Message-ID: <78206369ABE25F4BAFC3FBC8858B09D00243FAED@SVL1XCHCLUPIN01.enterprise.veritas.com>
Date: Thu, 15 Feb 2007 09:02:55 -0800
From: "Oliver Friedrichs" <oliver_friedrichs@...antec.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Drive-by Pharming

Everyone,

I'm posting this on behalf of Zulfikar Ramzan who isn't subscribed to
this list.

We discovered a new potential threat that we term "Drive-by Pharming".
An attacker can create a web page containing a simple piece of malicious
JavaScript code.  When the page is viewed, the code makes a login
attempt into the user's home broadband router and attempts to change its
DNS server settings (e.g., to point the user to an attacker-controlled
DNS server). Once the user's machine receives the updated DNS settings
from the router (e.g., after the machine is rebooted), future DNS requests
are made to and resolved by the attacker's DNS server.

The main condition for the attack to be successful is that the attacker
can guess the router password (which can be very easy to do since these
home routers come with a default password that is uniform, well known,
and often never changed).  Note that the attack does not require the
user to download any malicious software - simply viewing a web page with
the malicious JavaScript code is enough.  

We've written proof of concept code that can successfully carry out the
steps of the attack on Linksys, D-Link, and NETGEAR home routers.  If
users change their home broadband router passwords to something
difficult for an attacker to guess, they are safe from this threat. 

Additional details on the attack can be found at:
http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html

Oliver
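
One defensive check for the pattern described in the message above, as an added example that is not part of the original post: it scans proxy or browser request records for pages served from public hosts that trigger requests to private IPv4 addresses, such as a home router's admin interface. The record format, function names and sample data are assumptions constructed for illustration.

```javascript
// Flag requests that a public-origin page makes to private/local IPv4 hosts.
// IPv4 ranges not reachable from the Internet: [network, prefix length].
const PRIVATE_RANGES = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["127.0.0.0", 8], ["169.254.0.0", 16],
];

// Convert dotted-quad text to an unsigned 32-bit number, or null if not IPv4.
function ipv4ToInt(host) {
  const parts = host.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isPrivateHost(host) {
  if (host === "localhost") return true;
  const ip = ipv4ToInt(host);
  if (ip === null) return false; // a DNS name: resolving it is out of scope here
  return PRIVATE_RANGES.some(([net, bits]) => {
    const base = ipv4ToInt(net);
    return ip >= base && ip < base + 2 ** (32 - bits);
  });
}

// records: [{ initiator: URL of the page, request: URL the page made the browser load }]
function findCrossZoneRequests(records) {
  const alerts = [];
  for (const r of records) {
    let page, req;
    try { page = new URL(r.initiator); req = new URL(r.request); }
    catch { continue; } // skip unparsable records
    // URL() canonicalises hex/decimal IPv4 spellings to dotted-quad before the check.
    if (!isPrivateHost(page.hostname) && isPrivateHost(req.hostname)) {
      alerts.push({ page: page.origin, target: req.host, path: req.pathname });
    }
  }
  return alerts;
}

// Constructed sample records (hypothetical hosts, not from the original post).
const SAMPLE = [
  { initiator: "http://news.example/story.html", request: "http://cdn.example/app.js" },
  { initiator: "http://news.example/story.html", request: "http://192.168.1.1/settings" },
  { initiator: "http://192.168.1.1/index.html", request: "http://192.168.1.1/logo.gif" },
  { initiator: "http://blog.example/", request: "http://172.20.0.1/" },
];
```

Requests that name the router by a DNS name rather than an IP literal are not caught by this check, because it does no name resolution.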