Browser Hack Allows Router Control
To be demonstrated at RSA Security Conference
10:35AM Tuesday Apr 08 2008 by Karl Bode
tags: hardware · security · networking
Researcher Dan Kaminsky today will show attendees of the RSA security conference how a Web-based attack can be used to seize control of routers, notes PC World. Kaminsky has spent the past year studying how browser design flaws allow someone to abuse the Domain Name System (DNS) in order to get around firewalls. According to Kaminsky, the "DNS rebinding attack" (so far just theory, never demonstrated in the real world) should work on many major routers and some printers:
Here's how it would work. The victim would visit a malicious Web page that would use JavaScript code to trick the browser into making changes on the Web-based router configuration page. The JavaScript could tell the router to let the bad guys remotely administer the device, or it could force the router to download new firmware, again putting the router under the hacker's control.
Of course changing your default router password might just be a good idea, you think?
Although this particular attack takes advantage of the fact that routers often use default passwords that can be easily guessed by the hacker, there is no bug in the routers themselves, Kaminsky said. Rather, the issue is a "core browser bug," he said.
OpenDNS today is supposed to offer users of its free service an easy way to prevent this type of attack.
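
As an added illustration (not part of the original article, and not OpenDNS's or any router vendor's code), the sketch below shows two commonly used defences against DNS rebinding: a resolver-side filter that drops internal addresses returned for outside names, and a router-side Host header check. The log entries, the local zone suffixes and the allowed host names are constructed assumptions, and only IPv4 is handled.

```python
import ipaddress

# Constructed resolver log, not real data: (time_s, name, answer, ttl_s).
SAMPLE_LOG = [
    (0, "news.example.com", "192.0.2.10", 3600),
    (1, "rebind.example.net", "203.0.113.7", 1),
    (4, "rebind.example.net", "192.168.1.1", 1),   # same name, now the router
    (5, "printer.lan", "192.168.1.20", 300),       # legitimate local name
]
# IPv4 ranges that a public name has no reason to resolve to.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
LOCAL_SUFFIXES = (".lan", ".home.arpa")  # assumed names of the local zone


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def blocked_answers(log):
    """Answers a rebinding-aware resolver would drop: an internal address
    returned for a name outside the local zone."""
    return [e for e in log
            if is_internal(e[2]) and not e[1].endswith(LOCAL_SUFFIXES)]


def rebinding_suspects(log):
    """Names first answered with a public address and later an internal one."""
    seen_public, suspects = set(), []
    for _, name, ip, _ in log:
        if not is_internal(ip):
            seen_public.add(name)
        elif name in seen_public and name not in suspects:
            suspects.append(name)
    return suspects


def host_header_ok(host, allowed=("192.168.1.1", "router.lan")):
    """Router-side check: a rebound request still carries the outside
    hostname in Host, so the admin page can refuse anything not its own."""
    hostname = host.rsplit(":", 1)[0] if ":" in host else host
    return hostname.lower() in allowed


if __name__ == "__main__":
    print("blocked:", blocked_answers(SAMPLE_LOG))
    print("suspects:", rebinding_suspects(SAMPLE_LOG))
    print("Host rebind.example.net:", host_header_ok("rebind.example.net"))
    print("Host 192.168.1.1:8080:", host_header_ok("192.168.1.1:8080"))
```

The Host check works regardless of which resolver the client uses, which is why it complements rather than replaces the resolver filter.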

lesopp

join:2001-06-27
Land O Lakes, FL

edit:
April 8th, @10:45AM

So What

Disable outside management, or turn off the http server on the router, or limit outside management access to SSH, or lock it down to a combination of the previously mentioned items and only permit access from specific IP addresses.

booticon

join:2007-07-31
East Lyme, CT

Re: So What

Or just change your router password to something other than the default.

Krispy
Premium,VIP
join:2001-12-11
the stix

The 'so what' is the fact that many people don't lock down or change defaults as we've all been ranting and raving about for years so a remote web based exploit has potential to impact lots of people and networks.
--
you can lead a horse to the water but you cannot make him drink...you can put a man through school but you cannot make him think --ben harper

evilghost
Premium
join:2003-11-22
Springville, AL
·Windstream


edit:
April 8th, @10:48AM

This attack uses CSRF to own the router... It's not about the outside getting in, it's about CSRF being used to repoint DNS to hostile servers so MITM attacks or DNS redirection (for phishing; likely) can be easily created.

In theory one could also load Linux powered firmware that would attack nearby APs using brute-force password guessing techniques after association to them as a client; of course this becomes less trivial if the AP is running WPA/WPA2. That would be more "wormlike".

Essentially, own a device with CSRF and use it to own nearby APs.

Skeedatl
Ah, push it - push it real good
Premium
join:2007-12-26
The Cloud
You're talking about the same people who refuse to run antivirusware, patch their systems and open every email attachment that says some hot Russian teen wants anal from them.

Karl Bode
News Guy
join:2000-03-02

Host:
Road Runner
PC gaming GAMES
PC gaming Tech

Re: So What

Not always.

My mother for instance will patch systems, update anti-virus and anti-spyware, avoid opening attachments etc....but probably would never think to change her default WRTG54S password...

This hack I assume will educate those users.

Skeedatl
Ah, push it - push it real good
Premium
join:2007-12-26
The Cloud

Re: So What

Then wouldn't up to date AV defs detect this hostile javascript?
joker5656

join:2006-06-23
Greenville, SC
·Charter Pipeline

Re: So What

It would for a short time, but your antivirus is only as good as the programmer. Hackers will find ways around one thing then another after the other has been fixed. It's a love/hate relationship your AV Company plays with Hackers and vice versa.
Corydon
Cultivant son jardin
Premium
join:2008-02-18
Denver, CO
·Comcast

said by Karl Bode:

My mother for instance will patch systems, update anti-virus and anti-spyware, avoid opening attachments etc....but probably would never think to change her default WRTG54S password...
In my family, I generally end up being the one who does things like setting up new routers. A lot of people who are comfortable with the "basics" of computer security mentioned above are really a bit uncomfortable with setting up something like a router. After all, there are a number of layers of security in a router, especially a wireless router, that must be configured. Setting up WPA-PSK (with a strong passphrase), MAC address filtering, etc. on both the router and the computers in the home is generally something that's still a bit beyond the average user.

And I'm just going off the top of my head so I could be wrong, but doesn't most firmware from the major companies prompt you to change the admin user ID and password as part of the setup process now?

On the other hand, I still see unsecured wireless routers in my neighborhood that are broadcasting "NETGEAR" as their SSID, so I'd imagine that their password is still blank too.

gaforces
United We Stand, Divided We Fall

join:2002-04-07
Santa Cruz, CA
·Cruzio Internet

Change your router password!

I read about this a couple months ago in the security forum.
One of the members had a proof of concept linked there.
This only affects routers with the default password.
--
There is no greater sign of a general decay of virtue in a nation, than a want of zeal in its inhabitants for the good of their country. ~ Joseph Addison

Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
·AT&T U-Verse
·RoadRunner Cable
·AT&T Yahoo

Re: Change your router password!

Or how about those with no password at all? The 2-Wire
3800HGV-B, which comes with all AT&T U-Verse installations
as the RG (Residential Gateway) has no password securing
settings at all by default. It is up to the user to go
into the configuration and change that, but I'll bet many
people don't even bother.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
Binary

join:2007-12-29
Creston, WV

Re: Change your router password!

Update them?
koolkid1563
Premium,MVM
join:2005-11-06
Powell, WY
The most recent firmware upgrade that AT&T is pushing out forces the password on and will not let the user disable it.

away404

@comcast.net

I did as well. Credit where credit's due-- there are several examples available of these types of vulnerabilities located at the following link:


»www.gnucitizen.org/projects/rout···allenge/


Just do a search in the page for 'setup_dns' and you will find some examples of vulnerable cgi's he is talking about.

TK Junk Mail
Go ahead, make my day
Premium
join:2002-03-03
Margate City, NJ
·Comcast

Not at risk if you changed default password on router

There is some risk for all those people who neglected to change their password from the default when installing their router at home.

But for anyone who had the brains to change their passwords, this is a non-event.
--
My BLOG .. .. Internet News .. .. My Web Page

evilghost
Premium
join:2003-11-22
Springville, AL
·Windstream


edit:
April 8th, @10:50AM

Re: Not at risk if you changed default password on router

said by TK Junk Mail:

There is some risk for all those people who neglected to change their password from the default when installing their router at home.

But for anyone who had the brains to change their passwords, this is a non-event.
Routers vulnerable to CSRF are still exploitable IF the user has a trusted session with the configuration page and accesses a hostile site.

How many routers are using session versus cookies for verifying successful authentication?
MySpareBrain

join:2000-06-12
Missouri City, TX
·AT&T Yahoo

Re: Not at risk if you changed default password on router

said by evilghost:
Routers vulnerable to CSRF are still exploitable IF the user has a trusted session with the configuration page and accesses a hostile site.

How many routers are using session versus cookies for verifying successful authentication?


Don't most routers automatically time out the session after a period of time? If I'm in my router, and I stay on the same page for a couple minutes, when I change pages I have to login again.
MySpareBrain

join:2000-06-12
Missouri City, TX
·AT&T Yahoo

said by TK Junk Mail:

There is some risk for all those people who neglected to change their password from the default when installing their router at home.

But for anyone who had the brains to change their passwords, this is a non-event.
Yeah but then there are those who change the password then forget what they set it to. Or, they have their friend or kid do it for them and they don't remember what it was set to either.

jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ

A lot of assumptions

Wouldn't the attacker also need to know about your internal network addressing? Not only do they need to know the logon/password for your router but also the IP address.
koolkid1563
Premium,MVM
join:2005-11-06
Powell, WY

Re: A lot of assumptions

If you are using your router as a DHCP server, this becomes very easy.
impala

join:2008-03-08
Clemson, SC
·AT&T Southeast

Assuming settings are default:

If you know the victim's ISP; you probably know the router's internal address.

That's usually enough to guess the default password.

Some routers (at least the manufacturer) can be identified by a port probe.

How many of you authenticate to your router to monitor it as you browse the web with the same browser? I know I have.
djforumsguy

join:2004-10-03
Hamilton, ON
·Bell Sympatico

said by jjoshua:

Wouldn't the attacker also need to know about your internal network addressing? Not only do they need to know the logon/password for your router but also the IP address.
Java is by default set up so that it can inform the server of your internal IP address. It's not hard to guess the router's IP after this :P

Heterman
Premium
join:2004-02-28
Fayetteville, AR

More to it?

It seems to me Mr. Kaminsky is referring to something larger, as in the DNS itself. Having an unsecure router seems to only scratch the surface of the way this exploit can be used.
Smith6612
Premium
join:2008-02-01
united state

oooooh...

Well, I should already be safe from this. With the network IP for the router being very different from the default, along with my own password consisting of various characters, I should be all set.

NeoLinuxyes

@cableone.net

Tomato Router

yea, yea, blah blah. use my Linksys wrt54gs router with the Tomato firmware (Linux based). then change default pass. no ones gettin in, sister.

so just handle it.

(((((::::

Surfinusa
Premium
join:2001-02-08

Ouch!

Doesn't sound good for wireless hotspots.

Once you figure out how to change default password might as well lock the WAP down.
over 9 years online! © 1999-2008 dslreports.com.