DNS exploit for pfSense!!!



  • Has everyone (anyone) seen this???

    http://blogs.forbes.com/firewall/2010/07/13/millions-of-home-routers-vulnerable-to-web-hack/

    pfSense (along w/ DD-WRT, OpenWRT, & Tomato) is listed as vulnerable. Hopefully a strong passwd will help prevent this, but the article doesn't give much detail. Does anyone have any more info on how to deal w/ this???

    Thanks



  • Saw this too on Slashdot. I don't see that many options:

    First, use the NoScript extension for Firefox and only allow connection to your pfSense temporarily. If you're already using it, you might need to get paranoid and delete all whitelisted domains (inconvenient and only a temporary measure).

    Then of course, a secure password.

    Other than that I don't really know.


  • Rebel Alliance Developer Netgate

    While not technically a fault in the router (it's more of a problem with the browser), we added code in 2.0 to help protect against this.

    See the discussion in this thread:
    http://forum.pfsense.org/index.php/topic,26368.0.html


  • Rebel Alliance Developer Netgate

    @comi:

    First, use the NoScript extension for Firefox and only allow connection to your pfSense temporarily. If you're already using it, you might need to get paranoid and delete all whitelisted domains (inconvenient and only a temporary measure).

    Other than that I don't really know.

    Use a separate browser installation for pfSense from the one you use for normal browsing. :-)

    With so many choices out there (Firefox, Opera, Chrome, Safari, IE, etc) it would be easy to install one just to use for accessing router GUIs and not general surfing.



  • @jimp:

    @comi:

    First, use the NoScript extension for Firefox and only allow connection to your pfSense temporarily. If you're already using it, you might need to get paranoid and delete all whitelisted domains (inconvenient and only a temporary measure).

    Other than that I don't really know.

    Use a separate browser installation for pfSense from the one you use for normal browsing. :-)

    Right :-) And thanks for the information.



  • There is also a way to start Firefox with a different profile path.  For example:

    "C:\Program Files\Mozilla Firefox\firefox.exe" -no-remote -profile "C:\Alternate Firefox Profile"

    The -no-remote parameter allows you to run it as a different process so you can open a window with your alternate profile even when you already have another Firefox window open with your normal profile.



  • This isn't a vulnerability in the software, and it's not specific to any vendor. There are things we can do to help protect against it that have been added to 2.0. The only thing this allows someone to do is compromise a vulnerability should one exist on your router (of which there are none known in 1.2.3), or get into it if you're using the default password or an easily guessed password.

    Just do what we've been suggesting for years (use strong passwords, don't use the same browser to administer ANY web managed device as you do for general Internet browsing), and you're fine.
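    As an added illustration of the kind of protection the 2.0 code mentioned above is aimed at (this is example code written for this thread, not pfSense's own code, and the details of what pfSense 2.0 actually does are not taken from the thread): a DNS rebinding page reaches the router through a hostname the attacker controls, so the browser's request arrives with that hostname in the HTTP Host header instead of the router's own address or configured name. Checking the Host header against the addresses and names the GUI is legitimately served on is a standard way to reject such requests. The sample requests, the LAN address 192.168.1.1, the name router.lan and the hostname rebind.attacker.example are all constructed for the example.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed sample requests as a router's web GUI might receive them.
# The third one is what a DNS rebinding page produces: the browser thinks
# it is talking to the attacker's hostname (now resolving to the LAN address),
# so the Host header carries that hostname rather than the router's.
SAMPLE_REQUESTS = [
    "GET /index.php HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: router.lan:443\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: rebind.attacker.example\r\n\r\n",  # constructed
    "GET /index.php HTTP/1.1\r\n\r\n",  # no Host header at all
    "GET /index.php HTTP/1.1\r\nHost: [fe80::1]:8443\r\n\r\n",
]

# Constructed identity of the device: what the GUI is legitimately served on.
OWN_ADDRESSES = ["192.168.1.1", "fe80::1"]
OWN_NAMES = ["router.lan"]


def parse_host_header(raw_request: str) -> Optional[str]:
    """Return the Host header value of a raw HTTP request, or None if absent."""
    head, _, _ = raw_request.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def split_host_port(host: str) -> str:
    """Strip an optional :port, handling bracketed IPv6 literals like [fe80::1]:8443."""
    if host.startswith("["):
        end = host.find("]")
        return host[1:end] if end != -1 else host
    # A single colon means host:port; more than one is a bare IPv6 literal.
    if host.count(":") == 1:
        return host.rsplit(":", 1)[0]
    return host


def host_is_allowed(host_value: Optional[str],
                    own_addresses: Iterable[str],
                    own_names: Iterable[str]) -> bool:
    """True only if the Host header names this device by IP or configured hostname."""
    if not host_value:
        return False  # HTTP/1.1 requires Host; reject rather than guess
    bare = split_host_port(host_value).lower()
    try:
        return ipaddress.ip_address(bare) in {ipaddress.ip_address(a) for a in own_addresses}
    except ValueError:
        # Not an IP literal, so compare as a hostname (case-insensitive).
        return bare in {n.lower() for n in own_names}


def classify(requests: Iterable[str],
             own_addresses: Iterable[str],
             own_names: Iterable[str]) -> List[Tuple[Optional[str], str]]:
    """Label each request 'allow' or 'reject' (possible DNS rebinding) by its Host header."""
    result = []
    for raw in requests:
        host = parse_host_header(raw)
        verdict = "allow" if host_is_allowed(host, own_addresses, own_names) else "reject"
        result.append((host, verdict))
    return result


if __name__ == "__main__":
    for host, verdict in classify(SAMPLE_REQUESTS, OWN_ADDRESSES, OWN_NAMES):
        print(f"{verdict:6}  Host: {host}")
```

Note that this check does not replace a strong password or a separate browser profile: it stops a rebinding page from reaching the GUI at all, while the cached-credential problem with HTTP basic auth that the thread discusses is a browser-side matter the router cannot see.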



    So the fact that the word "Successful" is listed in the pfsense row should be nothing to worry about?

    I'm guessing all this "hack" does is try and login to your router's web gui, is that correct?


  • Rebel Alliance Developer Netgate

    @jonnytabpni:

    So the fact that the word "Successful" is listed in the pfsense row should be nothing to worry about?

    I'm guessing all this "hack" does is try and login to your router's web gui, is that correct?

    Well the login is the component they tested, but it also requires a successful exploit of the router's firmware or OS to do much of anything useful.

    As long as you follow even the most basic of security guidelines as outlined by cmb above (and linked in the other thread), the risk is mitigated.



  • @jimp:

    Well the login is the component they tested

    So literally all they did was bring up the login prompt? Then, if the user still used the default password, or a cookie has cached the login session, they call it "Successful"?

    If that is the case, then I don't call this an "exploit" at all. All it requires to mitigate this "issue" is due diligence when surfing the net. Always clicking logout in pfsense is a good bet! (There is a logout button, right?)


  • Rebel Alliance Developer Netgate

    It was a little more complex than that, as I understand it, but I don't know the full details.

    There is no logout in 1.2.x because it uses basic HTTP auth. The credentials are cached by the browser, thus the recommendation that you use a separate browser (or profile/session) for managing routers than for general surfing. 2.0 has a completely different login system, and does have a logout function.



  • @jonnytabpni:

    So literally all they did was bring up the login prompt? Then, if the user still used the default password, or a cookie has cached the login session, they call it "Successful"?

    If that is the case, then I don't call this an "exploit" at all. All it requires to mitigate this "issue" is due diligence when surfing the net. Always clicking logout in pfsense is a good bet! (There is a logout button, right?)

    Yeah that's basically what it is. It's really not all it's being made out to be. There are all kinds of ways to accomplish things along these lines, have been for a long time, it's just a somewhat new way of doing it.

    There isn't a logout in 1.2.3 and earlier since it uses HTTP basic auth, and that's controlled by your browser (it remembers the credentials and sends them on every page load). You have to either tell your browser to log out/forget credentials (I believe only Firefox supports that), or close the browser. Which is partially why you should use a different browser for any web-managed device.



  • Or a different profile in the browser, where supported.  I gave an example for Firefox earlier for running a separate process on a different Firefox profile.  You could customize the appearance to make the profiles visually distinguishable from each other if you want to be sure you remember which one to use.



  • IETab could be an option?



  • Technically that's a different browser. ;)  Also, there are still some parts of the pfSense web gui that don't quite work properly in IE (almost all of it does work, though).



    Why not just do private browsing? It will not keep anything after you close the browser and no data is kept. I always use Firefox in private mode for entering sensitive areas.



  • In the other browsers that works great if you want to keep your other stuff open.  Personally, I don't like that Firefox takes away all of your tabs and windows while in that mode.  In the context of using that mode for configuring pfSense, what about if you had a web page open that you were going to use as a reference to help you configure something?  I suppose you could copy and paste URLs or bookmark everything that you wanted to transfer over to the private browsing session, but it is much easier if you just open another Firefox process. :)



    You could use things like Xmarks, which you don't need to add plugins for and can access from their website. This way I am not fixed to one computer or browser and not locked into any one system. Though using their service may not be what a lot of security-conscious people find safe, so far it has been available 24x7 and free for over a year. I am not confined in any way nor need to leave unnecessary information on any computer. Unless of course that computer is infected with a key logger. Just my thoughts and the way I am using it now.

