Text 12276, 110 rader
Skriven 2006-07-29 07:55:10 av /m (1:379/45)
Ärende: JavaScript opens doors to browser-based attacks
=======================================================
From: /m <mike@barkto.com>


http://news.com.com/2100-7349_3-6099891.html?tag=nefd.lede

===
Security researchers have found a way to use JavaScript to map a home or
corporate network and attack connected servers or devices, such as routers or
printers.

The malicious JavaScript can be embedded in a Web page and will run without
warning when the page is viewed in any ordinary browser, the researchers said.
It will bypass security measures such as a firewall because it runs through the
user's browser, they said.

"We have discovered a technique to scan a network, fingerprint all the
Web-enabled devices found and send attacks or commands to those devices," said
Billy Hoffman, lead engineer at Web security specialist SPI Dynamics. "This
technique can scan networks protected behind firewalls such as corporate
networks."

A successful attack could have significant impact. For example, it could scan
your home network, detect a router model and then send it commands to enable
wireless networking and turn off all encryption, Hoffman said. Or it could map
a corporate network and launch attacks against servers that will appear to come
from the inside, he said.

"Your browser can be used to hack internal networks," said Jeremiah Grossman
the chief technology officer at Web application security company WhiteHat
Security. Both SPI Dynamics and WhiteHat Security came up with the
JavaScript-based network scanner at about the same time, he said. The companies
plan to talk about their findings at next week's Black Hat security event in
Las Vegas.

JavaScript, AJAX and the Web
JavaScript has been around for about a decade. The scripting programming
language is used on Web sites and is increasingly popular in recent years
thanks to a programming technique known as AJAX--Asynchronous JavaScript and
XML--that makes sites more interactive. AJAX has its own share of security
pitfalls.

While malicious JavaScript has been possible for a long time, security
researchers have not focused much on it, said Fyodor Vaskovich, creator of the
popular Nmap network port scanning tool. Instead, bug hunters have been focused
on finding Web browser flaws that allow for a quicker and simpler PC hijack, he
said.

"There has been little motivation to explore side-channel attacks such as this
one," Vaskovich said. "But a key advantage of the SPI Dynamics vulnerability is
that it is difficult to fix without breaking many Web applications. So it may
be around for years to come."

There have been similar attempts to craft JavaScript-based network scanners,
but none as advanced as the SPI Dynamics example, Vaskovich said. "SPI Dynamics
deserves credit for a clever attack vector and a solid demonstration of the
issue. Their method of fingerprinting servers by checking for default image
paths and names is slick."

When run, the JavaScript first determines the internal network address of the
PC. Then, using standard JavaScript objects and commands, it starts scanning
the local network for Web servers. These can be computers that serve Web pages,
but they can also include routers, printers, IP phones and other networked
devices or applications that have a Web interface.

"Everything has a Web server these days," Grossman said.

Pings from the host
The JavaScript scanner determines whether there is a computer at an IP address
by sending a "ping" using JavaScript "image" objects. It then determines what
servers are running by looking for image files stored in standard places, the
traffic it receives back and the error messages it receives, according to a SPI
Dynamics paper.

A malicious JavaScript could be hosted on an attacker's site, but an attack
could also lurk on a trusted Web site by exploiting a common flaw known as
cross-site scripting. Big-name Web companies including Google, Microsoft and
eBay have had to plug such holes. Earlier this week AOL's Netscape.com fixed
such a flaw that let apparent fans of rival Digg.com plant JavaScript on the
Netscape Web site.

At BlackHat, Grossman is slated to demonstrate one attack. "We will be showing
off how to get the internal IP address, how to scan internal networks, how to
fingerprint and how to enter DSL routers," he said. "As we're attacking the
intranet using the browser, we're taking complete control over the browser."

There is little a PC user can do in terms of protection. The burden largely
rests on Web site developers to make sure their users and servers stay safe,
experts said. Some PC security software will detect malicious JavaScript, but
typically only after an attack has surfaced, because they rely on attack
signatures (the "fingerprint" of the threat) to block the attack.

"All our protection recommendations are server-side," Grossman said. Site
operators should fix cross-site scripting flaws and validate any user-submitted
JavaScript. "The users really are at the mercy of the Web sites they visit.
Users could turn off JavaScript, which really isn't a solution because so many
Web sites rely on it," he said.

Also, if you suspect something fishy is going on, surfing to a different Web
page or shutting down your browser will likely stop the JavaScript.

Attacks aren't widespread, Grossman said. "JavaScript malware is still
cutting-edge, and nobody really knows what you can do with it," he said. "Liken
it to the early days of an e-mail virus--that's where we're at now. I think
we're going to see (many) more attacks."
===

 /m

--- BBBS/NT v4.01 Flag-5
 * Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)