Popular router firmware allows DNS hijacking exploit
Thu 29 Jan 2015

A member of the Bulgarian security research group Ethical Hacker has identified a vulnerability in widely used router firmware which could permit an unauthenticated third party to change a router's DNS settings so that every name lookup it handles is sent to a rogue server.
Todor Donev found the vulnerability in ZyXEL's ZynOS firmware. Because D-Link's legacy DSL-2740R ADSL modem/wireless router runs that firmware, the exploit is immediately usable against it, but other manufacturers also ship the affected code, including ZTE and TP-Link Technologies, according to an email from Donev.
The attack is simplest against affected routers that expose their administrative interface to the internet (remote administration enabled), but it can also be delivered through Cross-Site Request Forgery (CSRF): a web page the victim visits, typically a compromised or malicious site, makes the victim's browser send crafted HTTP requests to the router's LAN IP address, so the request arrives from inside the network without the attacker ever needing direct access to it.
Once the DNS settings have been changed, the attacker controls where every name lookup made through the router resolves, and can steer users to servers of their choosing to intercept, monitor and tamper with their traffic, including harvesting personal data and passwords.
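The check a practitioner would want after a report like this is whether the resolvers their hosts actually use are still the expected ones. The script below is an added example, not code from the article or from the researcher: it parses resolv.conf-style output collected from each host, classifies every resolver as the router/LAN itself, a public resolver on an assumed allowlist (the `TRUSTED_PUBLIC_RESOLVERS` set is a hypothetical policy for illustration), or suspicious, and reports the hosts that have been handed something unexpected. The sample hosts and resolv.conf text are constructed for the example.

```python
from __future__ import annotations

import ipaddress

# RFC 1918 blocks plus IPv6 ULA. A resolver in one of these is the router
# itself or another box on the LAN, which is the normal home/SOHO setup.
LAN_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]

# Public resolvers this example chooses to accept. Hypothetical allowlist for
# illustration only; substitute the resolvers your own policy permits.
TRUSTED_PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9"}


def classify_resolver(addr: str) -> str:
    """Return 'lan', 'trusted' or 'suspicious' for one resolver address.

    Anything that does not parse as an IP address is reported as suspicious
    rather than silently skipped, so garbage in the config is not missed.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "suspicious"
    # Membership is False across IP versions, so mixing v4/v6 nets is safe.
    if any(ip in net for net in LAN_NETWORKS):
        return "lan"
    if addr in TRUSTED_PUBLIC_RESOLVERS:
        return "trusted"
    return "suspicious"


def parse_resolv_conf(text: str) -> list[str]:
    """Extract nameserver addresses, in order, from resolv.conf-style text.

    Lines starting with '#' or ';' are comments; other directives (search,
    options, ...) are ignored.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit(resolvers_by_host: dict[str, list[str]]) -> dict[str, list[str]]:
    """Map each host to the resolvers it uses that are neither on the LAN nor
    on the allowlist. Hosts with nothing to report are omitted."""
    findings: dict[str, list[str]] = {}
    for host, resolvers in resolvers_by_host.items():
        bad = [r for r in resolvers if classify_resolver(r) == "suspicious"]
        if bad:
            findings[host] = bad
    return findings


# Constructed sample input. "branch-b" has been handed a resolver that is
# outside the LAN and off the allowlist, which is what a DNS hijack of the
# router looks like from a client that receives resolvers via DHCP.
# 203.0.113.0/24 is a documentation range, used here as a stand-in.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
search example.net
nameserver 203.0.113.45
nameserver 192.168.1.1
"""

SAMPLE_HOSTS = {
    "home-office": ["192.168.1.1"],
    "branch-a": ["192.168.0.1", "8.8.8.8"],
    "branch-b": parse_resolv_conf(SAMPLE_RESOLV_CONF),
}

if __name__ == "__main__":
    for host, bad in audit(SAMPLE_HOSTS).items():
        print(f"{host}: unexpected resolver(s) {', '.join(bad)}")
```

One caveat: many routers hand clients their own LAN address as the resolver and forward queries upstream, in which case a hijacked upstream setting is invisible from the client and the check passes. Pair it with a review of the router's own WAN/DNS configuration page and, where possible, resolve a known name through the router and compare the answer with one from a resolver you trust.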
Donev published the exploit code on Tuesday as a zero-day release, without prior notice to D-Link or to the other router manufacturers using the affected firmware.
The DSL-2740R ADSL model in question has been discontinued, according to D-Link's website, but no details of other affected models from other manufacturers seem to have emerged yet.
Routers, router protocols and firmware seem to have become increasingly popular targets in the last year; metaphorically, a shift from attacking roads or road users to targeting on-ramps. Routerpwn chronicles such vulnerabilities quite exhaustively through its website and Twitter account, and even offers a firmware configuration decompressor for analysing ZynOS firmware, among others.
Earlier this month another major router vulnerability emerged when security firm Accuvant found a flaw in ASUS wireless models that let attackers gain control of the router's traffic by sending a single User Datagram Protocol (UDP) packet to the device.