Full Disclosure mailing list archives
Re: [inbox] Re: Drive-by Pharming
From: "Exibar" <exibar () thelair com>
Date: Sun, 18 Feb 2007 20:25:30 -0500
I feel this whole thing simply serves as a reminder to simply change your default passwords on your devices. REgardless of the type of device, CHANGE THE DEFAULT PASSWORD! Exibar
-----Original Message----- From: pagvac [mailto:unknown.pentester () gmail com] Sent: Saturday, February 17, 2007 6:32 PM To: Fabian (Lists) Cc: full-disclosure () lists grok org uk Subject: [inbox] Re: [Full-disclosure] Drive-by Pharming I'm sorry, this looks to me like plain CSRF against web interfaces of intranet network devices. If someone knows your router's password (i.e.: default password) and the router's HTTP requests are NOT tokenized (vulnerable to CSRF), then an attacker can most certainly do anything on your behalf by tricking you to visit an evil webpage. Changing DNS settings is just one of the many evil things you could do. Others include changing password to a new one (DoS to legitimate router admin user), exposing the admin web interface to the Internet, disabling security, exposing internal hosts to the Internet through port-forwarding, etc... Of course, if the web interface is designed really badly you might not even need a password to CSRF it. Some of you might recall the CSRF issue on Linksys WRT54g reported by Ginsu Rabbit back in August 2006 which allowed you to turn off the security of the device completely. Ginsu Rabbit's Advisory: http://www.securityfocus.com/archive/1/442452/30/0/threaded PoC for the vuln: http://ikwt.com/projects/linksys/linksys-unauth-csrf.html CSRFing intranet devices research published in the past: http://www.whitehatsec.com/home/resources/presentations/files/java
script_malware.pdf Am I missing something guys? On 2/16/07, Fabian (Lists) <lists () sevenlayers org> wrote:
Larry Seltzer wrote:This "response" doesn't seem to address any Linksys (and therefore Cisco) routers, does it?Seems so... Maybe because they are not IOS based and therefore not real "Cisco Routers" as we all know them? --Fabian _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-- pagvac [http://ikwt.com/] _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Drive-by Pharming Oliver Friedrichs (Feb 15)
- Re: Drive-by Pharming James Matthews (Feb 16)
- Re: Drive-by Pharming Knud Erik Højgaard (Feb 16)
- Re: Drive-by Pharming McCarty, Eric C. (Feb 16)
- Re: Drive-by Pharming Knud Erik Højgaard (Feb 16)
- <Possible follow-ups>
- Re: Drive-by Pharming psirt (Feb 16)
- Re: Drive-by Pharming Brian Eaton (Feb 16)
- Re: Drive-by Pharming Larry Seltzer (Feb 16)
- Re: Drive-by Pharming Dario Ciccarone (dciccaro) (Feb 16)
- Re: Drive-by Pharming Fabian (Lists) (Feb 16)
- Re: Drive-by Pharming pagvac (Feb 17)
- Re: [inbox] Re: Drive-by Pharming Exibar (Feb 18)
- Re: Drive-by Pharming James Matthews (Feb 16)