Bugtraq: FON Router allows anonymous web access

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

FON Router allows anonymous web access

From: l.friedrichs () gbs nitag de
Date: 6 Jan 2007 19:49:56 -0000

Description:
"La Fonera" routers distributed by FON allow web access to unauthenticated users via DNS tunneling.

Explanation:
The router gives a client an DHCP answer but does not forward ip traffic until the client authenticates via the captive 
portal. The given DNS server address is the router itself so there is a DNS forwarder running on the router. Even an 
unauthorized client is allowed to surf certain sites as of obvious reasons (google, skype and the accesspoint's owner's 
site) but instead of filtering the dns requests for these few domains, it resolves all domains. This is where an DNS 
tunnel comes handy...

Environment:
Tested with router's standard config on 01/04/07. Runs smoothly with NSTX (http://nstx.dereference.de/nstx/ 
Version 1.1-beta6) and an ssh-session for connection testing without any authentication via the FON captive portal.

Impact:
Unauthorized ressource usage (internet bandwidth)

Solution:
New firmware from FON, workaround can be rate limiting DNS traffic on the real router (if possible...)

By Date By Thread

Current thread:

FON Router allows anonymous web access l . friedrichs (Jan 06)
- Re: FON Router allows anonymous web access Thierry Zoller (Jan 08)