Dark Reading is part of the Informa Tech Division of Informa PLC


Risk

4/8/2008 09:05 AM

RSA Session Features Live Linksys Router Hack

Researcher Dan Kaminsky plans a live demo to show a DNS rebinding attack in action

SAN FRANCISCO -- RSA 2008 Conference -- Researcher Dan Kaminsky here today will demonstrate a live hack of a Linksys home router to illustrate how easy it is to exploit an old browser and browser plug-in vulnerability he’s been researching and warning the security community about since last year. (See Old Flaw Threatens Web 2.0 and Hack Sneaks Past Firewall to Intranet.)

Kaminsky, who is also director of penetration testing for IOActive, says he decided to make the so-called DNS rebinding vulnerability more visual to get browser vendors to fix the flaw, which is not actually in DNS but in browsers and browser plug-in programs such as Java, Flash, and Adobe. He says although DNS rebinding is a difficult problem to correct, he hopes his demo during his “Black Ops of Web 2.0: DNS Rebinding Attacks” session will get the attention of browser vendors.

“I’m a bit bothered that nobody realized that full router compromise is pretty much done and over with until the browsers get fixed. So I'm making it all visual,” Kaminsky says.

He says he will provide plenty of “prescriptive” guidance to device manufacturers as well as mitigation techniques and workarounds. DNS rebinding has worried researchers since the advent of Web 2.0-based sites: the more code that runs on the client, the more exposed the client is to a DNS rebinding attack.

Kaminsky demonstrated a DNS rebinding attack at Black Hat USA last summer that turned a victim’s browser into a proxy server, letting an external attacker reach into the victim’s intranet.

DNS rebinding lets an attacker use DNS tricks to make the browser reach a different IP address than the one it originally connected to for a given host name -- the browser should block this by binding (pinning) the host name to a particular IP address, but a flaw in many browsers and plug-ins lets an attacker defeat that.

Meanwhile, OpenDNS today released a free tool called fixmylinksys.com that lets Linksys users easily change their default password to protect themselves from the type of hack Kaminsky will demo. “This will stop all the automated attacks that Dan is showing at the RSA conference today. It's easy and is done over the Web,” says David Ulevitch, CEO of OpenDNS.

OpenDNS also launched a new type of DNS filter today that protects users from a DNS response from a malicious server. “In short, a DNS response from a malicious server that resolves to a host inside your network would get blocked,” Ulevitch says.
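An added illustration, not code from the article, Kaminsky or OpenDNS: a small Python model of the two defenses the story describes, browser-side DNS pinning and a resolver-side filter that refuses answers mapping an outside name to an internal address. The name rebind.example., the local zone corp.example. and all addresses are constructed.

```python
import ipaddress
from typing import Callable, Dict, List

# Ranges an external name should never resolve to (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
LOCAL_ZONES = ("corp.example.",)  # assumed local zone allowed to hold internal addresses

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def filter_response(qname: str, answers: List[str]) -> List[str]:
    """Resolver-side filter: drop answers that map a non-local name to an internal address."""
    if qname.endswith(LOCAL_ZONES):
        return answers
    return [a for a in answers if not is_internal(a)]

class PinningResolver:
    """Browser-side mitigation (DNS pinning): keep the first address a host resolved
    to for the life of the session, however short the record's TTL is."""
    def __init__(self, lookup: Callable[[str], List[str]]):
        self.lookup = lookup
        self.pins: Dict[str, str] = {}

    def connect(self, qname: str) -> str:
        if qname not in self.pins:
            answers = filter_response(qname, self.lookup(qname))
            if not answers:
                raise ValueError(f"no acceptable address for {qname}")
            self.pins[qname] = answers[0]
        return self.pins[qname]

def make_rebinding_lookup(first: str, later: str) -> Callable[[str], List[str]]:
    """Constructed stand-in for a name whose server answers `first` once, then `later`."""
    count = {"n": 0}
    def lookup(qname: str) -> List[str]:
        count["n"] += 1
        return [first] if count["n"] == 1 else [later]
    return lookup

def simulate(qname: str = "rebind.example.") -> dict:
    """Two connections to one name: a naive browser re-resolves and lands on the
    router address; a pinning browser stays on the first (external) address; the
    resolver filter by itself strips the internal answer."""
    naive_lookup = make_rebinding_lookup("203.0.113.10", "192.168.1.1")
    naive = [naive_lookup(qname)[0] for _ in range(2)]
    browser = PinningResolver(make_rebinding_lookup("203.0.113.10", "192.168.1.1"))
    pinning = [browser.connect(qname) for _ in range(2)]
    return {"naive": naive, "pinning": pinning,
            "filtered": filter_response(qname, ["192.168.1.1"])}
```

Real browsers must also handle the case where the pinned address goes away, which is exactly the relaxation that rebinding attacks exploit; the model above simply keeps the pin.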



Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
