PosterDude

@rr.com

Inherent Flaw In Efficacy Of Attack Vector

In order for this sort of "attack" to work, the JavaScript must know the gateway's ("router's") specific configuration URLs.

For example, my D-Link DI-624 version C3 with firmware version 2.75 Build 2 has the following URL for configuring the DNS servers manually:

192.168.0.1/h_wan_dhcp.html

Notice that the JavaScript would need to be able to adjust to different IP addresses for the local gateway IP address (not that difficult), for the different configuration page name (difficult), and for the specific format of sending configuration data via URL (extremely difficult).

And obviously, that posted configuration URL doesn't show the format that the URL has to be in to send new configuration data on that page.

And that's just for one version of firmware, on one specific model of gateway, from one specific vendor.

Indeed, I've noticed that the URL (page name) for specific configuration pages has CHANGED from one firmware version to another, just with this model.

So, obviously, "one size fits all" URL/page name code in the JavaScript is impossible. That means the code would have to be written in such a way as to be able to detect different vendors/models/firmware versions of the gateways, and be PRECODED with the specific URLs for EACH FIRMWARE VERSION OF EACH MODEL OF EACH VENDOR.

Clearly, no small task, at all.

In fact, a company (Pure Networks) attempted just such a feat a few years ago with a product named "Port Magic" that was designed to configure your gateway for port forwarding. It attempted to do so by just the same means as this supposed JavaScript does. Needless to say, they have long since discontinued the product, and no longer support it (I'm sure the insurmountable task of keeping a database of all the different vendors/models/firmware versions of different gateways and their different configuration URLs had nothing to do with it).

From the PDF:
"(5) The script attempts to change the discovered router’s settings."

"Attempts" is the right word there. It's just not going to happen, what with the different page names/URLs/data formats that all the different firmware versions and models of gateway have.

Regardless, susceptibility to this method of attack is very low (I'd say probably less than 1%) even without a password or with a default password, contrary to the silly 50% claimed.
over 10 years online! © 1999-2009 dslreports.com.