The main goal of DNS hijacking is to secretly redirect user’s traffic from a legitimate websites to a malicious one controlled by hackers. The vulnerability might also affects other devices because it is located in the same, widely-used wireless router firmware used by different manufacturers.
Bulgarian security researcher Todor Donev discovered the flaw which exists in a widely deployed ZynOS firmware from ZyXEL Communications Corporation, that is used in network hardware from TP-Link Technologies, ZTE and D-Link.
According to the security researcher, D-Link’s popular DSL2740R wireless router and a number of other D-Link routers, particularly the DLS-320B, are vulnerable.
Late last year, similar router vulnerability was discovered in the web server "RomPager" from AllegroSoft, which is typically embedded into the firmware of routers, modems and other "gateway devices" from about every leading manufacturer.
The flaw put 12 million homes and offices routers from a variety of different manufacturers vulnerable to DNS hijacking attack, which also included kit from D-Link, along with Edimax, Huawei, TP-Link, ZTE, and ZyXEL.
The latest bug discovered in wireless routers running the vulnerable firmware could reveal their internal web servers to the open Internet, and according to an email from Donev, this could allow a remote attacker to configure the devices without authentication to access its administrative interface.
Donev claimed that once attackers succeeded in modifying systems' DNS settings, they could perform a handful of malicious tasks, including:
- Redirecting unknown users to malicious sites – These sites could lead victim to a phishing page that could masquerade as a well-known site in order to trick users into handing out their personal and sensitive information.
- Replacing advertisements on legitimate sites – Hackers could manipulate ads that users see, replacing legitimate ads with malicious ones on the sites they visit.
- Controlling and redirecting network traffic – Hackers could also prevent users of infected systems from receiving important operating system updates and other software and security updates.
- Pushing additional malware – Attackers could directly push malware onto the infected systems.
In order to exploit the router vulnerability, a malicious hacker would have to either be on the router’s network or the wireless router would have to be publicly accessible. Now that administrative interface is exposed to the Internet, the risk of exploitation is higher.
But even if the wireless router is accessible within the local area network, hackers can still use Cross-Site Request Forgery (CSRF), a technique which involves gaining access to local networks by sending specific HTTP requests to a LAN IP address that usually associates with the wireless router.
Donev released the details of the D-Link wireless router vulnerability publicly without notifying the affected vendors. He has also published a proof-of-concept exploit for the D-Link DSL-2740R, a dual-function ADSL modem/wireless router device. As of now, this particular device has been discontinued from sale but is still supported.