Website accessing your router settings?

Discussion in 'other security issues & news' started by vincenzo, Nov 15, 2014.

  1. vincenzo

    vincenzo Registered Member

    Joined:
    Nov 28, 2005
    Posts:
    151
    I read today on a security website that it is possible for a malicious script on a website to attempt to login in to your router and make changes, ie to the DNS settings. (Changing the router login from the default to a strong password will of course block this attack.)

    I've thought previously that this could only be done by someone logged in to the network, or by a hacker who breaks in by scanning for vulnerable IP addresses, but I've never heard of it being possible from a script on a website. Any truth to this?

    Thanks
     
  2. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    I'm saying something to say something, but no I've never heard of "just a script" doing it, but for some reason it doesn't seem impossible that it could. If you hit a malicious site and it manages to exploit your browser or plugins, then obviously it can download its payload and then do whatever the payload wants.

    It'd have to rely on some browser exploit though I'd think.
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  4. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    As far as I know such an attack would involve two serious flaws/vulnerabilities, one in the way the router web interface is implemented and another in the way your browser (or NoScript in Firefox case) filters cross scripting attacks. Highly unlikely. As MrBrian says, don't access the router with other tabs opened. For example, launch Chrome in Incognito mode just for that and close it when you are done.
     
  5. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    If I recall correctly, Flash Player was used with UPnP to alter router settings a while back.
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  7. vincenzo

    vincenzo Registered Member

    Joined:
    Nov 28, 2005
    Posts:
    151
    Thanks to all for the info and tips.

    BrBrian's link pretty much shows that it can be done. Surprising you don't hear about it happening more.
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Real-World CSRF attack hijacks DNS Server configuration of TP-Link routers:
    ----------

    @vincenzo: you're welcome :).
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From the link in the last post:
     
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The articles mention routers, but this also applies to modems and modem/router combination units, including those supplied by ISPs. These can be especially problematic when the user doesn't have the credentials or authority to change the settings.
     
  11. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    The most common attack via CSRF and DNS rebinding is against router so Noscript's ABE blocks them by default, but the attack are only possible when you open web interface of the router (and keep logging on or use default/weak password) while browsing so never do it and use strong password. I don't like fact that many router interface uses basic authentication, so if you can choose, use stronger authentication scheme.
    Also some router had vulnerability which enables attacker to e.g. overwrite firmware, change settings, and/or steal password so make sure your router is up-to-date and don't use no-more-supported router.
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    If I recall, it wasn't that long ago that routers were being exploited via UPnP using a flash exploit. I also seem to recall the article mentioning that flash wasn't necessary, that other vectors would work as well.
     
  13. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Yup, it is first thing when I get new router to disable UPnP, as it has plenty of vuln.
    Some are in implementation but others are in protocol itself.
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    IMO, UPnP is a security nightmare waiting to happen. I've stripped out its components from every PC I have. If I need a port forwarded, I'll do it manually.
     
  15. vincenzo

    vincenzo Registered Member

    Joined:
    Nov 28, 2005
    Posts:
    151
    Good info about closing browser before and after. Thanks
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  18. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Basic auth is terrible.
    In my case, I use IE (always InPrivate by -private flag) which is usually for sensitive activity to login to router, and I don't do anything other than changing rooter setting, never go any website, only change the settings and done. Still local sniffer will be able to see the transaction, but it's unavoidable for basic auth.
     
Loading...