Re: Drive-by Pharming Threat

[Dennis <dennislv () gmail com>]

I also have one of these 2Wire modems.  In my endeavors I've noticed
that if the admin password is lost, it can be recovered by a
challenge/response code.  Has anyone ever figured out this algorithm?



On 2/16/07, Mark Senior <senatorfrog () gmail com> wrote:
> My ISP issues 2Wire modem/router/WAP boxes now.  I found it very
> interesting to explore what (few) changes require a password and what
> ones do not.
>
> In particular, packet filter and port forwarding changes require no
> password at all - so changing your password on the router wouldn't do
> you any good against driveby changes to those settings.  I'll have to
> look when I get home whether DNS server changes would.
>
> A bit OT, but there's also the fact that since these devices are
> considered ISP equipment - they include the modem that connects to
> telco lines - the ISP has one, global, password for all home routers
> on their network, and can admin them from the 'outside' of your home
> network.  Given big telco security standards, not a very reassuring
> thought.
>
> Regards
> Mark
>
> On 2/15/07, Zulfikar Ramzan wrote:
> > We discovered a new potential threat that we term "Drive-by Pharming".  An attacker can create a web page containing a simple piece 
> of malicious JavaScript code.  When the page is viewed, the code makes a login attempt into the user's home broadband router and attempts to 
> change its DNS server settings (e.g., to point the user to an attacker-controlled DNS server).   Once the user's machine receives the updated 
> DNS settings from the router (e.g., after the machine is rebooted) future DNS request are made to and resolved by the attacker's DNS server.
> >
> > The main condition for the attack to be successful is that the attacker can guess the router password (which can be 
> very easy to do since these home routers come with a default password that is uniform, well known, and often never 
> changed).  Note that the attack does not require the user to download any malicious software - simply viewing a web page 
> with the malicious JavaScript code is enough.
> >
> > We've written proof of concept code that can successfully carry out the steps of the attack on Linksys, D-Link, and 
> NETGEAR home routers.  If users change their home broadband router passwords to something difficult for an attacker to guess, 
> they are safe from this threat.
> >
> > Additional details on the attack can be found at:  
> http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html
> >
> > Thanks,
> >
> > Zulfikar Ramzan
> >
> >
> > ________________________________________
> >
> > Zulfikar Ramzan
> > Sr. Principal Security Researcher
> > Advanced Threat Research
> > Symantec Corporation
> > www.symantec.com
> > -----------------------------------------------------
> > -----------------------------------------------------
> > This message (including any attachments) is intended only for the use of the individual or entity to which it is 
> addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from 
> disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are 
> hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you 
> have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile 
> or (ii) delete this message immediately if this is an electronic communication. Thank you.
> >
> >
> >