http://www.networkworld.com/news/2008/040708-rsa-researcher-web-page-can.html
By Robert McMillan
IDG News Service
04/07/2008

On Tuesday at the RSA Conference, researcher Dan Kaminsky will show how
a Web-based attack could be used to seize control of certain routers.

Kaminsky has spent the past year studying how design flaws in the way
that browsers work with the Internet's Domain Name System (DNS) can be
abused in order to get attackers behind the firewall. But at the RSA
Conference in San Francisco, he will demonstrate how this attack would
work on widely used routers, including those made by Cisco's Linksys
division and D-Link.

The technique, called a DNS rebinding attack, would work on virtually
any device, including printers, that uses a default password and a
Web-based administration interface, said Kaminsky, who is director of
penetration testing with IOActive.

Here's how it would work. The victim would visit a malicious Web page
that would use JavaScript code to trick the browser into making changes
on the Web-based router configuration page. The JavaScript could tell
the router to let the bad guys remotely administer the device, or it
could force the router to download new firmware, again putting the
router under the hacker's control.

Either way, the attacker would be able to control his victim's Internet
communications.

The technical details of a DNS rebinding attack are complex, but
essentially the attacker is taking advantage of the way the browser uses
the DNS system to decide what parts of the network it can reach.

Although security researchers had known that this type of hack was
theoretically possible, Kaminsky's demo will show that it can work in
the real world, said David Ulevitch, CEO of DNS service provider
OpenDNS. "I'm always a fan of when something that's theoretical gets
made real, because it makes people act," he said.

On Tuesday, OpenDNS will offer users of its free service a way to
prevent this type of attack, and the company will also set up a Web site
that will use Kaminsky's techniques to give users a way to change the
passwords of vulnerable routers.

The attack "underscores the need for people to be able to have more
intelligence on the DNS," Ulevitch said.
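
An added example, not taken from the article and not OpenDNS's or
Kaminsky's code: one widely used resolver-side defence against DNS
rebinding is to refuse any answer that maps a public name to an internal
address. The local suffixes, function names and sample answers below are
constructed for illustration.

```python
import ipaddress

# Assumption: zones whose names may legitimately map to internal addresses.
LOCAL_SUFFIXES = ("lan", "home.arpa")

# Loopback, RFC 1918, link-local and unspecified ranges (IPv4 and IPv6).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

def is_internal(addr):
    """True if addr falls inside one of INTERNAL_NETS."""
    ip = ipaddress.ip_address(addr)
    # Unwrap ::ffff:a.b.c.d so an IPv4-mapped answer cannot slip past.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in INTERNAL_NETS if net.version == ip.version)

def is_local_name(qname):
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in LOCAL_SUFFIXES)

def filter_answer(qname, addrs):
    """Return (allowed, reason) for one DNS answer set."""
    if is_local_name(qname):
        return True, "local zone"
    bad = [a for a in addrs if is_internal(a)]
    if bad:
        return False, "public name -> internal address " + ", ".join(bad)
    return True, "ok"

# Constructed sample answers (example names, documentation address ranges).
SAMPLE = [
    ("www.example.com.", ["203.0.113.10"]),
    ("rebind.example.net.", ["203.0.113.66"]),   # first lookup: public host
    ("rebind.example.net.", ["192.168.1.1"]),    # later lookup: router address
    ("printer.lan.", ["192.168.1.20"]),
    ("v6.example.net.", ["::ffff:10.0.0.1"]),
]

def blocked(samples=SAMPLE):
    """Answers the filter would drop before they reach the browser."""
    return [(q, a) for q, a in samples if not filter_answer(q, a)[0]]

if __name__ == "__main__":
    for q, a in SAMPLE:
        print(q, a, filter_answer(q, a))
```
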

Although this particular attack takes advantage of the fact that routers
often use default passwords that can be easily guessed by the hacker,
there is no bug in the routers themselves, Kaminsky said. Rather, the
issue is a "core browser bug," he said.

Router makers have known for some time how their default passwords can
be misused by attackers. Three months ago, hackers showed how a similar
attack could be launched, exploiting a flaw in the way Universal
Plug-and-Play works on PCs.

Cisco tries hard to discourage Linksys customers from using routers with
default passwords, said Trevor Bratton, a company spokesman. "One of the
first things that our setup software does is change that default name,"
he said. "So anyone who does as we ask with the initial setup will be
prompted to change that."

The problem is that home users rarely follow this advice, Kaminsky said.
"The vast majority of home users have a device with a default password,"
he said.

All contents copyright 1995-2008 Network World, Inc