

JohnInSJ
Premium
join:2003-09-22
San Jose, CA
Reviews:
·PHONE POWER
·Comcast

reply to Stem Bolt

Re: Open-source firmware flaw exposes wireless routers - DD-WRT

Is it me, or would the attacker need to know the ip address of the router and use that in their CSRF attack?

So, er, you could guess that it would be 10.x.x.x, but that's a lot of potentials to slog through, isn't it?

I know I'm weird, but my router (which isn't a DD-WRT) isn't running on something silly like 10.0.0.1.

These posts are like the daily "elevated threat level orange" message from DHS. Yes, the first three or four hundred times you got my attention, but I'm not buying the "OMG and THE WHOLE WORLD IS pwn3d" punchline these days.

Or did I misunderstand the "attack vector"?
--
My place : »www.schettino.us


therube

join:2004-11-11
Randallstown, MD

quote:
would the attacker need to know the ip address of the router and use that in their CSRF attack?

They don't need to know your IP (ahead of time).

You simply need to access a malicious site that exposes the exploit. So you visit the site. At that point they know your IP. With that, they simply try. If it works, they're successful. If it doesn't work, they simply ignore & wait for the next fish.


JohnInSJ
Premium
join:2003-09-22
San Jose, CA
Reviews:
·PHONE POWER
·Comcast

They know YOUR NATed IP. The router IP isn't your IP. Ever.

So they have a 1 in 254 chance of guessing right? As pointed out above that's assuming you've visited HaxRUs.ru with scripting enabled, as well.

I think this is one of those "ohhh sounds scary on paper" exploits.
--
My place : »www.schettino.us



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
Reviews:
·Shaw

said by JohnInSJ:

They know YOUR NATed IP. The router IP isn't your IP. Ever.

So they have a 1 in 254 chance of guessing right? As pointed out above that's assuming you've visited HaxRUs.ru with scripting enabled, as well.

I think this is one of those "ohhh sounds scary on paper" exploits.

What percentage of networks defended by a DD-WRT router have the router IP as 192.168.1.1 (most)? Tag on something like checking 10.0.0.1 if the initial attempt failed and I think you would have a huge percentage of networks owned.

Now if you downloaded/ran an app (might tip off the user that something bad was happening) that checked for the gateway address and hence likely the router IP. So there are ways to increase the number of 'routers' owned, but I'm betting the extra payoff wouldn't be worth the extra effort/risk in the hacker's mind, so they have likely hardcoded the most frequent addresses used.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool


JohnInSJ
Premium
join:2003-09-22
San Jose, CA
Reviews:
·PHONE POWER
·Comcast

said by Link Logger:

What percentage of networks defended by a DD-WRT router have the router IP as 192.168.1.1 (most)? Tag on something like checking 10.0.0.1 if the initial attempt failed and I think you would have a huge percentage of networks owned.

So, your assumption is that most DD-WRT users are just about clueless?

Disabling web admin seems a reasonable 100% successful solution if you can't be arsed to put your router on any unexpected subnet (the other 100% magic solution).
--
My place : »www.schettino.us
