Saturday, April 12, 2008

Intranet hack targeting AT&T 2Wire DSL modems

Not long after the Web browser intranet hacking incident targeting DSL users in Mexico comes another DNS-pharming attack exploiting AT&T 2Wire DSL modems. Check out how simple these two sample URLs are for CSRFing victims:

http://192.168.1.254/xslt?PAGE=H04_POST&PASSWORD=admin&PASSWORD_CONF=admin
http://192.168.1.254/xslt?PAGE=A02_POST&PASSWORD=admin&THISPAGE=J38&NEXTPAGE=J38_SET&ADDR=127.0.0.1&NAME=ww.example.com


The first URL appears to set the user’s password to “admin”, probably if none exists (I didn’t double check). The second takes over a domain name by hard-coding an arbitrary IP address. The attacker could easily put in a ton of these for the websites of banks, webmail, retailers, payment gateways, social networks, etc., and all your traffic would flow to them. Talk about owned. Pure CSRF; it doesn’t even require XSS or JavaScript malware.

This type of intranet CSRF hack is super easy to pull off, since you only need to place the specially-crafted URLs inside an HTML image tag and post it to any public website. MySpace, webmail, blogs, message boards, etc. would all make great avenues for snaring the unsuspecting. Who knows where the victims in this case were originally exploited; the first person to notice only did so by using ping and spotting an odd IP address.

If we get a third event in rapid succession, I’d say that’s the start of a trend. Perhaps we should start advocating a new best practice: host-based egress rules. Little Snitch works great on OS X. In fact, I’ve already started implicitly blocking intranet connections from my browser, specifically to my DSL router IP. Hopefully the browser vendors will give the remaining 99.99% something soon by default.
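A request filter illustrating the two checks a router’s admin interface (or a local filtering proxy, in the spirit of the egress rules suggested above) should apply to requests like the ones in this post: refuse state-changing parameters on a GET, and refuse a state-changing POST whose Referer is not the router itself. This is an added example, not 2Wire firmware or the author’s code; the host, endpoint and parameter names come from the two URLs above, while the sample log entries, blog.example and the read-only page names are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Default 2Wire LAN address and admin endpoint, as seen in the post's URLs.
ROUTER_HOST = "192.168.1.254"
ADMIN_PATH = "/xslt"
# Query parameters from the two sample URLs that change router state.
STATE_CHANGING = {"PASSWORD", "PASSWORD_CONF", "ADDR", "NAME"}


def check_request(method, url, referer=None):
    """Return ("allow" | "block", reason) for one request seen by the filter."""
    parts = urlsplit(url)
    # Requests that do not touch the router's admin endpoint are out of scope.
    if parts.hostname != ROUTER_HOST or parts.path != ADMIN_PATH:
        return "allow", "not a router admin request"
    touched = sorted(STATE_CHANGING.intersection(parse_qs(parts.query)))
    if not touched:
        return "allow", "read-only page"
    # Rule 1: state must never change on a GET; an <img src=...> is always a GET.
    if method.upper() == "GET":
        return "block", "state-changing GET sets " + ",".join(touched)
    # Rule 2: a state-changing POST must come from the router's own pages.
    ref_host = urlsplit(referer).hostname if referer else None
    if ref_host != ROUTER_HOST:
        return "block", f"state-changing POST with Referer host {ref_host!r}"
    return "allow", "same-origin POST"


# Constructed sample log: (method, url, referer). The first two URLs are the
# ones quoted in the post; "blog.example" stands for any third-party page.
SAMPLE_LOG = [
    ("GET", "http://192.168.1.254/xslt?PAGE=H04_POST&PASSWORD=admin&PASSWORD_CONF=admin",
     "http://blog.example/profile.html"),
    ("GET", "http://192.168.1.254/xslt?PAGE=A02_POST&PASSWORD=admin&THISPAGE=J38"
            "&NEXTPAGE=J38_SET&ADDR=127.0.0.1&NAME=ww.example.com", None),
    ("GET", "http://192.168.1.254/xslt?PAGE=J38", "http://192.168.1.254/xslt?PAGE=A01"),
    ("POST", "http://192.168.1.254/xslt?PAGE=A02_POST&ADDR=10.0.0.5&NAME=printer",
     "http://192.168.1.254/xslt?PAGE=J38"),
    ("POST", "http://192.168.1.254/xslt?PAGE=H04_POST&PASSWORD=x&PASSWORD_CONF=x",
     "http://blog.example/profile.html"),
]


def blocked(log):
    """Return the URLs in the log that the filter would block."""
    return [url for method, url, ref in log
            if check_request(method, url, ref)[0] == "block"]
```

Both sample URLs from the post are blocked by rule 1 alone; rule 2 is what stops the same parameters arriving in a cross-site form POST.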

4 comments:

Awesome AnDrEw said...

I love CSRF, because it is both simple and effective. The first thing anyone should do when purchasing a router (or actually any type of device) is to change all of the settings from the factory defaults, or what some like to call "Secured Defaults".

planetheidi said...

How much you wanna bet this new round of Hotmail spam attacks is a CSRF attack?

Yash Kadakia said...

CSRF is great; most security people don't seem to understand it, let alone the developers of the world.

I've seen tons of intranet attacks via CSRF, at least in India.

Most broadband companies here provide custom routers with OLD firmware. Lots of CSRF bugs, and exploitation of them is slowly picking up pace.

--
Yash Kadakia
CTO, Security Brigade
http://www.securitybrigade.com
Penetration Testing, PCI DSS Compliance, Security Consulting etc.

Comp Cracker said...

Actually, the first one gave an error and asked me to set a new pass. If someone managed to allow multiple accounts to be used at once in Windows, created an account and changed the settings in the registry so you can't see the account, I wonder what kind of servers they would like to run on your computer... =0