FON Router allows anonymous web access (fwd)
---------- Forwarded message ----------
Date: 6 Jan 2007 19:49:56 -0000
From: l.friedrichs@gbs.nitag.de
To: bugtraq@securityfocus.com
Subject: FON Router allows anonymous web access

Description:
"La Fonera" routers distributed by FON allow web access to unauthenticated users via DNS tunneling.

Explanation:
The router gives a client a DHCP answer but does not forward IP traffic until the client authenticates via the captive portal. The given DNS server address is the router itself, so there is a DNS forwarder running on the router. Even an unauthorized client is allowed to surf certain sites for obvious reasons (google, skype and the access point owner's site), but instead of filtering the DNS requests for these few domains, it resolves all domains. This is where a DNS tunnel comes in handy...

Environment:
Tested with router's standard config on 01/04/07. Runs smoothly with NSTX (http://nstx.dereference.de/nstx/ Version 1.1-beta6) and an ssh-session for connection testing without any authentication via the FON captive portal.

Impact:
Unauthorized resource usage (internet bandwidth)

Solution:
New firmware from FON; workaround can be rate limiting DNS traffic on the real router (if possible...)
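The advisory's point is that a captive-portal DNS forwarder which resolves every name, rather than only the whitelisted domains, lets unauthenticated clients move data in query names. From the operator's side, the tell-tale pattern is one client sending many queries for long, high-entropy subdomains of a single zone. The following is an added example (not code from the advisory, from FON, or from the NSTX project) that scores clients from constructed forwarder log lines; the log format, thresholds and the "last two labels" zone heuristic are assumptions for the example.

```python
"""Flag clients whose DNS query pattern looks like a name-encoded tunnel.

Constructed input format (an assumption): "<client_ip> <qtype> <qname>".
"""
import math
from collections import defaultdict

# Constructed sample log: 10.0.0.5 browses whitelisted sites; 10.0.0.7
# hammers one zone with long pseudo-random labels (tunnel-like behaviour).
SAMPLE_LOG = """\
10.0.0.5 A www.google.com
10.0.0.5 A skype.com
10.0.0.7 TXT k3j9f0sdl2m4a8xq1z0v7bnm3c5r.t.example.org
10.0.0.7 TXT 9f2hs8dkz0qlw3e6r5t1y7u4i0o2p.t.example.org
10.0.0.7 TXT zx8c7v6b5n4m3l2k1j0h9g8f7d6s5.t.example.org
10.0.0.7 TXT q1w2e3r4t5y6u7i8o9p0a1s2d3f4g.t.example.org
10.0.0.7 TXT m4n3b2v1c0x9z8l7k6j5h4g3f2d1s.t.example.org
10.0.0.5 A mail.example.net
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score high, real hostnames low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_zone(qname: str) -> str:
    """Crude zone heuristic (assumption): last two labels, no public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_clients(log_text: str, min_queries: int = 5,
                  min_label_len: int = 20, min_entropy: float = 3.5) -> dict:
    """Return {client: details} for clients exceeding all three thresholds."""
    per_client = defaultdict(lambda: defaultdict(list))  # client -> zone -> labels
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        client, _qtype, qname = parts
        per_client[client][registrable_zone(qname)].append(qname.split(".")[0])
    suspects = {}
    for client, zones in per_client.items():
        for zone, labels in zones.items():
            if len(labels) < min_queries:
                continue
            avg_len = sum(map(len, labels)) / len(labels)
            avg_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
            if avg_len >= min_label_len and avg_ent >= min_entropy:
                suspects[client] = {"zone": zone, "queries": len(labels),
                                    "avg_label_len": round(avg_len, 1),
                                    "avg_entropy": round(avg_ent, 2)}
    return suspects
```

A flagged client is a candidate for the per-client DNS rate limit the advisory suggests, which is cheaper than teaching the forwarder a whitelist but still leaves low-rate tunnels alone.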
Gadi Evron wrote: [..]
Environment: Tested with router's standard config on 01/04/07. Runs smoothly with NSTX (http://nstx.dereference.de/nstx/ Version 1.1-beta6) and an ssh-session for connection testing without any authentication via the FON captive portal.
Any smart user can get around most silly blocks, what is so special about this? This is the same deal used for getting around a large majority of 'firewalls' and of course most airport hotspots and most other places where geek people need connectivity and don't want to bother getting a silly registration card for it or pulling their visa card number from that text file they keep somewhere. Nothing new there... except that maybe these things were supposed to be really closed per default, and in other cases the administrator of the box is just not doing his job correctly as the tools provided don't allow him to ;)

Greets,
Jeroen
participants (2)
-
Gadi Evron
-
Jeroen Massar