[YLUG] Web sites hacking router [was: Re: Router]

john halewood john.halewood at gmail.com
Mon Sep 29 16:26:06 UTC 2008


2008/9/28 Craig Genner <craig at tuxx.org.uk> wrote:
> Doesn't matter, it's been proven that certain scripts can run on your web
> browser that are used to access the router.  Because it's run from your
> browser on the local lan then it has access to the web interface of your
> router.

It may be that I'm a bit confused due to having a bad cold at the
moment, but how does the script know where your router is? I can
imagine that if you've got a simple setup that just goes computer -
router - interweb, then it could pick it up from the default gateway.
But in the deployments that I use for many companies the network goes
pc - firewall - router - t'internet, so accessing the default gateway
gets you nothing unless you can ssh into it from a predefined address
with the right set of keys. Then you could find the gateway to the
router (which is on a different network from the LAN).
 Also, many routers (even my own ancient one, which still manages to
work despite the fact that the cat spends most of its time sleeping
on it), have configuration options which let you lock down the hosts
which can access it by IP address, which should mitigate most of the
problems.
 I think this is more an educate-the-user (preferably with a lump of
wood with rusty nails at the business end) issue rather than anything
else, but I would agree with Pete about turning UPnP off on everything
- it's just a nightmare in terms of security.
 Another problem I find with a lot of ADSL routers these days is that
they can't be configured properly from anything other than a web
browser - they may have a token telnet interface, or in some cases
even ssh access, but that's not enough to actually set them up
properly.
 Years back, when I was doing this regularly on (ahem) "proper"
routers (i.e. big expensive Cisco boxes) there was a basic rule -
configure it from the console, turn all external access off (telnet,
SNMP, UPnP etc) and leave it. If someone wanted statistics from it
then I'd set up an ACL to allow SNMP from one host only, and that one
wouldn't be able to change the config.

cheers
john
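
The rule described in the message above (configure from the console, turn remote access off, allow SNMP from one host only and read-only), sketched as a Cisco IOS configuration fragment. This is an added example, not part of the original post; the monitoring host 192.0.2.10, the ACL number 10 and the community string placeholder are assumptions.

```cisco
! Constructed values: 192.0.2.10 = the single monitoring host (assumption),
! REPLACE_ME = placeholder community string, 10 = arbitrary standard ACL number.
!
! Turn off the built-in web management interface.
no ip http server
no ip http secure-server
!
! Standard ACL naming the one host that may poll statistics.
access-list 10 remark SNMP polling from the monitoring host only
access-list 10 permit host 192.0.2.10
access-list 10 deny any log
!
! Read-only (RO) community bound to ACL 10: the permitted host can read
! counters but cannot change the configuration. No RW community is defined.
snmp-server community REPLACE_ME RO 10
!
! No remote terminal access (telnet or ssh); management is via the console port.
line vty 0 4
 transport input none
```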


