Drive-by Pharming Threat

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Drive-by Pharming Threat
From: "Zulfikar Ramzan" <Zulfikar_Ramzan@xxxxxxxxxxxx>
Date: Thu, 15 Feb 2007 13:02:46 -0800
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AcdRRKReFkLSA2csR6eDUwi9IV/h6g==
Thread-topic: Drive-by Pharming Threat

We discovered a new potential threat that we term "Drive-by Pharming". An
attacker can create a web page containing a simple piece of malicious
JavaScript code. When the page is viewed, the code makes a login attempt into
the user's home broadband router and attempts to change its DNS server settings
(e.g., to point the user to an attacker-controlled DNS server). Once the
user's machine receives the updated DNS settings from the router (e.g., after
the machine is rebooted) future DNS request are made to and resolved by the
attacker's DNS server.

The main condition for the attack to be successful is that the attacker can
guess the router password (which can be very easy to do since these home
routers come with a default password that is uniform, well known, and often
never changed). Note that the attack does not require the user to download any
malicious software - simply viewing a web page with the malicious JavaScript
code is enough.

We've written proof of concept code that can successfully carry out the steps
of the attack on Linksys, D-Link, and NETGEAR home routers. If users change
their home broadband router passwords to something difficult for an attacker to
guess, they are safe from this threat.

Additional details on the attack can be found at:
http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html

Thanks,

Zulfikar Ramzan

________________________________________

Zulfikar Ramzan
Sr. Principal Security Researcher
Advanced Threat Research
Symantec Corporation
www.symantec.com
-----------------------------------------------------
-----------------------------------------------------
This message (including any attachments) is intended only for the use of the
individual or entity to which it is addressed and may contain information that
is non-public, proprietary, privileged, confidential, and exempt from
disclosure under applicable law or may constitute as attorney work product. If
you are not the intended recipient, you are hereby notified that any use,
dissemination, distribution, or copying of this communication is strictly
prohibited. If you have received this communication in error, notify us
immediately by telephone and (i) destroy this message if a facsimile or (ii)
delete this message immediately if this is an electronic communication. Thank
you.

Follow-Ups:
- Re: Drive-by Pharming Threat
  - From: Mark Senior

Prev by Date: Re: Apache Multiple Injection Vulnerabilities
Next by Date: [USN-422-1] ImageMagick vulnerabilities
Previous by thread: MSN redirect Bug
Next by thread: Re: Drive-by Pharming Threat
Index(es):
- Date
- Thread