http://www.theregister.co.uk/2009/07/21 ... uter_vuln/
A thousand thanks, Prof. :applause:
ABE just in time it seems
-
- Senior Member
- Posts: 240
- Joined: Fri Jul 03, 2009 7:20 am
ABE just in time it seems
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: ABE just in time it seems
Eh eh, RSnake started to mention ABE as something which needs to be disabled for his PoCs to work, too

Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Re: ABE just in time it seems
Could you explain that further?
I briefly read about this yesterday, but didn't look into it.
And so, I was under the wrong impression that this was something that can happen from the outside, hacking directly into the router, simply by coming across a vulnerable router.
But that is not the case.
It needs a facilitator. And that facilitator is your browser.
So the exploit has to come across the web & into your browser. Then your browser has to allow the action. So if the action is blocked by the browser (& a NoScript/ABE enabled browser, does - you say), then the exploit is thwarted.
And just how does NoScript/ABE stop this attack?
And I guess that is what does it. But just what does that mean, in simple terms?
Code:
# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: ABE just in time it seems
therube wrote:
And just how does NoScript/ABE stop this attack?
Code:
# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny
And I guess that is what does it. But just what does that mean, in simple terms?

In simple terms it means that, just like any site can link any other site and even navigate automatically (e.g. when a web site loads a 3rd party image or iframe), a malicious site can let your browser navigate automatically (and invisibly, e.g. using an invisible iframe or a 0 sized image) to your router's web UI (or any web application inside your LAN).
If said router or intranet application lacks sufficient authorization checks (e.g. because it's confident about hosts in the LAN being trusted by IP) or if you're just already logged in or you're using the default password or, like in this case, it is just vulnerable because of a bug, the malicious web page can interact with the "private" resource just like it was you.
What ABE does with the SYSTEM "LocalRodeo-like" rule is to prevent any external (internet) web site/application from initiating requests towards internal (LAN) resources.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
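Added example, not part of the original posts and not NoScript's own code: a small Python model of how the SYSTEM rule quoted above decides a request, given the page that triggered it and the resource it targets. The address ranges used for LOCAL, the `dns` lookup table and all host names are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: LOCAL is approximated here as loopback, RFC 1918, link-local
# and IPv6 unique-local ranges; this is not NoScript's own definition.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_local(host, dns=None):
    """True if host is, or resolves (via the constructed dns map) to, a LOCAL address."""
    if not host:
        return False
    if host == "localhost":
        return True
    addr = (dns or {}).get(host, host)
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unresolved name: treated as non-local in this sketch
    return any(ip in net for net in LOCAL_NETS)


def local_rule(origin_url, dest_url, dns=None):
    """Evaluate 'Site LOCAL / Accept from LOCAL / Deny' for one request."""
    dest = urlsplit(dest_url).hostname
    if not is_local(dest, dns):
        return "no-match"          # Site LOCAL: the rule only covers LAN targets
    origin = urlsplit(origin_url).hostname
    if is_local(origin, dns):
        return "Accept"            # Accept from LOCAL
    return "Deny"                  # any other origin is refused


# Constructed requests: (page that triggered the load, resource requested)
DNS = {"router.lan.example": "192.168.1.1"}   # constructed lookup table
SAMPLES = [
    ("http://news.example/story", "http://192.168.1.1/"),
    ("http://news.example/story", "http://router.lan.example/"),
    ("http://192.168.1.20/index.html", "http://192.168.1.1/"),
    ("http://news.example/story", "http://cdn.example/logo.png"),
]

if __name__ == "__main__":
    for origin, dest in SAMPLES:
        print(f"{origin} -> {dest}: {local_rule(origin, dest, DNS)}")
```

The second sample shows why the destination has to be classified by the address it resolves to and not by its name: a public-looking host name pointing at a LAN address is still a LAN target.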
-
- Senior Member
- Posts: 240
- Joined: Fri Jul 03, 2009 7:20 am
Re: ABE just in time it seems
And the thing that I had sweated on before ABE's LOCAL rule, was that even without bugs in wireless code, there is a remote but finite chance that some barstward would guess our router's non-default password.
I have no clue about coding, and configuration of routers is very dependent on the coding skills of their support - and that can be really deficient at times, so to have ABE - which I know I can trust? Great relief.
With all the poor home user desktops getting recruited by botherders, I understand that a compromised home desktop isn't worth much on the black web these days. But a compromised router (usually Linux, so a really useful computer to have for nefarious work) commands a premium, so I can hear the hackers' keyboards rattling from here. This bug is probably not alone out there.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1