Wireless “Drive-by Pharming Threat”

update:

read this before reading this blog entry.

this was posted to bugtraq today. let’s see what this is about…

date: thu, 15 feb 2007 13:02:46 -0800
from: zulfikar ramzan
subject: drive-by pharming threat

we discovered a new potential threat that we term “drive-by pharming”. an attacker can create a web page containing a simple piece of malicious javascript code. when the page is viewed, the code makes a login attempt into the user’s home broadband router and attempts to change its dns server settings (e.g., to point the user to an attacker-controlled dns server).
once the user’s machine receives the updated dns settings from the router (e.g., after the machine is rebooted), future dns requests are made to and resolved by the attacker’s dns server.

the main condition for the attack to be successful is that the attacker can
guess the router password (which can be very easy to do since these home
routers come with a default password that is uniform, well known, and often
never changed).  note that the attack does not require the user to download
any malicious software – simply viewing a web page with the malicious
javascript code is enough.

we’ve written proof of concept code that can successfully carry out the
steps of the attack on linksys, d-link, and netgear home routers.  if users
change their home broadband router passwords to something difficult for an
attacker to guess, they are safe from this threat.

additional details on the attack can be found at:
http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html

thanks,

zulfikar ramzan

________________________________________

zulfikar ramzan
sr. principal security researcher
advanced threat research
symantec corporation
- —————————————————–
- —————————————————–
this message (including any attachments) is intended only for the use of
the individual or entity to which it is addressed and may contain
information that is non-public, proprietary, privileged, confidential, and
exempt from disclosure under applicable law or may constitute as attorney
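The advisory boils down to two things: the router accepts a settings change from anyone who presents the right password, and the password is a well-known factory default. The following is an added example, not part of the original post and not Symantec’s proof-of-concept code or any vendor’s firmware. It models a router admin endpoint in Python in both the naive form the advisory relies on and a hardened form (no sessions while the factory default is in place, same-origin check, per-session CSRF token), then runs the same cross-origin reconfiguration request against each. The router address, credentials, resolver addresses and `attacker.example` origin are all constructed.

```python
"""Model of a home router's admin page that changes DNS settings.
Added example: not the original post's code, not Symantec's PoC, not any
vendor's firmware.  All addresses, names and credentials are constructed."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-ins for the uniform, well-known factory defaults the advisory mentions.
FACTORY_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("admin", "")}
ROUTER_ORIGIN = "http://192.168.1.1"  # assumed LAN address of the admin interface


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict
    basic_auth: Optional[tuple] = None  # (user, password) the browser attaches


@dataclass
class Router:
    admin_user: str = "admin"
    admin_password: str = "admin"  # factory default, never changed
    dns_servers: list = field(default_factory=lambda: ["203.0.113.53"])  # ISP resolver (constructed)
    sessions: dict = field(default_factory=dict)  # session id -> per-session CSRF token


def naive_handle(router: Router, req: Request):
    """The pattern the advisory exploits: valid credentials are the only check, so a
    request the browser was tricked into sending looks exactly like the owner's."""
    if req.basic_auth != (router.admin_user, router.admin_password):
        return 401, "bad credentials"
    if req.method == "POST" and req.path == "/dns":
        router.dns_servers = [req.form["primary"]]
        return 200, "dns updated"
    return 404, "no such page"


def login(router: Router, user: str, password: str) -> Optional[str]:
    """Hardened login: no session while the factory default is still in place
    (the advisory's own mitigation), and a random CSRF token bound to the session."""
    if (user, password) != (router.admin_user, router.admin_password):
        return None
    if (user, password) in FACTORY_DEFAULTS:
        return None  # owner must set a real password first
    sid = secrets.token_urlsafe(16)
    router.sessions[sid] = secrets.token_urlsafe(16)
    return sid


def _session_id(cookie_header: str) -> Optional[str]:
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return value
    return None


def hardened_handle(router: Router, req: Request):
    """A settings change needs a session, a same-origin request and the session's token.
    The cookie alone proves nothing: browsers of that era attach it cross-site too."""
    token = router.sessions.get(_session_id(req.headers.get("Cookie", "")))
    if token is None:
        return 401, "login required"
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    # Exact origin or a path under it; a bare prefix test would also pass 192.168.1.10.
    if origin != ROUTER_ORIGIN and not origin.startswith(ROUTER_ORIGIN + "/"):
        return 403, "cross-site request rejected"
    if not hmac.compare_digest(req.form.get("csrf", ""), token):
        return 403, "missing or wrong csrf token"
    if req.method == "POST" and req.path == "/dns":
        router.dns_servers = [req.form["primary"]]
        return 200, "dns updated"
    return 404, "no such page"


def scenario() -> dict:
    """Send the same reconfiguration request to both handlers (constructed data)."""
    results = {}
    # What a visited page's script makes the browser send: a POST from another
    # origin, carrying the guessed factory credentials.
    cross_site = Request("POST", "/dns", {"Referer": "http://attacker.example/page.html"},
                         {"primary": "198.51.100.66"}, basic_auth=("admin", "admin"))
    naive = Router()
    results["naive"] = naive_handle(naive, cross_site)
    results["naive_dns"] = naive.dns_servers[0]

    hard = Router()
    results["hardened_default_login"] = login(hard, "admin", "admin")  # refused: default
    hard.admin_password = "correct-horse-battery-staple"  # owner changed it
    sid = login(hard, "admin", hard.admin_password)
    cookie = {"Cookie": f"sid={sid}"}
    # Owner is logged in, and the browser still attaches the cookie to a cross-site POST.
    results["hardened_cross_site"] = hardened_handle(hard, Request(
        "POST", "/dns", {**cookie, "Referer": "http://attacker.example/page.html"},
        {"primary": "198.51.100.66"}))
    results["hardened_no_token"] = hardened_handle(hard, Request(
        "POST", "/dns", {**cookie, "Origin": ROUTER_ORIGIN}, {"primary": "203.0.113.54"}))
    results["hardened_same_origin"] = hardened_handle(hard, Request(
        "POST", "/dns", {**cookie, "Origin": ROUTER_ORIGIN},
        {"primary": "203.0.113.54", "csrf": hard.sessions[sid]}))
    results["hardened_dns"] = hard.dns_servers[0]
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Against the naive handler the cross-origin request succeeds and the resolver is swapped; against the hardened one the factory default never yields a session at all, and even a logged-in owner’s browser cannot be used as a confused deputy because the request fails the origin check and lacks the token that only the router’s own page knows.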

in discussions of this issue, fergie (paul ferguson) said, and i replied:

on fri, 16 feb 2007, fergie wrote:
>
> i don’t know — i found this whole “report” somewhat dubious, if
> not downright opportunist: hasn’t this “vulnerability” basically
> existed since, like, forever?
>
> i write it off as marketing opportunism… among other things. :-)

well duh. think rsa and a brand new idea they did a pr about – phishing mitm kit (think phishing: user >> fake site >> bank).

nothing is really new in security, we have seen malware/etc. change the hosts file for years now, not to mention domain hijacking.

we have also seen wireless brute-forcing/etc./what-not.

the one thing about the folks at symc who did this release is that they actually know their ****. meaning, someone took these two technology ideas and made something new from them, which is:
break into wireless routers and put your dns server in them for hijacking purposes. symantec just reported it to us.

it’s cool, it’s “new” and it won’t be a huge problem quite yet.

i remember a thread from nanog a couple of years back when i mentioned google and all these other national/international wireless providers better be ready with physical operational folks that will track down rogue APs, etc. cop cars with triangulation devices? :)

it was a vulnerability waiting to happen which wasn’t exploited, meaning it didn’t get much attention. this is much like the days when bots were trojan horses as botnets didn’t yet exist.

wireless used to be used for hacking into a network-connected machine, now it is suddenly used for the sake of it being wireless. still network-connected as a goal, but it is no longer just tcp/ip which plays the game.

good news: these are dns servers we can take-down. fun, yet another escalation war.

sunshine.

this is very interesting, although not too exciting. nice work by the guys at symantec.

gadi evron,
ge@beyondsecurity.com.

  • Aviram (http://www.BeyondSecurity.com)

    “Nothing New Under the Sun” (Ecclesiastes)

  • arzun

    By that they do not publish the source code?

    ——————————————-
    The human knowledge is of all