Re: [Full-disclosure] Drive-by Pharming Threat



auto400208@xxxxxxxxxxxx wrote:
> I am curious as to how one "automatically" logs on?
>
> 1. Internet Explorer disallows username:pass@http://192.168.1.0
> 2. Opera has a very clear warning that you are logging on
> 3. Firefox has a very clear warning that you are logging on
>
> Are there any other methods to log on without any warning? If so
> does it work with Internet Explorer? Also when you do reset or
> change parameters in the router, does it not require a reboot of
> the router (auto after you hit save), whereby your connection is
> lost for x amount of time?


I did not test that, but I think some routers use HTML forms to log in to
the admin panel. In this case, you should be able to use CSRF with AJAX XHR
objects, or simple JavaScript to auto-submit the form. Once the browser is
logged in, it could use the same process and submit forms to change
configuration settings such as DNS servers (for this attack) and more.

Regards,

Jeremy Saintot

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
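
The defensive counterpart to the forged form submissions discussed in this message, as an added example that is not part of the original post or any router vendor's code: a server-side check an admin panel could apply to both its login and its settings POSTs. The allowed origins, the `csrf_token` field name and the sample requests are assumptions constructed for illustration.

```python
import hmac
from urllib.parse import urlsplit

# Assumed for illustration: the origins under which the router serves its own UI.
ALLOWED_ORIGINS = {"http://192.168.1.1", "http://router.lan"}
STATE_CHANGING = {"POST", "PUT", "DELETE"}

def origin_of(url):
    """Reduce an Origin or Referer value to scheme://host[:port], or None."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None  # covers the literal "null" origin and malformed values
    return f"{parts.scheme}://{parts.netloc}".lower()

def check_admin_request(method, headers, form, session_token):
    """Return (allowed, reason) for one request to the admin panel."""
    if method.upper() not in STATE_CHANGING:
        return True, "read-only request"
    # 1. The request must come from a page the router itself served.
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        return False, "no Origin/Referer on state-changing request"
    if origin_of(source) not in ALLOWED_ORIGINS:
        return False, "cross-site origin"
    # 2. The form must carry the token bound to this browser session
    #    (a pre-login session in the case of the login form).
    sent = form.get("csrf_token", "")
    if not session_token or not hmac.compare_digest(
            sent.encode(), session_token.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"

# Constructed sample requests (documentation addresses, hypothetical hosts).
TOKEN = "constructed-session-token-1234"
SAMPLES = [
    ("own UI", "POST", {"Origin": "http://192.168.1.1"},
     {"dns1": "192.0.2.53", "csrf_token": TOKEN}),
    ("cross-site form", "POST", {"Origin": "http://other-site.example"},
     {"dns1": "203.0.113.7"}),
    ("no token", "POST", {"Referer": "http://192.168.1.1/dns.html"},
     {"dns1": "203.0.113.7"}),
    ("no headers", "POST", {}, {"dns1": "203.0.113.7"}),
    ("status page", "GET", {}, {}),
]

def run_samples():
    return {n: check_admin_request(m, h, f, TOKEN) for n, m, h, f in SAMPLES}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:16} {verdict}")
```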


