[22425] in bugtraq


Re: @Home network subject to DHCP hijacking

daemon@ATHENA.MIT.EDU (Matthew Caron)
Sun Aug 26 04:11:06 2001

Message-ID: <3B88623E.288CB907@ele.uri.edu>
Date: Sat, 25 Aug 2001 22:43:10 -0400
From: Matthew Caron <matt@ele.uri.edu>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

> It is also trivial to acquire this hostname parameter,
> since all it requires is 'host @HomeIPaddress' to determine
> what the customer ID is.

It is more trivial than that, in fact.

nslookup <random @home hostname> 

If the number is active, it will be in the @home DNS tables. (If not,
it's not active.) You then have the IP address of the hostname.

ping <@home hostname>

If you don't get a reply, the IP address isn't being used, and you can
steal it.

This is, of course, very easy to automate and profile when a group of
hostnames are typically on, patterns of usage, etc.
 
> I have notified @Home of this problem twice in the last two
> months.  Not being an expert in DHCP, I do not know what
> could be done to fix this.

A problem I've often considered. However, it's right up there with the
whole "anyone can walk into your building, jack a laptop into an active
port, and set his IP address to be one of your servers" problem. How do
you stop this aside from physically deactivating all your unused wall
jacks?

> I figure at least using something different than my actual
> hostname for my hostname parameter would at least raise the
> bar to sniffing for DHCP packets, instead of the trivial
> hack it currently is.

Actually, if the switches can be configured to only allow traffic from
certain IP addresses from specific modems, then only your modem could
get your IP addresses. Anyone else trying to use your IP would get
blocked really fast. However, this would present the problem of not
being able to go down the street to my friend's house with my laptop and
plug in there and use my hostname. However, this approach would fix the
above problem as well. This IP = This MAC address. Period. No one else
can have it. Not being one who configures switches often, I'm not sure
if this functionality even exists, but it might be something worth
looking into.

> Reason for this message:
> I have had my @Home connection hijacked from me repeatedly
> in the last six months. Given @Home's apparent lack of
> concern for this problem,

Are we surprised? Hell, they portscan their users on port 119 to try and
contain any NNTP servers running. (Remember the Usenet debacle?)

> and the current mood of ISPs shutting down users without
> warning whenever the MPAA rattles its saber,

Don't even get me started on that one. That has lawsuit potential
written all over it. At least with TelCo, there has to be an
investigation started and some paperwork filled out. All this takes is a
certified letter... easy enough to forge.

> I felt that the larger community needed to be aware of
> this potential problem.  It should not be this trivially
> easy for someone to break the law in your name.

Not to be cynical, but welcome to the wonderful world of the negacorps
chummer. (Anyone here play Shadowrun? It's not just a game, it's
becoming a way of life.)
-- 
IIS = Intrinsically Insecure Server
~~ Matt Caron ~~
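The reply's proposed fix, "This IP = This MAC. Period.", is what a static IP-to-MAC binding check on the access switch would enforce. The following is an added example, not code from the original post or from @Home, that models that check on the defender's side: a lease table records which hardware address each address was issued to, and observed source (IP, MAC) pairs are audited against it, so an address being used from a second MAC (the hijack case described above) is flagged rather than silently accepted. The lease table, the log format and the log lines are constructed for the example.

```python
"""
Static IP-to-MAC binding audit (added example, not part of the original post).

A lease table maps each issued address to the MAC it was leased to. Every
observed (ip, mac) pair is checked against it:
  - "ok"        the address is used by the MAC it was leased to
  - "mismatch"  the address is leased, but a different MAC is using it
                (the hijack case: someone grabbed an idle customer's address)
  - "unleased"  the address is not in the lease table at all
"""
from dataclasses import dataclass
import re

# Constructed lease table: address -> modem/host MAC it was issued to.
# Addresses and MACs are made up for this example.
LEASES = {
    "24.0.0.10": "00:11:22:33:44:55",
    "24.0.0.11": "00:11:22:33:44:66",
}

# Constructed traffic observations in a simple "src=IP mac=MAC" log format.
# The third line is the hijack case: the leased address of 24.0.0.10 is
# being used from a MAC that never held the lease.
SAMPLE_LOG = """\
src=24.0.0.10 mac=00:11:22:33:44:55
src=24.0.0.11 mac=00:11:22:33:44:66
src=24.0.0.10 mac=de:ad:be:ef:00:01
src=24.0.0.12 mac=de:ad:be:ef:00:02
"""

LINE_RE = re.compile(r"src=(?P<ip>[\d.]+)\s+mac=(?P<mac>[0-9a-f:]{17})", re.I)


@dataclass
class Verdict:
    ip: str
    mac: str
    status: str  # "ok", "mismatch" or "unleased"


def check_pair(ip: str, mac: str, leases: dict) -> Verdict:
    """Compare one observed (ip, mac) pair against the lease table."""
    mac = mac.lower()  # normalise so case differences are not false alarms
    expected = leases.get(ip)
    if expected is None:
        status = "unleased"
    elif expected.lower() == mac:
        status = "ok"
    else:
        status = "mismatch"
    return Verdict(ip, mac, status)


def audit_log(text: str, leases: dict) -> list:
    """Parse every log line and return one Verdict per recognised line."""
    verdicts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that do not carry an (ip, mac) pair
        verdicts.append(check_pair(m.group("ip"), m.group("mac"), leases))
    return verdicts


def hijack_report(text: str, leases: dict) -> list:
    """Return the sorted list of leased addresses seen from a foreign MAC."""
    return sorted({v.ip for v in audit_log(text, leases) if v.status == "mismatch"})


if __name__ == "__main__":
    for v in audit_log(SAMPLE_LOG, LEASES):
        print(f"{v.ip:<12} {v.mac}  {v.status}")
    print("hijacked addresses:", hijack_report(SAMPLE_LOG, LEASES))
```

Run stand-alone, the script prints one verdict per log line and reports `24.0.0.10` as the hijacked address. The "unleased" case is kept separate from "mismatch" on purpose: an address that was never issued is a provisioning or spoofing question, whereas a leased address in use from a second MAC is exactly the pattern the reply describes, and is the one a switch-level binding rule would block.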
