Hacking The Interwebs
http://www.gnucitizen.org/blog/hacking-the-interwebs
When the victim visits a malicious SWF file, a 4-step attack will
silently execute in the background. At that moment the attacker will
have control over their router, pretty much regardless of its model.
Many home routers are vulnerable to this attack, as many of them
support UPnP to one degree or another.
The attack does not rely on any bugs. Simply put, when two completely
legitimate technologies, Flash and UPnP, are combined, they create a
vulnerability which exposes many home networks to great risk. The
attack depends on the fact that most, if not all, routers are UPnP
enabled. The UPnP SOAP service can be accessed without authorization
over the default Web Admin Interface. With the help of Flash, the
attacker can send arbitrary SOAP messages to the router's UPnP control
point and thereby reconfigure the device in order to enable further
attacks.
The most malicious of all malicious things to do when a device is
compromised via the attack described at the link at the top of this
email is to change the primary DNS server. That will effectively turn
the router and the network it controls into a zombie which the
attacker can take advantage of whenever they feel like it. It is also
possible to reset the admin credentials and create the sort of onion
routing network all bad guys want. Many routers come with a Layer 3
port-forwarding UPnP service. This is also a potential vector that
attackers can use. In cases like this, they will simply expose ports
behind the router on the Internet-facing side.
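As an added, defender-side example (not code from the original post or from GNUCITIZEN), the following Python script shows how a LAN capture or proxy log could be checked for the kind of UPnP SOAP control traffic described above. It parses raw HTTP requests, identifies UPnP SOAPAction headers, flags AddPortMapping calls (a standard WANIPConnection action) together with the mapping they request, and treats a Referer from outside the private address space as an indicator that the request was driven by a web page rather than by a LAN device. The sample requests, the gateway address 192.168.1.1, the control path /upnp/control/WANIPConn1 and the Referer heuristic are all assumptions constructed for this example; DNS changes are vendor-specific and are not modelled here.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample traffic: three HTTP requests as a LAN capture or proxy log
# might show them. Addresses, paths and values are made up for this example.
SAMPLE_REQUESTS = [
    # 1. A port mapping request exposing an internal SSH port on the WAN side,
    #    referred from a page that is not on the LAN.
    (
        "POST /upnp/control/WANIPConn1 HTTP/1.1\r\n"
        "Host: 192.168.1.1\r\n"
        "Referer: http://example.invalid/page.html\r\n"
        'Content-Type: text/xml; charset="utf-8"\r\n'
        'SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"\r\n'
        "\r\n"
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        "<NewRemoteHost></NewRemoteHost><NewExternalPort>2222</NewExternalPort>"
        "<NewProtocol>TCP</NewProtocol><NewInternalPort>22</NewInternalPort>"
        "<NewInternalClient>192.168.1.10</NewInternalClient><NewEnabled>1</NewEnabled>"
        "<NewPortMappingDescription>x</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"
        "</u:AddPortMapping></s:Body></s:Envelope>"
    ),
    # 2. A read-only UPnP query, as a media player on the LAN might send it.
    (
        "POST /upnp/control/WANIPConn1 HTTP/1.1\r\n"
        "Host: 192.168.1.1\r\n"
        'SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress"\r\n'
        "\r\n"
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetExternalIPAddress xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        "</u:GetExternalIPAddress></s:Body></s:Envelope>"
    ),
    # 3. An ordinary form post to the admin UI; not UPnP at all.
    (
        "POST /cgi-bin/login.cgi HTTP/1.1\r\n"
        "Host: 192.168.1.1\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "\r\n"
        "user=admin&pass=REDACTED"
    ),
]

SOAP_ACTION_RE = re.compile(r'"?(urn:schemas-upnp-org:service:[^#"]+)#([A-Za-z0-9_]+)"?')
ARG_RE = re.compile(r"<(New[A-Za-z]+)>([^<]*)</\1>")


def parse_http_request(raw: str) -> Dict:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split at the first colon only
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def soap_action(req: Dict) -> Optional[Tuple[str, str]]:
    """Return (service URN, action name) if the request carries a UPnP SOAPAction."""
    value = req["headers"].get("soapaction")
    if not value:
        return None
    m = SOAP_ACTION_RE.match(value)
    return (m.group(1), m.group(2)) if m else None


def soap_args(body: str) -> Dict[str, str]:
    """Collect the New* argument elements of a WANIPConnection SOAP body."""
    return {m.group(1): m.group(2) for m in ARG_RE.finditer(body)}


def is_private_host(url: str) -> bool:
    """True when the URL's host is a literal RFC 1918/private address (heuristic)."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # a DNS name: assume it is not a LAN device


def assess(raw: str) -> Dict:
    """Classify one request: none / info / high, with human-readable findings."""
    req = parse_http_request(raw)
    result: Dict = {"upnp": False, "action": None, "severity": "none", "findings": []}
    action = soap_action(req)
    if action is None:
        return result
    service, name = action
    result.update(upnp=True, action=name, severity="info")
    result["findings"].append(f"UPnP SOAP control request to {service}#{name}")
    referer = req["headers"].get("referer")
    if referer and not is_private_host(referer):
        result["severity"] = "high"
        result["findings"].append(f"control request referred from non-LAN page {referer}")
    if name == "AddPortMapping":
        args = soap_args(req["body"])
        result["severity"] = "high"
        result["mapping"] = {
            "external_port": int(args.get("NewExternalPort", "0")),
            "protocol": args.get("NewProtocol", "?"),
            "internal_client": args.get("NewInternalClient", "?"),
            "internal_port": int(args.get("NewInternalPort", "0")),
        }
        result["findings"].append(
            f"port mapping requested: WAN {args.get('NewProtocol')}/{args.get('NewExternalPort')}"
            f" -> {args.get('NewInternalClient')}:{args.get('NewInternalPort')}"
        )
    return result


def alerts(raws: List[str]) -> List[Dict]:
    """Return only the requests that warrant an alert."""
    return [r for r in (assess(x) for x in raws) if r["severity"] == "high"]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_REQUESTS):
        print(hit["severity"].upper(), hit["action"], "; ".join(hit["findings"]))
```

On real traffic the raw request text would come from a LAN tap or an intercepting proxy in front of the gateway; the script deliberately only reads captured requests and never talks to the router itself.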
We hope that by exposing this information, we will drastically improve
the situation for the future. I think that this is a lot better than
keeping it for ourselves or risking it all by giving the criminals the
opportunity to possess a secret which no one else is aware of. The
best way to protect against this attack is to turn off UPnP if your
router's Admin Interface allows it. It seems that many routers simply
do not have this feature.
More information on related UPnP research can be found here:
http://www.gnucitizen.org/
http://www.gnucitizen.org/blog/steal-his-wi-fi
http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-5
http://www.gnucitizen.org/blog/hacking-with-upnp-universal-plug-and-play
GNUCITIZEN is a Cutting Edge, Ethical Hacker Outfit, Information Think
Tank, which primarily deals with all aspects of the art of hacking.
Our work has been featured in established magazines and information
portals, such as Wired, Eweek, The Register, PC Week, IDG, BBC and
many others. The members of the GNUCITIZEN group are well known and
well established experts in the Information Security, Black Public
Relations (PR) Industries and Hacker Circles with widely recognized
experience in the government and corporate sectors and the open source
community.
GNUCITIZEN is an ethical, white-hat organization that doesn't hide
anything. We strongly believe that knowledge belongs to everyone and
we do everything to ensure that our readers have access to the
latest cutting-edge research and get alerted of the newest security
threats when they come. Our experience shows that the best way of
protection is mass information. And we mean that literally!!! It is in
the public's best interest to make our findings accessible to the vast
majority of people, simply because it is proven that the more people
know about a certain problem, the better.
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org http://www.hakiri.com