| Millions of home routers vulnerable...um ok.... »blogs.forbes.com/firewall/2010/0···eb-hack/
I read the chart and saw the Actiontec models listed. My firmware is newer than listed, but I noted that the default "backup" firmware in the FiOS router settings is the same version listed in the vulnerable chart as "yes".
Doesn't Verizon push new firmware updates to the units, so this is moot? But seriously, is this FUD or what?
(Off topic - I noticed last week that I've had a really long uptime on my router. But I was also getting dropped connections while gaming. I rebooted the router...no more drops...odd...so I turned logging on to see if something was up.) -- Splat
More Fiber Premium,MVM join:2005-09-26 West Chester, PA kudos:18 | Old news. The following FAQ in the »Verizon Fiber Optics forum is based on a paper by Craig Heffner from Nov. 2008. »Verizon Online FiOS FAQ »Actiontec Security considerations
Since this is FiOS specific, it might be better to discuss this in the »Verizon Fiber Optics forum. Use the "hey mod" link if you want your post moved. -- There are 10 kinds of people in the world; those who understand binary and those who don't.
| Is this the vulnerability in question?
said by Verizon Online FiOS FAQ:
DNS Hijacking
quote: Another host-name related attack vector, again involving DHCP, is domain name hijacking [5]. This attack occurs when a router resolves internal host names to their respective IP addresses; as in the DHCP XSS attack, the internal client's host name is specified inside a DHCPREQUEST packet. This in itself is not a particular concern, but if an attacker can register themselves on the network with a host name of WPAD then they can carry out any number of man-in-the-middle attacks against other clients on the network [6]. WPAD attacks primarily affect Windows users, and Internet Explorer users in particular, as various Windows applications (including IE) will look for a WPAD server by default.
This problem is further complicated on home networks where no domain name is configured. Normally, host names will be registered as sub-domains of the network domain; i.e., if the domain name is "home", then a host named "laptop" will be registered as "laptop.home". However, small networks rarely have a domain name configured, so the host would simply be registered on the LAN as "laptop". Thus, performing a DNS lookup for "laptop" would return the IP address of the internal client who registered the host name of "laptop". But what if a host claims that its host name is "www.google.com"? Logic would suggest that a router would know better than to resolve requests for www.google.com to an internal IP address, but unfortunately that is exactly what some routers do; this allows an internal attacker to perform a single-packet DNS poison that will persist until the attacker either un-registers his host name, or leaves the network.
So what's the attack vector? Can it be done through a browser? Do router credentials need to be compromised for the exploit to work?
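The WPAD and "www.google.com" cases in the quoted FAQ text both come down to what a router accepts as a client host name before it turns a DHCPREQUEST into a local DNS record. The Python below is an added example of the admission check a router could apply (it is not code from the FAQ, from Heffner's paper or from any router firmware): single labels only, RFC 1123 label syntax, a block list of names clients treat specially, first registration wins, and a local lookup that only ever answers for names under the LAN domain. The block list, the `home` domain and the sample DHCP registrations are constructed for this example.

```python
"""
Host-name admission check for a router's DHCP-to-DNS registration.
Added example: not code from the FAQ, the Heffner paper or any router
firmware. Block list, local domain and sample requests are constructed.
"""
import ipaddress
import re

# RFC 1123 label: letters, digits and hyphens, 1-63 chars, no edge hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Names that clients treat specially; a LAN peer must not be able to claim
# them through a DHCPREQUEST (assumed list, extend for your environment).
RESERVED_LABELS = {"wpad", "isatap", "localhost", "router", "gateway"}


def accept_dhcp_hostname(hostname, local_domain="home"):
    """Return (True, normalized_label) if the name may be registered,
    otherwise (False, reason)."""
    name = hostname.strip().rstrip(".").lower()
    if not name:
        return False, "empty host name"
    # Only a single label is accepted; the router qualifies it with the LAN
    # domain itself, so "www.google.com" can never become a local record.
    if "." in name:
        return False, "dotted name not allowed"
    if not LABEL_RE.match(name):
        return False, "not a valid RFC 1123 label"
    if name in RESERVED_LABELS or name == local_domain.lower():
        return False, f"reserved name {name!r}"
    return True, name


def build_local_records(registrations, local_domain="home"):
    """Map (hostname, ip) pairs seen in DHCPREQUESTs to {fqdn: ip}.
    Returns (records, rejected); rejected holds (hostname, ip, reason)."""
    records, rejected = {}, []
    for hostname, ip in registrations:
        ok, detail = accept_dhcp_hostname(hostname, local_domain)
        if not ok:
            rejected.append((hostname, ip, detail))
            continue
        # Local records describe LAN clients, so the address must be private.
        if not ipaddress.ip_address(ip).is_private:
            rejected.append((hostname, ip, "address is not private"))
            continue
        fqdn = f"{detail}.{local_domain.lower()}"
        # First registration wins; a later claim on the same name is refused
        # so one client cannot take over a name another client already holds.
        if fqdn in records and records[fqdn] != ip:
            rejected.append((hostname, ip, f"{fqdn} already registered"))
            continue
        records[fqdn] = ip
    return records, rejected


def resolve_local(records, qname, local_domain="home"):
    """Answer only for names under the LAN domain. A bare label is qualified
    first; anything else (a public name, say) returns None so the resolver
    forwards it upstream instead of answering from the LAN table."""
    q = qname.strip().rstrip(".").lower()
    if "." not in q:
        q = f"{q}.{local_domain.lower()}"
    if not q.endswith("." + local_domain.lower()):
        return None
    return records.get(q)


# Constructed DHCPREQUEST host names and the leases they arrived on.
SAMPLE_REQUESTS = [
    ("laptop", "192.168.1.10"),
    ("WPAD", "192.168.1.66"),            # proxy auto-config name, refused
    ("www.google.com", "192.168.1.67"),  # public name, refused
    ("laptop", "192.168.1.99"),          # takeover of an existing name, refused
    ("printer-1", "192.168.1.20"),
]

if __name__ == "__main__":
    table, refused = build_local_records(SAMPLE_REQUESTS)
    for fqdn, ip in table.items():
        print(f"serve  {fqdn} -> {ip}")
    for hostname, ip, why in refused:
        print(f"refuse {hostname!r} from {ip}: {why}")
    print("laptop         ->", resolve_local(table, "laptop"))
    print("www.google.com ->", resolve_local(table, "www.google.com"))
```

The two rules that matter most are the dotted-name rejection (the router, not the client, decides the suffix) and the reserved list; a router that lacks either will hand out whatever a DHCP client asks for, which is exactly the behaviour the FAQ describes.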
antdude A Ninja Ant Premium,VIP join:2001-03-25 kudos:2 | reply to cableties Ugh, my Linksys WRT54GL is in the list. I use its latest firmware too. I hope Linksys releases a fix soon.
More Fiber Premium,MVM join:2005-09-26 West Chester, PA kudos:18 | reply to mistigi
said by mistigi: So what's the attack vector? Can it be done through a browser?
Heffner hasn't presented his paper at the Black Hat conference yet. From what is in the Forbes article, the attack vector is DNS rebinding:
quote: The attacker registers a domain and delegates it to a DNS server he controls. The server is configured to respond with a very short TTL record, preventing the response from being cached.
The first response contains the IP address of the server hosting the malicious code. Subsequent responses contain the attacker's target, typically spoofed private network IP addresses (RFC1918) behind a firewall.
Because both records are valid DNS responses, they authorize the sandboxed script to access hosts inside the private network. By returning multiple short-lived IP addresses, the DNS spoofing enables the script to scan the local network, or to perform other malicious activities.
Yes, it requires compromising the router credentials, which is trivial on many routers where the factory default is "admin/password". At least with the Actiontec, the user is forced to change the password the first time someone logs on to the router, which is usually done by the install tech. Of course, if you do a factory reset of the router and don't log on, the default is still "admin/password". -- There are 10 kinds of people in the world; those who understand binary and those who don't.
KoRnGtL15 Premium join:2007-01-04 Grants Pass, OR 1 edit | reply to antdude You could easily flash to 3rd party Tomato or DD-WRT. Then use the dnsmasq command stop-dns-rebind. Problem solved. That router is rock solid using either of those two firmwares.
said by antdude: Ugh, my Linksys WRT54GL is in the list. I use its latest firmware too. I hope Linksys releases a fix soon.
Mele20 Premium join:2001-06-05 Hilo, HI kudos:4 | reply to cableties My router is vulnerable. It is an old Linksys...BEFSR41 version 3. Ver 4 is on the list so I'm sure version 3 is also vulnerable. -- When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson
Grail Knight Who Dares Wins Premium join:2003-05-31 Valhalla kudos:5 | reply to cableties Thanks for the info. I see my Linksys Wireless Model is not listed as being vulnerable. -- "Those that can move on prosper well; those stuck in the past inevitably will fail."
neftv join:2000-10-01 Broomall, PA | reply to cableties It shows my router Asus WL-520gU too. But I am using Tomato Firmware on it. Does that make any difference?
neftv join:2000-10-01 Broomall, PA 1 edit | Actually, on my router I have it set so that it passes the DNS IP right to my PCs. In other words, my PCs have the public IP address of the DNS; it's not my router IP address. I hope that is a good way to do this. Comments?
antdude A Ninja Ant Premium,VIP join:2001-03-25 kudos:2 | reply to KoRnGtL15
said by KoRnGtL15: You could easily flash to 3rd party Tomato or DD-WRT. Then use the dnsmasq command stop-dns-rebind. Problem solved. That router is rock solid using either of those two firmwares.
said by antdude: Ugh, my Linksys WRT54GL is in the list. I use its latest firmware too. I hope Linksys releases a fix soon.
Question: What does this dnsmasq command do? Will I ever need it? I do use OpenDNS. I don't do anything special with DNS. I do use hosts files on local computers. -- Ant @ »antfarm.ma.cx and »aqfl.net. Please do not IM/e-mail me for technical support. Use the forum! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer
| reply to cableties My router made the do not hack list.
KoRnGtL15 Premium join:2007-01-04 Grants Pass, OR 1 edit | reply to antdude
This page describes it easily.
»www.thekelleys.org.uk/dnsmasq/do···man.html
Here is what mine looks like.
said by antdude: said by KoRnGtL15: You could easily flash to 3rd party Tomato or DD-WRT. Then use the dnsmasq command stop-dns-rebind. Problem solved. That router is rock solid using either of those two firmwares. said by antdude: Ugh, my Linksys WRT54GL is in the list. I use its latest firmware too. I hope Linksys releases a fix soon. Question: What does this dnsmasq command do? Will I ever need it? I do use OpenDNS. I don't do anything special with DNS. I do use hosts files on local computers.
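Since the question in this exchange is what stop-dns-rebind actually does: it makes the resolver reject answers from upstream servers that point into private address ranges, which breaks the second step of the rebinding sequence More Fiber quoted from the Forbes article earlier in the thread (first answer the attacker's public host, later answers an RFC 1918 address, all with a tiny TTL so nothing is cached). The Python below is an added example that models that filter; it is neither dnsmasq's code nor KoRnGtL15's configuration. The blocked ranges, the `rebind_domain_ok` and `rebind_localhost_ok` knobs (named after the dnsmasq options of the same spelling), and every host name and address in it are assumptions made for the example.

```python
"""
Resolver-side filter with the semantics of dnsmasq's stop-dns-rebind.
Added example, not dnsmasq code and not any poster's configuration.
Blocked ranges, option names and sample data are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Ranges an answer from the public Internet should never resolve to:
# RFC 1918, loopback, "this network", link-local, IPv6 ULA/link-local and
# IPv4-mapped IPv6 (assumed set, modelled on the dnsmasq man page).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7", "::ffff:0:0/96",
)]
LOOPBACK_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("::1/128")]


@dataclass
class Answer:
    name: str       # owner name of the record
    ttl: int        # seconds; rebinding relies on this being tiny
    address: str    # A or AAAA rdata


class RebindFilter:
    def __init__(self, rebind_domain_ok=(), rebind_localhost_ok=False):
        # Domains allowed to resolve to private space (split-horizon names).
        self.ok_domains = tuple(d.lower().strip(".") for d in rebind_domain_ok)
        # DNS blocklists answer with 127.0.0.x; allow that when asked to.
        self.localhost_ok = rebind_localhost_ok
        self.log = []   # what a resolver would write to syslog

    def _exempt_domain(self, name):
        n = name.lower().rstrip(".")
        return any(n == d or n.endswith("." + d) for d in self.ok_domains)

    def _blocked(self, addr):
        if self.localhost_ok and any(addr in net for net in LOOPBACK_NETS):
            return False
        return any(addr in net for net in BLOCKED_NETS)

    def filter_response(self, qname, answers):
        """Return the answers that may be handed to the LAN client."""
        if self._exempt_domain(qname):
            return list(answers)
        kept = []
        for a in answers:
            addr = ipaddress.ip_address(a.address)
            if self._blocked(addr):
                self.log.append(
                    f"possible DNS-rebind attack detected: {qname} -> {a.address}")
                continue
            kept.append(a)
        return kept


def simulate_rebinding(filt, qname="attacker.example"):
    """Run the two-answer sequence described in the thread through the
    filter. Both responses carry TTL 0 so the client never caches the
    first one. Addresses are constructed (TEST-NET-3 and a LAN gateway)."""
    first = [Answer(qname, 0, "203.0.113.10")]   # attacker's public web host
    second = [Answer(qname, 0, "192.168.1.1")]   # then the LAN router
    return filt.filter_response(qname, first), filt.filter_response(qname, second)


if __name__ == "__main__":
    f = RebindFilter()
    first, second = simulate_rebinding(f)
    print("first answer kept :", [a.address for a in first])
    print("second answer kept:", [a.address for a in second])
    for line in f.log:
        print("log:", line)
```

In dnsmasq itself the corresponding configuration lines are `stop-dns-rebind`, `rebind-localhost-ok` and `rebind-domain-ok=/corp.example/`; the allow list is for legitimate split-horizon names (a VPN host that resolves to a 10.x address from outside), and the localhost exemption is for DNS blocklists that answer with 127.0.0.x. Nothing here changes which upstream resolver is queried, so pointing the router at OpenDNS and enabling the check are independent settings.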
antdude A Ninja Ant Premium,VIP join:2001-03-25 kudos:2 | Hmm, does using OpenDNS' IP address in my router's latest stock firmware fit with this, or is this a completely different thing? I only configured my DNS for OpenDNS. -- Ant @ »antfarm.ma.cx and »aqfl.net. Please do not IM/e-mail me for technical support. Use the forum! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer
KoRnGtL15 Premium join:2007-01-04 Grants Pass, OR | It has no effect on OpenDNS when using it.
said by antdude: Hmm, does using OpenDNS' IP address in my router's latest stock firmware fit with this, or is this a completely different thing? I only configured my DNS for OpenDNS.
antdude A Ninja Ant Premium,VIP join:2001-03-25 kudos:2 | said by KoRnGtL15: It has no effect on OpenDNS when using it. said by antdude: Hmm, does using OpenDNS' IP address in my router's latest stock firmware fit with this, or is this a completely different thing? I only configured my DNS for OpenDNS.
Darn, I guess I will have to switch to third party firmware then if Linksys doesn't fix this soon. -- Ant @ »antfarm.ma.cx and »aqfl.net. Please do not IM/e-mail me for technical support. Use the forum! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer
| Thanks! Mine was not successful.
Mele20 Premium join:2001-06-05 Hilo, HI kudos:4 | reply to antdude said by antdude: Darn, I guess I will have to switch to third party firmware then if Linksys doesn't fix this soon. Linksys sure isn't going to fix the BEFSR41. Mine is almost 7 years old. Even the later version 4 is now six years old. Linksys fixes NOTHING over 2 years old. Their position is that the router is outdated at 2 years and needs to be replaced. I'm not buying a new router because of this. -- When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson
antdude A Ninja Ant Premium,VIP join:2001-03-25 kudos:2 | said by Mele20: said by antdude: Darn, I guess I will have to switch to third party firmware then if Linksys doesn't fix this soon. Linksys sure isn't going to fix the BEFSR41. Mine is almost 7 years old. Even the later version 4 is now six years old. Linksys fixes NOTHING over 2 years old. Their position is that the router is outdated at 2 years and needs to be replaced. I'm not buying a new router because of this.
They better fix the WRT54GL. I bet my Netgear RT311 has the same problem, but that's like a decade old! -- Ant @ »antfarm.ma.cx and »aqfl.net. Please do not IM/e-mail me for technical support. Use the forum! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer
neftv join:2000-10-01 Broomall, PA | reply to KoRnGtL15 I get it. So those IP addresses are made up, right? Or are you supposed to use certain ones? Just asking. Thanks.