DEF CON 22 - Dan Kaminsky - Secure the default random
Router Crash Test: your home network could be taken over remotely.
During our development of GRC's complete DNS nameserver spoofability profiling system, we discovered something quite unexpected: a number of users lost all Internet connectivity shortly after nameserver profiling began. On closer examination, they discovered that the test had crashed their consumer NAT routers. The following routers are currently known to be susceptible to crashing under this test:
3Com OfficeConnect 3CR858-91 Ethernet Broadband Router.
3Com OfficeConnect 3CRWDR100A-72 ADSL Wireless 11g Firewall Router.
A-Link RR24AP i with the latest firmware at the time of the crash report.
Belkin F5D7234-4 01 Wireless G router firmware 3 00 3.
Okay, that's annoying, but why is it a concern? If the router crashes, it means that Internet data packets entering these routers from outside are something the router does not properly handle. The development of virtually all successful remote Internet exploits began when someone noticed something unexpectedly crashing a system. This is usually evidence of a previously unknown buffer overflow or unchecked buffer vulnerability in the affected device. Armed with the knowledge that such a potential vulnerability exists, skilled hackers (and make no mistake, these people are highly skilled) are often able to tailor the characteristics of the crashing packet so that the affected system executes code they supply in some sophisticated version of this packet.
And with that, the minor annoyance of a router that once crashed while running the GRC DNS test progresses to a full-blown exploit that allows a remote hacker to take control of the network that was protected by this router.
PLEASE NOTE CAREFULLY what we are and are not explicitly stating about this potential for a remotely exploitable vulnerability.
We are not saying that any of the routers our test causes to crash has a discovered, remotely exploitable vulnerability.
We are saying that a router should never simply crash when passing a valid, resolved domain name from the Internet to a machine on the internal network, which is all our test does.
We are saying that remote execution exploits almost always begin life as unexpected and definitely unwanted crashes.
We are saying that any newly discovered crash, just like this one, provides the kind of window of opportunity that talented hackers live for.
We will not be surprised to learn that this revelation leads to the creation and use of an exploit against one of the routers listed above.
Extenuating circumstances: it could very well be that the inherent behavior of NAT routers, whereby they ignore and drop unsolicited packets from the Internet, would completely mitigate any danger, and that only expected and solicited packets, such as those that occur during our test, are able to crash the router. In other words, your router is crashable, and only potentially vulnerable, only because it is running this test, which was initiated by you from inside, behind the inherent protection of your router.
That said, however, it is also possible that any ports exposed on a router, such as those created by port forwarding or by explicit use of a router's DMZ forwarding capability, would once again expose the router to DNS packets that it seems unable to digest safely.
You already know and trust us; that is the reason you are here. You know GRC are the good guys. But imagine for a moment that we weren't. We have a simple web-based test that crashes your router. It does this through the simplest everyday occurrence: having your web browser look up the IP address of an unknown domain. That is as far as we go, because our interest is limited to letting you know and helping you get your router fixed. We have no interest in using our test to take over your router and gain unsolicited access to your network. Really, we don't.
But even if it proves, as now seems likely, that crashable routers are vulnerable to unsolicited DNS responses, it seems highly likely that additional research could turn the solicited crashing behavior into solicited remote exploitation. Here are two disturbing ways this could be done.
You innocently visit a malicious Web site that causes your Web browser to request an IP address from a malicious DNS server that takes over your router. No personal firewall would prevent that, since it begins as a simple lookup of a valid DNS domain name. But when the IP address of this malicious domain is requested, the returned packet doesn't crash your router; it goes further. Maybe it enables remote WAN-side management, opens a port, deletes the login password, points the router's DMZ at your main machine, or anything of the kind. That's worrying.
Now take the case of a shared public network behind a consumer-grade router, such as any wireless access point, hotel or other shared network. A bad guy sitting anywhere within the network, in a cafe or hotel lobby, identifies the router by looking at its login page or by sending out a UPnP (Universal Plug and Play) request. Now he knows which router he is dealing with and exactly how it is vulnerable to a solicited DNS response. He therefore sets up his Internet DNS server and sends a DNS query. When the publicly shared router receives the crafted response, he "owns" the router, in hacker jargon. This is worrying too.
It is quite clear that we need these routers fixed, and sooner rather than later.
What can and should you do if you have a crashable router?
Complain loudly to your router manufacturer. One advantage of this public router crashability test is that any router manufacturer can easily use it to reproduce and fix their defective router firmware. Yes, we realize that the downside is that the bad guys can also use it to understand what is happening and perhaps design a powerful exploit. That is the usual trade-off when dealing publicly and openly with Internet problems.
Don't panic. Yes, there is great potential for trouble, but please remember that it is only potential at this time. Although that is significant, it is still very different from a confirmed problem; please don't confuse the two. Currently, there is every reason to believe that unsolicited, unexpected incoming packets that could cause a router to crash will simply be dropped, unlike the solicited packets that arrive during the GRC DNS test, no matter what payload they carry. It seems quite likely that it is the router's act of actively processing and digesting the incoming DNS packet that causes the trouble. Without knowing the exact nature of the problem for each router, it is impossible to say for sure. Except for malicious websites, as in the first case described above, this is not worth panicking about at this point.
If your router crashes and it is not already on the list: since so many faulty routers have been discovered by a relatively small test group, we expect to discover many other crashable routers. Therefore, if you discover a crashable router that is not listed above, please notify us immediately using our feedback page at this link or the link below. Our best option is to bring this problem to the attention of the Internet community so that users can inform their router manufacturers, and manufacturers can reproduce the behavior, observe the trouble and fix their faulty firmware quickly. The more pressure their customers exert, the more likely manufacturers are to respond. So please help us add routers to the list as you discover them. This will also help protect anyone else who may use the same router.
If your router is on the list and does not crash, we need to know that too, so we can maintain an accurate list of currently crashable routers. Once manufacturers have repaired their firmware, we will want to note that fact so that users of defective firmware and needlessly crashable routers can update their router's firmware and then use this test to verify that their router is repaired.
If a router that is not yours crashes: as detailed in the box above, we recognize that this problem may extend to routers on borrowed networks such as wireless hotspots, hotels, or other community settings, which unfortunately could be inadvertently taken down by the use of this benign DNS-based test. That is a risk created by a public test like this, however benign. However, this problem was discovered publicly through public testing in the GRC newsgroups, so the horses have already left the barn. The best course of action now is to get all crashable routers repaired, especially if this problem goes beyond simple crashability. So please also let us know if you discover crashability on such borrowed networks. We probably won't share that information, except very generally, but it might be important to know that this happens.
So now you know as much as we do about this intriguing question, but you cannot yet know whether you have a crashable router. Just press the button below to find out.
Gibson Research Corporation is owned and operated by Steve Gibson. The contents of this page are Copyright (c) 2016 Gibson Research Corporation. SpinRite, ShieldsUP, Nanoprobe and other noted brands are registered trademarks of Gibson Research Corporation, Laguna Hills, CA, USA.
Last edit: 4 June 2014 at 06:07 (1,040.05 days ago).