Feeds

Demo shows how web attack threatens fabric of the universe

All hail the power of DNS rebinding

Beginner's guide to SSL certificates

RSA Showing how the web's underpinnings can be abused to attack assets presumed to be secure, a researcher unveiled a website that can log into a home router and change key settings, such as administrator passwords and servers used to access trusted web destinations.

Rather than creating a trojan or other piece of specialized malware to access servers or other devices behind a firewall, researcher Dan Kaminsky, a director of penetration testing firm IOActive, showed how a web browser can do much the same thing. His demo uses so-called DNS rebinding, an attack technique that uses fraudulent IP addresses to breach a network's security.

DNS rebinding can be used to subvert the same origin policy, which prevents pages or data loaded by one site from being modified by pages or data loaded by a different site. Because a single destination can have more than one IP address associated with it - and because nothing prevents one site from associating itself with anyone else's IP - DNS rebinding attacks fool a browser into letting one site tamper with a server or other resource that normally would be off limits.

"It kind of sort of breaks the entire security model of the web," Kaminsky said of the technique. "At one moment bar.com can point to server in Europe [and] the next moment it can point to a printer down the hall. We were depending on the web security model to prevent this very thing from happening."

To demonstrate the attack in action, he visited a website that opened the browser-based configuration page of a D-Link wireless router and change several key settings. Yes, we know the attack requires the device to use a weak or non-existent administrator password, but that's not the point. The same technique can also be used to tamper with firewalls, databases and other resources that are attached to an IP address. (It's worth pointing out, too, that weak or non-existent passwords are depressingly common.)

And of course, security weakness isn't the fault of a single vendor or even a handful of them. It's the collective fault of everyone who's played a hand in shaping the net over several decades. The protocols that allow a browser to find a website can also be used to sneak past a company's firewall to rifle precious resources.

DNS rebinding isn't the only way whitehat and blackhat hackers have been able to force their way into routers and other network-attached devices. Cross-site script (XSS) attacks, which allow attackers to inject malicious code into trusted web pages, have been known to do the same thing. So has Universal Plug and Play (UPnP), a feature that ethical hacking outfit GNU Citizen in January said made many home routers vulnerable to take-over simply by luring an attached computer to a booby-trapped website.

But those methods are made possible by design flaws, either in the router or in a software component, such as Adobe flash, according to Kaminsky. That means they can be fixed in a relatively short time. Indeed, Adobe today pushed out a major Flash update that Kaminsky said neutralizes the router attack using UPnP.

The update also minimizes much of the damage that could have been caused by Kaminsky's DNS rebinding attack. Previously, Kaminsky could commandeer devices using a host of protocols, including Remote Desktop, Windows file sharing, and proprietary Oracle database calls. Now, the attack is limited to devices with web interfaces.

It's a good thing Adobe has minimized the damage, because the problem itself is not easily fixed. Plenty of legitimate websites balkanize their various services across more than one IP address, making so-called DNS pinning unworkable. Eventually, he says, browser makers will be forced to build in controls, but he said that won't happen for a while.

So in the meantime, IT administrators need to consider the vulnerability carefully when deciding how to attach various devices to their network, and home users should make sure their routers have robust passwords. To that end. Open DNS, a company that provides a safer alternative to ISP-provided DNS lookup, today unveiled a new option that allows users to block suspicious responses, such as those from the outside that provide a URL with an IP address for a router or other internal device.

Beyond that, learn to live with DNS rebinding, Kaminsky said. "This bug is not going away anytime soon." ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.