RE: Drive-by Pharming Threat

["Memisyazici, Aras" <arasm () vt edu>]

A very simple solution (for home users at least, although could be implemented to commercial/enterprise as well) to 
this dilemma would be to block access/pop-up warning message for all traffic from the Internal LAN IPs to Internal LAN 
based webpages (port 80,81,8080 and 443)... i.e. MOST modems serve their mgmt page via http://198.168.100.1 Block all 
access to that IP, end of story :)

Aras "Russ" Memisyazici
arasm () vt edu

Outreach Information Services
Virginia Polytechnic Institute & State University (Virginia Tech)

-----Original Message-----
From: "Dennis" <dennislv () gmail com>
To: "Mark Senior" <senatorfrog () gmail com>
Cc: "Zulfikar Ramzan" <Zulfikar_Ramzan () symantec com>; "bugtraq () securityfocus com" <bugtraq () securityfocus com>
Sent: 2/16/07 4:53 PM
Subject: Re: Drive-by Pharming Threat

I also have one of these 2Wire modems.  In my endeavors I've noticed
that if the admin password is lost, it can be recovered by a
challenge/response code.  Has anyone ever figured out this algorithm?



On 2/16/07, Mark Senior <senatorfrog () gmail com> wrote:
> My ISP issues 2Wire modem/router/WAP boxes now.  I found it very
> interesting to explore what (few) changes require a password and what
> ones do not.
>
> In particular, packet filter and port forwarding changes require no
> password at all - so changing your password on the router wouldn't do
> you any good against driveby changes to those settings.  I'll have to
> look when I get home whether DNS server changes would.
>
> A bit OT, but there's also the fact that since these devices are
> considered ISP equipment - they include the modem that connects to
> telco lines - the ISP has one, global, password for all home routers
> on their network, and can admin them from the 'outside' of your home
> network.  Given big telco security standards, not a very reassuring
> thought.
>
> Regards
> Mark
>
> On 2/15/07, Zulfikar Ramzan wrote:
> > We discovered a new potential threat that we term "Drive-by Pharming".  An attacker can create a web page 
> > containing a simple piece of malicious JavaScript code.  When the page is viewed, the code makes a login attempt 
> > into the user's home broadband router and attempts to change its DNS server settings (e.g., to point the user to an 
> > attacker-controlled DNS server).   Once the user's machine receives the updated DNS settings from the router (e.g., 
> > after the machine is rebooted) future DNS request are made to and resolved by the attacker's DNS server.
> >
> > The main condition for the attack to be successful is that the attacker can guess the router password (which can be 
> > very easy to do since these home routers come with a default password that is uniform, well known, and often never 
> > changed).  Note that the attack does not require the user to download any malicious software - simply viewing a web 
> > page with the malicious JavaScript code is enough.
> >
> > We've written proof of concept code that can successfully carry out the steps of the attack on Linksys, D-Link, and 
> > NETGEAR home routers.  If users change their home broadband router passwords to something difficult for an attacker 
> > to guess, they are safe from this threat.
> >
> > Additional details on the attack can be found at:  
> > http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html
> >
> > Thanks,
> >
> > Zulfikar Ramzan
> >
> >
> > ________________________________________
> >
> > Zulfikar Ramzan
> > Sr. Principal Security Researcher
> > Advanced Threat Research
> > Symantec Corporation
> > www.symantec.com
> > -----------------------------------------------------
> > -----------------------------------------------------
> > This message (including any attachments) is intended only for the use of the individual or entity to which it is 
> > addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from 
> > disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, 
> > you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly 
> > prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy 
> > this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank 
> > you.