[dns-operations]"remotely changing a home router's DNS server was theoretically possible " (C|Net)

Gadi Evron gevron at ca.afilias.info
Wed Jan 23 19:07:11 UTC 2008


Simon Waters wrote:
> On Tuesday 22 January 2008 22:17, Gadi Evron wrote:
>> I am unsure of what specific attack (malware?) they are talking about
>> which is MX specific, but SYMC is good with PR. I am however
>> increasingly concerned with the ease of compromising broadband routers.
> 
> It is well documented elsewhere, from well before live exploits were seen.
> 
> Basically routers with a web interface can be configured through Javascript, 
> as there are ways to subvert the javascript and http security models (indeed 
> the HTTP model of only POST/PUT/DELETE doing non-idempotent actions, and thus 
> alerting the user, is so widely ignored as to be pointless, although it can 
> make the exploit easier if the routers can be configured via GET).
> 
>> On the DNS side, without compromising (which can result in more botnets
>> or wiretap concerns) I am especially concerned due to many of these CPE
>> devices being recursive DNS servers.
> 
> It largely doesn't matter if they are recursive or not, the fundamental issue 
> is the ability to configure via web interface, poor security in web browser 
> (all), and default passwords.
> 
> I don't think there is any specific DNS part to the problem, other than once 
> you control someone's router, that is the easiest way to phish. I guess if 
> folk here suddenly get less DNS traffic it might be a bad sign - but I'm 
> guessing that applies almost whatever the reason for less traffic.
> 
> These web problems aren't specific to broadband routers, they are just low 
> hanging fruit.

Indeed. But please allow me to clarify what I mean.

Ports 80 or 21 TCP are often open and provide an open admin 
console, using default passwords--easily found on the web. This allows 
for massive compromises of (often) Linux machines which are outside the 
user's control and appear to be him/her.

Meaning, you can "spy" on the user's traffic, run a bot, etc.

Then there is the second issue which does not require compromising, 
which is recursive DNS servers open to the world, running on these CPE 
devices (think DNS amplification attacks instead of name hijacking).

Makes sense?

	Gadi.
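The second issue in Gadi's message, CPE devices running recursive DNS open to the world, can be checked from the outside. The script below is an added example, not code from the thread or from any listed project: it builds a raw DNS query for an outside name with RD set, sends it to a device on UDP/53 (or, offline, to a hand-constructed reply), and reports whether the box recursed (RA set, NOERROR, answers present) and the reply-to-query size ratio that an amplification attack would exploit. The sample replies and the 192.0.2.x addresses are constructed for demonstration; only probe() touches the network.

```python
import socket
import struct

# Added example: detect open recursion on a CPE resolver and measure amplification.
# Sample packets below are constructed by hand; 192.0.2.0/24 is an RFC 5737
# documentation range, not a real target.

QTYPE_ANY = 255   # ANY is what amplification attacks ask for: biggest reply per query
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Dotted name -> DNS wire labels ("example.com" -> b"\\x07example\\x03com\\x00")."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Minimal DNS query. RD=1 asks the server to recurse on the client's behalf."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(pkt: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields the check needs."""
    if len(pkt) < 12:
        raise ValueError("short DNS packet")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),     # 1 = response
        "rd": bool(flags & 0x0100),     # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),     # recursion available
        "rcode": flags & 0x000F,        # 0 NOERROR, 5 REFUSED, ...
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(query: bytes, response: bytes) -> dict:
    """Is the responder an open recursive resolver, and how much does it amplify?"""
    q = parse_header(query)
    r = parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        raise ValueError("response does not match query")
    # A CPE box is authoritative for nothing, so a NOERROR reply with answers
    # and RA set for an outside name means it recursed for an arbitrary client.
    open_recursive = r["ra"] and r["rcode"] == 0 and r["ancount"] > 0
    return {
        "open_recursive": open_recursive,
        "rcode": r["rcode"],
        "ra": r["ra"],
        "amplification": round(len(response) / len(query), 2),
    }


def probe(host: str, name: str = "example.com", timeout: float = 2.0) -> dict:
    """Send one UDP query to host:53 and classify the reply (network; unused by the sample run)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (host, 53))
        data, _ = sock.recvfrom(4096)
    return classify(query, data)


# --- constructed sample replies so the check can be exercised offline ---
_QUESTION = encode_name("example.com") + struct.pack("!HH", QTYPE_ANY, QCLASS_IN)


def _a_record(ip: str, ttl: int = 300) -> bytes:
    # name = pointer to offset 12 (the question name), type A, class IN, TTL, rdlength, rdata
    return b"\xc0\x0c" + struct.pack("!HHIH", 1, QCLASS_IN, ttl, 4) + socket.inet_aton(ip)


# Open recursive resolver: QR=1 RD=1 RA=1 NOERROR (flags 0x8180), three A answers.
OPEN_RESOLVER_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)
    + _QUESTION
    + b"".join(_a_record(ip) for ip in ("192.0.2.1", "192.0.2.2", "192.0.2.3"))
)

# Resolver that refuses outside clients: QR=1 RD=1 RA=0 rcode=REFUSED (flags 0x8105), no answers.
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _QUESTION

SAMPLE_QUERY = build_query("example.com")

if __name__ == "__main__":
    print("open resolver:", classify(SAMPLE_QUERY, OPEN_RESOLVER_REPLY))
    print("refusing     :", classify(SAMPLE_QUERY, REFUSED_REPLY))
```

Against a real device, run probe("<cpe-address>") from outside its LAN; a REFUSED or no reply is the behaviour you want, and any NOERROR answer for a name the box is not authoritative for is the open-recursion case. The amplification figure here is only reply bytes over query bytes for a 29-byte ANY query; with the three constructed records it is about 2.7, and a resolver returning a large cached RRset pushes it far higher, which is why attackers pair spoofed source addresses with such boxes.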



More information about the dns-operations mailing list