Network Security: Detailed info on Re: [Full-disclosure] [inbox] Re: Drive-by Pharming

Subject:	Re: [Full-disclosure] [inbox] Re: Drive-by Pharming
Date:	Sun, 18 Feb 2007 20:25:30 -0500

I feel this whole thing simply serves as a reminder to simply change your
default passwords on your devices.  REgardless of the type of device, CHANGE
THE DEFAULT PASSWORD!

 Exibar

-----Original Message-----
From: pagvac [mailto:unknown.pentester@gmail.com]
Sent: Saturday, February 17, 2007 6:32 PM
To: Fabian (Lists)
Cc: full-disclosure@lists.grok.org.uk
Subject: [inbox] Re: [Full-disclosure] Drive-by Pharming

I'm sorry, this looks to me like plain CSRF against web interfaces of
intranet network devices. If someone knows your router's password
(i.e.: default password) and the router's HTTP requests are NOT
tokenized (vulnerable to CSRF), then an attacker can most certainly do
anything on your behalf by tricking you to visit an evil webpage.

Changing DNS settings is just one of the many evil things you could
do. Others include changing password to a new one (DoS to legitimate
router admin user), exposing the admin web interface to the Internet,
disabling security, exposing internal hosts to the Internet through
port-forwarding, etc...

Of course, if the web interface is designed really badly you might not
even need a password to CSRF it. Some of you might recall the CSRF
issue on Linksys WRT54g reported by Ginsu Rabbit back in August 2006
which allowed you to turn off the security of the device completely.

Ginsu Rabbit's Advisory:

http://www.securityfocus.com/archive/1/442452/30/0/threaded

PoC for the vuln:

http://ikwt.com/projects/linksys/linksys-unauth-csrf.html

CSRFing intranet devices research published in the past:

http://www.whitehatsec.com/home/resources/presentations/files/java

script_malware.pdf

Am I missing something guys?

On 2/16/07, Fabian (Lists) <lists@sevenlayers.org> wrote:

Larry Seltzer wrote:

This "response" doesn't seem to address any Linksys (and therefore
Cisco) routers, does it?


Seems so... Maybe because they are not IOS based and therefore not real
"Cisco Routers" as we all know them?

--Fabian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



--
pagvac
[http://ikwt.com/]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

<Prev in Thread]	Current Thread	[Next in Thread>
[Full-disclosure] Drive-by Pharming, Oliver Friedrichs Re: [Full-disclosure] Drive-by Pharming, James Matthews Re: [Full-disclosure] Drive-by Pharming, Knud Erik Højgaard Re: [Full-disclosure] Drive-by Pharming, McCarty, Eric C. Re: [Full-disclosure] Drive-by Pharming, psirt Re: [Full-disclosure] Drive-by Pharming, Brian Eaton Re: [Full-disclosure] Drive-by Pharming, Larry Seltzer Re: [Full-disclosure] Drive-by Pharming, Dario Ciccarone \(dciccaro\) Re: [Full-disclosure] Drive-by Pharming, Fabian (Lists) Re: [Full-disclosure] Drive-by Pharming, pagvac Re: [Full-disclosure] [inbox] Re: Drive-by Pharming, Exibar <=

Previous by Date:	[Full-disclosure] XSS & SQL bugs in Conference website, Scarlet Pimpernel
Next by Date:	[Full-disclosure] Remote DoS in libevent DNS parsing <= 1.2a, Jon Oberheide
Previous by Thread:	Re: [Full-disclosure] Drive-by Pharming, pagvac
Next by Thread:	iDefense Security Advisory 02.15.07: Multiple Vendor ClamAV MIME Parsing Directory Traversal Vulnerability, iDefense Labs
Indexes:	[Date] [Thread] [Top] [All Lists]