[YLUG] Web sites hacking router [was: Re: Router]
Paul Gibbs
paul-listmonkey at pacem.plus.com
Mon Sep 29 19:48:02 UTC 2008
For the Skeptics among you, consider this:
Many of you assume that to hack your router the hacker needs to know
everything. This is where my choice of the word hacker is more exact; hackers keep
trying until they get somewhere, so as long as they know enough to make the
number of attempts they've got time for statistically likely to get a result,
then they're happy.
1: Visit http://www.auditmypc.com/anonymous-surfing.asp
This will show you your external IP address and if you're not going through
any proxy also your internal IP address. (We'll come back to this later.)
2: Imagine you have an ACME router with IP address 192.168.1.1 and a default
password of admin, and I ask you to click the link
http://admin:admin@192.168.1.1/config.htm?firewall=inactive&upnp=active
Would you do it?
If you say yes then your router would have opened your network to the world.
It would be your browser making the request so all admin traffic to the router
would be internal (between your browser on your machine and your router).
3: What if the link was in a rogue website, would you spot it?
But what if the link was just the source for an image tag: <IMG
src="http://admin:admin@192.168.1.1/config.htm?firewall=inactive&upnp=active">
You wouldn't have any choice unless you disable images. Even if you did I
could simply replace the image tag with a little javascript that causes it to
be loaded.
I hope we've now established that a rogue website (or a subtly hacked one) can
make your browser make any number of requests without your control. (Unless
you are from the tinfoil hat clan and disable java/script/images/cookies...)
4: But you say "my router is different". Well, there are only a handful of
router brands. With interactive web 2.0 style code the browser only needs to
get the index page of the router and report back for further instructions on
which commands to use to disable it. Failing that it only needs to assume you
have the most or 2nd most popular one to get lucky enough of the time.
5: But you say "my network is configured differently". Well, let's go back to "1:"
Most people use the default addressing that the router gives them. Popular
addresses for routers are 192.168.1.1, 192.168.11.1, 192.168.1.254, 10.0.0.1,
10.1.1.1. The rogue website knows your internal address so can have a good go
at guessing your router's internal IP address. Even if you chose your router's
IP address, I bet you made it memorable for your own benefit. I think a short
list of 100 of those rogue image links would be sufficient to get lucky and find
the right address. (And remember if it didn't get lucky it can try a different
set next time you load the page.)
6: The attacker knows your internal IP address, your router's internal IP
address and your router's external IP address. It has made your browser
contact the router and disable its firewall and switch on port forwarding to
your machine... What do you think happens next...
Once your router is forwarding all external ports to your machine the hacker
only needs to find one bug in one service you use to take control of your
machine... so if you're running a mail server, web server, file sharing (NFS or
samba) it's only a matter of time. Even if you don't think you're running
anything, ports still get opened for all sorts of reasons.
If you think this is unlikely, think again; it's a popular attack vector and
with routers becoming more like little computers there are known hacks
installing rogue firmware actually on your router. That way even when your
computer is off they have a bot active 24/7.
So if your router is unprotected - can you trust it?
Hopefully the answer is still yes but believe me; if you understand half of
this then you can appreciate how simple it is to open or disable a
web-controlled firewall.
So it's a good idea--if you haven't already--on your router to:
o) Change the admin account name if possible.
o) Use a good password (not the default one).
o) Change the default IP address.
o) Disable upnp. (Different issue but do it anyway.)
Paul.<><
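As an added illustration from the defending side (not code from Paul's post or from any router vendor), here is how a router's web interface could refuse the forged request described above. The router address, the parameter names and the csrf_token field are assumptions chosen to mirror the post:

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical router admin address and the settings that change firewall
# state; the names mirror the request shown in the post, not any real firmware.
ROUTER_HOST = "192.168.1.1"
STATE_CHANGING = {"firewall", "upnp", "portforward"}


def check_config_request(method, url, headers, form, session_token):
    """Decide whether a request to /config.htm may change router settings.

    Returns (allowed, reason). The request is modelled as the HTTP method, the
    full URL the browser asked for, a dict of request headers and a dict of
    POSTed form fields; session_token is the anti-forgery token the admin UI
    embedded in the page the user actually loaded.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query)

    # 1. Credentials embedded in the URL (http://admin:admin@host/...) are the
    #    hallmark of a link or <img> crafted off-site; never honour them.
    if parts.username or parts.password:
        return False, "credentials in URL"

    # 2. A bare GET (which is all an <img src=...> can produce) must never
    #    change state, whatever the query string says.
    if method != "POST" and STATE_CHANGING & set(query):
        return False, "state change via GET"

    if method == "POST":
        # 3. The browser reports which page issued the request; only the
        #    router's own admin UI may submit configuration changes.
        origin = headers.get("Origin") or headers.get("Referer", "")
        if urlsplit(origin).hostname != ROUTER_HOST:
            return False, "cross-site origin"
        # 4. The token proves the form came from a page served to this session.
        if form.get("csrf_token") != session_token:
            return False, "missing or wrong CSRF token"

    return True, "ok"


if __name__ == "__main__":
    # The exact request from the post, as the browser would send it.
    forged = "http://admin:admin@192.168.1.1/config.htm?firewall=inactive&upnp=active"
    print(check_config_request("GET", forged, {}, {}, "t0k3n"))  # rejected
```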