[clug] Drive-By Pharming Attack Could Hit Home Networks
Kim Holburn
kim.holburn at gmail.com
Sat Feb 17 14:41:44 GMT 2007
On 2007/Feb/17, at 12:04 PM, Michael Cohen wrote:
> On Sat, Feb 17, 2007 at 11:10:01AM +0100, Kim Holburn wrote:
>> Steve Jenkins asked me to post this to clug. It is of interest
>> because it is a non-platform specific attack. ie it could
>> potentially work with a linux desktop client.
>>
>> The attack in the article relies on default passwords but I was
>> thinking about this and wondering how many people talk to their home
>> routers using their normal browser and have the password set to be
>> remembered in their browser. In that case an attack like this might
>> not even need the default password, it could get the browser to do
>> the work itself.
>
> Kim,
> That could normally not happen because the passwords etc. are stored in
> firefox's password manager. The attack relies on JS posting a link to a
> known URL with known parameters. Normally JS is unable to get at the
> password manager's store (it would be a vulnerability if it could). Also
> normally a piece of JS on a malicious web site can not access objects on
> a page downloaded from a different domain (again it's a vulnerability if
> it can). So a malicious JS can not access the username, password boxes on
> your router's page, even if it opened it and the password manager filled
> it in.
>
> That said, scarier things have happened.
If a javascript got the router interface opened in an invisible
iframe and somehow got an enter or a click to the iframe after the
password manager filled in the details?
> From a security point of view there is little exciting in the article -
> of course it's a novel way of putting things together, but in reality if
> you have a default password and configuration of your router the
> vulnerability is in you - not the browser. It's possible to do the same
> sort of things by sending a malicious word document, pdf or even a simple
> HTML email rendered in lookout (or sometimes called outlook). You don't
> need JS necessarily either, simply use img tags with the urls in the src
> attribute and anything that tries to render the images will reconfigure
> your router for you.
Hmmm... Ouch.
--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294 M: +39 3342707610
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
Democracy imposed from without is the severest form of tyranny.
-- Lloyd Biggle, Jr. Analog, Apr 1961
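
The img-tag point in the quoted reply, seen from the router's side, as an added example that is not part of the original thread: a request check for an admin interface that refuses state changes arriving by GET, from another site, or without a per-session token. The function names, the `csrf_token` field and all sample requests are constructed for illustration.

```python
import hmac
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def source_host(headers):
    """Host the request claims to come from: Origin first, then Referer."""
    for name in ("origin", "referer"):
        value = headers.get(name)
        if value:
            return urlsplit(value).netloc.lower()
    return None

def check_admin_request(method, headers, form, session_token, changes_state):
    """Return (allowed, reason) for one request to the admin interface."""
    if not changes_state:
        return True, "read-only"
    if method.upper() in SAFE_METHODS:
        # An <img src=...> or a followed link can only issue GET, so a
        # configuration change must never be reachable that way.
        return False, "state change via safe method"
    src = source_host(headers)
    if src is None or src != headers.get("host", "").lower():
        return False, "cross-site or unknown origin"
    # The token lives only in pages the router itself served, so another
    # site cannot read it (same-origin policy) and cannot replay it.
    sent = form.get("csrf_token", "")
    if not hmac.compare_digest(sent.encode(), session_token.encode()):
        return False, "bad csrf token"
    return True, "ok"

# Constructed sample requests: (method, headers, form fields, changes_state)
TOKEN = "constructed-session-token"
SAMPLES = {
    "img_get": ("GET", {"host": "192.168.1.1",
                        "referer": "http://mail.example/inbox"}, {}, True),
    "cross_post": ("POST", {"host": "192.168.1.1",
                            "origin": "http://site.example"},
                   {"dns": "203.0.113.5"}, True),
    "own_form": ("POST", {"host": "192.168.1.1",
                          "origin": "http://192.168.1.1"},
                 {"dns": "192.0.2.53", "csrf_token": TOKEN}, True),
    "status_page": ("GET", {"host": "192.168.1.1"}, {}, False),
}

def run_samples():
    return {name: check_admin_request(m, h, f, TOKEN, c)
            for name, (m, h, f, c) in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(name, verdict)
```

These checks hold even when the browser attaches remembered credentials on its own, because none of them depends on whether the request is authenticated.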