lesopp join:2001-06-27 Land O Lakes, FL 1 edit |
lesopp
Member
2008-Apr-8 10:43 am
So WhatDisable outside management, or turn off the http server on the router, or limit outside management access to SSH, or lock it down to a combination of the previously mentioned items and only permit access from specific IP addresses. | |
|
| |
Re: So WhatOr just change your router password to something other than the default. | |
|
| Krispy1 Premium Member join:2001-12-11 the stix |
to lesopp
The 'so what' is the fact that many people don't lock down or change defaults as we've all been ranting and raving about for years so a remote web based exploit has potential to impact lots of people and networks. | |
|
| evilghost Premium Member join:2003-11-22 Springville, AL 1 edit |
to lesopp
This attack uses CSRF to own the router... It's not about the outside getting in, it's about CSRF being used to repoint DNS to hostile servers so MITM attacks or DNS redirection (for phishing; likely) can be easily created.
In theory one could also load Linux powered firmware that would attack nearby APs using brute-force password guessing techniques after association to them as a client; of course this becomes less trivial if the AP is running WPA/WPA2. That would be more "wormlike".
Essentially, own a device with CSRF and use it to own nearby APs. | |
|
| Dogfather Premium Member join:2007-12-26 Laguna Hills, CA |
to lesopp
You're talking about the same people who refuse to run antivirusware, patch their systems and open every email attachment that says some hot Russian teen wants anal from them. | |
|
| | |
Re: So WhatNot always.
My mother for instance will patch systems, update anti-virus and anti-spyware, avoid opening attachments etc....but probably would never think to change her default WRTG54S password...
This hack I assume will educate those users,. | |
|
| | | Dogfather Premium Member join:2007-12-26 Laguna Hills, CA |
Re: So WhatThen wouldn't up to date AV defs detect this hostile javascript? | |
|
| | | | |
Re: So Whatit would for a short time. but your antivirus is only as good as the programmer. Hackers will find ways around one thing then another after the other has been fixed. its a love/hate relationship your AV Company plays with Hackers and vise versa. | |
|
| | | CorydonCultivant son jardin Premium Member join:2008-02-18 Denver, CO |
to Karl Bode
said by Karl Bode:My mother for instance will patch systems, update anti-virus and anti-spyware, avoid opening attachments etc....but probably would never think to change her default WRTG54S password... In my family, I generally end up being the one who does things like setting up new routers. A lot of people who are comfortable with the "basics" of computer security mentioned above are really a bit uncomfortable with setting up something like a router. After all, there are a number of layers of security in a router, especially a wireless router, that must be configured. Setting up WPA-PSK (with a strong passphrase), MAC address filtering, etc. on both the router and the computers in the home is generally something that's still a bit beyond the average user. And I'm just going off the top of my head so I could be wrong, but doesn't most firmware from the major companies prompt you to change the admin user ID and password as part of the setup process now? On the other hand, I still see unsecured wireless routers in my neighborhood that are broadcasting "NETGEAR" as their SSID, so I'd imagine that their password is still blank too. | |
|
| |
gaforces (banned)United We Stand, Divided We Fall join:2002-04-07 Santa Cruz, CA |
gaforces (banned)
Member
2008-Apr-8 10:46 am
Change your router password!I read about this a couple months ago in the security forum. One of the members had a proof of concept linked there. This only affects routers with the default password. | |
|
| Doctor FourMy other vehicle is a TARDIS Premium Member join:2000-09-05 Dallas, TX
1 recommendation |
Re: Change your router password!Or how about those with no password at all? The 2-Wire 3800HGV-B, which comes with all AT&T U-Verse installations as the RG (Residential Gateway) has no password securing settings at all by default. It is up to the user to go into the configuration and change that, but I'll bet many people don't even bother. | |
|
| | |
Re: Change your router password!Update them? | |
|
| | |
to Doctor Four
The most recent firmware upgrade that AT&T is pushing out forces the password on and will not let the user disable it. | |
|
| |
away404 to gaforces
Anon
2008-Apr-8 8:14 pm
to gaforces
I did as well. Credit where credit's due-- there are several examples available of these types of vulnerabilities located at the following link: » www.gnucitizen.org/proje ··· allenge/Just do a search in the page for 'setup_dns' and you will find some examples of vulnerable cgi's he is talking about. | |
|
FFH5 Premium Member join:2002-03-03 Tavistock NJ
1 recommendation |
FFH5
Premium Member
2008-Apr-8 10:46 am
Not at risk if you changed default password on routerThere is some risk for all those people who neglected to change their password from the default when installing their router at home.
But for anyone who had the brains to change their passwords, this is a a non-event. | |
|
| evilghost Premium Member join:2003-11-22 Springville, AL 1 edit |
Re: Not at risk if you changed default password on routersaid by FFH5:There is some risk for all those people who neglected to change their password from the default when installing their router at home. But for anyone who had the brains to change their passwords, this is a a non-event. Routers vulnerable to CSRF are still exploitable IF the user has a trusted session with the configuration page and accesses a hostile site. How many routers are using session versus cookies for verifying successful authentication? | |
|
| | |
Re: Not at risk if you changed default password on routersaid by evilghost Routers vulnerable to CSRF are still exploitable IF the user has a trusted session with the configuration page and accesses a hostile site.
How many routers are using session versus cookies for verifying successful authentication? [/BQUOTE :Don't most routers automatically time out the session after a period of time? If I'm in my router, and I stay on the same page for a couple minutes, when I change pages I have to login again. | |
|
| MySpareBrain |
to FFH5
said by FFH5:There is some risk for all those people who neglected to change their password from the default when installing their router at home. But for anyone who had the brains to change their passwords, this is a a non-event. Yeah but then there are those who change the password then forget what they set it to. Or, they have their friend or kid do it for them and they don't remember what it was set to either. | |
|
jjoshua Premium Member join:2001-06-01 Scotch Plains, NJ |
jjoshua
Premium Member
2008-Apr-8 11:35 am
A lot of assumptionsWouldn't the attacker also need to know about your internal network addressing? Not only do they need to know the logon/password for your router but also the IP address. | |
|
| |
Re: A lot of assumptionsIf you are using your router as a DHCP server, this becomes very easy. | |
|
| impala join:2008-03-08 Clemson, SC |
to jjoshua
Assuming settings are default: If you know the victim's ISP; you probably know the router's internal address. That's usually enough to guess the default password. Some routers (at least the manufacturer) can be identified by a port probe. How many of you authenticate to your router to monitor it as you browse the web with the same browser? I know I have. | |
|
| |
to jjoshua
said by jjoshua:Wouldn't the attacker also need to know about your internal network addressing? Not only do they need to know the logon/password for your router but also the IP address. Java is by default setup that it can inform the server of your internal IP address. It's not hard to guess the routers IP after this :P | |
|
Heterman Premium Member join:2004-02-28 Fayetteville, AR |
Heterman
Premium Member
2008-Apr-8 12:36 pm
More to it?It seems to me Mr. Kaminsky is referring to something larger, as in the DNS itself. Having an unsecure router seems to only scratch the surface of the way this exploit can be used. | |
|
Smith6612 MVM join:2008-02-01 North Tonawanda, NY |
oooooh...Well, I should already be safe from this. Having the network IP for the router being very different from the default along with my own password consisted of various characters, I should be all set. | |
|
|
NeoLinuxyes
Anon
2008-Apr-8 7:47 pm
Tomato Routeryea, yea, blah blah. use my Linksys wrt54gs router with the Tomato firmware (Linux based). then change default pass. no ones gettin in, sister.
so just handle it.
(((((:::: | |
|
|
SunnyFL8
Premium Member
2008-Apr-9 1:30 am
Ouch!Doesn't sound good for wireless hotspots.
Once you figure out how to change default password mine as well lock the WAP down. | |
|
|
|