al_9x Was Right, My Router Is Safe

Senior NoScript community contributor Grumpy Old Lady finally sent me a link to these notes, taken live at BlackHat USA during Craig Heffner’s “How to Hack Millions of Routers” talk, and to the tool he released, which lets an attacker remotely control the many router models found vulnerable to a specific kind of DNS rebinding attack.

Since I couldn’t attend the Las Vegas conference, I’ve been anxiously looking for something like this to confirm al_9x’s speculative forecast, i.e. that the exploited vulnerability is routers exposing their administrative interface to the LAN on their WAN IP (even when remote administration is explicitly disabled), and now I’m delighted to find he was entirely correct!

Of course I’m happy: I don’t need to rush out another ABE feature beyond the WAN IP protection I baked into NoScript 2.0 last week, and my own home router had been vulnerable as well :)

Some clarifications are still needed, though.

Among the mitigations reportedly enumerated by Heffner (even though he had previously claimed that NoScript couldn’t help), there’s

Use NoScript (disable javascript?) Maybe not practical to most users

Now, it is true that Heffner’s attack fails if the attacker’s domain, rebound on the fly to the user’s WAN IP, is not allowed to run JavaScript (very likely when you use NoScript): the rebinding only pays off once a script on the attacker’s page issues a second same-origin request after the DNS answer has flipped to the victim’s address. This means that most users of older NoScript versions (1.10 and below) were already protected against Heffner’s tool and this kind of “XSS via DNS rebinding”.

However, as for many other “emerging threats”, NoScript provides a specific protection against this class of vulnerabilities (in this case via its ABE module) that is completely independent of script blocking: in other words, it just works, no matter whether you keep JavaScript, plugins and frames enabled everywhere (“Allow Scripts Globally”). There’s no reasonable excuse to give up this protection, since it does not entail the alleged “non-practicality” of enabling JavaScript selectively.
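To make the mechanics concrete, here is an added example (my own illustration for this post, not NoScript’s or Heffner’s code) that models the attack and both mitigations offline, in plain Node.js with no network access. The hostname `attacker.example`, the TEST-NET addresses, the `routerAdmin` handler and the `abeAllows` policy are all constructed for illustration; `abeAllows` is a deliberate simplification of what ABE’s default “Site LOCAL / Accept from LOCAL / Deny” rule achieves once the WAN IP is counted as LOCAL, not ABE’s real rule engine.

```javascript
// Added example: a self-contained model of the "router admin on the WAN IP"
// DNS rebinding attack and of the two mitigations discussed in the post.
// Hostnames, addresses and handlers below are constructed for illustration.

const ATTACKER_IP = "203.0.113.10";    // attacker's web server (TEST-NET-3, made up)
const VICTIM_WAN_IP = "198.51.100.77"; // victim's public address (TEST-NET-2, made up)
const ATTACKER_HOST = "attacker.example";

// A rebinding-capable authoritative DNS server for attacker.example: the first
// answer points at the attacker with TTL 0 (so the browser must re-resolve),
// every later answer points at the victim's WAN IP the attacker has learnt.
function makeRebindingResolver(firstIp, rebindIp) {
  let answered = false;
  return function resolve(name) {
    if (name !== ATTACKER_HOST) throw new Error("NXDOMAIN " + name);
    const ip = answered ? rebindIp : firstIp;
    answered = true;
    return { ip, ttl: 0 };
  };
}

// Is this address part of the user's own network from the browser's point of
// view? RFC 1918 space, loopback, plus the WAN IP (what NoScript 2.0's ABE adds).
function isLocalAddress(ip, wanIp) {
  const [a, b] = ip.split(".").map(Number);
  return ip === wanIp || a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// ABE-style policy (simplified): a request to a local destination is allowed
// only if the page that issues it is itself local; Internet -> Internet is free.
function abeAllows(originIp, destIp, wanIp) {
  if (!isLocalAddress(destIp, wanIp)) return true;
  return isLocalAddress(originIp, wanIp);
}

// Router admin handler. The vulnerable firmware answers any request that
// reaches it from the LAN, even on the WAN IP; the hardened one additionally
// refuses requests whose Host header does not name the router itself, which is
// the server-side fix a firmware upgrade would ship.
function routerAdmin(request, opts) {
  const ownNames = new Set(["192.168.1.1", opts.wanIp]);
  if (opts.hardened && !ownNames.has(request.host)) {
    return { status: 400, body: "Host header does not name this router" };
  }
  // "Remote administration disabled" only rejects the WAN IP for packets that
  // really come from the Internet; a LAN client hitting the WAN IP still gets
  // in, which is exactly what Heffner's attack relies on.
  if (request.dstIp === opts.wanIp && !request.fromLan) {
    return { status: 403, body: "remote administration disabled" };
  }
  return { status: 200, body: "admin page" };
}

// Simulate the attack: the victim loads attacker.example, its script re-requests
// the same origin after the DNS answer flips to the WAN IP, and the router sees a
// request from inside the LAN carrying Host: attacker.example.
function runAttack({ noscriptAbe, hardenedRouter }) {
  const resolve = makeRebindingResolver(ATTACKER_IP, VICTIM_WAN_IP);
  const log = [];
  const first = resolve(ATTACKER_HOST);            // page load
  log.push(`page loaded from ${first.ip}`);
  const second = resolve(ATTACKER_HOST);           // script's second fetch, TTL 0
  log.push(`script re-requests ${ATTACKER_HOST} -> ${second.ip}`);
  // Client-side mitigation: ABE sees an Internet page talking to the WAN IP and
  // drops the request before it leaves the browser.
  if (noscriptAbe && !abeAllows(first.ip, second.ip, VICTIM_WAN_IP)) {
    log.push("ABE: request to WAN IP from an Internet page denied");
    return { adminReached: false, log };
  }
  const res = routerAdmin(
    { host: ATTACKER_HOST, dstIp: second.ip, fromLan: true },
    { wanIp: VICTIM_WAN_IP, hardened: hardenedRouter });
  log.push(`router answered ${res.status}`);
  return { adminReached: res.status === 200, log };
}
```

`runAttack({ noscriptAbe: false, hardenedRouter: false })` reaches the admin page, while either mitigation alone stops it; the difference the comments below argue about is visible in the code: ABE protects only the browser it runs in, whereas the Host check in `routerAdmin` protects the router from every client on the LAN.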

So, since even security experts sometimes seem confused about NoScript’s real “convenience vs security” tradeoffs, taking for granted that all the security it offers depends on and requires script blocking, here is a (non-exhaustive) recap of the attacks NoScript blocks even in “Allow Scripts Globally” mode:

  1. XSS, thanks to its “Injection Checker”, the first anti-XSS filter ever released in a web browser.
  2. Clickjacking — NoScript’s ClearClick feature is still the only effective protection entirely implemented inside the browser and requiring no server-side cooperation.
  3. CSRF (and especially, by default, cross-zone attacks against intranet resources) via the ABE module.
  4. MITM, courtesy of HSTS and other HTTPS-enhancing features.

These are just some of the many additional protections NoScript provides that do not depend on scripting being disabled. So the next time you hear people say “yes, browsing with NoScript is safer, but having to pick trusted sites to run JavaScript is a pain”, point them to these good reasons for running NoScript even if they give up the extra security of plain old script blocking.

By ma1

Hacker, atheist, humanist, dad, mozillian, security breaker and builder, creator of NoScript, casting spells at the Tor Browser. He/him.

9 comments

  1. NoScript with "Allow scripts globally (dangerous)" indeed offers great non-disruptive protection; I have it installed on my wife’s and father-in-law’s PCs that way.

    So wouldn’t it be great if there was an alternative version of NoScript that came with a minimal UI and non-script-blocking out of the box, aimed at non-techie users? Call it "Secure browsing" & start protecting the non-geeky masses (even if not as thoroughly as in blocking mode)? :)

  2. @frank goossens
    Best and least disruptive protection would be if Firefox shipped with these additional features as default prefs, with the more user-troublesome ones exposed in the Firefox gui and the more dangerous ones kept under the hood.
    But that would mean Mozilla committing actual funds and staff to handing back a lot more control of the browser to the user than the Web wants them to... because the Web wants the lazy path to get at people’s money and wants users to remain nice and ignorant about just how many holes most Web pages contain.
    http://hackademix.net/2008/01/12/malware-20-is-now/

    Just saying :-) I’m pleased that Mozilla remain committed to the anarchy of Firefox overall. It could have been so much worse when they went corporate.

  3. > my own home router had been vulnerable as well

    Please excuse my smartarseness, but I would argue that your home router is still vulnerable and you are now merely protected against attacks against your router utilising your Firefox installation.
    I value NoScript and I am happy about this feature but protecting silly home routers is nothing NoScript will ever be able to reliably achieve. Therefore you should make clear that this is only some sort of workaround for an issue which in most cases can only be fixed with a firmware upgrade.
    Thank you.

  4. @Hänsel Würstchen:
    Let me disagree. The issue at hand (which may be rectified by a firmware upgrade or, in some cases, specific firewall rules) is not a vulnerability per se, but it does become a vulnerability as soon as my web browser acts as a “proxy” between the internet and my LAN.
    Therefore if I browse the web only with Firefox + NoScript my router is safe, as the title says.
    This doesn’t mean that as soon as a firmware upgrade is available I will refuse to install it ;)

  5. @Giorgio:
    @Hänsel Würstchen makes a valid point that the security vulnerability existing in the router is NOT fixed by NoScript. NoScript is only able to prevent your browser exploiting the vulnerability. But when your mother-in-law comes to stay and plugs her laptop running IE into your network, the router’s vulnerability becomes a problem again, and there’s nothing you can do about it.

  6. @Keith G:
    In fact, I never said that NoScript “fixes” your router.
    I just said that MY router is safe, since I browse the web only with Firefox + NoScript :)

  7. @ Keith G

    Maybe you’re having a wrong/bad router :-) My router only supports Windows or Linux with Firefox incl. NoScript and nothing else ;-)

  8. I’m glad I ran across this post – the original exploit had me worried. Glad, first, to find that I’m not the only one who took this seriously, and second, to find that there is a counter to it.
