lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20070106194956.2163.qmail@securityfocus.com>
Date: 6 Jan 2007 19:49:56 -0000
From: l.friedrichs@....nitag.de
To: bugtraq@...urityfocus.com
Subject: FON Router allows anonymous web access

Description:
"La Fonera" routers distributed by FON allow web access to unauthenticated users via DNS tunneling.

Explanation:
The router gives a client an DHCP answer but does not forward ip traffic until the client authenticates via the captive portal. The given DNS server address is the router itself so there is a DNS forwarder running on the router. Even an unauthorized client is allowed to surf certain sites as of obvious reasons (google, skype and the accesspoint's owner's site) but instead of filtering the dns requests for these few domains, it resolves all domains. This is where an DNS tunnel comes handy...

Environment:
Tested with router's standard config on 01/04/07. Runs smoothly with NSTX (http://nstx.dereference.de/nstx/ 
Version 1.1-beta6) and an ssh-session for connection testing without any authentication via the FON captive portal.

Impact:
Unauthorized ressource usage (internet bandwidth)

Solution:
New firmware from FON, workaround can be rate limiting DNS traffic on the real router (if possible...)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ