Hackers exploiting Router vulnerabilities to hack Bank accounts through DNS Hijacking

In past months, we have reported about critical vulnerabilities in many wireless Routers including Netgear, Linksys, TP-LINK, Cisco, ASUS, TENDA and more vendors, installed by millions of home users worldwide.

Polish Computer Emergency Response Team (CERT Polska) recently noticed a large scale cyber attack ongoing campaign aimed at Polish e-banking users.

Cyber criminals are using known router vulnerability which allow attackers to change the router's DNS configuration remotely so they can lure users to fake bank websites or can perform Man-in-the-Middle attack.

'After DNS servers settings are changed on a router, all queries from inside the network are forwarded to rogue servers. Obviously the platform of a client device is not an issue, as there is no need for the attackers to install any malicious software at all.' CERT Polska researchers said.

That DNS Hijacking trick is not new, neither most of the router vulnerabilities are, but still millions of routers are not patched or upgraded to the latest firmware version.

The Domain Name System, or DNS, the Internet’s method of converting Web page names into IP address numbers can be hijacked just by changing the server address to a malicious DNS server from router's settings; and that which malicious DNS server should be in control of the hacker to facilitate interception, inspection and modification of the traffic between users and the online banking websites they wanted to target.

"It looks like criminals are primarily targeting e-banking users as they modify DNS responses for several banking domains, while resolving other domain names normally." they said.

Most of the Banking and E-commerce sites are using HTTPS with SSL encryption, making it impossible to impersonate them without a valid digital certificate issued by a Certificate Authority (CA), but to bypass such limitation cyber criminals are also using the SSL strip technique to spoof digital certificates. 

“While criminals intercept the unencrypted request, they simply modify links to clear HTTP, adding “ssl-“ String to a hostname, apparently in an attempt to fool casual users (Note that the nonexistent ssl-. hostnames would only be resolved by malicious DNS servers) While the connection is proxied through malicious servers, SSL is terminated before it reaches the user. Decrypted content is then modified and sent unencrypted to the customer.”

"In cases we have seen, they produced a self-signed certificate for thawte.com domain, which causes a browser to complain about both domain name mismatch and lack of a trusted CA in the certificate chain. This should be a clear indicator of the fraud for most users."

Demonstration of Exploitation:
Penetration tester and Computer Science Student, ABDELLI Nassereddine from Algerian, who reported previously about critical unauthorized access and password disclosure vulnerability in the TP-LINK Routers provided by Algerie Telecom, has also published the practical demonstration on 'How to Hack Victim's computer and accounts by hijacking Router's DNS server'.

To perform this, he used DNS Proxy tool 'Dnschef' and exploitation tools including Metasploit, webmitm and Burp Suite. Steps to follow:

• Install these tools and run following command:

./dnschef.py –interface 192.168.1.106 –fakeip 192.168.1.106 

(where interface is the original IP address and fakeip is the resolution of the DNS query)

• Run 'webmitm tool' that will handle the HTTP requests and responses and also forward the traffic to Burp Suite Proxy to inject an iframe of the Metasploit's Browser AUTOPWN Server.
• Launch the Bowser AUTOPWN module on Metasploit and get access.

Our readers can get detailed explanations of exploitation technique on the Nassereddine's blog.

How to Protect?
Now that you know how hackers can target routers to mess up the internet connection or even steal banking, Facebook, Google passwords, the next best thing to do is to secure your own routers:

• Change the default username and password.
• Update the Router's firmware to latest patched version.
• Users can spot fake sites by pay attention to the browser’s address bar and HTTPS indicators.
• Disable Remote Administration feature, especially from WAN. The router should be configurable only from the local network or LAN.

Author : Shivam Kotwalia, CodeKill

Buffer Overflow Exploit Discovered In Android SDK

Android SDK also suffers lack of compile-time hardening.

The droidsec security group has discovered and patched a buffer overflow issue and a lack of compile-time hardening in the Android Debug Bridge, with the team deciding to publicly disclose the issues and patches after a lack of communication from Google. The buffer overflow exploit discovered in the Android software development kit effects all versions of the Android Debug Bridge on Linux x86_64.

According to droidsec the exploit has been confirmed on version 18.0.1 of the Android SDK platform tools on x86_64 Ubuntu Linux 12.04. Meanwhile, attempts of exploitation on a 32-bit Linux system and the adb binary found on the Nexus 4 were unsuccesful. Windows systems were kept out of the test.

The exploit starts with an attacker starting a malicious Android Debug Bridge (ADB) server. This ADB server then interfaces with Android devices on a multi-user system and waits for ADB clients to connect. Any command that communicates with the ADB Server will lead to 'successful' exploitation. Further, it has been found that the ADB binary failed to have a non-executable stack. Also the executable was not position independent.

"It should also be noted that host compilation also seems to intentionally opt out of the FORTIFY_SOURCE protections. It's not clear why this is the case since the comment near this line of code references an internal only bug number." " droidsec was quoted as saying.

Shivam Kotwalia, CodeKill