Network Security Vuln-Dev

RE: Drive-by Pharming Threat

Subject: RE: Drive-by Pharming Threat
Date: Sat, 17 Feb 2007 01:06:25 -0500
A very simple solution (for home users at least, although it could be implemented 
for commercial/enterprise as well) to this dilemma would be to block 
access/pop up a warning message for all traffic from the internal LAN IPs to 
internal LAN based webpages (ports 80, 81, 8080 and 443)... i.e. MOST modems serve 
their mgmt page via http://198.168.100.1. Block all access to that IP, end of 
story :)

Aras "Russ" Memisyazici
arasm@vt.edu

Outreach Information Services
Virginia Polytechnic Institute & State University (Virginia Tech)

-----Original Message-----
From: "Dennis" <dennislv@gmail.com>
To: "Mark Senior" <senatorfrog@gmail.com>
Cc: "Zulfikar Ramzan" <Zulfikar_Ramzan@symantec.com>; 
"bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
Sent: 2/16/07 4:53 PM
Subject: Re: Drive-by Pharming Threat

I also have one of these 2Wire modems.  In my endeavors I've noticed
that if the admin password is lost, it can be recovered by a
challenge/response code.  Has anyone ever figured out this algorithm?



On 2/16/07, Mark Senior <senatorfrog@gmail.com> wrote:
My ISP issues 2Wire modem/router/WAP boxes now.  I found it very
interesting to explore what (few) changes require a password and what
ones do not.

In particular, packet filter and port forwarding changes require no
password at all - so changing your password on the router wouldn't do
you any good against drive-by changes to those settings.  I'll have to
look when I get home whether DNS server changes would.

A bit OT, but there's also the fact that since these devices are
considered ISP equipment - they include the modem that connects to
telco lines - the ISP has one global password for all home routers
on their network, and can admin them from the 'outside' of your home
network.  Given big telco security standards, not a very reassuring
thought.

Regards
Mark

On 2/15/07, Zulfikar Ramzan wrote:
We discovered a new potential threat that we term "Drive-by Pharming".  An 
attacker can create a web page containing a simple piece of malicious 
JavaScript code.  When the page is viewed, the code makes a login attempt 
into the user's home broadband router and attempts to change its DNS server 
settings (e.g., to point the user to an attacker-controlled DNS server).   
Once the user's machine receives the updated DNS settings from the router 
(e.g., after the machine is rebooted) future DNS requests are made to and 
resolved by the attacker's DNS server.

The main condition for the attack to be successful is that the attacker can 
guess the router password (which can be very easy to do since these home 
routers come with a default password that is uniform, well known, and often 
never changed).  Note that the attack does not require the user to download 
any malicious software - simply viewing a web page with the malicious 
JavaScript code is enough.

We've written proof of concept code that can successfully carry out the 
steps of the attack on Linksys, D-Link, and NETGEAR home routers.  If users 
change their home broadband router passwords to something difficult for an 
attacker to guess, they are safe from this threat.

Additional details on the attack can be found at:  
http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html

Thanks,

Zulfikar Ramzan


________________________________________

Zulfikar Ramzan
Sr. Principal Security Researcher
Advanced Threat Research
Symantec Corporation
www.symantec.com
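The cross-site request that drive-by pharming relies on succeeds only because the router's DNS-change handler gates on the password alone. The following is an added example (not code from this thread, from Symantec's proof of concept, or from any vendor's firmware) contrasting that pattern with a hardened handler; `ROUTER_HOSTS`, `DEFAULT_PASSWORD` and the request-dict layout are assumptions made for illustration.

```python
"""Vulnerable vs hardened handling of a home router's 'change DNS servers' request."""
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field

ROUTER_HOSTS = {"192.168.1.1", "router.local"}  # hosts the admin UI is served from (assumed)
DEFAULT_PASSWORD = "admin"                       # illustrative factory default (assumed)


@dataclass
class RouterState:
    admin_password: str = DEFAULT_PASSWORD
    dns_servers: list = field(default_factory=lambda: ["10.0.0.53"])
    csrf_tokens: set = field(default_factory=set)


def issue_csrf_token(state):
    """Token the router embeds in its own admin forms; a page on another site cannot read it."""
    tok = secrets.token_hex(16)
    state.csrf_tokens.add(tok)
    return tok


def _valid_dns(servers):
    """Only a non-empty list of syntactically valid IP addresses is accepted."""
    try:
        return len(servers) > 0 and all(ipaddress.ip_address(s) for s in servers)
    except ValueError:
        return False


def change_dns_vulnerable(state, req):
    """Pattern the thread describes: the password is the only gate, so a page on any site
    can submit this request from the victim's browser if the default password is known."""
    if req.get("password") != state.admin_password or not _valid_dns(req.get("dns", [])):
        return "denied"
    state.dns_servers = list(req["dns"])
    return "ok"


def change_dns_hardened(state, req):
    """Defence in depth: password, refuse changes while the factory password is still set,
    require the Origin to be the router itself, and require a per-session CSRF token."""
    if not hmac.compare_digest(req.get("password", ""), state.admin_password):
        return "denied: bad password"
    if state.admin_password == DEFAULT_PASSWORD:
        return "denied: change the default password first"
    origin = req.get("headers", {}).get("Origin", "")
    host = origin.split("://", 1)[-1].split(":")[0]  # strip scheme and port
    if host not in ROUTER_HOSTS:  # a missing Origin is also rejected
        return "denied: cross-site origin"
    if req.get("csrf") not in state.csrf_tokens:
        return "denied: missing csrf token"
    if not _valid_dns(req.get("dns", [])):
        return "denied: invalid dns list"
    state.dns_servers = list(req["dns"])
    return "ok"
```

The Origin check alone would not protect a user who never changed the default password, which is why the hardened handler also refuses configuration changes until the factory credential is replaced.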