

Home routers and security flaws

By Jake Edge
October 10, 2007

A message to Bugtraq about vulnerabilities in the British Telecom (BT) Home Hub this week had a familiar ring to it. We covered a cautionary posting about these kinds of problems in May; now we have a report of easily exploited flaws in a home router that is widely deployed in the UK. Unfortunately, we will probably have to cover the problem again, as these devices are becoming ubiquitous, while the manufacturers and distributors are, seemingly, leaving the security testing to their users.

The Home Hub is a standard Thomson/Alcatel DSL router, branded and distributed by BT, that provides VoIP and digital television in addition to internet access. It also has Wi-Fi connectivity that can provide shared access to the neighborhood via the Fon network. Overall, it sounds like a nice device, providing multiple useful features, but it evidently can be completely taken over ("owned") rather easily.

The exact details of the exploits used are not revealed, but the video linked from the discoverer's website shows web access to the router's administration screen after luring the victim into following a malicious link. The description of the flaws found reads like a laundry list of web application flaws: cross-site scripting, cross-site request forgery, and authentication bypass. Though the router runs Linux, presumably the flaws are specific to the application software or configuration of the router; at least, no more widespread vulnerability was reported.
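
As an added illustration (not code from the article, from BT, or from the Home Hub firmware), here is one way a router's web administration interface can refuse configuration changes that a victim's browser was lured into submitting from another site. The admin address, the session handling and the request objects are assumptions made for the example.

```python
"""Added example: rejecting cross-site state changes on an admin interface.
Not from the LWN article or any router firmware; the origin, sessions and
requests below are constructed for illustration."""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed admin-interface origin; the Home Hub's real address is not given in the article.
ADMIN_ORIGIN = "http://192.168.1.254"


def issue_csrf_token(session_secret: bytes, session_id: str) -> str:
    """Derive a per-session token that the admin pages embed in every form."""
    return hmac.new(session_secret, session_id.encode(), hashlib.sha256).hexdigest()


def request_is_same_origin(headers: dict) -> bool:
    """The Origin header (or, failing that, Referer) must name the admin
    interface itself. A form submitted from a page the victim was lured to
    carries that page's origin instead."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False  # a state-changing request with neither header is refused
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == ADMIN_ORIGIN


def accept_state_change(request: dict, session_secret: bytes) -> bool:
    """Honour a configuration change only for a POST from the admin origin that
    carries the token bound to the logged-in session."""
    if request["method"] != "POST":
        return False  # configuration changes over plain GET are what a lure link can trigger
    if not request_is_same_origin(request["headers"]):
        return False
    expected = issue_csrf_token(session_secret, request["session_id"])
    supplied = request["form"].get("csrf_token", "")
    return hmac.compare_digest(expected, supplied)


# Constructed sample requests, all from the same logged-in browser session.
SECRET = secrets.token_bytes(32)
SESSION = "sess-42"
GOOD = {"method": "POST", "session_id": SESSION,
        "headers": {"Origin": ADMIN_ORIGIN},
        "form": {"dns1": "192.0.2.53", "csrf_token": issue_csrf_token(SECRET, SESSION)}}
# The same form, but submitted from a page on another site.
CROSS_SITE = {"method": "POST", "session_id": SESSION,
              "headers": {"Origin": "http://attacker.invalid"},
              "form": {"dns1": "192.0.2.53", "csrf_token": issue_csrf_token(SECRET, SESSION)}}
# Right origin, but the token is missing.
NO_TOKEN = {"method": "POST", "session_id": SESSION,
            "headers": {"Origin": ADMIN_ORIGIN}, "form": {"dns1": "192.0.2.53"}}
# A DNS change requested by merely following a link.
VIA_LINK = {"method": "GET", "session_id": SESSION,
            "headers": {"Referer": "http://attacker.invalid/page"}, "form": {"dns1": "192.0.2.53"}}

if __name__ == "__main__":
    for name, req in (("good", GOOD), ("cross-site", CROSS_SITE),
                      ("no-token", NO_TOKEN), ("via-link", VIA_LINK)):
        print(f"{name}: {'accepted' if accept_state_change(req, SECRET) else 'rejected'}")
```

The origin check alone stops the lure-link case described above; the session-bound token covers browsers and proxies that strip the Origin and Referer headers, so the two checks are complementary rather than redundant. Neither helps against the authentication bypass also reported, which is a separate flaw.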

Full access to the router configuration allows for a mind-boggling number of malicious uses. As is pointed out in the posting, one could steal VoIP credentials, reroute VoIP calls for eavesdropping, steal the WEP keys, change the DNS to point to a server under the attacker's control in order to steal credentials, etc. Most of these would be completely undetectable in normal use and the owner might go a long time before noticing that the settings had changed – if they can even log in anymore.

According to the website, BT has responded and is investigating the flaws; presumably some kind of update will be forthcoming. Home routers are particularly sensitive targets, precisely because of the undetectable nature of the attack. If the attacker is careful enough not to interrupt normal functioning, the owner will have no reason to check the configuration.

These kinds of problems are not restricted to routers or embedded networking devices, of course, but they do make tempting targets. Because of that, and the difficulty of ensuring that all customers get a critical security update, vendors of these products and the internet providers that push them need to test very carefully. Someone other than the developers should be tasked with strenuous penetration testing on a device like this, before it gets in the hands of customers.

Updating the devices in the field poses a number of problems; the obvious solution is to do it automatically, without customer intervention. But, as iPhone unlockers recently found out, that can lead to unwanted "upgrades". It is an uneasy balancing act: customers will need to trust the device providers to only update for bugs or security holes, while the providers will need to earn that trust by not breaking functionality the customer relies upon. Otherwise, folks will figure out ways to disable the auto-update functionality, completely defeating the purpose.

This particular incident seems not to exploit any particular Linux problem, but we might not be so lucky the next time. It would be a tragedy to see Linux linked with an in-the-wild exploit of a vulnerable device. An unknown exploit (a so-called "zero day") would be bad enough, but a known kernel bug that did not get properly updated would be a far worse black eye.

Comments (7 posted)

Brief items

Gathering 'Storm' Superworm Poses Grave Threat to PC Nets (Wired)

Bruce Schneier worries about the Storm worm on Wired. "Rather than having all hosts communicate to a central server or set of servers, Storm uses a peer-to-peer network for C2. This makes the Storm botnet much harder to disable. The most common way to disable a botnet is to shut down the centralized control point. Storm doesn't have a centralized control point, and thus can't be shut down that way."

Comments (none posted)

New vulnerabilities

debian-goodies: privilege escalation

Package(s): debian-goodies    CVE #(s): CVE-2007-3912
Created: October 5, 2007    Updated: March 24, 2008
Description: Thomas de Grenier de Latour discovered that the checkrestart program included in debian-goodies did not correctly handle shell meta-characters. A local attacker could exploit this to gain the privileges of the user running checkrestart.
Debian DSA-1527-1 debian-goodies 2008-03-24
Ubuntu USN-526-1 debian-goodies 2007-10-04
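
An added example (not the debian-goodies code) of the bug class the advisory describes: a file name containing shell meta-characters is harmless as a process argument but becomes part of the command language when spliced into a shell command string. The file name is constructed; nothing is executed through a shell.

```python
"""Added example: shell meta-characters in a file name, handled three ways.
Not the checkrestart code; the file name below is constructed."""
import shlex
import subprocess
import sys

# A constructed file name of the kind any local user can create.
HOSTILE_NAME = "report.txt; touch /tmp/pwned"


def tokens_seen_by_shell(command_string: str) -> list:
    """Tokenise a command string the way /bin/sh would, without running it.
    punctuation_chars makes ';', '&&', '|' and friends separate tokens."""
    lexer = shlex.shlex(command_string, posix=True, punctuation_chars=True)
    return list(lexer)


def unsafe_command(name: str) -> str:
    """String interpolation: the name is interpreted by the shell, not just carried."""
    return f"ls -l {name}"


def quoted_command(name: str) -> str:
    """When a shell is unavoidable, shlex.quote turns the name back into one word."""
    return f"ls -l {shlex.quote(name)}"


def safe_argv(name: str) -> list:
    """Argument vector: no shell is involved and the name stays one argument."""
    return ["ls", "-l", "--", name]


def argument_as_received(name: str) -> str:
    """Spawn a child without a shell and return the argument exactly as it arrived."""
    child = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", name]
    return subprocess.run(child, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print("interpolated:", tokens_seen_by_shell(unsafe_command(HOSTILE_NAME)))
    print("quoted:      ", tokens_seen_by_shell(quoted_command(HOSTILE_NAME)))
    print("argv:        ", safe_argv(HOSTILE_NAME))
    print("received:    ", repr(argument_as_received(HOSTILE_NAME)))
```

The interpolated form tokenises into two commands, which is exactly the privilege hand-off the advisory warns about: whatever the second command is, it runs as the user who invoked the tool. The `--` in the argument vector additionally keeps a name beginning with `-` from being read as an option.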

Comments (none posted)

gforge: cross-site scripting

Package(s): gforge    CVE #(s): CVE-2007-3918
Created: October 5, 2007    Updated: October 10, 2007
Description: It was discovered that a cross-site scripting vulnerability in GForge, a collaborative development tool, allows remote attackers to inject arbitrary web script or HTML in the context of a logged-in user's session.
Debian DSA-1383-1 gforge 2007-10-04

Comments (none posted)

imagemagick: multiple vulnerabilities

Package(s): imagemagick    CVE #(s): CVE-2007-4985 CVE-2007-4986 CVE-2007-4987 CVE-2007-4988
Created: October 4, 2007    Updated: August 11, 2009
Description: The ImageMagick image decoders have multiple vulnerabilities. If a user can be tricked into processing a specially crafted DCM, DIB, XBM, XCF, or XWD image, arbitrary code may be executed with the user's privileges.
Oracle ELSA-2012-0301 imagemagick 2012-03-07
Debian DSA-1858-1 imagemagick 2009-08-10
Red Hat RHSA-2008:0145-01 ImageMagick 2008-04-16
Red Hat RHSA-2008:0165-01 ImageMagick 2008-04-16
Mandriva MDVSA-2008:035 ImageMagick 2007-02-05
Foresight FLEA-2007-0066-1 ImageMagick 2007-11-11
Gentoo 200710-27 imagemagick 2007-10-24
rPath rPSA-2007-0220-1 imagemagick 2007-10-18
Ubuntu USN-523-1 imagemagick 2007-10-03

Comments (none posted)

opal: denial of service

Package(s): opal    CVE #(s): CVE-2007-4924
Created: October 8, 2007    Updated: January 9, 2008
Description: From the Red Hat advisory: A flaw was discovered in the way opal handled certain Session Initiation Protocol (SIP) packets. An attacker could use this flaw to crash an application, such as Ekiga, which is linked with opal. (CVE-2007-4924)
Ubuntu USN-562-1 opal 2008-01-08
Mandriva MDKSA-2007:205 opal 2007-11-02
Red Hat RHSA-2007:0957-01 opal 2007-10-08

Comments (none posted)

pwlib: denial of service

Package(s): pwlib    CVE #(s): CVE-2007-4897
Created: October 8, 2007    Updated: January 9, 2008
Description: From the Red Hat advisory: A memory management flaw was discovered in PWLib. An attacker could use this flaw to crash an application, such as Ekiga, which is linked with pwlib (CVE-2007-4897).
Ubuntu USN-561-1 pwlib 2008-01-08
Mandriva MDKSA-2007:206 pwlib 2007-11-02
Red Hat RHSA-2007:0932-01 pwlib 2007-10-08

Comments (none posted)

ruby: insufficient SSL certificate validation

Package(s): ruby    CVE #(s): CVE-2007-5162 CVE-2007-5770
Created: October 8, 2007    Updated: October 10, 2008
Description: The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site.
Fedora FEDORA-2008-6094 ruby 2008-07-04
Fedora FEDORA-2008-6033 ruby 2008-07-03
Ubuntu USN-596-1 ruby1.8 2008-03-26
Fedora FEDORA-2008-2443 ruby 2008-03-13
Fedora FEDORA-2008-2458 ruby 2008-03-13
Mandriva MDVSA-2008:029 ruby 2007-01-31
Debian DSA-1411-1 libopenssl-ruby 2007-11-24
SuSE SUSE-SR:2007:024 cacti, openldap2, phpPgAdmin, ruby, perl, rubygem-activesupport, yast2-core, librpcsecgss, liblcms 2007-11-22
Debian DSA-1412-1 ruby1.9 2007-11-24
Debian DSA-1410-1 ruby1.8 2007-11-24
Red Hat RHSA-2007:0961-01 ruby 2007-11-13
Red Hat RHSA-2007:0965-01 ruby 2007-11-13
Foresight FLEA-2007-0068-1 ruby 2007-11-11
Fedora FEDORA-2007-2812 ruby 2007-11-06
Fedora FEDORA-2007-738 ruby 2007-11-05
Fedora FEDORA-2007-2685 ruby 2007-10-29
Fedora FEDORA-2007-2406 ruby 2007-10-08
Fedora FEDORA-2007-718 ruby 2007-10-08
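
As an added example (not Ruby's net/http code, and written in Python rather than Ruby), here is the check the advisory says the connect method skipped: comparing the host named in the request against the names the server certificate was issued for. The certificates are constructed dictionaries standing in for parsed X.509 subjects; a real client would take these fields from the peer certificate after signature verification.

```python
"""Added example: matching a request hostname against a server certificate's
names, the step Ruby 1.8's Net::HTTP omitted. Certificates below are constructed."""


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname, case-insensitively.
    A wildcard is honoured only as the whole leftmost label, so '*.example.com'
    covers 'www.example.com' but neither 'example.com' nor 'a.b.example.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_certificate(hostname: str, cert: dict) -> bool:
    """Prefer subjectAltName dNSName entries; fall back to the subject
    commonName only when the certificate carries no DNS SANs at all."""
    sans = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    candidates = sans if sans else [cert.get("commonName", "")]
    return any(_name_matches(c, hostname) for c in candidates if c)


# Constructed certificates (subject fields only).
SITE_CERT = {"commonName": "www.example.com",
             "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com"))}
WILDCARD_CERT = {"commonName": "*.example.com",
                 "subjectAltName": (("DNS", "*.example.com"),)}
# A certificate issued for some other name, which the vulnerable code would have accepted.
OTHER_CERT = {"commonName": "other.invalid"}

if __name__ == "__main__":
    for host, cert in (("www.example.com", SITE_CERT), ("www.example.com", OTHER_CERT),
                       ("foo.example.com", WILDCARD_CERT), ("example.com", WILDCARD_CERT)):
        print(host, cert["commonName"], hostname_matches_certificate(host, cert))
```

Without this comparison a valid certificate for any name at all satisfies the client, which is why the advisory describes the flaw as enabling man-in-the-middle and spoofed-site attacks rather than as a failure of signature checking. Modern Python performs the same comparison itself when `check_hostname` is enabled on an `ssl.SSLContext`.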

Comments (none posted)

tk: arbitrary code execution via malformed GIF

Package(s): tk    CVE #(s): CVE-2007-4851
Created: October 8, 2007    Updated: October 10, 2007
Description: From the Gentoo advisory: Reinhard Max discovered a boundary error in Tk when processing an interlaced GIF with two frames where the second is smaller than the first one.
Gentoo 200710-07 tk 2007-10-07

Comments (1 posted)

util-linux: privilege escalation

Package(s): util-linux    CVE #(s): CVE-2007-5191
Created: October 9, 2007    Updated: January 7, 2008
Description: mount and umount in util-linux call the setuid and setgid functions in the wrong order and do not check the return values, which might allow attackers to gain privileges via helpers such as mount.nfs.
Debian DSA-1450-1 util-linux 2008-01-05
Debian DSA-1449-1 loop-aes-utils 2008-01-05
Red Hat RHSA-2007:0969-01 util-linux 2007-11-15
SuSE SUSE-SR:2007:022 fetchmail, flac, opera 9.24, util-linux, openssh 2007-10-26
Ubuntu USN-533-1 util-linux 2007-10-22
Gentoo 200710-18 util-linux 2007-10-18
Mandriva MDKSA-2007:198 util-linux 2007-10-15
Fedora FEDORA-2007-722 util-linux 2007-10-15
Fedora FEDORA-2007-2462 util-linux 2007-10-10
rPath rPSA-2007-0212-1 util-linux 2007-10-08

Comments (none posted)

x11: xfs font server overflows

Package(s): x11    CVE #(s): CVE-2007-4568 CVE-2007-4989 CVE-2007-4990
Created: October 4, 2007    Updated: January 18, 2008
Description: xorg-x11 has a number of integer and heap overflow vulnerabilities in the xfs font server. A local attacker may be able to use these for the execution of arbitrary code with elevated privileges.
Red Hat RHSA-2008:0029-01 XFree86 2008-01-18
Red Hat RHSA-2008:0030-01 xorg-x11 2008-01-17
Fedora FEDORA-2007-4263 xorg-x11-xfs 2007-12-10
Mandriva MDKSA-2007:210 xfs 2007-11-06
Gentoo 200710-11 xfs 2007-10-12
SuSE SUSE-SA:2007:054 XOrg 2007-10-12
Debian DSA-1385-1 xfs 2007-10-09
rPath rPSA-2007-0205-1 x11 2007-10-03

Comments (none posted)

xen: privilege escalation

Package(s): xen    CVE #(s): CVE-2007-4993
Created: October 9, 2007    Updated: November 2, 2007
Description: pygrub (tools/pygrub/src/) in Xen 3.0.3, when booting a guest domain, allows local users with elevated privileges in the guest domain to execute arbitrary commands in domain 0 via a crafted grub.conf file whose contents are used in exec statements.
Fedora FEDORA-2007-2708 xen 2007-11-01
Mandriva MDKSA-2007:203 xen 2007-11-01
Ubuntu USN-527-1 xen-3.0 2007-10-05
rPath rPSA-2007-0210-1 xen 2007-10-08
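
An added example, not Xen's pygrub, of the defensive alternative to the pattern described above: a guest-supplied grub.conf parsed as data. Every value is kept as a string, paths are checked against a narrow pattern, and nothing from the file reaches exec or eval. The configuration text and the set of accepted directives are constructed for the example.

```python
"""Added example: parsing a guest's grub.conf as data rather than code.
Not pygrub; directive set, path rule and sample file are constructed."""
import re

# Directives a boot-loader emulator needs; anything else is skipped, never interpreted.
ALLOWED_KEYS = {"title", "root", "kernel", "initrd", "default", "timeout"}
# A kernel or initrd path inside the guest: absolute, printable, no whitespace or quotes.
PATH_RE = re.compile(r"^/[A-Za-z0-9._/+-]+$")
# "key value" or "key=value", as grub legacy accepts both.
LINE_RE = re.compile(r"^([A-Za-z_]+)\s*[=\s]\s*(.*)$")


class GrubConfError(ValueError):
    """Raised for anything the parser is not willing to hand to domain 0."""


def parse_grub_conf(text: str) -> dict:
    """Return {'default': int, 'timeout': int, 'entries': [...]} where each entry
    holds title, root, kernel, initrd and args as plain strings (or None)."""
    conf = {"default": 0, "timeout": 0, "entries": []}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise GrubConfError(f"line {lineno}: unparseable")
        key, value = m.group(1).lower(), m.group(2).strip()
        if key not in ALLOWED_KEYS:
            continue
        if key == "title":
            # Stored verbatim: a title is a label, never evaluated.
            current = {"title": value, "root": None, "kernel": None, "initrd": None, "args": ""}
            conf["entries"].append(current)
        elif key in ("default", "timeout"):
            if not value.isdigit():
                raise GrubConfError(f"line {lineno}: {key} must be an integer")
            conf[key] = int(value)
        elif current is None:
            raise GrubConfError(f"line {lineno}: {key} before any title")
        elif key == "kernel":
            path, _, args = value.partition(" ")
            if not PATH_RE.match(path):
                raise GrubConfError(f"line {lineno}: rejected kernel path {path!r}")
            current["kernel"], current["args"] = path, args.strip()
        elif key == "initrd":
            if not PATH_RE.match(value):
                raise GrubConfError(f"line {lineno}: rejected initrd path {value!r}")
            current["initrd"] = value
        else:  # root
            current["root"] = value
    if conf["entries"] and conf["default"] >= len(conf["entries"]):
        raise GrubConfError("default entry out of range")
    return conf


# Constructed guest configuration; the second title is shaped like code but is just text.
SAMPLE = """\
# constructed guest grub.conf
default=0
timeout 5
title Fedora (2.6.20)
        root (hd0,0)
        kernel /vmlinuz-2.6.20 ro root=/dev/VolGroup00/LogVol00
        initrd /initrd-2.6.20.img
title ' + str(__import__("os").getpid()) + '
        root (hd0,0)
        kernel /vmlinuz-2.6.20 ro
"""

if __name__ == "__main__":
    for entry in parse_grub_conf(SAMPLE)["entries"]:
        print(repr(entry["title"]), "->", entry["kernel"], entry["args"])
```

The point of the narrow path pattern is that the kernel and initrd names are the only values domain 0 acts on (it opens those files inside the guest image); titles and arguments are carried through untouched because they are only displayed or handed to the guest kernel.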

Comments (1 posted)

Page editor: Jake Edge

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds