
FON Router allows anonymous web access



Description:
"La Fonera" routers distributed by FON allow web access to unauthenticated 
users via DNS tunneling.

Explanation:
The router hands a client a DHCP lease but does not forward IP traffic until 
the client authenticates via the captive portal. The DNS server address handed 
out is the router itself, so a DNS forwarder is running on the router. For 
obvious reasons even an unauthenticated client is allowed to reach a few sites 
(Google, Skype and the access point owner's site), but instead of restricting 
DNS requests to those few domains, the forwarder resolves every domain. This is 
where a DNS tunnel comes in handy: the client encodes its outbound data in 
queries for an attacker-controlled zone, the router's forwarder relays them to 
that zone's name server, and the answers carry data back, all without any 
authentication.
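The following is an added example, not code from FON's firmware or from the advisory. It models the forwarder described above in Python: the weak policy resolves every name for an unauthenticated client, so the authoritative server of an attacker's zone receives whatever the client packs into the query labels; the walled-garden policy recurses only for the permitted names and answers everything else locally, so nothing leaves the router. The zone names, addresses and hostnames are assumptions chosen for the example, and the base32 label packing is a minimal illustration of the channel rather than NSTX's real framing.

```python
"""Captive-portal DNS forwarder: the weak policy beside a walled-garden one.

Added example, not FON firmware code.  Zones, addresses and hostnames are
assumptions chosen for the example; the label encoding is a minimal
illustration of a DNS tunnel, not NSTX's actual framing.
"""
import base64

# Names an unauthenticated client may reach (the advisory lists Google,
# Skype and the hotspot owner's site; these exact hostnames are assumed).
WALLED_GARDEN = ("google.com", "skype.com", "hotspot-owner.example")
PORTAL_IP = "192.168.10.1"       # assumed address of the router's captive portal


def in_zone(qname, zone):
    qname, zone = qname.rstrip(".").lower(), zone.rstrip(".").lower()
    return qname == zone or qname.endswith("." + zone)


class Upstream:
    """Stand-in for real recursion.  The authoritative server of the longest
    matching zone records the full query name it was asked about: that is
    how a tunnel endpoint receives the data encoded in the labels."""

    def __init__(self, zones):
        self.zones = zones                         # zone -> answer address
        self.seen = {zone: [] for zone in zones}   # names each server saw

    def resolve(self, qname):
        matches = [z for z in self.zones if in_zone(qname, z)]
        if not matches:
            return None                            # NXDOMAIN
        zone = max(matches, key=len)
        self.seen[zone].append(qname.rstrip(".").lower())
        return self.zones[zone]


def weak_forwarder(upstream, authenticated, qname):
    """Behaviour the advisory reports: authentication state is ignored."""
    return upstream.resolve(qname)


def walled_garden_forwarder(upstream, authenticated, qname):
    """Recurse only for authenticated clients or walled-garden names; every
    other name is answered with the portal address, so the client lands on
    the login page and no query is forwarded upstream."""
    if authenticated or any(in_zone(qname, z) for z in WALLED_GARDEN):
        return upstream.resolve(qname)
    return PORTAL_IP


def tunnel_queries(payload, zone="tunnel.example", label_len=63, max_name=253):
    """Pack bytes into base32 labels under the attacker's zone, respecting the
    DNS limits of 63 bytes per label and 253 bytes per name."""
    enc = base64.b32encode(payload).decode().rstrip("=").lower()
    labels = [enc[i:i + label_len] for i in range(0, len(enc), label_len)]
    names, current = [], []
    for label in labels:
        if current and len(".".join(current + [label, zone])) > max_name:
            names.append(".".join(current + [zone]))
            current = []
        current.append(label)
    if current:
        names.append(".".join(current + [zone]))
    return names


def tunnel_decode(names, zone="tunnel.example"):
    """What the tunnel server recovers from the names it was queried for."""
    enc = "".join(n[: -len(zone) - 1].replace(".", "") for n in names).upper()
    return base64.b32decode(enc + "=" * (-len(enc) % 8))


def exfiltrate(policy, payload):
    """Run an unauthenticated client's tunnel queries through `policy` and
    return whatever reached the attacker's authoritative server."""
    upstream = Upstream({"google.com": "192.0.2.10", "skype.com": "192.0.2.20",
                         "hotspot-owner.example": "192.0.2.30",
                         "tunnel.example": "198.51.100.7"})
    for qname in tunnel_queries(payload):
        policy(upstream, False, qname)
    seen = upstream.seen["tunnel.example"]
    return tunnel_decode(seen) if seen else b""


if __name__ == "__main__":
    data = b"data from an unauthenticated client"
    print("weak forwarder leaked:", exfiltrate(weak_forwarder, data))
    print("walled garden leaked:", exfiltrate(walled_garden_forwarder, data))
```

Answering non-garden names with the portal address is the usual captive-portal trick for steering browsers to the login page; returning REFUSED works equally well for the purpose here, since what closes the channel is that the query never reaches an upstream server.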

Environment:
Tested with the router's standard config on 01/04/07. Works smoothly with NSTX 
(http://nstx.dereference.de/nstx/, version 1.1-beta6); an SSH session through 
the tunnel was used for connection testing, without any authentication via the 
FON captive portal.

Impact:
Unauthorized resource usage (Internet bandwidth); the tunneled traffic leaves 
through the access point owner's connection.

Solution:
New firmware from FON. As a workaround, rate limit DNS traffic from 
unauthenticated clients on the real router (if possible...); restricting the 
forwarder to the handful of permitted domains would close the channel entirely.
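As an added example of the rate-limiting workaround, not code from FON or from the advisory, here is a per-client DNS throttle in Python with a simple tunnel heuristic on top: a token bucket caps how many queries each client may send, and names with long, high-entropy labels are flagged, since a tunnel has to pack its data into labels somewhere. The rates, thresholds, client addresses and the query log at the bottom are all constructed for the example.

```python
"""Per-client DNS rate limiting with a simple tunnel heuristic.

Added example, not FON code.  Rates, thresholds, addresses and the sample
query log are assumptions constructed for the example.
"""
import collections
import hashlib
import math


class TokenBucket:
    """`rate` tokens per second, at most `burst` stored.  Tokens are kept in
    thousandths and time in milliseconds so the allow/deny decision uses
    exact integer arithmetic (no float drift)."""

    def __init__(self, rate, burst):
        self.rate_per_ms = rate          # tokens/s == milli-tokens/ms
        self.cap = burst * 1000
        self.tokens = self.cap
        self.last_ms = 0

    def allow(self, now_ms):
        refill = (now_ms - self.last_ms) * self.rate_per_ms
        self.tokens = min(self.cap, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def shannon_entropy(s):
    if not s:
        return 0.0
    counts = collections.Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_like_tunnel(qname, max_label=30, min_entropy=3.5):
    """Tunnel clients must carry data in labels, so the labels are long and
    look random compared with ordinary hostnames.  Thresholds are assumed."""
    labels = [l for l in qname.lower().rstrip(".").split(".") if l]
    if not labels:
        return False
    longest = max(labels, key=len)
    if len(longest) >= max_label:
        return True
    return len(longest) >= 16 and shannon_entropy(longest) > min_entropy


class DnsGuard:
    """What a router could apply to queries from unauthenticated clients."""

    def __init__(self, rate=2, burst=20):
        self.rate, self.burst = rate, burst
        self.buckets = {}
        self.stats = collections.defaultdict(
            lambda: {"allowed": 0, "dropped": 0, "suspicious": 0})

    def handle(self, client, qname, now_ms):
        st = self.stats[client]
        if looks_like_tunnel(qname):
            st["suspicious"] += 1
        bucket = self.buckets.setdefault(client, TokenBucket(self.rate, self.burst))
        if bucket.allow(now_ms):
            st["allowed"] += 1
            return True
        st["dropped"] += 1
        return False


def constructed_log():
    """Constructed sample: one ordinary client doing a lookup per second and
    one client pushing 200 tunnel-style queries through in ten seconds."""
    ordinary = ["www.google.com", "www.skype.com", "hotspot-owner.example",
                "mail.example.net", "www.google.com"]
    log = [("10.0.0.5", name, t * 1000) for t, name in enumerate(ordinary)]
    for i in range(200):
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:60]
        log.append(("10.0.0.9", f"{label}.tunnel.example", i * 50))
    return sorted(log, key=lambda entry: entry[2])


def run(log=None):
    """Feed a (client, qname, time_ms) log through the guard; return stats."""
    guard = DnsGuard()
    for client, qname, t in (log if log is not None else constructed_log()):
        guard.handle(client, qname, t)
    return {client: dict(st) for client, st in guard.stats.items()}


if __name__ == "__main__":
    for client, st in run().items():
        print(client, st)
```

With a bucket of 2 queries/s and a burst of 20, the tunnel client gets 39 of its 200 queries through in ten seconds, which turns the channel into a trickle; the ordinary client is untouched. Rate limiting alone only slows a tunnel down, so the flag count is the signal worth acting on (for example by dropping flagged names from unauthenticated clients outright).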