Automated tool to be released at Black Hat

Jul 14, 2010 08:53 GMT  ·  By

A security researcher has devised an attack that can be used to access the LAN-facing admin interfaces of many widely used home router models. The technique is a variation of DNS rebinding that bypasses the traditional protections against such attacks.

The attack method will be demonstrated at the upcoming Black Hat technical security conference in Las Vegas by an ethical hacker named Craig Heffner, who currently works as a senior security engineer at Seismic. Heffner's presentation, called “How to Hack Millions of Routers”, will be accompanied by the release of a tool which automates the attack.

According to the presentation notes, the tool “allows an external attacker to browse the Web-based interface of a victim's router in real time, just as if the attacker were sitting on the victim's LAN. This can be used to exploit vulnerabilities in the router, or to simply log in with the router's default credentials.”

DNS rebinding attacks have been known for well over a decade. They typically subvert the browser's same-origin policy for client-side code such as JavaScript, Java or Flash: the attacker serves extremely short-lived DNS responses for a hostname under their control, first pointing it at an external IP address and then quickly switching it to an address on the victim's LAN. Because the hostname never changes, the browser treats both addresses as the same origin, which allows the attacker's code to interact with devices on the internal network.
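The short-TTL switch described above can be filtered at the LAN's recursive resolver. The following Python guard is an added example, not code from the article or from Heffner's tool: it strips LAN addresses from answers for external hostnames (the same idea as dnsmasq's --stop-dns-rebind option) and flags any name that flips from a public to an internal address; the hostnames and addresses are constructed for the demonstration.

```python
"""DNS rebinding guard: reject resolver answers that would point an
external hostname at an address inside the LAN, and log the flip."""
import ipaddress

# Ranges no public hostname should resolve to for a LAN client.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",     # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 equivalents
)]

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # ip_network.__contains__ returns False across IPv4/IPv6, so mixing is safe
    return any(ip in net for net in BLOCKED_NETWORKS)

def filter_answer(name, addrs, allowed_zones=()):
    """Return the addresses that may be handed to the client.
    Names under an explicitly allowed zone (e.g. a split-horizon
    internal domain) keep internal addresses; every other name loses
    them, which is what neutralises the rebind."""
    if any(name == z or name.endswith("." + z) for z in allowed_zones):
        return list(addrs)
    return [a for a in addrs if not is_internal(a)]

class RebindMonitor:
    """Watches (name, addrs, ttl) answers and records names that switch
    from public to internal addresses or mix both in one answer set."""
    def __init__(self):
        self.seen_public = set()
        self.alerts = []

    def observe(self, name, addrs, ttl):
        internal = [a for a in addrs if is_internal(a)]
        public = [a for a in addrs if not is_internal(a)]
        if internal and (name in self.seen_public or public):
            self.alerts.append((name, internal, ttl))
        if public:
            self.seen_public.add(name)
        return filter_answer(name, addrs)

# Constructed answer sequence imitating the classic attack: the attacker's
# public host first, then a zero-TTL switch to the victim's router address.
SAMPLE = [
    ("evil.example", ["203.0.113.10"], 1),
    ("evil.example", ["192.168.1.1"], 0),
    ("cdn.example", ["198.51.100.7"], 300),
]

def run_sample():
    mon = RebindMonitor()
    served = [mon.observe(n, a, t) for n, a, t in SAMPLE]
    return served, mon.alerts
```

The article states that Heffner's variant is designed to get past such traditional defences, so this guard covers the classic pattern the paragraph describes rather than his new technique.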

Heffner's attack, which promises to circumvent existing DNS rebinding protections, is router-model-independent and does not employ any anti-DNS-pinning techniques. The attack has been tested successfully on routers manufactured by Linksys, Belkin, ActionTec, Thompson, Asus and Dell, as well as those running Linux- or FreeBSD-based open source firmware like DD-WRT, OpenWRT and PFSense.

The ActionTec MI424-WR model provided by Verizon to its FiOS customers will be of special interest in the presentation. The researcher plans to demonstrate how his attack can be used to obtain a remote root shell on this widely deployed router.

You can follow the editor on Twitter @lconstantin