Monday, February 26, 2007

router attack by analogy

One of the elements of drive-by pharming attacks (or really any attack that attempts to break into your home's router) is router profiling. Basically, once the IP of your router is discovered (say 192.168.0.1), the malicious script attempts to identify what type of router it may be. This can be done in many ways, including image profiling. In essence, some routers will serve images without requiring an administrator to be authenticated, which is really bad. Additionally, http-auth credentials usually remain until a browser window is closed (if you don't often close your browser, you might want to do that now) and will be used by default when accessing pages from a protected resource. This way, even if a password is required, it has previously been entered by the user and can now be used to get into the router.

Anyhow, using this lack of a password requirement, a script can attempt to load a few images known to be served by different routers, one at a time. If a load fails, it tries the next one. Here's some code that does this:
<img src="http://192.168.0.1/logo.gif" onerror="tryNextImage();">

This image tag would be generated and appended to a document by JavaScript, and then when it fails, a new one is plopped in. When one succeeds (you can set an onload event for the image), the router has been profiled, and the default username/password for it can be pulled from a list.
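To make the two weaknesses in that description concrete from the router's side, here is an added example (not code from this post, from the tech report it cites, or from any router firmware). It is a small Python model of an embedded admin interface: handle_weak() serves the logo to anyone and applies a configuration change whenever the browser attaches cached HTTP-auth credentials, which is exactly what the image probe and the scripted request rely on; HardenedRouter refuses everything, images included, until the credential is present, and additionally requires state-changing requests to be same-origin and to carry a per-session token that a page on another origin cannot read. All names, paths (/logo.gif, /apply.cgi), the password and the request values are constructed for the example; only the 192.168.0.1 address comes from the post.

```python
import base64
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed values for the example; not defaults from any real router.
ADMIN_USER = "admin"
ADMIN_PASSWORD = "constructed-sample-password"
ROUTER_ORIGIN = "http://192.168.0.1"   # the router address used in the post


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""


def basic_header(user, password):
    """Build the Authorization header a browser re-sends once it has cached HTTP-auth credentials."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def _basic_auth_ok(headers):
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    # Constant-time comparison so a caller cannot time its way to the password.
    return hmac.compare_digest(user, ADMIN_USER) and hmac.compare_digest(password, ADMIN_PASSWORD)


def handle_weak(req):
    """The pattern the post describes: the logo is public, and a config change
    goes through whenever the browser attaches cached credentials, no matter
    which web page caused the request to be sent."""
    if req.path == "/logo.gif":
        return Response(200, "<gif bytes>")
    if not _basic_auth_ok(req.headers):
        return Response(401)
    if req.method == "POST" and req.path == "/apply.cgi":
        return Response(200, f"dns set to {req.form.get('dns')}")
    return Response(404)


class HardenedRouter:
    def __init__(self):
        # Per-session token embedded in the admin UI's own forms after login;
        # a page on another origin cannot read it, so it cannot forge the POST.
        self.csrf_token = secrets.token_hex(16)

    def handle(self, req):
        # 1. Nothing, images included, is served before authentication, so an
        #    unauthenticated image request no longer reveals the model.
        if not _basic_auth_ok(req.headers):
            return Response(401)
        # 2. State changes must come from the admin UI itself: same-origin
        #    header check (Origin, falling back to Referer) plus the token.
        if req.method == "POST":
            origin = req.headers.get("Origin") or req.headers.get("Referer", "")
            same_origin = origin == ROUTER_ORIGIN or origin.startswith(ROUTER_ORIGIN + "/")
            if not same_origin:
                return Response(403, "cross-site request refused")
            if not hmac.compare_digest(req.form.get("csrf", ""), self.csrf_token):
                return Response(403, "missing or bad csrf token")
        if req.path == "/logo.gif":
            return Response(200, "<gif bytes>")
        if req.method == "POST" and req.path == "/apply.cgi":
            return Response(200, f"dns set to {req.form.get('dns')}")
        return Response(404)


def demo():
    """Replay the requests a drive-by page would cause a victim's browser to
    send, plus one legitimate change made from the admin UI. Returns statuses."""
    router = HardenedRouter()
    cached = basic_header(ADMIN_USER, ADMIN_PASSWORD)   # credentials the browser re-sends
    probe = Request("GET", "/logo.gif")                  # unauthenticated image request
    forged = Request("POST", "/apply.cgi",               # constructed cross-site request
                     headers={**cached, "Origin": "http://attacker.example"},
                     form={"dns": "198.51.100.53"})       # RFC 5737 documentation address
    legit = Request("POST", "/apply.cgi",
                    headers={**cached, "Origin": ROUTER_ORIGIN},
                    form={"dns": "192.0.2.53", "csrf": router.csrf_token})
    return {
        "weak_probe": handle_weak(probe).status,          # 200: model is identifiable
        "weak_forged": handle_weak(forged).status,        # 200: change applied
        "hardened_probe": router.handle(probe).status,    # 401
        "hardened_forged": router.handle(forged).status,  # 403
        "hardened_legit": router.handle(legit).status,    # 200
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The token is the check that actually stops the forged request, because the browser attaches cached credentials automatically but cannot supply a value only the admin page knows. The origin check is defence in depth: the Origin header did not exist in browsers of this period and Referer is often stripped, so a router that relied on headers alone would still be exposed. Note the comparison against ROUTER_ORIGIN followed by "/", which keeps a look-alike host such as "http://192.168.0.1.attacker.example" from passing a plain prefix match.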

It can sometimes be difficult to access these images on the routers without a password (not all will provide a logo without the user first logging in). It is surely possible on some routers, but not all. So instead of a linear discovery approach (one step at a time, the way an investigator usually works), an attacker can take another approach: flood the router with configuration change attempts, hoping one works.

Analogy:

The two methods can be considered in this analogy: Say you are flying somewhere with five of your friends who each speak a different foreign language. When you get there, you need to tell the taxi driver who meets you where to take you. You don't know what country you're in, so you don't know which language/friend to use.

A first method is careful: you look at what he's wearing, the car he's driving, and maybe look inside his pockets for an ID or money. Once you've deduced from this evidence where you are, you can try giving the driver directions in the language that is your best guess. If that doesn't work you can, one at a time, try speaking to the driver in a different language, but if you've done your research you will be right the first time. This is like the one-step-at-a-time approach described above. The problem with this is that the driver may not let you see his pockets' contents, so you might need to resort to guessing.

Alternatively, the six of you can all just walk up and start telling him where to go in different languages all at once. He will be a little confused at first, but will respond to one of you, the one speaking the language he recognizes, and that person can tell him where to go. This is the flood approach. It's messy, but you don't have to coordinate your friends and poke around in his car (where he may not let you go).

To take this back to the technology, let's say for example that ten router models make up a good portion of the market. An attacker can take advantage of this. Instead of "profiling" the router (as discussed in the tech report), he can simply send the configuration request for one of the ten most popular. If it fails, the code tries again with another request. This keeps going until one works or all requests have been tried. Alternatively, all ten might be attempted at once.

Both methods (linear discovery and multiple requests in parallel) are possible, yet the parallel-flooding attempt seems scarier since it requires less investigative work (and much simpler programming).

To boil this down, the drive-by pharming attack is not a completely specified problem. There are many ways to attack home routers from the inside, and many techniques can be used based on the types of targets an attacker may be interested in.


On a lighter note, here are some fun blog comments from Slashdot regarding drive-by pharming:
1) Drive by pharm,
2) Stop. Park.
3) Milk cows.
4) Feed chickens.
5) Slop pigs.
6) Stack hay.
7) Profit.

(Link)

We'll chase off the Pharmers with our phlaming torches and pitchphorks!
(Link)

(Previously: drive-by pharming)
