A very simple solution (for home users at least, although it could be implemented for commercial/enterprise as well) to this dilemma would be to block access/pop-up warning message for all traffic from the Internal LAN IPs to Internal LAN based webpages (port 80, 81, 8080 and 443)... i.e. MOST modems serve their mgmt page via http://198.168.100.1. Block all access to that IP, end of story :)
Aras "Russ" Memisyazici
arasm@vt.edu
Outreach Information Services
Virginia Polytechnic Institute & State University (Virginia Tech)
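The LAN-to-LAN blocking rule proposed above, written out as a policy check so it can be tested against traffic records. This is an added example, not code from the thread or from any vendor; it assumes RFC 1918 private addressing for the LAN, the four management ports named in the message, a constructed log format of "src dst port" per line, and an optional whitelist of admin hosts so the rule does not also lock the owner out of the router's page.

```python
"""Policy check for 'block LAN hosts from LAN web-management pages'.

Added example, not part of the original thread.  Assumptions: RFC 1918
private ranges (10/8, 172.16/12, 192.168/16), management ports 80, 81,
8080 and 443 as listed in the message, and a constructed log format of
"<src_ip> <dst_ip> <dst_port>" per line.
"""
import ipaddress
from typing import List, Set, Tuple

# Assumed private ranges; adjust to the actual LAN if it differs.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Web-management ports named in the message.
MGMT_PORTS = {80, 81, 8080, 443}


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def decide(src_ip: str, dst_ip: str, dst_port: int,
           admin_hosts: Set[str] = frozenset()) -> str:
    """Return 'block' when a LAN host talks to a LAN web-management port.

    Everything else is 'allow': traffic to the Internet, non-web ports, and
    connections from an explicitly whitelisted admin workstation.  The rule
    keys on the destination being any private address, not one fixed modem
    IP, so it also covers routers on other subnets.
    """
    if src_ip in admin_hosts:
        return "allow"
    if is_private(src_ip) and is_private(dst_ip) and dst_port in MGMT_PORTS:
        return "block"
    return "allow"


def parse_line(line: str) -> Tuple[str, str, int]:
    src, dst, port = line.split()
    return src, dst, int(port)


def scan_log(lines: List[str],
             admin_hosts: Set[str] = frozenset()) -> List[Tuple[str, str, int, str]]:
    """Apply the policy to every log line; returns (src, dst, port, verdict)."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port = parse_line(line)
        results.append((src, dst, port, decide(src, dst, port, admin_hosts)))
    return results


# Constructed sample log: a browser on the LAN reaching router pages (the
# drive-by scenario), ordinary Internet browsing, and a file share on 445.
SAMPLE_LOG = """
# src dst port
192.168.1.50 192.168.1.1 80
192.168.1.50 192.168.100.1 443
192.168.1.50 203.0.113.10 443
192.168.1.50 192.168.1.20 445
10.0.0.7 10.0.0.1 8080
"""

if __name__ == "__main__":
    for src, dst, port, verdict in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{verdict:5} {src} -> {dst}:{port}")
```

In practice the rule would be enforced on the router's own input filter or on each host, since a browser-driven request to the router never crosses a perimeter device; the whitelist parameter is what keeps the legitimate admin's access working while every other LAN host is refused.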
-----Original Message-----
From: "Dennis" <dennislv@gmail.com>
To: "Mark Senior" <senatorfrog@gmail.com>
Cc: "Zulfikar Ramzan" <Zulfikar_Ramzan@symantec.com>; "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
Sent: 2/16/07 4:53 PM
Subject: Re: Drive-by Pharming Threat
I also have one of these 2Wire modems. In my endeavors I've noticed
that if the admin password is lost, it can be recovered by a
challenge/response code. Has anyone ever figured out this algorithm?
On 2/16/07, Mark Senior <senatorfrog@gmail.com> wrote:
> My ISP issues 2Wire modem/router/WAP boxes now. I found it very
> interesting to explore what (few) changes require a password and what
> ones do not.
>
> In particular, packet filter and port forwarding changes require no
> password at all - so changing your password on the router wouldn't do
> you any good against driveby changes to those settings. I'll have to
> look when I get home whether DNS server changes would.
>
> A bit OT, but there's also the fact that since these devices are
> considered ISP equipment - they include the modem that connects to
> telco lines - the ISP has one, global, password for all home routers
> on their network, and can admin them from the 'outside' of your home
> network. Given big telco security standards, not a very reassuring
> thought.
>
> Regards
> Mark
>
> On 2/15/07, Zulfikar Ramzan wrote:
> > We discovered a new potential threat that we term "Drive-by Pharming". An attacker can create a web page containing a simple piece of malicious JavaScript code. When the page is viewed, the code makes a login attempt into the user's home broadband router and attempts to change its DNS server settings (e.g., to point the user to an attacker-controlled DNS server). Once the user's machine receives the updated DNS settings from the router (e.g., after the machine is rebooted) future DNS requests are made to and resolved by the attacker's DNS server.
> >
> > The main condition for the attack to be successful is that the attacker can guess the router password (which can be very easy to do since these home routers come with a default password that is uniform, well known, and often never changed). Note that the attack does not require the user to download any malicious software - simply viewing a web page with the malicious JavaScript code is enough.
> >
> > We've written proof of concept code that can successfully carry out the steps of the attack on Linksys, D-Link, and NETGEAR home routers. If users change their home broadband router passwords to something difficult for an attacker to guess, they are safe from this threat.
> >
> > Additional details on the attack can be found at: http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html
> >
> > Thanks,
> >
> > Zulfikar Ramzan
> >
> >
> > ________________________________________
> >
> > Zulfikar Ramzan
> > Sr. Principal Security Researcher
> > Advanced Threat Research
> > Symantec Corporation
> > www.symantec.com
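The thread names two weaknesses on the router side: the settings change is accepted from a page on another site (Ramzan's description), and on some devices it is accepted without any password at all (Mark's observation). The following is an added example, not Symantec's proof of concept and not any vendor's firmware, that models a router's "set DNS servers" handler as a plain function and layers the checks a hardened implementation would apply: authentication on every state change, refusal to operate while the factory password is unchanged, an Origin/Referer check, and a session-bound CSRF token that a page on another origin cannot read. The router address, the factory password and the request dictionaries are constructed for the example.

```python
"""Router-side checks against a cross-site DNS-settings change.

Added example, not code from the thread.  Assumed request shape: a dict
with 'method', 'headers', 'form' and 'auth' (a (user, password) tuple or
None, as a browser would send for credentials embedded in a URL).
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

ROUTER_ORIGIN = "http://192.168.1.1"  # constructed LAN address of the router
DEFAULT_PASSWORD = "admin"            # constructed factory default


@dataclass
class RouterState:
    admin_password: str = DEFAULT_PASSWORD
    dns_servers: Tuple[str, ...] = ("192.168.1.1",)
    # One CSRF token per logged-in session, handed out with the settings
    # form; a page on another origin can submit the form but not read it.
    sessions: Dict[str, str] = field(default_factory=dict)

    def password_is_default(self) -> bool:
        return hmac.compare_digest(self.admin_password, DEFAULT_PASSWORD)

    def open_session(self) -> Tuple[str, str]:
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = token
        return sid, token


def same_origin(headers: Dict[str, str]) -> bool:
    """Browsers send Origin on cross-site POSTs; fall back to Referer."""
    origin = headers.get("Origin") or headers.get("Referer", "")
    return origin.startswith(ROUTER_ORIGIN)


def handle_dns_change(req: dict, state: RouterState) -> Tuple[int, str]:
    """Return (status, reason).  Only a 200 actually changes the servers."""
    if req["method"] != "POST":
        return 405, "state change must be a POST"
    auth = req.get("auth")
    if auth is None or not hmac.compare_digest(auth[1], state.admin_password):
        return 401, "authentication required"      # no unauthenticated changes
    if state.password_is_default():
        return 403, "change the factory password first"
    if not same_origin(req["headers"]):
        return 403, "cross-site request refused"
    sid = req["headers"].get("Cookie", "").removeprefix("sid=")
    expected = state.sessions.get(sid)
    token = req["form"].get("csrf")
    if expected is None or token is None or not hmac.compare_digest(token, expected):
        return 403, "missing or invalid CSRF token"
    state.dns_servers = tuple(req["form"]["dns"].split(","))
    return 200, "dns updated"


def cross_site_request(password: str, cookie: str = "") -> dict:
    """Constructed: a form submitted by a page on another origin, carrying
    whatever password that page embedded and the victim's cookie if any."""
    return {"method": "POST",
            "headers": {"Origin": "http://attacker.example", "Cookie": cookie},
            "form": {"dns": "203.0.113.53"},
            "auth": ("admin", password)}


def admin_request(state: RouterState, password: str) -> dict:
    """Constructed: the router's own settings page submitting the form."""
    sid, token = state.open_session()
    return {"method": "POST",
            "headers": {"Origin": ROUTER_ORIGIN, "Cookie": f"sid={sid}"},
            "form": {"dns": "192.0.2.53,192.0.2.54", "csrf": token},
            "auth": ("admin", password)}


def demo() -> dict:
    """Run the four scenarios; returns the status code for each."""
    results = {}
    fresh = RouterState()
    results["default_pw"] = handle_dns_change(cross_site_request("admin"), fresh)[0]
    hardened = RouterState(admin_password="correct horse battery staple")
    results["wrong_pw"] = handle_dns_change(cross_site_request("admin"), hardened)[0]
    sid, _ = hardened.open_session()  # victim is logged in to the router
    results["cross_site"] = handle_dns_change(
        cross_site_request(hardened.admin_password, f"sid={sid}"), hardened)[0]
    results["legit"] = handle_dns_change(
        admin_request(hardened, hardened.admin_password), hardened)[0]
    results["dns"] = hardened.dns_servers
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The checks are ordered so that the cheapest and most common failure is reported first, and each one alone would stop the scenario in the thread: a factory password blocks every change until it is replaced, a changed password defeats the guess, and even a correct password submitted from another origin is refused by the Origin and token checks. The `demo()` function exercises all four paths and is what the accompanying assertions inspect.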