
DNS Vulnerability

Discussion in 'Tomato Firmware' started by scouseware, Jul 19, 2010.

  1. scouseware

    scouseware Networkin' Nut Member

    I was reading this article and I was wondering if Tomato has the same DNS rebinding flaws? DD-WRT seems to have.

    http:[//blogs.forbes.com/firewall/2010/07/13/millions-of-home-routers-vulnerable-to-web-hack/]

    Note square [...] brackets inserted by me.
     
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    A relevant piece from the article:
    Of course, if the attacker already has full access to the router and the user's LAN, they can augment the DNS system to return whatever results they want. HOWEVER, they already have to have that access, and if they do, you're boned anyway.

    Uh, why?
     
  3. scouseware

    scouseware Networkin' Nut Member

    SgtPepperKSU, thanks for your take on it.

    Regarding the Square Brackets, I put the [...] in to ensure that my post was not seen as an attempt to provide a beneficial backlink to any particular website. Also on some forums I have come across links do not always go to safe places. The deliberate corruption is to promote my own view that people should not click links on any forum without due care and attention.
     
  4. FattysGoneWild

    FattysGoneWild LI Guru Member

    In the Dnsmasq box, put in stop-dns-rebind. Problem solved. With stock firmware though, I doubt Linksys will release a new firmware update. These routers are old news now.
     
  5. Aiko

    Aiko Networkin' Nut Member

    All this makes me wonder if there is a way to resolve external DNS names to internal IPs in Tomato.
     
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    But, if the attacker has already "compromise[d] the victim's router" as the article suggests is needed for this attack, they can take that back out (or do anything they want, actually). It just comes down to this: if they have control of your network, they can control your network (obvious).
     
  7. FattysGoneWild

    FattysGoneWild LI Guru Member

    That command though stops you from being compromised right? So I thought? Assuming you have also changed the router password from the default. And also assuming you have not been compromised already.

     
  8. davemuk

    davemuk LI Guru Member

    I added this in but it caused Outlook 2007 to pop up with user name/password requests when I left my email client open. It seemed the first time it picked up email it was OK; subsequent updates caused the message box to appear. As soon as I took the stop-dns-rebind out, the problem went away.
     
  9. scuba_steve

    scuba_steve LI Guru Member

    Hmmm....I have two WRT54GLs...one configured as a router (near the network panel) with wireless disabled and the other configured just as an AP (in a more central spot)...pointing to the first router as the gateway.

    Should both devices be configured with stop-dns-rebind, just the AP, or just the router?

    Makes me think that I should learn more about this stuff. :)
     
  10. FattysGoneWild

    FattysGoneWild LI Guru Member

    That is really weird. I added the command and have no issue. I use Mozilla Thunderbird though for my email client.

     
  11. Badders44

    Badders44 LI Guru Member

    No issues with me either but I use Outlook 2003.
     
  12. Azuse

    Azuse LI Guru Member

    This thread is as pointless as the upnp is a security issue threads.

    There is no security issue. Your DNS can only be rebound if someone has got into your router. If someone has got into your router they will simply delete the stop-rebind command. If someone has got into your router they won't waste their time deleting it, they'll just do whatever the heck they want.

    Put a very strong password on your router or stop wasting your time with panic reactions to amazing media revelations :rolleyes:
     
  13. Amuro

    Amuro Addicted to LI Member

    I just checked my logs and.. oh boy..

    Code:
    Jul 25 09:00:01 Router syslog.info root: -- MARK --
    Jul 25 09:09:17 Router daemon.warn dnsmasq[22220]: possible DNS-rebind attack detected
    Jul 25 09:12:25 Router daemon.warn dnsmasq[22220]: possible DNS-rebind attack detected
    Jul 25 09:17:58 Router daemon.warn dnsmasq[22220]: possible DNS-rebind attack detected
    Jul 25 09:39:45 Router daemon.warn dnsmasq[22220]: possible DNS-rebind attack detected
    Jul 25 09:44:23 Router daemon.warn dnsmasq[22220]: possible DNS-rebind attack detected
    Jul 25 09:45:08 Router daemon.warn dnsmasq[22220]: possible DNS-rebind attack detected
    Jul 25 09:53:14 Router daemon.warn dnsmasq[22220]: possible DNS-rebind attack detected
    Jul 25 09:53:22 Router daemon.warn dnsmasq[22220]: possible DNS-rebind attack detected
    Jul 25 09:54:39 Router daemon.warn dnsmasq[22220]: possible DNS-rebind attack detected
    
    This is minutes ago.. is there a way to check the ip this is coming from? or the url if it's a page?
     
  14. myersw

    myersw Network Guru Member

    Google is your friend by the way.
    Give http://cqcounter.com/whois/
    a try.
    --bill
     
  15. natel

    natel Networkin' Nut Member

    so ... there is new firmware from yesterday and changelog actually quotes that forbes article, says new firmware fixes problem.
    does this make sense ??
    i also have impression article was written by some moron as once you give admin access to router one can do all kinds of "attacks"
    what to fix here huh ???
     
  16. davemuk

    davemuk LI Guru Member

    Update:

    I'm still getting the popup account details requests without stop-dns-rebind so it's not down to that. It might be down to retrieving 6 pop accounts although I don't remember this before upgrading to 1.28 (but that might just be having a poor memory :)). * It could also be Virgin Media (via google email) servers.

    Another update:

    It seems I'm not the only one to have these problems with my ISP (Virgin Media). Apologies if I've misled anyone.
     
  17. mstombs

    mstombs Network Guru Member

  18. davemuk

    davemuk LI Guru Member

  19. Badders44

    Badders44 LI Guru Member

    Yes, I'm with Virgin and have experienced the wonderful b*lls up they've made moving to google-mail. I guess you're using "recent:" mode as this appears to be the only way of guaranteeing you get all of your mail. (Sorry for the OT.)
     
  20. Azuse

    Azuse LI Guru Member

    As someone's pointed out my original remark was partly erroneous.

    While it's true most exploits require either the router to have a default IP address or default admin name/password, the stop-dns-rebind command causes dnsmasq to

    "Reject (and log) addresses from upstream nameservers which are in the private IP ranges. This blocks an attack where a browser behind a firewall is used to probe machines on the local network."

    While it won't prevent someone substituting your external IP to access your router (only a strong password will help there), it almost certainly wouldn't be a bad thing for anyone to enable.

    Perhaps a better question to ask would be why rebinding in dnsmasq is not disabled by default :(
     
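The behaviour quoted from the dnsmasq manual in post 20 (reject and log upstream answers that point into private ranges) and the syslog lines in post 13, as an added example that is not from the thread or from dnsmasq itself. The range list below is an assumption approximating what a stop-dns-rebind style filter drops (RFC 1918 plus loopback, link-local and 0.0.0.0/8); the answers and log excerpt are constructed, and the log parser can only count and timestamp the warnings because the logged line carries no query name or client address.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Assumed approximation of the ranges a stop-dns-rebind style filter rejects:
# RFC 1918 private blocks plus loopback, link-local and "this network".
# dnsmasq's exact list is not shown in the thread; this is an assumption.
REJECTED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]

def is_rebind_answer(addr: str) -> bool:
    """True if an answer from an upstream server points into a LAN/loopback range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in REJECTED_NETS)

def filter_answers(name: str, answers: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split upstream answers for `name` into (accepted, rejected): what a
    forwarder with the filter enabled would pass on versus drop and log."""
    accepted, rejected = [], []
    for a in answers:
        (rejected if is_rebind_answer(a) else accepted).append(a)
    return accepted, rejected

# Matches the dnsmasq warning line shape shown in the thread; captures the timestamp.
REBIND_LOG = re.compile(
    r"^(\w{3}\s+\d+\s[\d:]+)\s\S+\sdaemon\.warn\sdnsmasq\[\d+\]: "
    r"possible DNS-rebind attack detected"
)

def rebind_events(syslog_lines: Iterable[str]) -> List[str]:
    """Return the timestamps of rebind warnings. The line itself names no
    query or client, so this can only count and date the events."""
    return [m.group(1) for line in syslog_lines if (m := REBIND_LOG.match(line))]

# Constructed sample: an external name whose upstream answer set includes a LAN address.
SAMPLE_ANSWERS = {"example.invalid": ["203.0.113.7", "192.168.1.1"]}

# Constructed syslog excerpt in the same shape as the thread's log.
SAMPLE_LOG = """Jul 25 09:00:01 Router syslog.info root: -- MARK --
Jul 25 09:09:17 Router daemon.warn dnsmasq[22220]: possible DNS-rebind attack detected
Jul 25 09:12:25 Router daemon.warn dnsmasq[22220]: possible DNS-rebind attack detected
""".splitlines()

if __name__ == "__main__":
    for name, answers in SAMPLE_ANSWERS.items():
        ok, dropped = filter_answers(name, answers)
        print(name, "accepted:", ok, "rejected:", dropped)
    print("rebind warnings at:", rebind_events(SAMPLE_LOG))
```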