Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Hardware

D-Link Routers Vulnerable To DNS Hijacking 64

An anonymous reader writes At least one and likely more D-Link routers as well as those of other manufacturers using the same firmware are vulnerable to remote changing of DNS settings and, effectively, traffic hijacking, a Bulgarian security researcher has discovered. Todor Donev, a member of the Ethical Hacker research team, says that the vulnerability is found in the ZynOS firmware of the device, D-Link's DSL-2740R ADSL modem/wireless router. The firmware in question is implemented in many networking equipment manufactured by D-Link, TP-Link Technologies and ZTE.
This discussion has been archived. No new comments can be posted.

D-Link Routers Vulnerable To DNS Hijacking

Comments Filter:
  • Every day (Score:3, Funny)

    by Anonymous Coward on Thursday January 29, 2015 @06:32PM (#48935799)

    I get on my knees and give thanks to OpenWRT.

  • I actually specify Google's public DNS server in my computer's network config. The router's DNS is only there as a backup.
    Also: Using D-Link? *tsk*
    • Re:Manual config (Score:5, Interesting)

      by wierd_w ( 1375923 ) on Thursday January 29, 2015 @06:42PM (#48935887)

      The hardware isnt all that bad most of the time, it's the shitty horrible firmwares they run.

      Frequently, it's an old, horribly butchered hackjob of openwrt under there these days. Something unholy running a 2.6 era kernel, and with drivers with more hacked patches attached than a 4th century beggar's clothes.

      Getting that old filth flushed out and replaced with something properly maintained is a GOOD thing. The router (hw wise) itself usually isnt all that bad.

      Netgear tends to be a bit better, but overpriced. Belkin can go die in a fire though.

      • Are any of these routers actually quality hardware? All the routers I've ever had have been crap. All versions of WRT54G overheat, for example, as do most other home routers.

        Within the next couple of hours FedEx is supposed to drop off my new home router, which is a Lenovo SFF machine with 3GB RAM and a 1.8GHz C2D. I'm popping a quad-ethernet into it. Then I'm going to heat up this RB411 I've got here and use it just for the WiFi. I've been using an RB192 and it seems to have just died on me. If the RB411 d

        • If you dont mind taking one apart, it is pretty easy to install the missing cooling inside a home router.

          Most have a 3v level based serial connector that can be tapped for driving a fan. Just getting some circulation in there helps immensely.

          This has more to do with the manufacturer not wanting any moving parts than it does with poor design though.

          I have a WNDR3400 that I use for various fun projects (It's running OpenWRT) that is a few years old now. I have replaced it with a more capable home router some

          • If the biggest problem you have is with cooling, stop being a wimp and just drive a fan off the serial console port connector inside. Pretty much all consumer routers have one.

            Well, the one WRT54G I added a fan to still crashed its pathetic little ass off, I never have understood why the community loved those things so well. I tried five of them before I realized that everyone is a fucking idiot, apparently. I don't like to believe that I'm smarter than the masses, both because it looks like an ego trip and because usually that sort of reasoning leads to disappointment, but now I know the WRT54G is garbage across the board. So now I don't trust anyone on this subject.

            As it turns

            • by Bengie ( 1121981 )
              The dual port network card in my PC router is worth more than $100. No matter how many packets I throw at my router, the interrupts per second never go above 300. Interrupt coalescing is awesome. It even coalesces across my LAN and WAN ports. It does this while keeping latency low. I get a 0.04ms ping. from my PC to my router through my switch. I can't measure lower than that because of thread scheduling.
              • Well, somewhere i've got a mystery Quad Tulip with genuine DEC chips, but the NIC I'm planning to use is a Phobox P430TX. It's four totally discrete Intel 21143TD chips with Level One level shifters (whatever you actually call the chips that handle the ethernet line itself) behind an intel 21152AB PCI to PCI bridge. If it doesn't pan out then I've gotta track down that tulip, which is probably deep inside a crate someplace.

            • The WRT54G was one of the first consumer routers where the maker "Fucked up", and used FOSS software without a license, and then had to release the source code.

              As a consequence, it was one of the first devices to attract major community attention, even with all its warts.

              Later versions of the device were so horribly underpowered compared to the original hardware release that they just arent worth any effort. Compared to more recent SoC based home routers, they are garbage. (TINY system flash size, abysmall

            • Just turn the wifi power down a bit, and don't bother trying to overclock it.

            • by Skater ( 41976 )
              My experience with the WRT54G v1.1 was ten years of trouble free use. I replaced it only because I wanted a faster network (I move large files around frequently). In fact, I still have my WRT54G, and I needed to come up with a way to get internet access for one device to multiple devices at a show we run, so I installed dd-wrt or openwrt on it and had it connecting to two wireless networks (one with net access and our private one). Even when I was running a live video stream through that connection, the
        • They all tend to be fairly miserable(though thermal issues are often more a product of the desire to have more space for ugly branding and fewer vents, which can be fixed with a bit of applied violence); but I do have to give the hardware credit for often being rather amazing for the price. The firmware is shit more or less across the board; but it is astounding how much actual computer they can cram into a $20 router.
          • Yeah-- I was meaning "good for the price"

            A home router is little more than a SoC these days. Does not have the robustness that an actual dedicated computer has. What it DOES have is low energy draw, small physical footprint, and "Good for the price" hardware.

            Getting some quality software in there, and a little cooling, they can work quite well even under pretty heavy loads. They just aren't data center grade.

            They ARE getting some pretty powerful SoC in them though in recent offerings. Some are up to 1.2gh

            • I'd be inclined to say 'amazing' for the price. I understand the use case for rPi, beaglebone black, cubieboard, etc. when you need video and actually good GPIO(even more so if you need proper PWM, i2c/SPI, etc. BBblack, especially, has some pretty powerful specialty I/O options); but routers are so aggressively priced that they are often a pretty good deal for adding network capabilities to assorted projects on the fast and cheap.

              I'm always up for other suggestions, of course; but I'm currently a big fa
        • by epyT-R ( 613989 )

          You're better off with the quad ethernet card being pcie and the wlan card pci, especially if the ethernet is 1gb or more.

          • You're better off with the quad ethernet card being pcie and the wlan card pci, especially if the ethernet is 1gb or more.

            That's true, but the QE card came from a yard sale for five bucks, so unless it's bad I think I'm pretty well-off with that one. The machine has one GigE port onboard, and I'll feed that into a D-Link 1Gbps unmanaged switch for a storage segment just for my PC and some Pogoplugs. Everything else in the house is either wireless or 100Mbps, so it won't actually matter at all.

            I do have an atheros-chipset wlan PCI card which might do master mode, but it's only 802.11g. If it were 802.11a+n then I'd probably go

            • by epyT-R ( 613989 )

              If you don't need the extra performance, then that $5 board is just fine. Even dual ethernet boards with decent chipsets are ripoffs.

              • As it turns out, and as I would probably have noticed if I paid more attention to model numbers, all the intel chips on this card are DEC clones. Linux, naturally, just calls them tulips. Huzzah!

                Also as it turns out, the PCIE interface is weird. It has an almost-PCIEx1-almost-PCIEx16 video card in it which appears to just provide the DVI output for the onboard intel 960 graphics. I'm sure this is old hat to other people but I haven't messed about with an even vaguely modern corporate PC in a while, just clo

        • by MikeMo ( 521697 )
          It seems most consumers will only buy whichever router is the cheapest. They have no concept of quality, performance, features, configurability, etc. when it comes to routers. So, router makers have to keep making them cheaper and cheaper or they don't sell at all. Kinda like the whole PC market, only worse. Obviously, they get to the point where they barely run, barely have any thermal headroom, have the cheapest possible components, and buggy firmware.
        • by _merlin ( 160982 )

          AVM FritzBox is the only quality hardware I've seen in this space.

    • by Anonymous Coward

      I actually specify Google's public DNS server in my computer's network config.

      I'm sure Google is happy to hear that. Personally I think they know quite enough about me already, without also being aware of every single hostname my network resolves.

  • I've been working on various aspects of the CPE equation for almost 2 years now as part of the various OpenResolverProject, OpenNTPProject, and other related aspects. Most CPE can't even do DNS correctly, let alone securely.

    Take Netgear for example, they can't even process RFC1035 4.2.2 correctly to say a client should support DNS over TCP (it's not just for zone transfers), but instead of just not responding, or sending back some error that allows the DNS client to try the next resolver it has, you get it

  • by ciscoguy01 ( 635963 ) on Thursday January 29, 2015 @06:44PM (#48935891)
    Why leave remote administration on?
    I would avoid opening the web UI of any home router on the WAN side.
    It's mostly unnecessary and a needless security exposure.
    • Indeed, but getting the router's DNS table to point to your malicious package when it checks for "Available Updates" works even when the LAN side does the admin through the web UI.

      Leaving the WAN side open is just ASKING for trouble.

    • The funny thing is, hundreds of thousands of Cisco routers are open to the WAN with only a pw, no username at all. Somehow we get by. Heh.
      • You're braver than I am :D
        ( Assuming your Wan faces the internet )

        In a corporate environment, sure.
        In the wild ? hahahahahaha No.

        Better to be on site when doing any configuration tweaking anyway. A typo is the
        only thing standing in the way of locking yourself out of it and / or knocking if offline
        completely.

        I personally don't allow anything other than very specific hosts which are members of the
        wired Lan access to router / switch management. No remote sites, no wireless or VPN
        connections. ( Of course,
    • by Anonymous Coward

      From the original story, quote:

      "... even if it's only accessible from within the local area network, hackers can still use cross-site request forgery (CSRF) techniques to reach a router's interface.

      CSRF attacks hijack users' browsers to perform unauthorized actions when they visit compromised sites or click on malicious links. Rogue code loaded from a website can instruct a browser to send specially crafted HTTP requests to LAN IP addresses that are usually associated with routers.

      Large scale CSRF attacks a

  • Put OpenWrt on it and problem over.
    • Put OpenWrt on it and problem over.

      A lot of these el cheapo routers won't take an alternate firmware, they don't run Linux and they don't have sufficient hardware resources in a lot of cases, notably ram and flash. Unfortunately, a lot of these sort of devices have the same name as devices which will take Linux. When you're lucky, a revision number which can be used to determine compatibility appears on the device, but is usually not visible through the packaging.

      • This is what the OpenWRT Table of Hardware [openwrt.org] is for. One nice feature of the list is de-facto announced end-of-life, so you'll know when to retire your old gear. DD-WRT doesn't do this with their hardware compatibility list so you're left thinking they'll push out an update for your unit, except they don't.

        OpenWRT lists support for an interesting and cheap TP-Link router on their front page (the TP-Link TL-MR3420). What makes this 40 euro router so interesting is its support for both an ethernet WAN port, alo

        • There are a lot of routers with an USB that are supported by OpenWRT, TL-MR3420 is not that interesting. I've got my TL-WDR3600 (gigabit, 2 usb ports, 5GHz support) for less than $40. Unfortunately no hardware NAT support on OpenWRT, so I'm limited to ~300Mbs on wan.

          If you have a USB-port, you can stick whatever device supported by linux in-there, not just "GSM" modems. The limitations are mostly because of the crappy stock firmware. And many recent HSPA and LTE modems are themselves linux-based routers,

      • Really? [openwrt.org]
    • Put OpenWrt on it and problem over.

      OpenWrt is not without it's issues.
      It's not a panacea. Unless you need a package that has been implemented on that platform.
      If you do, OpenWrt is appropriate.
      DDWrt might be slightly easier to configure, but certainly not without it's own problems.
      But other platforms are better for average home users. Easier to use.
      Man, so many people get glazed looks when asked to make a change to even a simple home router. They are so simple!
      When the guy from the cable company did my install and I made the f

  • "The exploit was created by Todor Donev, member of a Bulgarian security research outfit called Ethical Hacker[...]"
    "Donev did not report the vulnerability to D-Link and as far as he knows it is currently a zero-day[...]"

    I don't think that word means what you think it means. :-/

"An idealist is one who, on noticing that a rose smells better than a cabbage, concludes that it will also make better soup." - H.L. Mencken

Working...