Full Disclosure mailing list archives

Re: Drive-by Pharming


From: "James Matthews" <nytrokiss () gmail com>
Date: Thu, 15 Feb 2007 21:11:21 -0500

So we are screwed, what else! Wait till this has a big effect on the end user,
then people will care. But for us, how can we defend against it!

On 2/15/07, Oliver Friedrichs <oliver_friedrichs () symantec com> wrote:

Everyone,

I'm posting this on behalf of Zulfikar Ramzan who isn't subscribed to this
list.

We discovered a new potential threat that we term "Drive-by Pharming".  An
attacker can create a web page containing a simple piece of malicious
JavaScript code.  When the page is viewed, the code makes a login attempt
into the user's home broadband router and attempts to change its DNS server
settings (e.g., to point the user to an attacker-controlled DNS server).
Once the user's machine receives the updated DNS settings from the router
(e.g., after the machine is rebooted), future DNS requests are made to and
resolved by the attacker's DNS server.

The main condition for the attack to be successful is that the attacker
can guess the router password (which can be very easy to do since these home
routers come with a default password that is uniform, well known, and often
never changed).  Note that the attack does not require the user to download
any malicious software – simply viewing a web page with the malicious
JavaScript code is enough.

We've written proof of concept code that can successfully carry out the
steps of the attack on Linksys, D-Link, and NETGEAR home routers.  If users
change their home broadband router passwords to something difficult for an
attacker to guess, they are safe from this threat.

Additional details on the attack can be found at:
http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html.

Oliver


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




--
http://www.goldwatches.com/watches.asp?Brand=39
http://www.wazoozle.com
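One defence-in-depth check for the router side, given here as an added example (it is not from the Symantec post or from any vendor's firmware): the admin interface refuses a DNS-settings change unless the request verifiably came from its own pages, so a request that JavaScript on some other site makes the browser send is rejected even when the administrative password has been guessed. The LAN addresses, the header handling and the `csrf_token` form field are assumptions.

```python
from urllib.parse import urlsplit

# Constructed LAN addresses for the example; real firmware would use its own configured address.
ROUTER_HOSTS = {"192.168.1.1", "192.168.0.1"}
ROUTER_ORIGINS = {f"http://{h}" for h in ROUTER_HOSTS}


def origin_of(url: str) -> str:
    """Reduce a URL to its scheme://host[:port] origin, lower-cased ('' if unparsable)."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return ""
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_same_origin_admin_request(headers: dict, session_token: str, form: dict) -> bool:
    """Accept a configuration-changing request only when it demonstrably came
    from the router's own administration pages.

    headers       -- HTTP request headers (names compared case-insensitively)
    session_token -- hypothetical anti-CSRF token issued with the admin session
    form          -- decoded form fields of the request
    """
    h = {name.lower(): value for name, value in headers.items()}

    # 1. The request must be addressed to the router's own LAN address.
    if h.get("host", "").lower() not in ROUTER_HOSTS:
        return False

    # 2. Origin takes precedence, Referer is the fallback. A page on any other
    #    site sends its own origin here, so the drive-by request is refused;
    #    a change carrying neither header is treated as cross-site as well.
    if origin_of(h.get("origin") or h.get("referer", "")) not in ROUTER_ORIGINS:
        return False

    # 3. The form must echo the per-session token, which a page on another
    #    site cannot read even though it can make the browser send the request.
    return form.get("csrf_token", "") == session_token


if __name__ == "__main__":
    # Constructed sample requests: a legitimate change made from the admin UI,
    # and the request a page on another site would cause the browser to send.
    legit = {"Host": "192.168.1.1", "Origin": "http://192.168.1.1",
             "Referer": "http://192.168.1.1/dns_settings.html"}
    driveby = {"Host": "192.168.1.1", "Referer": "http://other-site.example/page.html"}
    change = {"dns1": "203.0.113.53", "csrf_token": "s3ss10n-t0k3n"}
    print("legit accepted   :", is_same_origin_admin_request(legit, "s3ss10n-t0k3n", change))
    print("drive-by accepted:", is_same_origin_admin_request(driveby, "s3ss10n-t0k3n", change))
```

The token check matters on its own: even if a drive-by page strips or spoofs nothing, it cannot read a token that the router only hands to a logged-in admin session.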
