[clug] Drive-By Pharming Attack Could Hit Home Networks

Kim Holburn kim.holburn at gmail.com
Sat Feb 17 14:41:44 GMT 2007 

On 2007/Feb/17, at 12:04 PM, Michael Cohen wrote:
> On Sat, Feb 17, 2007 at 11:10:01AM +0100, Kim Holburn wrote:
>> Steve Jenkins asked me to post this to clug.  It is of interest
>> because it is a non-platform specific attack.  ie it could
>> potentially work with a linux desktop client.
>>
>> The the attack in the article relies on default passwords but I was
>> thinking about this and wondering how many people talk to their home
>> routers using their normal browser and have the password set to be
>> remembered in their browser.  In that case an attack like this might
>> not even need the default password, it could get the browser to to
>> the work itself.
>
> Kim,
>   That could normally not happen because the passwords etc are  
> stored in
>   firefox's password manager. The attack relies on JS posting a  
> link to a known
>   URL with known parameters. Normally JS is unable to get at the  
> password
>   manager's store (it would be a vulnrability if it could). Also  
> normally a
>   piece of JS on a malicious web site can not access objects on a page
>   downloaded from a different domain (again its a vulnerability if  
> it can). So
>   a malicious JS can not access the username,password boxes on your  
> routers
>   page, even if it opened it and the password manager filled it in.
>
>   That said scarrier things have happened.

If a javascript got the router interface opened in an invisible  
iframe and somehow got an enter or a click to the iframe after the  
password manager filled in the details?

>   From a security point of view there is little exciting in the  
> article - of
>   course its a novel way of putting things together, but in reality  
> if you have
>   a default password and configuration of your router the  
> vulnerability is in
>   you - not the browser. Its possible to do same sort of things by  
> sending a
>   malicious word document, pdf or even a simple HTML email rendered  
> in lookout
>   (or sometime called outlook).  You dont need JS necessarily  
> either, simply
>   use img tags with the urls in the src attribute and anything that  
> tries to
>   render the images will reconfigure your router for you.

Hmmm...  Ouch.

--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294  M: +39 3342707610
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request

Democracy imposed from without is the severest form of tyranny.
                           -- Lloyd Biggle, Jr. Analog, Apr 1961

More information about the linux mailing list