP
quote:
One of the most common uses for UPNP is port forwarding. UPNP allows client applications, such as P2P programs and games, to open ports on the router in order to facilitate necessary communications with other peers or services. While these port forwarding rules are meant to forward traffic from external clients to internal clients, an attacker can make use of these rules to expose the router's administrative interface to the WAN by forwarding traffic to port 80 of the router's IP address. Configuring the router as the attacker's personal proxy is also possible, by telling the router to forward traffic not to an internal IP, but an external IP [12]. While most new routers prevent these types of attacks by checking the specified IP addresses, some, like the ActionTec MI424-WR, still allow users to forward incoming connections on external ports to port 80 of the router itself, effectively enabling remote administration on the device.


It should be noted that the Actiontec was not the only router subject to these vulnerabilities. The paper also looked at the Linksys WRT160N, D-Link DIR-615 and Belkin F5D8233-4v3 routers, which had some of the same vulnerabilities along with other vulnerabilities of which the Actiontec was not susceptible.


Expand got feedback?

by More Fiber See Profile edited by Branch See Profile
last modified: 2016-10-02 15:34:59