D-Link Routers Vulnerable To DNS Hijacking

An anonymous reader writes At least one and likely more D-Link routers as well as those of other manufacturers using the same firmware are vulnerable to remote changing of DNS settings and, effectively, traffic hijacking, a Bulgarian security researcher has discovered. Todor Donev, a member of the Ethical Hacker research team, says that the vulnerability is found in the ZynOS firmware of the device, D-Link's DSL-2740R ADSL modem/wireless router. The firmware in question is implemented in many networking equipment manufactured by D-Link, TP-Link Technologies and ZTE.

Every day

I get on my knees and give thanks to OpenWRT.

Re:Every day

If you like OpenWRT so much why don't you marry it?

Re:Every day

I don't think it's legal, yet.

Re:Every day

[FatdogHaiku]

When a binary and an analog love each other, that's all that matters.
How they compile in the privacy of their home is no ones business.
And soon you may hear the pitter patter of little dependencies...

Re:Every day

[fustakrakich]

Yeah, but then the includes move in...

Manual config

[jargonburn]

I actually specify Google's public DNS server in my computer's network config. The router's DNS is only there as a backup.
Also: Using D-Link? *tsk*

Re:Manual config

[wierd_w]

The hardware isnt all that bad most of the time, it's the shitty horrible firmwares they run.

Frequently, it's an old, horribly butchered hackjob of openwrt under there these days. Something unholy running a 2.6 era kernel, and with drivers with more hacked patches attached than a 4th century beggar's clothes.

Getting that old filth flushed out and replaced with something properly maintained is a GOOD thing. The router (hw wise) itself usually isnt all that bad.

Netgear tends to be a bit better, but overpriced. Belkin can go die in a fire though.

Re:Manual config

[drinkypoo]

Are any of these routers actually quality hardware? All the routers I've ever had have been crap. All versions of WRT54G overheat, for example, as do most other home routers.

Within the next couple of hours FedEx is supposed to drop off my new home router, which is a Lenovo SFF machine with 3GB RAM and a 1.8GHz C2D. I'm popping a quad-ethernet into it. Then I'm going to heat up this RB411 I've got here and use it just for the WiFi. I've been using an RB192 and it seems to have just died on me. If the RB411 dies I guess I'll have to find a PCI-E WLAN NIC which works in Linux in Host mode. The machine supposedly had 1xPCI and 1xPCIE, and I need the PCI slot for the quad eth. But since the machine is so balls-heavy, I'm going to feel compelled to do more than just firewalling on it...

Re:Manual config

[wierd_w]

If you dont mind taking one apart, it is pretty easy to install the missing cooling inside a home router.

Most have a 3v level based serial connector that can be tapped for driving a fan. Just getting some circulation in there helps immensely.

This has more to do with the manufacturer not wanting any moving parts than it does with poor design though.

I have a WNDR3400 that I use for various fun projects (It's running OpenWRT) that is a few years old now. I have replaced it with a more capable home router some time ago as the main workhorse. However, the logic board that drives that little silly dome light is a +5v system. I have removed the dome completely, removed the logic board with the lights on it, and used the header strip it connected to, to drive a pretty beefy fan. I can drive its little CPU at 100% nonstop and it does not get much above room temp.

If the biggest problem you have is with cooling, stop being a wimp and just drive a fan off the serial console port connector inside. Pretty much all consumer routers have one.

Re:Manual config

[fuzzyfuzzyfungus]

They all tend to be fairly miserable(though thermal issues are often more a product of the desire to have more space for ugly branding and fewer vents, which can be fixed with a bit of applied violence); but I do have to give the hardware credit for often being rather amazing for the price. The firmware is shit more or less across the board; but it is astounding how much actual computer they can cram into a $20 router.

Re:Manual config

I actually specify Google's public DNS server in my computer's network config.

I'm sure Google is happy to hear that. Personally I think they know quite enough about me already, without also being aware of every single hostname my network resolves.

Re:Manual config

[epyT-R]

You're better off with the quad ethernet card being pcie and the wlan card pci, especially if the ethernet is 1gb or more.

Re:Manual config

[drinkypoo]

If the biggest problem you have is with cooling, stop being a wimp and just drive a fan off the serial console port connector inside. Pretty much all consumer routers have one.

Well, the one WRT54G I added a fan to still crashed its pathetic little ass off, I never have understood why the community loved those things so well. I tried five of them before I realized that everyone is a fucking idiot, apparently. I don't like to believe that I'm smarter than the masses, both because it looks like an ego trip and because usually that sort of reasoning leads to disappointment, but now I know the WRT54G is garbage across the board. So now I don't trust anyone on this subject.

As it turns out, a whole PC with a case and drives and everything is around fifty bucks, which is dramatically less than a decent home router any more — most of them are well over $100, and many of them over $200! This is completely batshit crazy when I can build a PC with quad-ethernet and Wireless-N for less money brand new if I compromise.

Re:Manual config

[wierd_w]

Yeah-- I was meaning "good for the price"

A home router is little more than a SoC these days. Does not have the robustness that an actual dedicated computer has. What it DOES have is low energy draw, small physical footprint, and "Good for the price" hardware.

Getting some quality software in there, and a little cooling, they can work quite well even under pretty heavy loads. They just aren't data center grade.

They ARE getting some pretty powerful SoC in them though in recent offerings. Some are up to 1.2ghz ARM platforms now. Probably a side effect of the android phone market.

My old WNDR3400 I use for fun projects just has a 400mhz MIPS (Little endian) SoC though. Has a USB2.0 port, which makes it a fun thing to play with all the same though. (It's BARELY enough to put a compatible USBVGA dongle on, and some USB permanent storage.)

Re:Manual config

[drinkypoo]

You're better off with the quad ethernet card being pcie and the wlan card pci, especially if the ethernet is 1gb or more.

That's true, but the QE card came from a yard sale for five bucks, so unless it's bad I think I'm pretty well-off with that one. The machine has one GigE port onboard, and I'll feed that into a D-Link 1Gbps unmanaged switch for a storage segment just for my PC and some Pogoplugs. Everything else in the house is either wireless or 100Mbps, so it won't actually matter at all.

I do have an atheros-chipset wlan PCI card which might do master mode, but it's only 802.11g. If it were 802.11a+n then I'd probably go looking for a PCIE QE card to go next to it.

Re:Manual config

[Bengie]

The dual port network card in my PC router is worth more than $100. No matter how many packets I throw at my router, the interrupts per second never go above 300. Interrupt coalescing is awesome. It even coalesces across my LAN and WAN ports. It does this while keeping latency low. I get a 0.04ms ping. from my PC to my router through my switch. I can't measure lower than that because of thread scheduling.

Re:Manual config

[wierd_w]

The WRT54G was one of the first consumer routers where the maker "Fucked up", and used FOSS software without a license, and then had to release the source code.

As a consequence, it was one of the first devices to attract major community attention, even with all its warts.

Later versions of the device were so horribly underpowered compared to the original hardware release that they just arent worth any effort. Compared to more recent SoC based home routers, they are garbage. (TINY system flash size, abysmally slow CPU. TINY system RAM, etc.)

When shopping for a consumer router, I look for one that is listed in the OpenWRT support list, with the best intersection of price and hardware inside.

Simply because it has a 50$ pricetag does not mean it is the best router. It just means that the manufacturer has set a 50$ MSRP.

Personally, I think one of those tiny "Fitlet" miniPCs that were mentioned earlier this month would make a great home router. They have a mini PCIe slot inside them, have an actual DIMM slot, and a few other perks. Sadly, I cant seem to find a price or retailer.

Re:Manual config

[epyT-R]

If you don't need the extra performance, then that $5 board is just fine. Even dual ethernet boards with decent chipsets are ripoffs.

Re:Manual config

[drinkypoo]

Well, somewhere i've got a mystery Quad Tulip with genuine DEC chips, but the NIC I'm planning to use is a Phobox P430TX. It's four totally discrete Intel 21143TD chips with Level One level shifters (whatever you actually call the chips that handle the ethernet line itself) behind an intel 21152AB PCI to PCI bridge. If it doesn't pan out then I've gotta track down that tulip, which is probably deep inside a crate someplace.

Re:Manual config

[MikeMo]

It seems most consumers will only buy whichever router is the cheapest. They have no concept of quality, performance, features, configurability, etc. when it comes to routers. So, router makers have to keep making them cheaper and cheaper or they don't sell at all. Kinda like the whole PC market, only worse. Obviously, they get to the point where they barely run, barely have any thermal headroom, have the cheapest possible components, and buggy firmware.

Re:Manual config

[drinkypoo]

As it turns out, and as I would probably have noticed if I paid more attention to model numbers, all the intel chips on this card are DEC clones. Linux, naturally, just calls them tulips. Huzzah!

Also as it turns out, the PCIE interface is weird. It has an almost-PCIEx1-almost-PCIEx16 video card in it which appears to just provide the DVI output for the onboard intel 960 graphics. I'm sure this is old hat to other people but I haven't messed about with an even vaguely modern corporate PC in a while, just clones and servers. Presumably I could still stick a normal X1 card in it.

Re:Manual config

[_merlin]

AVM FritzBox is the only quality hardware I've seen in this space.

Re:Manual config

[fustakrakich]

Just turn the wifi power down a bit, and don't bother trying to overclock it.

Re:Manual config

[houghi]

I just run my own DNS server pdnsd because it is easy to configure. That way I have access to sites that are blocked otherwise by law (Torrent sites) and I do not give Google even more information then what they already get.

I can also easily add the domains from mvps and others to block. Bit of scripting and it is done.

Re:Manual config

[Skater]

My experience with the WRT54G v1.1 was ten years of trouble free use. I replaced it only because I wanted a faster network (I move large files around frequently). In fact, I still have my WRT54G, and I needed to come up with a way to get internet access for one device to multiple devices at a show we run, so I installed dd-wrt or openwrt on it and had it connecting to two wireless networks (one with net access and our private one). Even when I was running a live video stream through that connection, the WRT54G performed perfectly. I wish my newer Netgear router was as reliable as my WRT54G was; it requires a power cycle every few weeks.

Re:Manual config

[fuzzyfuzzyfungus]

I'd be inclined to say 'amazing' for the price. I understand the use case for rPi, beaglebone black, cubieboard, etc. when you need video and actually good GPIO(even more so if you need proper PWM, i2c/SPI, etc. BBblack, especially, has some pretty powerful specialty I/O options); but routers are so aggressively priced that they are often a pretty good deal for adding network capabilities to assorted projects on the fast and cheap.

I'm always up for other suggestions, of course; but I'm currently a big fan of the little 'travel/portable' routers that the RT5350 seems to have spawned a bunch of. Ethernet, USB, 802.11B/G/N, typically a serial port(I got lucky with the ones I purchased, the pads were even labelled and everything), and a few GPIOs, all for $15 or less. Kind of weak (usually 32MB RAM and ~400MHz MIPS core); but feel the price.

CPE are horrible

[jaredmauch]

I've been working on various aspects of the CPE equation for almost 2 years now as part of the various OpenResolverProject, OpenNTPProject, and other related aspects. Most CPE can't even do DNS correctly, let alone securely.

Take Netgear for example, they can't even process RFC1035 4.2.2 correctly to say a client should support DNS over TCP (it's not just for zone transfers), but instead of just not responding, or sending back some error that allows the DNS client to try the next resolver it has, you get it sending REFUSED: https://www.cloudshark.org/cap...

These devices are unmaintained outside of the few who actually upgrade them, and it's most likely still got default passwords on it causing all sorts of other possible pain and xss abuse/malware concerns. This is only going to get worse as more things have an IP address and communicate with the rest of the world.

Why leave remote administration on?

[ciscoguy01]

Why leave remote administration on?
I would avoid opening the web UI of any home router on the WAN side.
It's mostly unnecessary and a needless security exposure.

Re:Why leave remote administration on?

[wierd_w]

Indeed, but getting the router's DNS table to point to your malicious package when it checks for "Available Updates" works even when the LAN side does the admin through the web UI.

Leaving the WAN side open is just ASKING for trouble.

Re:Why leave remote administration on?

[ciscoguy01]

The funny thing is, hundreds of thousands of Cisco routers are open to the WAN with only a pw, no username at all. Somehow we get by. Heh.

Re:Why leave remote administration on?

From the original story, quote:

"... even if it's only accessible from within the local area network, hackers can still use cross-site request forgery (CSRF) techniques to reach a router's interface.

CSRF attacks hijack users' browsers to perform unauthorized actions when they visit compromised sites or click on malicious links. Rogue code loaded from a website can instruct a browser to send specially crafted HTTP requests to LAN IP addresses that are usually associated with routers.

Large scale CSRF attacks against router owners that were designed to replace DNS servers configured on their devices with servers controlled by attackers were observed on the Internet in the past. "

Re:Why leave remote administration on?

[nehumanuscrede]

You're braver than I am :D
( Assuming your Wan faces the internet )

In a corporate environment, sure.
In the wild ? hahahahahaha No.

Better to be on site when doing any configuration tweaking anyway. A typo is the
only thing standing in the way of locking yourself out of it and / or knocking if offline
completely.

I personally don't allow anything other than very specific hosts which are members of the
wired Lan access to router / switch management. No remote sites, no wireless or VPN
connections. ( Of course, talking about a home network. Corporate is different story. )

Re:Hey let's attack routers now!

[wierd_w]

Routers are an obvious choice to deploy payloads against.

Most are running a hackfest 2.6 era kernel with not-well-vetted hackfest drivers. Most have an autoupdate feature which silently updates the firmware when you log into them from their web interfaces.

With a combination of a DNS hijack, this autoupdater, malicious intent, and a suitable "Upgrade package"-- these routers can be zombified VERY easily.

Once pwned like this, they become willing and capable servants in a botnet.

Re:Hey let's attack routers now!

[ShaunC]

I'm pretty sure I recall reading that most of Lizard Squad's botnet, the one used to attack PSN and XBL, is comprised of rooted routers.

Come on already

[hcs_$reboot]

Put OpenWrt on it and problem over.

Re:Come on already

[drinkypoo]

Put OpenWrt on it and problem over.

A lot of these el cheapo routers won't take an alternate firmware, they don't run Linux and they don't have sufficient hardware resources in a lot of cases, notably ram and flash. Unfortunately, a lot of these sort of devices have the same name as devices which will take Linux. When you're lucky, a revision number which can be used to determine compatibility appears on the device, but is usually not visible through the packaging.

Re:Come on already

[ciscoguy01]

Put OpenWrt on it and problem over.

OpenWrt is not without it's issues.
It's not a panacea. Unless you need a package that has been implemented on that platform.
If you do, OpenWrt is appropriate.
DDWrt might be slightly easier to configure, but certainly not without it's own problems.
But other platforms are better for average home users. Easier to use.
Man, so many people get glazed looks when asked to make a change to even a simple home router. They are so simple!
When the guy from the cable company did my install and I made the few little changes that needed to be made, his eyes opened wide that I knew how to do that!
He seemed shocked.

Re:Come on already

[operator_error]

This is what the OpenWRT Table of Hardware is for. One nice feature of the list is de-facto announced end-of-life, so you'll know when to retire your old gear. DD-WRT doesn't do this with their hardware compatibility list so you're left thinking they'll push out an update for your unit, except they don't.

OpenWRT lists support for an interesting and cheap TP-Link router on their front page (the TP-Link TL-MR3420). What makes this 40 euro router so interesting is its support for both an ethernet WAN port, along with another GSM WAN port which affords the user internet provider redundancy. It's been on my to-do list for a while to pick one up.

European Pre-Pay GSM can be super-affordable too. Here's an Austrian ISP that will sell you 9Gb of 4G data for 9.90 euro. In The Netherlands Bliep will sell you 3G data for .50 cents a day, and 4G data for 1 euro a day.

Does anyone have any experience with such a router? I don't even try to discuss such configurations with the installation folks from the wired ISPs. The last guy was here simply amazed I had one with OpenWRT; and that I wasn't interested in the ISP's modem for anything except being a basic firewall and cable link to the OpenWRT unit.

Re:Come on already

[hcs_$reboot]

Really?

Re:Come on already

[Anonymuous+Coward]

There are a lot of routers with an USB that are supported by OpenWRT, TL-MR3420 is not that interesting. I've got my TL-WDR3600 (gigabit, 2 usb ports, 5GHz support) for less than $40. Unfortunately no hardware NAT support on OpenWRT, so I'm limited to ~300Mbs on wan.

If you have a USB-port, you can stick whatever device supported by linux in-there, not just "GSM" modems. The limitations are mostly because of the crappy stock firmware. And many recent HSPA and LTE modems are themselves linux-based routers, and appear like a CDC ethernet interface, so they just work, auto-magically.

Re:dsl2741b firmware

[epyT-R]

old sff pc with two gigabit nics and a separate switch.. Install linux or bsd of your choice and configure, or use distros tailored to the purpose like zeroshell or m0n0wall.

Re:dsl2741b firmware

[ciscoguy01]

old sff pc with two gigabit nics and a separate switch.. Install linux or bsd of your choice and configure, or use distros tailored to the purpose like zeroshell or m0n0wall.

Uh, right. Now that makes no sense at all for most people.
Zynos is not bad, just turn off remote administration if you don't need it.
If you *do* need remote admin, make sure to establish a good username and pw.

Re:dsl2741b firmware

[ciscoguy01]

Asus is a motherboard company.
They just have a marketing deal to sell routers.
That said, it's probably fine.
But let me just say, Engenius has the features and the WIFI performance. Very strong.
And they are indeed a networking company.

Re:usb vga dongle ?

[wierd_w]

If it is supported, YES.

There are 2 drivers that work with USB to VGA dongles. One is the SISVGA driver, the other is the DisplayLink driver.

This provides a simple framebuffer device to the system that can drive a VGA monitor. You need to custom build your openwrt image to have it turned on though, and to enable the main system console to run on the virtual console hosted by the framebuffer device (And NOT on the physical serial port usually inside most routers.)

Here's a blog detailing the process for getting the displaylink driver working.

Putting a USB2 hub on the lonely USB2.0 port on the back, putting a keyboard, mouse, and USB2VGA dongle on, you can directly hack away on the router. Even without the keyboard and mouse, the framebuffer device can be used to display data about the current status of the router in real time, and other fun things.

Re:dsl2741b firmware

[drinkypoo]

Asus sells a lot of computer-related electronics these days, most of their hardware is of very good quality. I bought one of their earlyish USB2 DVD-burners back in the EEE701 days. It's done quite a bit of traveling, and I've still got it and it still works.

Re:dis guy

[jones_supa]

Heh. I know, the name might sound dorky to some, but I'm actually glad that some guys named a group "Ethical Hacker research team". There's so many "security researchers" which in practice just provide direct ammunition for the black hats.

Re:dis guy

[jones_supa]

Ah, now I hear that he actually published the vulnerability without informing the manufacturer(s) first. Thus, let me cancel that comment.

"Ethical Hacker"?

[Nanoda]

"The exploit was created by Todor Donev, member of a Bulgarian security research outfit called Ethical Hacker[...]"
"Donev did not report the vulnerability to D-Link and as far as he knows it is currently a zero-day[...]"

I don't think that word means what you think it means. :-/