Tuesday, January 15, 2008

Home Router Vulnerability

From Bugtraq:

When the victim visits a malicious SWF file, a 4-step attack will silently execute in the background. At that moment the attacker will have control over their router, pretty much regardless of its model. Many home routers are vulnerable to this attack, as many of them support UPnP to one degree or another.

The attack does not rely on any bugs. Simply put, when two completely legitimate technologies, Flash and UPnP, are combined together, they compose a vulnerability which exposes many home networks to a great risk. The attack depends on the fact that most, if not all, routers are UPnP enabled. The UPnP SOAP service can be accessed without authorization over the default Web Admin Interface. With the help of Flash, the attacker can send arbitrary SOAP messages to the router's UPnP control point and as such reconfigure the device in order to enable further attacks.

The most malicious of all malicious things to do when a device is compromised via the attack described in the link pointed at the top of this email is to change the primary DNS server. That will effectively turn the router and the network it controls into a zombie which the attacker can take advantage of whenever they feel like it. It is also possible to reset the admin credentials and create the sort of onion routing network all bad guys want. Many routers come with a Layer 3 port-forwarding UPnP service. This is also a potential vector that attackers can use. In cases like this, they will simply expose ports behind the router on the Internet-facing side.

We hope that by exposing this information, we will drastically improve the situation for the future. I think that this is a lot better than keeping it for ourselves or risking it all by giving the criminals the opportunity to have in their possession a secret which no one else is aware of. The best way to protect against this attack is to turn off UPnP if your router's Admin Interface allows it. It seems that many routers simply do not have this feature.
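The quoted post says the SWF only has to make the browser emit "arbitrary SOAP messages to the router's UPnP control point". The block below is an added example, not code from the Bugtraq post or its authors: it builds the unauthenticated HTTP POST that a UPnP Internet Gateway Device accepts for one control action, then parses such a request back and flags the two reconfigurations the post singles out, a port mapping that exposes something behind the NAT (the WANIPConnection:1 AddPortMapping action) and a DNS change (the LANHostConfigManagement:1 SetDNSServer action, on routers that implement that service). The router address, control port and control URL are assumptions for the example; on a real device they come from its device-description XML and differ per model. The sample requests are constructed inline so the code runs offline.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ENC_NS = "http://schemas.xmlsoap.org/soap/encoding/"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
LANHOST = "urn:schemas-upnp-org:service:LANHostConfigManagement:1"

# Assumed for the example: a gateway's UPnP control port and control URL are
# advertised in its device-description XML and vary between models.
ROUTER_HOST = "192.168.1.1:49152"
CONTROL_URL = "/upnp/control/WANIPConn1"


def build_soap_request(host, control_url, service_type, action, args):
    """Build the raw HTTP POST a UPnP control point sends for one SOAP action.

    No credentials are involved: the request is just a POST whose SOAPAction
    header names the service and action, which is why a Flash-driven POST
    from a LAN browser is enough to reconfigure the device.
    """
    arg_xml = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in args.items())
    body = (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="{ENC_NS}">'
        f'<s:Body><u:{action} xmlns:u="{service_type}">{arg_xml}</u:{action}>'
        "</s:Body></s:Envelope>"
    )
    head = (
        f"POST {control_url} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        'Content-Type: text/xml; charset="utf-8"\r\n'
        f"Content-Length: {len(body.encode())}\r\n"
        f'SOAPAction: "{service_type}#{action}"\r\n\r\n'
    )
    return (head + body).encode()


def parse_soap_request(raw):
    """Extract service type, action and arguments from a captured control request."""
    head, _, body = raw.decode().partition("\r\n\r\n")
    m = re.search(r'^SOAPAction:\s*"?([^"\r\n]+)"?', head, re.M | re.I)
    root = ET.fromstring(body)
    soap_body = root.find(f"{{{SOAP_NS}}}Body")
    action_el = next(iter(soap_body))           # the single action element
    service, action = action_el.tag[1:].split("}", 1)
    return {
        "service": service,
        "action": action,
        "args": {c.tag: (c.text or "") for c in action_el},
        "soapaction_header": m.group(1) if m else None,
    }


def classify(parsed, gateway_ip):
    """Flag the reconfiguration actions the post warns about.

    Returns a list of findings; an empty list means the request is a
    read-only query such as GetExternalIPAddress.
    """
    findings = []
    svc, act, args = parsed["service"], parsed["action"], parsed["args"]
    hdr = parsed["soapaction_header"]
    if hdr and hdr != f"{svc}#{act}":
        findings.append("SOAPAction header disagrees with body")
    if svc == WANIP and act == "AddPortMapping":
        findings.append(
            f"port mapping {args.get('NewExternalPort')}/{args.get('NewProtocol')}"
            f" -> {args.get('NewInternalClient')}:{args.get('NewInternalPort')}"
        )
        if args.get("NewInternalClient") == gateway_ip:
            findings.append("mapping targets the router itself (admin interface exposure)")
        if args.get("NewLeaseDuration", "0") == "0":
            findings.append("permanent lease")
    if svc == LANHOST and act == "SetDNSServer":
        findings.append(f"DNS changed to {args.get('NewDNSServers')}")
    return findings


def demo():
    # Constructed request: forward WAN port 8080 to the router's own web admin port.
    raw = build_soap_request(ROUTER_HOST, CONTROL_URL, WANIP, "AddPortMapping", {
        "NewRemoteHost": "",
        "NewExternalPort": 8080,
        "NewProtocol": "TCP",
        "NewInternalPort": 80,
        "NewInternalClient": "192.168.1.1",
        "NewEnabled": 1,
        "NewPortMappingDescription": "example",
        "NewLeaseDuration": 0,
    })
    return classify(parse_soap_request(raw), "192.168.1.1")


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The parser and classifier are the useful half for defenders: run over captured LAN traffic to the gateway's UPnP port, they separate harmless discovery queries from the AddPortMapping and SetDNSServer calls that change the device's configuration. Since the control requests carry no authentication at all, the post's advice stands: where the admin interface offers it, disable UPnP.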
