RE: Drive-by Pharming Threat
A very simple solution (for home users at least, although it could be implemented
for commercial/enterprise as well) to this dilemma would be to block
access / pop up a warning message for all traffic from the internal LAN IPs to
internal LAN based web pages (ports 80, 81, 8080 and 443)... i.e. MOST modems serve
their mgmt page via http://198.168.100.1. Block all access to that IP, end of
story :)
Aras "Russ" Memisyazici
arasm@xxxxxx
Outreach Information Services
Virginia Polytechnic Institute & State University (Virginia Tech)
-----Original Message-----
From: "Dennis" <dennislv@xxxxxxxxx>
To: "Mark Senior" <senatorfrog@xxxxxxxxx>
Cc: "Zulfikar Ramzan" <Zulfikar_Ramzan@xxxxxxxxxxxx>;
"bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>
Sent: 2/16/07 4:53 PM
Subject: Re: Drive-by Pharming Threat
I also have one of these 2Wire modems. In my endeavors I've noticed
that if the admin password is lost, it can be recovered by a
challenge/response code. Has anyone ever figured out this algorithm?
On 2/16/07, Mark Senior <senatorfrog@xxxxxxxxx> wrote:
> My ISP issues 2Wire modem/router/WAP boxes now. I found it very
> interesting to explore what (few) changes require a password and what
> ones do not.
>
> In particular, packet filter and port forwarding changes require no
> password at all - so changing your password on the router wouldn't do
> you any good against drive-by changes to those settings. I'll have to
> look when I get home whether DNS server changes would.
>
> A bit OT, but there's also the fact that since these devices are
> considered ISP equipment - they include the modem that connects to
> telco lines - the ISP has one, global, password for all home routers
> on their network, and can admin them from the 'outside' of your home
> network. Given big telco security standards, not a very reassuring
> thought.
>
> Regards
> Mark
>
> On 2/15/07, Zulfikar Ramzan wrote:
> > We discovered a new potential threat that we term "Drive-by Pharming". An
> > attacker can create a web page containing a simple piece of malicious
> > JavaScript code. When the page is viewed, the code makes a login attempt
> > into the user's home broadband router and attempts to change its DNS server
> > settings (e.g., to point the user to an attacker-controlled DNS server).
> > Once the user's machine receives the updated DNS settings from the router
> > (e.g., after the machine is rebooted) future DNS requests are made to and
> > resolved by the attacker's DNS server.
> >
> > The main condition for the attack to be successful is that the attacker can
> > guess the router password (which can be very easy to do since these home
> > routers come with a default password that is uniform, well known, and often
> > never changed). Note that the attack does not require the user to download
> > any malicious software - simply viewing a web page with the malicious
> > JavaScript code is enough.
> >
> > We've written proof of concept code that can successfully carry out the
> > steps of the attack on Linksys, D-Link, and NETGEAR home routers. If users
> > change their home broadband router passwords to something difficult for an
> > attacker to guess, they are safe from this threat.
> >
> > Additional details on the attack can be found at:
> > http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html
> >
> > Thanks,
> >
> > Zulfikar Ramzan
> >
> >
> > ________________________________________
> >
> > Zulfikar Ramzan
> > Sr. Principal Security Researcher
> > Advanced Threat Research
> > Symantec Corporation
> > www.symantec.com
> > -----------------------------------------------------
> > -----------------------------------------------------
> > This message (including any attachments) is intended only for the use of
> > the individual or entity to which it is addressed and may contain
> > information that is non-public, proprietary, privileged, confidential, and
> > exempt from disclosure under applicable law or may constitute as attorney
> > work product. If you are not the intended recipient, you are hereby
> > notified that any use, dissemination, distribution, or copying of this
> > communication is strictly prohibited. If you have received this
> > communication in error, notify us immediately by telephone and (i) destroy
> > this message if a facsimile or (ii) delete this message immediately if this
> > is an electronic communication. Thank you.
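Added example, not code from this thread or from Symantec's proof of concept: a Python model of the request a hostile page makes the victim's browser send to the LAN router, run against a factory-state admin handler and a hardened one, plus the LAN-side block rule proposed in the reply at the top. The router address 192.168.1.1, the /dns path, the "admin" account, the default password "admin", the attacker site evil.example and the resolver addresses are all assumptions for illustration; the model also assumes the browser attaches the guessed credentials to the request, as the Symantec description implies.

```python
"""Model of drive-by pharming: a hostile page makes the browser POST an
authenticated "change DNS" request to the LAN router. All hosts, paths,
credentials and addresses are assumptions, not a real vendor interface."""
import base64
import ipaddress
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

ROUTER_HOST = "192.168.1.1"        # assumed LAN address of the router
DEFAULT_PASSWORD = "admin"         # assumed factory-default credential
ADMIN_PORTS = {80, 81, 8080, 443}  # admin-page ports named in the reply above


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict = field(default_factory=dict)


@dataclass
class Router:
    password: str = DEFAULT_PASSWORD
    dns: str = "192.0.2.53"        # assumed ISP resolver (documentation range)
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

    def _auth_ok(self, req):
        """HTTP Basic auth against the admin account (assumed user 'admin')."""
        hdr = req.headers.get("Authorization", "")
        if not hdr.startswith("Basic "):
            return False
        try:
            user, _, pw = base64.b64decode(hdr[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return False
        return user == "admin" and secrets.compare_digest(pw, self.password)

    def handle_vulnerable(self, req):
        """Factory behaviour: any authenticated POST changes the resolver,
        no matter which page made the browser send it."""
        if req.method != "POST" or req.path != "/dns":
            return 404
        if not self._auth_ok(req):
            return 401
        self.dns = req.form["primary"]
        return 200

    def handle_hardened(self, req):
        """Same endpoint with three checks that defeat a cross-site request."""
        if req.method != "POST" or req.path != "/dns":
            return 404
        if not self._auth_ok(req):
            return 401
        if self.password == DEFAULT_PASSWORD:
            return 403   # refuse to act until the factory password is changed
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if urlparse(origin).hostname != ROUTER_HOST:
            return 403   # the browser, not the page, sets Origin/Referer
        if not secrets.compare_digest(req.form.get("token", ""), self.csrf_token):
            return 403   # per-session token an outside page cannot read
        self.dns = req.form["primary"]
        return 200


def driveby_request(guessed_password, attacker_dns):
    """What the hostile page makes the browser send: it chooses the body and
    embeds guessed credentials, but cannot choose Origin/Referer."""
    creds = base64.b64encode(f"admin:{guessed_password}".encode()).decode()
    return Request("POST", "/dns",
                   {"Host": ROUTER_HOST,
                    "Origin": "http://evil.example",   # assumed attacker site
                    "Authorization": f"Basic {creds}"},
                   {"primary": attacker_dns})


def should_block(src_ip, dst_ip, dst_port):
    """LAN-side rule from the reply above: drop LAN->LAN traffic to admin ports.
    It also locks the owner out of the admin page from inside the LAN."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return src.is_private and dst.is_private and dst_port in ADMIN_PORTS


def simulate():
    """Drive-by request against four router states; returns (status, resolver)."""
    attacker_dns = "203.0.113.53"   # documentation range, stands in for the attacker
    factory = Router()
    vuln = factory.handle_vulnerable(driveby_request(DEFAULT_PASSWORD, attacker_dns))
    unchanged = Router()            # hardened firmware, password never changed
    default_pw = unchanged.handle_hardened(driveby_request(DEFAULT_PASSWORD, attacker_dns))
    changed = Router(password="correct horse battery staple")
    wrong_guess = changed.handle_hardened(driveby_request(DEFAULT_PASSWORD, attacker_dns))
    known_pw = changed.handle_hardened(driveby_request(changed.password, attacker_dns))
    return {
        "vulnerable_default": (vuln, factory.dns),
        "hardened_default_pw": (default_pw, unchanged.dns),
        "hardened_wrong_guess": (wrong_guess, changed.dns),
        "hardened_known_pw": (known_pw, changed.dns),
    }


if __name__ == "__main__":
    for case, (status, dns) in simulate().items():
        print(f"{case:22s} HTTP {status}  resolver now {dns}")
```

Two caveats worth keeping in mind when reading the hardened handler: the Origin header is a later browser feature, and at the time of this thread the Referer (which some users and proxies strip) was the only origin signal a router could check, so the per-session token is the check that actually carries the weight; and a changed password alone, as the Symantec post recommends, only helps if the router asks for it on every state-changing request, which Mark's observation about password-free port forwarding changes shows is not a given.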