DNS vulnerability

Valter Douglas Lisbôa Jr. douglas at trenix.com.br
Tue Jul 29 09:55:40 PDT 2008


On Tuesday 29 July 2008 10:51:41 Chris Buxton wrote:
> Some of what you missed was in a private conversation between Marty
> and me. Neither side was convinced.
> You can find good information about the exploit here:
> http://www.doxpara.com/
> Specifically, the blog post called "Details". The take-away is that an
> attacker, once successful, has changed the value of one single domain
> name to point to a different address. This doesn't by itself get him
> much. But combine that with:
> - Most people don't bother to type "https://" into their browsers.
> They let the "http://" website redirect them to "https://". What if
> the non-secure site never tells the browser to go to the secure site?
> Suddenly "http://www.paypal.com" leads to the attacker's look-alike
> site, which then conducts a simple man-in-the-middle attack. Organized
> crime has been conducting these attacks using other vectors for
> several years now - it's called "pharming". But this vector is much,
> much easier to use.
> - Mail delivery. 'nuff said.
> - Search engines. Suddenly you're searching using the bad guy's
> engine. He can do whatever he wants to your searches.
> There is no browser bug or XSS bug directly involved in the exploit.
> However, nothing says that the attacker can't continue on to that kind
> of thing (trying to plant malware on your machine, for example) once
> you're using his fake version of Google.
> Chris Buxton
> Professional Services
> Men & Mice

Valter Douglas Lisbôa Jr.
Trenix - IT Solutions
"Our Ideas, your Solutions!"
contato at trenix.com.br
Tel. +55 19 3402.2957
Cel. +55 19 9183.4244
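
The first point in the quoted message (browsers reaching "https://" only through a redirect from "http://") can be checked from the site operator's side. The following is an added example, not part of the original thread: it parses constructed HTTP responses and reports whether visitors still depend on the plaintext redirect. The Strict-Transport-Security header (RFC 6797) is a mitigation the message does not mention, and the host name, the sample responses and the 180-day threshold are assumptions.

```python
import re

# Constructed sample responses (not captured traffic); www.example.test is a placeholder.
PLAIN_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.test/\r\n\r\n"
HTTPS_NO_HSTS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
HTTPS_HSTS = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n"
MIN_AGE = 15552000  # assumption: treat anything under 180 days as too short


def parse_response(raw):
    """Split a raw HTTP response head into (status_code, {lowercased header: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or 0 if the header is absent or malformed."""
    value = headers.get("strict-transport-security", "")
    match = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    return int(match.group(1)) if match else 0


def audit(http_raw, https_raw):
    """Report whether reaching the HTTPS site depends on the plaintext redirect.

    Only the HTTPS response is inspected for HSTS: browsers ignore that header
    when it arrives over plain HTTP, where a spoofed server could set it.
    """
    status, headers = parse_response(http_raw)
    upgrades = (status in (301, 302, 303, 307, 308)
                and headers.get("location", "").lower().startswith("https://"))
    _, tls_headers = parse_response(https_raw)
    age = hsts_max_age(tls_headers)
    return {
        "plain_http_upgrades": upgrades,
        "hsts_max_age": age,
        # Without a long-lived HSTS policy every visit starts on http:// and
        # trusts whichever server the (possibly poisoned) DNS answer points to.
        "depends_on_plain_redirect": age < MIN_AGE,
    }


if __name__ == "__main__":
    print(audit(PLAIN_HTTP, HTTPS_NO_HSTS))
    print(audit(PLAIN_HTTP, HTTPS_HSTS))
```

Even with the policy in place, a browser's first visit to a host that is not preloaded still starts on http://.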

More information about the hlfs-dev mailing list