

More Fiber
Premium,MVM
join:2005-09-26
West Chester, PA
kudos:18

reply to mistigi

Re: Millions of home routers vulnerable...um ok....

said by mistigi:

So what's the attack vector, can it be done through a browser?
Heffner hasn't presented his paper at the Black Hat conference yet. From what is in the Forbes article, the attack vector is DNS rebinding:
quote:
The attacker registers a domain and delegates it to a DNS server he controls. The server is configured to respond with a very short TTL record, preventing the response from being cached.

The first response contains the IP address of the server hosting the malicious code. Subsequent responses contain the attacker's target, typically spoofed private network IP addresses (RFC1918) behind a firewall.

Because both records are valid DNS responses, they authorize the sandboxed script to access hosts inside the private network. By returning multiple short-lived IP addresses, the DNS spoofing enables the script to scan the local network, or to perform other malicious activities.

Yes, it requires compromising the router credentials, which is trivial on many routers where the factory default is "admin/password". At least with the Actiontec, the user is forced to change the password the first time someone logs on to the router, which is usually done by the install tech. Of course, if you do a factory reset of the router and don't log on, the default is still "admin/password".
--
There are 10 kinds of people in the world; those who understand binary and those who don't.
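
A defender-side view of the DNS rebinding pattern described in the quote above, as an added example that is not part of the original post: it scans resolver answer logs for a name that first resolves to an external address with a very short TTL and then to an RFC 1918 address. The log tuple format, the 60-second TTL threshold and all names and addresses in the sample are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 private ranges named in the quoted description, plus loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

SHORT_TTL = 60  # seconds; assumed threshold for a "very short TTL"

# Constructed sample resolver log: (epoch seconds, queried name, answer IP, TTL)
SAMPLE_LOG = [
    (1000, "www.example.org", "93.184.216.34", 3600),
    (1001, "rebind.attacker.example", "203.0.113.10", 1),
    (1004, "rebind.attacker.example", "192.168.1.1", 1),
    (1010, "nas.home.example", "192.168.1.20", 300),   # internal only: normal
    (1020, "cdn.example.net", "198.51.100.7", 20),     # short TTL, stays external
    (1025, "cdn.example.net", "198.51.100.8", 20),
]

def is_internal(ip):
    """True if the address falls in one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_rebinding(log, short_ttl=SHORT_TTL):
    """Return one finding per name whose answers flipped from a short-TTL
    external address to an internal address."""
    history = defaultdict(list)
    for ts, name, ip, ttl in sorted(log):
        history[name.lower().rstrip(".")].append((ts, ip, ttl))
    findings = []
    for name, answers in history.items():
        external_seen = None
        for ts, ip, ttl in answers:
            if not is_internal(ip):
                if ttl <= short_ttl:
                    external_seen = (ts, ip)
            elif external_seen:
                findings.append({"name": name, "first": external_seen[1],
                                 "rebound_to": ip, "gap_s": ts - external_seen[0]})
                break
    return findings

if __name__ == "__main__":
    for finding in find_rebinding(SAMPLE_LOG):
        print(finding)
```

The same condition is what a rebinding filter on a local resolver enforces at answer time: a public name returning an internal address is dropped rather than logged.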

over 12.5 years online © 1999-2012 dslreports.com.