Re: Drive-by Pharming Threat

["Mark Senior" <senatorfrog@xxxxxxxxx>]

My ISP issues 2Wire modem/router/WAP boxes now.  I found it very
interesting to explore what (few) changes require a password and what
ones do not.

In particular, packet filter and port forwarding changes require no
password at all - so changing your password on the router wouldn't do
you any good against driveby changes to those settings.  I'll have to
look when I get home whether DNS server changes would.

A bit OT, but there's also the fact that since these devices are
considered ISP equipment - they include the modem that connects to
telco lines - the ISP has one, global, password for all home routers
on their network, and can admin them from the 'outside' of your home
network.  Given big telco security standards, not a very reassuring
thought.

Regards
Mark

On 2/15/07, Zulfikar Ramzan wrote:
> We discovered a new potential threat that we term "Drive-by Pharming".  An 
> attacker can create a web page containing a simple piece of malicious JavaScript code.  
> When the page is viewed, the code makes a login attempt into the user's home broadband 
> router and attempts to change its DNS server settings (e.g., to point the user to an 
> attacker-controlled DNS server).   Once the user's machine receives the updated DNS 
> settings from the router (e.g., after the machine is rebooted) future DNS request are 
> made to and resolved by the attacker's DNS server.
>
> The main condition for the attack to be successful is that the attacker can 
> guess the router password (which can be very easy to do since these home 
> routers come with a default password that is uniform, well known, and often 
> never changed).  Note that the attack does not require the user to download any 
> malicious software - simply viewing a web page with the malicious JavaScript 
> code is enough.
>
> We've written proof of concept code that can successfully carry out the steps 
> of the attack on Linksys, D-Link, and NETGEAR home routers.  If users change 
> their home broadband router passwords to something difficult for an attacker to 
> guess, they are safe from this threat.
>
> Additional details on the attack can be found at:  
> http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html
>
> Thanks,
>
> Zulfikar Ramzan
>
>
> ________________________________________
>
> Zulfikar Ramzan
> Sr. Principal Security Researcher
> Advanced Threat Research
> Symantec Corporation
> www.symantec.com
> -----------------------------------------------------
> -----------------------------------------------------
> This message (including any attachments) is intended only for the use of the 
> individual or entity to which it is addressed and may contain information that 
> is non-public, proprietary, privileged, confidential, and exempt from 
> disclosure under applicable law or may constitute as attorney work product. If 
> you are not the intended recipient, you are hereby notified that any use, 
> dissemination, distribution, or copying of this communication is strictly 
> prohibited. If you have received this communication in error, notify us 
> immediately by telephone and (i) destroy this message if a facsimile or (ii) 
> delete this message immediately if this is an electronic communication. Thank 
> you.