Router access through the back door
Many modern routers are controlled through a built-in web server which presents a tempting point of attack. During his presentation at the Black Hat conference, security expert Craig Heffner described a new technique for gaining access to a router's web front end.
Under certain circumstances, a few name-resolution tricks let an attacker reach a router's web front end from an ordinary web page, and if the front end's own access protection is weak, the router is wide open. Heffner concedes that his approach involves few genuinely new concepts. Instead, he craftily combines existing ingredients, DNS rebinding and the lax way many routers bind their web interface to their network interfaces, to exploit a long-standing problem.
His trick is based on having a DNS server under the attacker's control return two addresses for a web page such as www.p0wn.you. Returning several addresses is common practice in itself and is used, for instance, to balance load across several servers. In Heffner's case, however, the attacker's DNS server returns the real IP address of the attacker's web server together with the address the current visitor of p0wn.you is connecting from, which is the address of the external (DSL) interface of the visitor's router.
The browser first reaches the attacker's real server, which delivers a page carrying a script. When that script makes its next request to p0wn.you, the attacker's server declines the connection, and the browser in effect remembers: "Wasn't there another address? I'll try that one." At this point, attackers benefit from a lax default setting many routers have inherited from the Linux systems they are based on: the router's internal interface also accepts requests that are addressed to its external interface. As a result, the script's request lands on the router's own web server and retrieves the page containing the firewall settings, and because the browser still believes this page is part of the p0wn.you domain, the same-origin policy does not stand in the way. This grants the script full access to the page and, for instance, allows it to disable the firewall by ticking the "disable firewall" check box and then clicking the "save" button.
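To make the resolution trick concrete, here is an added Python model of the two-address DNS answer, the browser's fallback to the second address, and two resolver-side filters against it. It is an illustration written for this page, not code from Heffner's talk; the hostname is the article's, while the addresses (RFC 5737 TEST-NET ranges), the filter names and the attack phases are constructed for the example. The point it shows: a filter that only rejects private ranges, like the behaviour of dnsmasq's --stop-dns-rebind option, does not stop this variant, because the victim's WAN address is a perfectly public IP.

```python
"""Model of the two-address DNS rebinding trick and two resolver-side filters.

Added illustration, not code from Heffner's talk. Addresses and hostname are
constructed for the example (TEST-NET ranges, RFC 5737).
"""
import ipaddress

# Ranges a public hostname should never resolve to: RFC 1918 private space,
# loopback, link-local and the "this network" block.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]

ATTACKER_IP = "203.0.113.10"     # constructed: the real web server behind p0wn.you
VICTIM_WAN_IP = "198.51.100.77"  # constructed: the visitor's DSL address


def classic_rebind_filter(answers):
    """Drop A records that point into private or loopback space, the check a
    resolver option such as dnsmasq's --stop-dns-rebind performs. Returns the
    records that survive, in their original order."""
    return [a for a in answers
            if not any(ipaddress.ip_address(a) in net for net in NON_PUBLIC)]


def wan_aware_filter(answers, own_wan_ip):
    """Same as above, but also drop any record equal to this network's own
    public (WAN) address. That address is public, so the classic filter lets it
    through, and it is exactly what Heffner's variant returns."""
    own = ipaddress.ip_address(own_wan_ip)
    return [a for a in classic_rebind_filter(answers)
            if ipaddress.ip_address(a) != own]


def browser_connect(addresses, refused):
    """Model the browser with a multi-address host: try the addresses in order
    and use the first one that accepts the TCP connection. `refused` holds the
    addresses that currently reset the connection attempt."""
    for a in addresses:
        if a not in refused:
            return a
    return None


def attack_outcome(filter_fn):
    """Run the two phases of the attack through a given resolver filter and
    return (address the page was loaded from, address the script's later
    request lands on). None means the request failed outright."""
    dns_answer = [ATTACKER_IP, VICTIM_WAN_IP]  # the two A records for p0wn.you
    usable = filter_fn(dns_answer)
    # Phase 1: the attacker's server accepts, page and script are delivered.
    first = browser_connect(usable, refused=set())
    # Phase 2: the attacker now refuses the victim's connections, so the
    # browser falls back to the next address it was given.
    second = browser_connect(usable, refused={ATTACKER_IP})
    return first, second


if __name__ == "__main__":
    print("private-range filter only :", attack_outcome(classic_rebind_filter))
    print("also blocking own WAN IP  :",
          attack_outcome(lambda a: wan_aware_filter(a, VICTIM_WAN_IP)))
```

With the private-range filter alone, the script's second request ends up at the victim's WAN address, which is the moment the router's internal interface answers for its external one. Blocking the network's own WAN address as well leaves the script with nowhere to go. Note that this second filter has to know the current WAN address, which a resolver running on the router itself does but a stand-alone resolver on a LAN host does not. The underlying router behaviour is easy to check by hand: from a machine inside the LAN, point a browser at the router's WAN address and see whether the administration page comes back.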
For the attack to succeed, however, the attacker still has to get past the router's access protection. This works either because the router uses a guessable default password or because the user happens to have the router's web interface open, logged in, in another browser window, in which case the script rides on that open router session. The current recommendations of the German Federal Office for Information Security (BSI) address precisely this situation, and they are worth following even if a particular router is not vulnerable to this specific DNS rebinding attack.
For example, the BSI recommends giving the router's web interface its own password that is not easily guessed, and always starting a fresh browser session for router administration: close all existing browser windows, open a single new window for the router tasks, and close it again as soon as they are done. This may seem unnecessarily cumbersome, but it is the surest way to keep scripts from other sites out of the router session. Users are also advised to check regularly for router firmware updates and to install any they find. Finally, the BSI recommends protecting wireless networks with a dedicated WPA2 password.