DNS exploit for pfSense!!!
-
So the fact that the word "Successful" is listed in the pfSense row should be nothing to worry about?
I'm guessing all this "hack" does is try and log in to your router's web GUI, is that correct?
-
So the fact that the word "Successful" is listed in the pfSense row should be nothing to worry about?
I'm guessing all this "hack" does is try and log in to your router's web GUI, is that correct?
Well the login is the component they tested, but it also requires a successful exploit of the router's firmware or OS to do much of anything useful.
As long as you follow even the most basic of security guidelines as outlined by cmb above (and linked in the other thread), the risk is mitigated.
-
Well the login is the component they tested
So literally all they did was bring up the login prompt? Then, if the user still used the default password, or a cookie has cached the login session, they call it "Successful"?
If that is the case, then I don't call this an "exploit" at all. All it requires to mitigate this "issue" is due diligence when surfing the net. Always clicking logout in pfSense is a good bet! (There is a logout button, right?)
-
It was a little more complex than that, as I understand it, but I don't know the full details.
There is no logout in 1.2.x because it uses basic HTTP auth. The credentials are cached by the browser, thus the recommendation that you use a separate browser (or profile/session) for managing routers than for general surfing. 2.0 has a completely different login system, and does have a logout function.
-
So literally all they did was bring up the login prompt? Then, if the user still used the default password, or a cookie has cached the login session, they call it "Successful"?
If that is the case, then I don't call this an "exploit" at all. All it requires to mitigate this "issue" is due diligence when surfing the net. Always clicking logout in pfSense is a good bet! (There is a logout button, right?)
Yeah that's basically what it is. It's really not all it's being made out to be. There are all kinds of ways to accomplish things along these lines, have been for a long time, it's just a somewhat new way of doing it.
There isn't a logout in 1.2.3 and earlier since it uses HTTP basic auth, and that's controlled by your browser (it remembers the credentials and sends on every page load). You have to either tell your browser to log out/forget credentials (I believe only Firefox supports that), or close the browser. Which is partially why you should use a different browser for any web-managed device.
-
Or a different profile in the browser, where supported. I gave an example for Firefox earlier for running a separate process on a different Firefox profile. You could customize the appearance to make the profiles visually distinguishable from each other if you want to be sure you remember which one to use.
-
IETab could be an option?
-
Technically that's a different browser. ;) Also, there are still some parts of the pfSense web gui that don't quite work properly in IE (almost all of it does work, though).
-
Why not just do private browsing? It will not keep anything after you close the browser and no data is kept. I always use Firefox in private mode for entering sensitive areas.
-
In the other browsers that works great if you want to keep your other stuff open. Personally, I don't like that Firefox takes away all of your tabs and windows while in that mode. In the context of using that mode for configuring pfSense, what about if you had a web page open that you were going to use as a reference to help you configure something? I suppose you could copy and paste URLs or bookmark everything that you wanted to transfer over to the private browsing session, but it is much easier if you just open another Firefox process. :)
-
You could use things like Xmarks, for which you don't need to add plugins and which you are able to access from their website. This way I am not fixed to one computer or browser and not locked into any one system. Though using their service may not be what a lot of security-conscious people find safe, so far it has been available 24x7 and free for over 1 year. I am not confined in any way, nor do I need to leave unnecessary information on any computer. Unless, of course, that computer is infected with a key logger. Just my thoughts and the way I am using it now.