Full Disclosure mailing list archives

Re: Drive-by Pharming Threat


From: <auto400208 () hushmail com>
Date: Mon, 19 Feb 2007 19:19:37 -0500

Thanks.

I'm sure there are many ways to achieve each step separately (see
my reply to Andrew), but to build each and everything into a
functional "drive by" attack seems far-fetched. Your details below
add even more hurdles IMO. You'll be building a monster
all-encompassing browser, version, plus router mega exploit. Unless
the first two I mention to Andrew can be overcome easily. This is
all very far from a "drive by" vuln.

On Mon, 19 Feb 2007 16:23:29 -0500 Martin Johns
<martin.johns () gmail com> wrote:
On 2/19/07, auto400208 () hushmail com <auto400208 () hushmail com> wrote:
I am curious as to how one "automatically" logs on?

There are several potential methods (depending on the victim's
browser):
1) Older versions of Flash allow the spoofing of arbitrary http
headers [1] thus allowing the creation of attacker controlled
Authorization-headers.
2) Firefox does not display http-authentication warnings if the http
request was generated by the browser's link-prefetch mechanism [2].
3) An anti-DNS-pinning attack [3] can be executed to break the
same-origin policy. Then the low-level socket functions of either
Flash (all browsers) [4] or Java (Firefox and Opera) [5] could be
employed to create arbitrary http requests.

[1] http://www.securityfocus.com/archive/1/441014/30/0/threaded
[2] http://blog.php-security.org/archives/56-Bruteforcing-HTTP-Auth-in-Firefox-with-JavaScript.html
[3] http://shampoo.antville.org/stories/1451301/
[4] http://www.jumperz.net/index.php?i=2&a=1&b=8
[5] http://shampoo.antville.org/stories/1566124/

--
Martin Johns
http://shampoo.antville.org




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

