Security Hardware

D-Link Routers Vulnerable To DNS Hijacking

An anonymous reader writes: At least one and likely more D-Link routers as well as those of other manufacturers using the same firmware are vulnerable to remote changing of DNS settings and, effectively, traffic hijacking, a Bulgarian security researcher has discovered. Todor Donev, a member of the Ethical Hacker research team, says that the vulnerability is found in the ZynOS firmware of the device, D-Link's DSL-2740R ADSL modem/wireless router. The firmware in question is implemented in much networking equipment manufactured by D-Link, TP-Link Technologies and ZTE.

  • Every day (Score:3, Funny)

    by Anonymous Coward on Thursday January 29, 2015 @07:32PM (#48935799)

    I get on my knees and give thanks to OpenWRT.

  • I actually specify Google's public DNS server in my computer's network config. The router's DNS is only there as a backup.
    Also: Using D-Link? *tsk*
    • Re:Manual config (Score:5, Interesting)

      by wierd_w ( 1375923 ) on Thursday January 29, 2015 @07:42PM (#48935887)

      The hardware isn't all that bad most of the time, it's the shitty horrible firmwares they run.

      Frequently, it's an old, horribly butchered hackjob of openwrt under there these days. Something unholy running a 2.6 era kernel, and with drivers with more hacked patches attached than a 4th century beggar's clothes.

      Getting that old filth flushed out and replaced with something properly maintained is a GOOD thing. The router (hw wise) itself usually isn't all that bad.

      Netgear tends to be a bit better, but overpriced. Belkin can go die in a fire though.

      • Are any of these routers actually quality hardware? All the routers I've ever had have been crap. All versions of WRT54G overheat, for example, as do most other home routers.

        Within the next couple of hours FedEx is supposed to drop off my new home router, which is a Lenovo SFF machine with 3GB RAM and a 1.8GHz C2D. I'm popping a quad-ethernet into it. Then I'm going to heat up this RB411 I've got here and use it just for the WiFi. I've been using an RB192 and it seems to have just died on me. If the RB411 d

        • If you don't mind taking one apart, it is pretty easy to install the missing cooling inside a home router.

          Most have a 3v level based serial connector that can be tapped for driving a fan. Just getting some circulation in there helps immensely.

          This has more to do with the manufacturer not wanting any moving parts than it does with poor design though.

          I have a WNDR3400 that I use for various fun projects (It's running OpenWRT) that is a few years old now. I have replaced it with a more capable home router some

          • If the biggest problem you have is with cooling, stop being a wimp and just drive a fan off the serial console port connector inside. Pretty much all consumer routers have one.

            Well, the one WRT54G I added a fan to still crashed its pathetic little ass off, I never have understood why the community loved those things so well. I tried five of them before I realized that everyone is a fucking idiot, apparently. I don't like to believe that I'm smarter than the masses, both because it looks like an ego trip and because usually that sort of reasoning leads to disappointment, but now I know the WRT54G is garbage across the board. So now I don't trust anyone on this subject.

            As it turns

            • by Bengie ( 1121981 )
              The dual port network card in my PC router is worth more than $100. No matter how many packets I throw at my router, the interrupts per second never go above 300. Interrupt coalescing is awesome. It even coalesces across my LAN and WAN ports. It does this while keeping latency low. I get a 0.04ms ping from my PC to my router through my switch. I can't measure lower than that because of thread scheduling.
              • Well, somewhere I've got a mystery Quad Tulip with genuine DEC chips, but the NIC I'm planning to use is a Phobox P430TX. It's four totally discrete Intel 21143TD chips with Level One level shifters (whatever you actually call the chips that handle the ethernet line itself) behind an Intel 21152AB PCI to PCI bridge. If it doesn't pan out then I've gotta track down that tulip, which is probably deep inside a crate someplace.

            • The WRT54G was one of the first consumer routers where the maker "Fucked up", and used FOSS software without a license, and then had to release the source code.

              As a consequence, it was one of the first devices to attract major community attention, even with all its warts.

              Later versions of the device were so horribly underpowered compared to the original hardware release that they just aren't worth any effort. Compared to more recent SoC based home routers, they are garbage. (TINY system flash size, abysmall

            • Just turn the wifi power down a bit, and don't bother trying to overclock it.

            • by Skater ( 41976 )
              My experience with the WRT54G v1.1 was ten years of trouble free use. I replaced it only because I wanted a faster network (I move large files around frequently). In fact, I still have my WRT54G, and I needed to come up with a way to get internet access for one device to multiple devices at a show we run, so I installed dd-wrt or openwrt on it and had it connecting to two wireless networks (one with net access and our private one). Even when I was running a live video stream through that connection, the
        • They all tend to be fairly miserable (though thermal issues are often more a product of the desire to have more space for ugly branding and fewer vents, which can be fixed with a bit of applied violence); but I do have to give the hardware credit for often being rather amazing for the price. The firmware is shit more or less across the board; but it is astounding how much actual computer they can cram into a $20 router.
          • Yeah-- I was meaning "good for the price"

            A home router is little more than a SoC these days. Does not have the robustness that an actual dedicated computer has. What it DOES have is low energy draw, small physical footprint, and "Good for the price" hardware.

            Getting some quality software in there, and a little cooling, they can work quite well even under pretty heavy loads. They just aren't data center grade.

            They ARE getting some pretty powerful SoC in them though in recent offerings. Some are up to 1.2gh

            • I'd be inclined to say 'amazing' for the price. I understand the use case for rPi, beaglebone black, cubieboard, etc. when you need video and actually good GPIO (even more so if you need proper PWM, i2c/SPI, etc. BBblack, especially, has some pretty powerful specialty I/O options); but routers are so aggressively priced that they are often a pretty good deal for adding network capabilities to assorted projects on the fast and cheap.

              I'm always up for other suggestions, of course; but I'm currently a big fa
        • by epyT-R ( 613989 )

          You're better off with the quad ethernet card being pcie and the wlan card pci, especially if the ethernet is 1gb or more.

          • You're better off with the quad ethernet card being pcie and the wlan card pci, especially if the ethernet is 1gb or more.

            That's true, but the QE card came from a yard sale for five bucks, so unless it's bad I think I'm pretty well-off with that one. The machine has one GigE port onboard, and I'll feed that into a D-Link 1Gbps unmanaged switch for a storage segment just for my PC and some Pogoplugs. Everything else in the house is either wireless or 100Mbps, so it won't actually matter at all.

            I do have an atheros-chipset wlan PCI card which might do master mode, but it's only 802.11g. If it were 802.11a+n then I'd probably go

            • by epyT-R ( 613989 )

              If you don't need the extra performance, then that $5 board is just fine. Even dual ethernet boards with decent chipsets are ripoffs.

              • As it turns out, and as I would probably have noticed if I paid more attention to model numbers, all the intel chips on this card are DEC clones. Linux, naturally, just calls them tulips. Huzzah!

                Also as it turns out, the PCIE interface is weird. It has an almost-PCIEx1-almost-PCIEx16 video card in it which appears to just provide the DVI output for the onboard intel 960 graphics. I'm sure this is old hat to other people but I haven't messed about with an even vaguely modern corporate PC in a while, just clo

        • by MikeMo ( 521697 )
          It seems most consumers will only buy whichever router is the cheapest. They have no concept of quality, performance, features, configurability, etc. when it comes to routers. So, router makers have to keep making them cheaper and cheaper or they don't sell at all. Kinda like the whole PC market, only worse. Obviously, they get to the point where they barely run, barely have any thermal headroom, have the cheapest possible components, and buggy firmware.
        • by _merlin ( 160982 )

          AVM FritzBox is the only quality hardware I've seen in this space.

    • by Anonymous Coward

      I actually specify Google's public DNS server in my computer's network config.

      I'm sure Google is happy to hear that. Personally I think they know quite enough about me already, without also being aware of every single hostname my network resolves.

  • I've been working on various aspects of the CPE equation for almost 2 years now as part of the various OpenResolverProject, OpenNTPProject, and other related aspects. Most CPE can't even do DNS correctly, let alone securely.

    Take Netgear for example, they can't even process RFC1035 4.2.2 correctly to say a client should support DNS over TCP (it's not just for zone transfers), but instead of just not responding, or sending back some error that allows the DNS client to try the next resolver it has, you get it

  • by ciscoguy01 ( 635963 ) on Thursday January 29, 2015 @07:44PM (#48935891)
    Why leave remote administration on?
    I would avoid opening the web UI of any home router on the WAN side.
    It's mostly unnecessary and a needless security exposure.
    • Indeed, but getting the router's DNS table to point to your malicious package when it checks for "Available Updates" works even when the LAN side does the admin through the web UI.

      Leaving the WAN side open is just ASKING for trouble.

    • The funny thing is, hundreds of thousands of Cisco routers are open to the WAN with only a pw, no username at all. Somehow we get by. Heh.
      • You're braver than I am :D
        ( Assuming your Wan faces the internet )

        In a corporate environment, sure.
        In the wild ? hahahahahaha No.

        Better to be on site when doing any configuration tweaking anyway. A typo is the
        only thing standing in the way of locking yourself out of it and / or knocking it offline
        completely.

        I personally don't allow anything other than very specific hosts which are members of the
        wired Lan access to router / switch management. No remote sites, no wireless or VPN
        connections. ( Of course,
    • by Anonymous Coward

      From the original story, quote:

      "... even if it's only accessible from within the local area network, hackers can still use cross-site request forgery (CSRF) techniques to reach a router's interface.

      CSRF attacks hijack users' browsers to perform unauthorized actions when they visit compromised sites or click on malicious links. Rogue code loaded from a website can instruct a browser to send specially crafted HTTP requests to LAN IP addresses that are usually associated with routers.

      Large scale CSRF attacks a
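
An added example, not part of the quoted story or of any vendor's firmware: the server-side check an admin interface can apply so that the browser-driven requests to LAN addresses described in the comment above are refused. The function name, the allowed host names and the reason strings are hypothetical.

```python
from urllib.parse import urlsplit

# Assumed for illustration: the names the admin UI is legitimately reached by.
ALLOWED_HOSTS = {"192.168.1.1", "router.lan"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _host_of(value):
    """Lowercase hostname from a Host header or from an Origin/Referer URL."""
    if "://" not in value:
        value = "//" + value          # bare "host:port" as sent in a Host header
    return (urlsplit(value).hostname or "").lower()


def allow_admin_request(method, headers, allowed_hosts=ALLOWED_HOSTS):
    """Decide whether an admin-UI request is processed. Returns (allowed, reason)."""
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Host must be one of the router's own names; a request that arrived
    #    under some other name was not addressed to the admin UI by its user.
    if _host_of(h.get("host", "")) not in allowed_hosts:
        return False, "unexpected Host"

    # 2. Read-only methods pass; they must never change settings.
    if method.upper() in SAFE_METHODS:
        return True, "safe method"

    # 3. State-changing requests must originate from the UI's own pages.
    #    Browsers attach Origin (or Referer) to cross-site form posts.
    source = h.get("origin") or h.get("referer")
    if not source or source == "null":
        return False, "missing Origin/Referer"
    if _host_of(source) not in allowed_hosts:
        return False, "cross-site source"
    return True, "same-site source"


if __name__ == "__main__":
    # Constructed request: a page on another site posts to the router's LAN IP.
    forged = {"Host": "192.168.1.1", "Origin": "http://evil.example"}
    print(allow_admin_request("POST", forged))
```

The check only helps when settings such as DNS servers are changed solely through non-GET requests that also require an authenticated session.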

  • Put OpenWrt on it and problem over.
    • Put OpenWrt on it and problem over.

      A lot of these el cheapo routers won't take an alternate firmware, they don't run Linux and they don't have sufficient hardware resources in a lot of cases, notably ram and flash. Unfortunately, a lot of these sort of devices have the same name as devices which will take Linux. When you're lucky, a revision number which can be used to determine compatibility appears on the device, but is usually not visible through the packaging.

      • This is what the OpenWRT Table of Hardware [openwrt.org] is for. One nice feature of the list is de-facto announced end-of-life, so you'll know when to retire your old gear. DD-WRT doesn't do this with their hardware compatibility list so you're left thinking they'll push out an update for your unit, except they don't.

        OpenWRT lists support for an interesting and cheap TP-Link router on their front page (the TP-Link TL-MR3420). What makes this 40 euro router so interesting is its support for both an ethernet WAN port, alo

        • There are a lot of routers with a USB that are supported by OpenWRT, TL-MR3420 is not that interesting. I've got my TL-WDR3600 (gigabit, 2 usb ports, 5GHz support) for less than $40. Unfortunately no hardware NAT support on OpenWRT, so I'm limited to ~300Mbs on wan.

          If you have a USB-port, you can stick whatever device supported by linux in-there, not just "GSM" modems. The limitations are mostly because of the crappy stock firmware. And many recent HSPA and LTE modems are themselves linux-based routers,

      • Really? [openwrt.org]
    • Put OpenWrt on it and problem over.

      OpenWrt is not without its issues.
      It's not a panacea. Unless you need a package that has been implemented on that platform.
      If you do, OpenWrt is appropriate.
      DDWrt might be slightly easier to configure, but certainly not without its own problems.
      But other platforms are better for average home users. Easier to use.
      Man, so many people get glazed looks when asked to make a change to even a simple home router. They are so simple!
      When the guy from the cable company did my install and I made the f

  • "The exploit was created by Todor Donev, member of a Bulgarian security research outfit called Ethical Hacker[...]"
    "Donev did not report the vulnerability to D-Link and as far as he knows it is currently a zero-day[...]"

    I don't think that word means what you think it means. :-/
