Archive for July, 2010

Web-based router hacking is hardly a new topic, but new variants pop up from time to time.

The most obvious attacks against a router which malicious web sites can pull are CSRF, XSS and DNS Rebinding. Of course changing the default password of your router helps mitigating these threats a lot, but unfortunately it's not enough if you happen to be already logged in the administrative console, or if your device is affected by any of the commonplace holes which are left open by an unsafe development attitude, on the flawed assumption that just because a vulnerable service is not exposed on the internet side it can't be reached by an internet attacker (see this HNAP D-Link Hack for a glaring example).

NoScript's ABE module has been protecting routers and intranet web resources against this kind of attacks for a long time, thanks to the following built-in SYSTEM rule:

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny

However security researcher Craig Heffner, interviewed by Andy Greenberg on his "The Firewall" Forbes blog, recently announced a new DNS Rebinding variant which can be used to remotely control your router and (the scary part) allegedly bypasses the defenses provided by NoScript against this class of attacks.

Even though the details are still to be presented -- together with an automated attack tool! -- at the BlackHat USA 2010 conference (today or tomorrow), al_9x, one of the most active members of the NoScript community, provided a very convincing speculative assessment of the new threat, based on the sparse data found in this briefing summary, and also a simple and clever suggestion for a remedy:

Many routers will respond to requests to their public ip on the private interface. This allows an external site not merely to load the router config in an iframe by ip (without triggerring ABE LOCAL rule) but also by the site's name (by dynamically dns binding it to the router's public ip), thereby bypassing same origin check and gaining access to the router.

I suppose NoScript could (optionally) lookup the public ip and include it in the abe LOCAL pseudo-list.

And so it does now :)

Since version 2.0rc5, released past week, NoScript detects your public (WAN) IP by sending a completely anonymous query on a secure channel to https://secure.informaction.com/ipecho, then treats it as a local address when enforcing its policies against CSRF and DNS Rebinding.

There are a few optimizations, meant to reduce the traffic to less than two hundreds of bytes per user per day (and prevent my servers from melting down), but if you do notice this background request, now you know what it is about (it is also mentioned in the NoScript's Privacy Policy, BTW). This new feature, enabled by default, can be disabled at any time by clearing the NoScript Options|Advanced|ABE|WAN IP ∈ LOCAL checkbox *.

Now, let's just hope al_9x's guess is correct.
I'm quite confident it is, but if it's not, expect a brand new ABE protection feature in a week or so, anyway :)

Update

Looks like al_9x was entirely correct, indeed :)

* Note for network administrators

This feature tries to be nice: device fingerprinting can be turned off by sending a "X-ABE-Fingerprint: Off" HTTP header, and fingerprinting requests are identified by a "Mozilla/5.0 (ABE, http://noscript.net/abe/wan)" User-Agent header. Furthermore, custom local subnets or IPs can be configured as a space-separated list in the noscript.abe.localExtras about:config preference.

As a result of recent changes in Xmarks you may experience some problems if you're also a NoScript user.

Xmark's login dialog and setup wizard ask you to "Allow JavaScript on login.xmarks.com", or directly come out broken as HTML source. You cannot exit the dialog (the browser seems stalled), and even if you manage to, you discover that allowing login.xmarks.com or even the whole xmarks.com does not help.

The solution

  1. Use the "Esc" key to exit the dialog
  2. Click the NoScript icon and look in the "Recently blocked sites" submenu.
  3. Select Allow googleapis.com, Allow xmarks.com or both (whathever you find there).

Alternatively, you can open NoScript Options|Whitelist and manually allow xmarks.com and googleapis.com. Looks like the Xmarks folks overlooked the need of allowing the latter.

Extensions developers!

More in general, extensions developers who need some web site to be allowed in NoScript for their extension to work, may want to use some code like this:

if ("@maone.net/noscript-service;1" in Components.classes) {
  let ns =  Components.classes["@maone.net/noscript-service;1"]
    .getService().wrappedJSObject;
 
  let myWhitelist = ["xmarks.com", "googleapis.com"]
    .filter(function(s) {
      return !ns.isJSEnabled(s);
    });
 
  if (myWhitelist.length > 0) {
    let prompt = Components.classes["@mozilla.org/embedcomp/prompt-service;1"]
      .getService(Components.interfaces.nsIPromptService);
    if (prompt.confirm(null, "Xmarks Permission Request",
       "Xmarks needs to add\n" + myWhitelist.join(" and ") +
       "\nto your NoScript whitelist.\nProceed?")) {
       ns.setJSEnabled(myWhitelist, true);
    }
  }
}

I'm quite surprised (albeit happy) to see a capitalist corporation actually contributing to social progress, and with a politically bold move, rather than with the usual hairy tax-deductible alms.

But after all Mozilla itself is a foundation, but a corporation too, isn't it?

Interesting times we're living in...

Bad Behavior has blocked 3282 access attempts in the last 7 days.