RE: Drive-by Pharming Threat

To: "Dennis" <dennislv@xxxxxxxxx>, "Mark Senior" <senatorfrog@xxxxxxxxx>
Subject: RE: Drive-by Pharming Threat
From: "Memisyazici, Aras" <arasm@xxxxxx>
Date: Sat, 17 Feb 2007 01:06:25 -0500
Cc: "Zulfikar Ramzan" <Zulfikar_Ramzan@xxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
Importance: normal
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AcdSWbx4dYw5a9gdQZaj6aVZucNJeQ==
Thread-topic: Drive-by Pharming Threat

A very simple solution (for home users at least, although could be implemented 
to commercial/enterprise as well) to this dilemma would be to block 
access/pop-up warning message for all traffic from the Internal LAN IPs to 
Internal LAN based webpages (port 80,81,8080 and 443)... i.e. MOST modems serve 
their mgmt page via http://198.168.100.1 Block all access to that IP, end of 
story :)

Aras "Russ" Memisyazici
arasm@xxxxxx

Outreach Information Services
Virginia Polytechnic Institute & State University (Virginia Tech)

-----Original Message-----
From: "Dennis" <dennislv@xxxxxxxxx>
To: "Mark Senior" <senatorfrog@xxxxxxxxx>
Cc: "Zulfikar Ramzan" <Zulfikar_Ramzan@xxxxxxxxxxxx>; 
"bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>
Sent: 2/16/07 4:53 PM
Subject: Re: Drive-by Pharming Threat

I also have one of these 2Wire modems.  In my endeavors I've noticed
that if the admin password is lost, it can be recovered by a
challenge/response code.  Has anyone ever figured out this algorithm?



On 2/16/07, Mark Senior <senatorfrog@xxxxxxxxx> wrote:
> My ISP issues 2Wire modem/router/WAP boxes now.  I found it very
> interesting to explore what (few) changes require a password and what
> ones do not.
>
> In particular, packet filter and port forwarding changes require no
> password at all - so changing your password on the router wouldn't do
> you any good against driveby changes to those settings.  I'll have to
> look when I get home whether DNS server changes would.
>
> A bit OT, but there's also the fact that since these devices are
> considered ISP equipment - they include the modem that connects to
> telco lines - the ISP has one, global, password for all home routers
> on their network, and can admin them from the 'outside' of your home
> network.  Given big telco security standards, not a very reassuring
> thought.
>
> Regards
> Mark
>
> On 2/15/07, Zulfikar Ramzan wrote:
> > We discovered a new potential threat that we term "Drive-by Pharming".  An 
> > attacker can create a web page containing a simple piece of malicious 
> > JavaScript code.  When the page is viewed, the code makes a login attempt 
> > into the user's home broadband router and attempts to change its DNS server 
> > settings (e.g., to point the user to an attacker-controlled DNS server).   
> > Once the user's machine receives the updated DNS settings from the router 
> > (e.g., after the machine is rebooted) future DNS request are made to and 
> > resolved by the attacker's DNS server.
> >
> > The main condition for the attack to be successful is that the attacker can 
> > guess the router password (which can be very easy to do since these home 
> > routers come with a default password that is uniform, well known, and often 
> > never changed).  Note that the attack does not require the user to download 
> > any malicious software - simply viewing a web page with the malicious 
> > JavaScript code is enough.
> >
> > We've written proof of concept code that can successfully carry out the 
> > steps of the attack on Linksys, D-Link, and NETGEAR home routers.  If users 
> > change their home broadband router passwords to something difficult for an 
> > attacker to guess, they are safe from this threat.
> >
> > Additional details on the attack can be found at:  
> > http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html
> >
> > Thanks,
> >
> > Zulfikar Ramzan
> >
> >
> > ________________________________________
> >
> > Zulfikar Ramzan
> > Sr. Principal Security Researcher
> > Advanced Threat Research
> > Symantec Corporation
> > www.symantec.com
> > -----------------------------------------------------
> > -----------------------------------------------------
> > This message (including any attachments) is intended only for the use of 
> > the individual or entity to which it is addressed and may contain 
> > information that is non-public, proprietary, privileged, confidential, and 
> > exempt from disclosure under applicable law or may constitute as attorney 
> > work product. If you are not the intended recipient, you are hereby 
> > notified that any use, dissemination, distribution, or copying of this 
> > communication is strictly prohibited. If you have received this 
> > communication in error, notify us immediately by telephone and (i) destroy 
> > this message if a facsimile or (ii) delete this message immediately if this 
> > is an electronic communication. Thank you.
> >
> >
> >
>

Follow-Ups:
- Re: Drive-by Pharming Threat
  - From: Marcello Barnaba

Prev by Date: Re: Re: Re: Solaris telnet vulnberability - how many on your network?
Next by Date: Re: Solaris telnet vulnberability - how many on your network?
Previous by thread: RE:Drive-by Pharming Threat
Next by thread: Re: Drive-by Pharming Threat
Index(es):
- Date
- Thread