Date: Sat, 17 Feb 2007 01:06:25 -0500
From: "Memisyazici, Aras" <arasm@...edu>
To: "Dennis" <dennislv@...il.com>,
	"Mark Senior" <senatorfrog@...il.com>
Cc: "Zulfikar Ramzan" <Zulfikar_Ramzan@...antec.com>,
	<bugtraq@...urityfocus.com>
Subject: RE: Drive-by Pharming Threat

A very simple solution (for home users at least, although it could be implemented for commercial/enterprise as well) to this dilemma would be to block access, or pop up a warning message, for all traffic from the internal LAN IPs to internal LAN-based web pages (ports 80, 81, 8080 and 443)... i.e. MOST modems serve their mgmt page via http://198.168.100.1. Block all access to that IP, end of story :)

Aras "Russ" Memisyazici
arasm@...edu

Outreach Information Services
Virginia Polytechnic Institute & State University (Virginia Tech)

-----Original Message-----
From: "Dennis" <dennislv@...il.com>
To: "Mark Senior" <senatorfrog@...il.com>
Cc: "Zulfikar Ramzan" <Zulfikar_Ramzan@...antec.com>; "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Sent: 2/16/07 4:53 PM
Subject: Re: Drive-by Pharming Threat

I also have one of these 2Wire modems.  In my endeavors I've noticed
that if the admin password is lost, it can be recovered by a
challenge/response code.  Has anyone ever figured out this algorithm?



On 2/16/07, Mark Senior <senatorfrog@...il.com> wrote:
> My ISP issues 2Wire modem/router/WAP boxes now.  I found it very
> interesting to explore what (few) changes require a password and what
> ones do not.
>
> In particular, packet filter and port forwarding changes require no
> password at all - so changing your password on the router wouldn't do
> you any good against drive-by changes to those settings.  I'll have to
> look when I get home whether DNS server changes would.
>
> A bit OT, but there's also the fact that since these devices are
> considered ISP equipment - they include the modem that connects to
> telco lines - the ISP has one, global, password for all home routers
> on their network, and can admin them from the 'outside' of your home
> network.  Given big telco security standards, not a very reassuring
> thought.
>
> Regards
> Mark
>
> On 2/15/07, Zulfikar Ramzan wrote:
> > We discovered a new potential threat that we term "Drive-by Pharming". An attacker can create a web page containing a simple piece of malicious JavaScript code. When the page is viewed, the code makes a login attempt into the user's home broadband router and attempts to change its DNS server settings (e.g., to point the user to an attacker-controlled DNS server). Once the user's machine receives the updated DNS settings from the router (e.g., after the machine is rebooted), future DNS requests are made to and resolved by the attacker's DNS server.
> >
> > The main condition for the attack to be successful is that the attacker can guess the router password (which can be very easy to do since these home routers come with a default password that is uniform, well known, and often never changed).  Note that the attack does not require the user to download any malicious software - simply viewing a web page with the malicious JavaScript code is enough.
> >
> > We've written proof of concept code that can successfully carry out the steps of the attack on Linksys, D-Link, and NETGEAR home routers.  If users change their home broadband router passwords to something difficult for an attacker to guess, they are safe from this threat.
> >
> > Additional details on the attack can be found at:  http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html
> >
> > Thanks,
> >
> > Zulfikar Ramzan
> >
> >
> > ________________________________________
> >
> > Zulfikar Ramzan
> > Sr. Principal Security Researcher
> > Advanced Threat Research
> > Symantec Corporation
> > www.symantec.com
>
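The thread describes the attack (a page's JavaScript logs into the router with a guessable password and rewrites its DNS servers) and the fix (change the password). The added example below, which is not code from any poster or vendor, models a router's "set DNS" handler in its pre-fix form beside a hardened form that refuses to operate on the factory default password and rejects requests whose browser Origin is not the router itself; `ROUTER_HOST`, `DEFAULT_PASSWORD`, the resolver addresses and all function names are constructed assumptions, and the Origin check is a standard CSRF defence added here, not one proposed in the thread.

```python
import hmac

ROUTER_HOST = "192.168.1.1"   # constructed sample address, not from the thread
DEFAULT_PASSWORD = "admin"    # constructed placeholder for a vendor default


def vulnerable_set_dns(request, config):
    """Pre-fix behaviour as the thread describes it: any request carrying the
    (guessable) password changes the resolvers, no matter which site sent it."""
    if request["password"] != config["password"]:
        return False
    config["dns"] = request["dns"]
    return True


def hardened_set_dns(request, config):
    """Two checks that break the drive-by: refuse all settings changes while the
    factory default password is still set, and require the browser-supplied
    Origin header to name the router itself, so a page served from another
    site cannot drive the change (assumed defence, not from the thread)."""
    if hmac.compare_digest(config["password"], DEFAULT_PASSWORD):
        return False  # force a password change before accepting settings
    if not hmac.compare_digest(request["password"], config["password"]):
        return False
    origin = request.get("origin", "")
    if origin not in (f"http://{ROUTER_HOST}", f"https://{ROUTER_HOST}"):
        return False  # cross-site request: the page did not come from the router
    config["dns"] = request["dns"]
    return True


def cross_site_request(password=DEFAULT_PASSWORD):
    """Shape of the request a third-party page's script would submit; the
    resolver address is a documentation-range placeholder (constructed)."""
    return {"password": password, "dns": ["203.0.113.53"],
            "origin": "http://other-site.example"}


def demo():
    """Returns (pre-fix changed?, blocked on default pw?, blocked on origin?,
    legitimate change from the router's own page accepted?)."""
    weak = {"password": DEFAULT_PASSWORD, "dns": [ROUTER_HOST]}
    changed_weak = vulnerable_set_dns(cross_site_request(), weak)
    hard = {"password": DEFAULT_PASSWORD, "dns": [ROUTER_HOST]}
    blocked_default = hardened_set_dns(cross_site_request(), hard)
    hard["password"] = "correct horse battery staple"  # user changed it
    blocked_origin = hardened_set_dns(cross_site_request(hard["password"]), hard)
    legit = hardened_set_dns({"password": hard["password"], "dns": ["9.9.9.9"],
                              "origin": f"http://{ROUTER_HOST}"}, hard)
    return changed_weak, blocked_default, blocked_origin, legit
```

The default-password refusal alone covers the condition the original post names as the main one for success; the Origin check additionally covers Mark's observation that some changes require no password at all, since it applies before any settings change regardless of credentials.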
