[clug] Drive-By Pharming Attack Could Hit Home Networks

Michael Cohen michael.cohen at netspeed.com.au
Sat Feb 17 11:04:59 GMT 2007


On Sat, Feb 17, 2007 at 11:10:01AM +0100, Kim Holburn wrote:
> Steve Jenkins asked me to post this to clug.  It is of interest
> because it is a non-platform specific attack.  i.e. it could
> potentially work with a linux desktop client.
> 
> The attack in the article relies on default passwords but I was
> thinking about this and wondering how many people talk to their home
> routers using their normal browser and have the password set to be
> remembered in their browser.  In that case an attack like this might
> not even need the default password, it could get the browser to do
> the work itself.

Kim,
  That could normally not happen because the passwords etc. are stored in
  Firefox's password manager. The attack relies on JS posting a link to a known
  URL with known parameters. Normally JS is unable to get at the password
  manager's store (it would be a vulnerability if it could). Also normally a
  piece of JS on a malicious web site cannot access objects on a page
  downloaded from a different domain (again it's a vulnerability if it can). So
  a malicious JS cannot access the username, password boxes on your router's
  page, even if it opened it and the password manager filled it in.

  That said, scarier things have happened.

  From a security point of view there is little exciting in the article - of
  course it's a novel way of putting things together, but in reality if you have
  a default password and configuration of your router the vulnerability is in
  you - not the browser. It's possible to do the same sort of things by sending a
  malicious Word document, PDF or even a simple HTML email rendered in lookout
  (or sometimes called Outlook).  You don't need JS necessarily either, simply
  use img tags with the URLs in the src attribute and anything that tries to
  render the images will reconfigure your router for you.

  Michael.
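
The img-tag variant described in the message above can be checked for before mail or web content is rendered. The following is an added example, not part of the original post: it flags tags whose URL attributes point at literal private, loopback or link-local addresses. The function names, the sample HTML and its paths are constructed for illustration, and hostnames are not resolved.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes a renderer fetches on its own (src, background) or that a
# script can submit without user input (form action).
URL_ATTRS = {"src", "background", "action"}

def is_internal_host(host):
    """True for literal private, loopback or link-local IP addresses."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname; this offline check does not resolve names
    return ip.is_private or ip.is_loopback or ip.is_link_local

class InternalRequestFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url, has_query) tuples

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            try:
                parts = urlsplit(value.strip())
            except ValueError:
                continue  # malformed URL, nothing a renderer could fetch
            if parts.hostname and is_internal_host(parts.hostname):
                self.findings.append((tag, name, value, bool(parts.query)))

def find_internal_requests(html):
    finder = InternalRequestFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: an HTML mail body with one external image and two
# references to internal addresses (paths and parameters are placeholders).
SAMPLE = """<html><body><p>Hello</p>
<img src="http://example.org/logo.png">
<img src="http://192.168.1.1/apply?setting=value" width="1" height="1">
<form action="http://10.0.0.1/config" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url, has_query in find_internal_requests(SAMPLE):
        print(f"{tag} {attr}={url} carries_parameters={has_query}")
```

A hit with a query string on an image tag is the stronger signal, since images have no reason to carry configuration parameters to an internal address.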

