Hacker News new | ask | show | jobs
by tlrobinson 5783 days ago
He does have control of the router's settings (possibly even the ability to update the firmware with a malicious replacement?). Most routers let you set the DNS server addresses to be provided via DHCP. If you control DNS, you control which addresses domains resolve to. No need to control the routing table.

SSL helps mitigate the damage to some extent, but only if the site uses SSL.
1 comments
nkassis 5783 days ago
Wait where does it state he he gained access to router? You can get the mac address of your router with sending a http request to it. Mine states it on the homepage. Doesn't mean you can change anything on there. What I'd like to know is how he manages to send this request, javascript origination policy should be blocking this.

EDIT: I was referring to the original article, schneier has a point, if the users has the default password set then yes he can login, but how is that even possible on most browsers today which prevents you from sending ajax request to anything but the original server?

EDIT2: Just tried it and got a error from chrome: 400 Bad Request Cross Site Action detected!

link
tlrobinson 5783 days ago
You need to watch the video again. Starting at 1:20 he mentions logging in using the default admin credentials.

He's using an XSS vulnerability in the router admin interface to execute JavaScript on the router's pages, so he can use JavaScript to do pretty much anything the user can do.

But even without an XSS exploit you can make cross-domain POSTs using forms, and GETs using IMG or SCRIPT tags. You just can't get the response, so it's not suitable for this attack where you need to get the MAC address out.

The "Drive-by Pharming" mentioned in the link I posted used the latter technique, because all it needs to do is POST some form that tells the router to update the DNS settings, it doesn't need the response.

He actually mentioned that technique in the video, but sort of glossed over it (right before "now, this isn't necessary in our geolocation XXXSS attack")

link
nkassis 5783 days ago
Thanks for the clarifications. I'm now turning off my router's web interface ;p ssh is all that's needed anyway.
link
revicon 5783 days ago
I'm also curious as to how he's managing to call to the router via javascript. Anyone have more details on the hack?

edit: Here's more info...

http://samy.pl/mapxss/

The hack relies on a specific XSS vulnerability in the Verizon FiOS router. It requires that you're already logged into your router or that you're using default username/password.

link
jdc 5783 days ago
The page linked is a proof of concept -- a minimal demonstration. The same process can be applied to any XSS vulnerable router.

That said, I've upvoted you for the link.

link