[dns-operations] might be interesting to watch the packets to/from 139.175.55.244

Paul Vixie paul at vix.com
Wed Nov 1 06:27:21 UTC 2006


(thanks to gadi evron for forwarding this.)

re:

Date: Mon, 30 Oct 2006 20:00:21 -0500
From: Nikolai Grigoriev <ngrigoriev at gmail.com>
To: bugtraq at securityfocus.com
Subject: Hawking Technology wireless router WR254-CA DNS issue

Hi,

I have discovered a security issue with Hawking Technology wireless
router, model WR254-CA. Since they are still available on the market,
I think it will be good to warn the community.

This router contains a DNS address 139.175.55.244 hardcoded in the
firmware. At least when used in DHCP mode, the set of DNS IP addresses
coming from the ISP does NOT override this hardcoded IP address. The
router takes only the first real DNS IP address and puts it in the second
place on its list. Because of this, the hardcoded address is used
first when you try to resolve a hostname through the router (it sends
its own IP address over DHCP to the machines in the local network so
it is the typical case).

I have discovered that a similar issue has been reported against Zyxel
P2000W VoIP phone by Shawn Merdinger some time ago - it was exactly
the same hardcoded IP address.

I have attempted to contact Hawking Tech technical support but after
exchanging a couple of emails (they could not understand why I
consider this a problem) they have stopped answering. Finally, I have
got the answer that "I think it is hard coded inside the router, in
case no DNS server obtain by the DHCP, you still can browse the
internet.".

I would suggest staying away from this product, checking other similar
products from this company and using static DNS configuration if you
actually have this router.

In addition to the danger of having an untrusted DNS server used
without your explicit permission, there is something strange happening
with this DNS server (dns.seed.net.tw). Sometimes I see that some
well-known host names get resolved into wrong IP addresses (about 2-3
weeks ago they had troubles with *.google.com). It may be just a bug
or an attempt to do something more interesting. Anyway, it is a
separate problem.

-- 
Nikolai Grigoriev
(514) 909-7846
(514) 260-6402
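An added check, not part of the original post or of the router's firmware, for the two problems described above: a resolver advertised to the LAN that the ISP never supplied over DHCP (with the ISP's first resolver pushed to second place), and a resolver whose answers for well-known names differ from a trusted reference. All addresses and answer sets below are constructed sample data; in practice the ISP list comes from the router's WAN status page and the answer sets from queries against each resolver.

```python
# Added example (not from the original post): flag resolvers a router hands
# to LAN clients that its ISP never supplied, and compare a suspect
# resolver's answers against a trusted reference. All data is constructed.
from ipaddress import ip_address

# Resolvers the WAN-side DHCP lease actually supplied (constructed sample).
ISP_DNS = ["203.0.113.10", "203.0.113.11"]
# Resolvers the router advertises to the LAN, in its order. This mirrors the
# advisory: an unrelated address first, the ISP's first resolver second.
LAN_DNS = ["139.175.55.244", "203.0.113.10"]


def unexpected_resolvers(isp_dns, lan_dns):
    """Return LAN-advertised resolvers that the ISP did not supply."""
    allowed = {ip_address(a) for a in isp_dns}
    return [a for a in lan_dns if ip_address(a) not in allowed]


def lan_uses_isp_first(isp_dns, lan_dns):
    """True only if the first resolver the LAN sees came from the ISP."""
    allowed = {ip_address(a) for a in isp_dns}
    return bool(lan_dns) and ip_address(lan_dns[0]) in allowed


# Answer sets for well-known names from a trusted reference resolver and
# from the resolver under test (constructed sample). Names served by CDNs
# legitimately vary by location, so a mismatch is a lead, not proof.
TRUSTED_ANSWERS = {
    "www.example.com": {"192.0.2.1"},
    "mail.example.net": {"192.0.2.25"},
}
SUSPECT_ANSWERS = {
    "www.example.com": {"192.0.2.1"},
    "mail.example.net": {"198.51.100.7"},
}


def mismatched_answers(trusted, suspect):
    """Names whose answer set from the suspect resolver differs from the reference."""
    return sorted(name for name in trusted if suspect.get(name) != trusted[name])


if __name__ == "__main__":
    print("unexpected resolvers:", unexpected_resolvers(ISP_DNS, LAN_DNS))
    print("ISP resolver first:", lan_uses_isp_first(ISP_DNS, LAN_DNS))
    print("mismatched names:", mismatched_answers(TRUSTED_ANSWERS, SUSPECT_ANSWERS))
```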
