From the context it is not entirely clear whether “that client” should always be the requesting device. It should be clear that this is a security bug and that this behaviour should explicitly be denied in the specification.
The specifications mention that it should be possible to set InternalClient to 255.255.255.255, a broadcast address. In some of the implementations that were examined (Alcatel Speedtouch 510) this particular behaviour could actually be triggered.
4.2 Using UPnP to create proxies and hijack ports
At least one implementation of the Internet Gateway Device profile allows anyone on the internal network to set the InternalClient parameter of the AddPortMapping SOAP function to any machine on the Internet. This implementation was developed by Broadcom for their router platform. It can be found in certain revisions of the Linksys WRT54G(S) and in many other Linux-based routers and access points (the hardware list on the OpenWrt Wiki[6] gives a good indication of which devices are based on the platforms Broadcom makes).
In this particular implementation the Internet Gateway Device does not check whether the InternalClient parameter really is a machine on the LAN. The Internet Gateway Device will happily perform Network Address Translation (NAT) on the incoming packets destined for InternalClient, even if InternalClient is located on an external network. The result is that the headers of the incoming packets are rewritten and the packets are resent from the router.
This means that ports on the external interface of the Internet Gateway Device can be used to forward traffic to other machines that are also reachable via the external interface. An attacker can exploit this bug to have his own traffic routed through the victim's Internet Gateway Device, masquerading its origin and thus creating his own onion routing system[7][8], without the permission or knowledge of the owner of the router (logging is turned off by default).
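The check the paper says is missing, written out as an added example in Python: this is not code from the paper or from any router firmware. It parses the body of an AddPortMapping request (the action and argument names follow the IGD WANIPConnection service; the sample request and all addresses are constructed for this example), then applies the rules the text argues a gateway should enforce: InternalClient must be an IPv4 address inside the LAN, it must not be the limited broadcast address 255.255.255.255 or the LAN broadcast address, and, optionally, it must equal the address the request came from, which is the stricter reading of “that client” discussed above.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Service namespace of the IGD WANIPConnection service that carries AddPortMapping.
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Constructed sample SOAP body for AddPortMapping; {client} is filled in below.
SAMPLE_REQUEST = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
 s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <s:Body>
  <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>8080</NewExternalPort>
   <NewProtocol>TCP</NewProtocol>
   <NewInternalPort>80</NewInternalPort>
   <NewInternalClient>{client}</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>example</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:AddPortMapping>
 </s:Body>
</s:Envelope>
"""


def extract_internal_client(soap_xml):
    """Return the NewInternalClient argument of an AddPortMapping request body."""
    root = ET.fromstring(soap_xml)
    # The argument elements carry no namespace, only the action element does.
    node = root.find(f".//{{{WANIP_NS}}}AddPortMapping/NewInternalClient")
    if node is None or not node.text or not node.text.strip():
        raise ValueError("NewInternalClient missing from AddPortMapping request")
    return node.text.strip()


def check_internal_client(client_str, lan_cidr, requester_ip, require_self=False):
    """Decide whether InternalClient may be used as a NAT target.

    lan_cidr     - the LAN side of the gateway, e.g. "192.168.1.0/24"
    requester_ip - source address of the SOAP request
    require_self - if True, only allow a client to map ports to itself
    Returns (accepted, reason).
    """
    lan = ipaddress.IPv4Network(lan_cidr, strict=False)
    try:
        client = ipaddress.IPv4Address(client_str)
    except ValueError:
        return False, "not an IPv4 address"
    # The spec allows 255.255.255.255; a hardened gateway refuses it, and the
    # directed broadcast of the LAN as well.
    if client in (ipaddress.IPv4Address("255.255.255.255"), lan.broadcast_address):
        return False, "broadcast address"
    if client.is_multicast or client.is_loopback or client.is_unspecified:
        return False, "not a unicast host address"
    # This is the check the Broadcom-based implementation lacks: the target
    # must be a host on the LAN, never a machine reached via the WAN side.
    if client not in lan or client == lan.network_address:
        return False, "not on the LAN"
    if require_self and client != ipaddress.IPv4Address(requester_ip):
        return False, "differs from requesting client"
    return True, "ok"


def validate_request(soap_xml, lan_cidr, requester_ip, require_self=False):
    """Parse an AddPortMapping body and apply check_internal_client to it."""
    try:
        client = extract_internal_client(soap_xml)
    except (ValueError, ET.ParseError) as exc:
        return False, str(exc)
    return check_internal_client(client, lan_cidr, requester_ip, require_self)


if __name__ == "__main__":
    # Constructed scenario mirroring the paper's case: a WRT54G with LAN
    # 192.168.1.0/24 receives a request from 192.168.1.100 naming an
    # address that lives on the WAN side of the router.
    for target in ("192.168.1.100", "10.0.0.151", "255.255.255.255"):
        body = SAMPLE_REQUEST.format(client=target)
        print(target, validate_request(body, "192.168.1.0/24", "192.168.1.100"))
```

With require_self left at its default the function only enforces the LAN-membership and broadcast rules; turning it on gives the narrowest policy, where a device can only open ports towards itself, which also defeats the proxy use of the gateway described in this section.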
4.2.1 Case: make your own onion router
With a small bit of hacking it is possible to forward ports on the external interface
of an ADSL router, that in itself is not directly vulnerable to the attack described
above, to another host on the Internet, where it will appear as if all traffic is coming
from the ADSL router. This can be done as long as there is some router in the
network that is vulnerable.
The machines involved are:
• Alcatel/Thomson Speedtouch ADSL router (using PPPoA), internal IP address 10.0.0.138
• machine A, IP address 10.0.0.151
• Linksys WRT54G, external IP address 10.0.0.152 and internal IP address 192.168.1.1
• machine B, IP address 192.168.1.100