[dns-operations] Drive-by Pharming Threat (fwd)

Fergie fergdawg at netzero.net
Fri Feb 16 01:48:43 UTC 2007



I don't know -- I found this whole "report" somewhat dubious, if
not downright opportunist: hasn't this "vulnerability" basically
existed since, like, forever?

I write it off as marketing opportunism... among other things. :-)

- ferg



-- Gadi Evron <ge at linuxbox.org> wrote:


---------- Forwarded message ----------
Date: Thu, 15 Feb 2007 13:02:46 -0800
From: Zulfikar Ramzan <Zulfikar_Ramzan at symantec.com>
To: bugtraq at securityfocus.com
Subject: Drive-by Pharming Threat

We discovered a new potential threat that we term "Drive-by Pharming".  An
attacker can create a web page containing a simple piece of malicious
JavaScript code.  When the page is viewed, the code makes a login attempt
into the user's home broadband router and attempts to change its DNS server
settings (e.g., to point the user to an attacker-controlled DNS server).  
Once the user's machine receives the updated DNS settings from the router
(e.g., after the machine is rebooted), future DNS requests are made to and
resolved by the attacker's DNS server.

The main condition for the attack to be successful is that the attacker can
guess the router password (which can be very easy to do since these home
routers come with a default password that is uniform, well known, and often
never changed).  Note that the attack does not require the user to download
any malicious software - simply viewing a web page with the malicious
JavaScript code is enough.  

We've written proof of concept code that can successfully carry out the
steps of the attack on Linksys, D-Link, and NETGEAR home routers.  If users
change their home broadband router passwords to something difficult for an
attacker to guess, they are safe from this threat. 

Additional details on the attack can be found at: 
http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby
_pharming_how_clicking_1.html  

Thanks,

Zulfikar Ramzan


________________________________________

Zulfikar Ramzan
Sr. Principal Security Researcher
Advanced Threat Research
Symantec Corporation
www.symantec.com

 

[snip]



--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/
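The end state the forwarded advisory describes is a host whose resolvers, handed out by the router, now include an attacker-controlled DNS server. The following added check (example code, not from the post or from Symantec) parses a resolv.conf body and flags any nameserver outside an operator-supplied allowlist; the sample resolv.conf, the expected-resolver set and the 203.0.113.53 address are constructed for illustration.

```python
"""Flag unexpected DNS resolvers on a host, the outcome of a successful
DNS-settings change on the home router. Added example, not part of the
original post. Inputs below are constructed sample data."""
import ipaddress

# Constructed sample: what a host's resolv.conf might look like after the
# router started handing out an extra, attacker-chosen resolver via DHCP.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP from the home router
nameserver 192.168.1.1
nameserver 203.0.113.53
search home.lan
"""

# Assumption: the operator knows which resolvers are legitimate (the router's
# LAN address plus the ISP's resolvers). Anything else is reported.
EXPECTED_RESOLVERS = {"192.168.1.1", "198.51.100.10", "198.51.100.11"}


def parse_nameservers(text):
    """Return the nameserver addresses listed in a resolv.conf body,
    ignoring comments, blank lines and malformed addresses."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # not an IP address; skip rather than guess
    return servers


def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Return resolvers not in the allowlist, preserving order. A private or
    loopback address is reported too unless it is expected: a changed router
    LAN address is itself worth a look after a settings change."""
    return [s for s in servers if s not in expected]


def check_resolv_conf(text, expected=EXPECTED_RESOLVERS):
    """Parse then compare; returns the list of resolvers to investigate."""
    return unexpected_resolvers(parse_nameservers(text), expected)


if __name__ == "__main__":
    for addr in check_resolv_conf(SAMPLE_RESOLV_CONF):
        print(f"unexpected resolver: {addr}")
```

This only catches the case where the router hands the attacker's resolver to clients; if the router proxies DNS itself, the host sees only the router's LAN address and the router's own upstream DNS setting has to be checked instead.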



