Re: Drive-by Pharming Threat

[<auto400208 () hushmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks.

This is what I am struggling with

1. On my firefox I have the router password saved:

<iframe src="http://192.168.0.1";>  from remote site brings up
password manager all nicely filled in, I still have to hit ok

<iframe src="http://foo:foo@192.168.0.1";> remote site brings up a
security warning do you want to blah blah LINKSYS with foo

I haven't seen away around this.

2. I understand setting up a series of iframes for each type of
router. What I mean is the vuln in the first instance to get inside
the html in order to diddle it. You effectively have remote site
scriting to remote sight. Nothing more. Have you tried to do this
even locally with your router's index.html (a) you need to find a
viable "xss" error entry point, and then achieve this from
different domains, and then test each and every router's index.html
for the same thing. On top of that you'll need to determine each
target browser and adjust accordingly.

Frankly the whole vuln sounds far fetched in practice. Certainly
not anything "drive by" that I can see. So far.

On Mon, 19 Feb 2007 16:48:58 -0500 Andrew Farmer
<andfarm () gmail com> wrote:
> On 19 Feb 07, at 09:54, <auto400208 () hushmail com> wrote:
> > I am curious as to how one "automatically" logs on?
>
> Memorized passwords.
>
> Also, if a password is required for a subsidiary resource, the
> browser will ask the user for it. In IE, at least, a sequence like

> the one I describe below will pop up a series of password dialogs
> if
> the user attempts to cancel. Most users will eventually try typing

> in
> the correct password to try to make the password dialogs go away.
>
> > Also when you do reset or
> > change parameters in the router, does it not require a reboot of
> > the router (auto after you hit save), whereby your connection is
> > lost for x amount of time?
>
> Depends on the router. It doesn't really matter much, though -
> once the settings are saved the damage's been done.
>
> > Also not to mention find a method to cross domains into the
> routers
> > html, for each and every router out there.
>
> Try them all at once:
>
> <iframe src="http://192.168.0.1/csrf-for-one-router";></iframe>
> <iframe src="http://192.168.0.1/csrf-for-another-router";></iframe>
> <iframe src="http://192.168.0.1/csrf-for-a-third-router";></iframe>
> <iframe src="http://192.168.0.1/csrf-for-a-fourth-
> router"></iframe>
> ...
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkXaPacACgkQ8swcuoVgWHBFTgP/eD3Reb/8pgWMGrsgIR8wLPG/bKv6
J7bVvnJTNj7jD9fL+SXaWyf4zmgwh2KepFjDE9rh3hBWxPHWL6B2qHobVBbJEDKYEW8O
hDWB6KXUGCsLvemSKjCNJEel3qECXgQjMpNqHctlwQ5i119EfzBYEmuym6EpdNWQfcnv
8HAHcQQ=
=O0rH
-----END PGP SIGNATURE-----



--
Click for online loan, fast & no lender fee, approval today
http://tagline.hushmail.com/fc/CAaCXv1QXD1xzTKHDwpaS3VeSycenuZW/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/