Forums » Up and Running » Security » Security » Article on JavaSCRIPT based attacks
EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage


1 edit
 Article on JavaSCRIPT based attacks

Below is a link to a nice article that reports on some newer developments in Java exploits. Being able to "walk through the firewall" to the intranet, map and analyse the network and devices is a significant advantage for serious hackers of valuable networks. Gaining control of a browser within the network offers additional benefits to those seeking to control devices or capture information.

The success of this kind of exploit depends on the browser configuration and activity of users within the intranet, and gives more reason to log and analyse user browsing and to restrict function and access to untrusted sites.

said by article:

While malicious JavaScript has been possible for a long time, security researchers have not focused much on it, said Fyodor Vaskovich, creator of the popular Nmap network port scanning tool. Instead, bug hunters have been focused on finding Web browser flaws that allow for a quicker and simpler PC hijack, he said.
"There has been little motivation to explore side-channel attacks such as this one," Vaskovich said. "But a key advantage of the SPI Dynamics vulnerability is that it is difficult to fix without breaking many Web applications. So it may be around for years to come."
Article link:

»www.zdnetasia.com/news/security/···9000005c
--
1, 2, 3, 4, 5, Whoop, BOING! Flippo the Clown, 1927-2006


SpannerITWks
Premium
join:2005-04-22

1 edit
Re: Article on Java based attacks

Yes, let's lose Java too! Except this is about JS.

Well, what do you know, even more good news about JavaScript, not!

Thanx for the link etc.

Spanner


sybille
Not only "just visiting"
Premium
join:2004-04-06
France

reply to EGeezer
EGeezer, that article seems to be a reprint of the article being discussed here: »CSS beats JS 4 safer website design !

»www.zdnetasia.com/news/security/···4,00.htm
(your link is to the printer-friendly version)
»news.com.com/JavaScript+opens+do···ubj=news

And I believe the article is about javascript rather than java?


javaMan
Premium,MVM
join:2002-07-15
San Luis Obispo, CA

reply to EGeezer
I think it's important to make the distinction that the article is about JavaScript not Java. They are completely different animals.
--
Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20


EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage

reply to sybille
Leave it to my compatriots to nudge me in the right direction. Thanks for the corrections (javaMan too!).

Note topic subject changed to reflect reality.

I hope that here or in the other topic, the possibilities and uses of the scripting to compromise routers and other devices from behind the wall is discussed.

Lock OK if that's deemed best.
--
1, 2, 3, 4, 5, Whoop, BOING! Flippo the Clown, 1927-2006


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
Murfreesboro, TN
·Vonage
·AT&T Southeast
·Cingular Wireless
·AT&T CallVantage


1 edit
reply to EGeezer
Re: Article on JavaSCRIPT based attacks

A "proof of concept" for this "exploit" is available for testing at: »www.spidynamics.com/spilabs/educ···can.html

This seems to be mostly FUD designed to sell "protection". The only "proof of concept" I saw was a belief that "there is another one born every minute".
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.


hpguru
Curb Your Dogma
Premium
join:2002-04-12

reply to EGeezer
Well, as I said in the locked thread, users already have sufficient tools to protect against malicious scripts. Those who make use of them will be safe; those who do not have only themselves to blame.
--
Get hpHOSTS!
Peace, Propaganda & The Promised Land


EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage


3 edits
reply to NetFixer
I'm aware that the article was largely from a vendor. However, I don't perceive Fyodor as a FUD monger, and I feel his observation and concern have merit. That's why I quoted him from the article.

What I'm hoping to see in this thread is not yet another flame war on platforms, but rather some discussion on the possibilities, high-level methods and considerations for using JavaScript as a tool for network mapping and subsequent penetration of the devices and systems behind the wall.

With that in mind, in the words of Frazier Crane, "Go ahead - I'm listening".

If all we're going to see are repeats of the locked thread, I'll Hey Mod to lock this one too and save everyone the trouble of typing.
--
1, 2, 3, 4, 5, Whoop, BOING! Flippo the Clown, 1927-2006


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
Murfreesboro, TN
·Vonage
·AT&T Southeast
·Cingular Wireless
·AT&T CallVantage

I was not trying to flame anyone, I just actually looked at the published "proof of concept" code and I don't see any stealth JavaScript threat in the published code. Perhaps the author has found an additional vulnerability but has not yet published it, but there is no credible threat in the code that was actually published.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.


salzan
Experienced Optimist
Premium
join:2004-01-08
WA State

reply to EGeezer
I gave it an exact IP and it correctly reported that there is an Apache Webserver there. But what does that prove? Not much to do with a router attack...

The whole thing reminds me of the trick that shows the horrified user the contents of their "C" drive.
--
A silver bullet without a gun is just a fancy rock.


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
Murfreesboro, TN
·Vonage
·AT&T Southeast
·Cingular Wireless
·AT&T CallVantage


1 edit
Yes, and you had to manually input the IP address. That is not a JavaScript vulnerability; that is a classic end-user vulnerability of the type that real and cyber scammers have exploited for thousands of years.

EDIT: Put the word real into bold type to alleviate the confusion factor.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.


javaMan
Premium,MVM
join:2002-07-15
San Luis Obispo, CA

said by NetFixer:

Yes, and you had to manually input the IP address. That is not a JavaScript vulnerability; that is a classic end-user vulnerability of the type that real and cyber scammers have exploited for thousands of years.
Well, at least the last 10 or 15 anyway.
--
Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20


hpguru
Curb Your Dogma
Premium
join:2002-04-12

reply to NetFixer
When I first tested this it didn't work, and I still have yet to find the time to analyze it. In my case it didn't work because it tried to connect via my Proxomitron proxy, which didn't understand the requests. Taking Proxo out of the mix helped. The script was able to detect the host it was running on (duh!) and might have detected the other host on my LAN if the firewall on that machine hadn't dropped the (HTTP) packets. For the same reason it was unable to detect my cable modem or router, because I block local HTTP access to those.

I should add that Proxo foobarred the attempt to access my network while it was in bypass mode. I use white-listing to decide which sites can run JS so apart from adding the POC site to the list the only way to test it was to bypass Proxo.
--
Get hpHOSTS!
Peace, Propaganda & The Promised Land


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
Murfreesboro, TN
·Vonage
·AT&T Southeast
·Cingular Wireless
·AT&T CallVantage

reply to javaMan
said by javaMan:

said by NetFixer:

Yes, and you had to manually input the IP address. That is not a JavaScript vulnerability; that is a classic end-user vulnerability of the type that real and cyber scammers have exploited for thousands of years.
Well, at least the last 10 or 15 anyway.
I assume you mean 10 or 15 thousand years, because there have been scam artists since before the beginning of recorded history.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.


javaMan
Premium,MVM
join:2002-07-15
San Luis Obispo, CA


1 edit
said by NetFixer:

said by javaMan:

said by NetFixer:

Yes, and you had to manually input the IP address. That is not a JavaScript vulnerability; that is a classic end-user vulnerability of the type that real and cyber scammers have exploited for thousands of years.
Well, at least the last 10 or 15 anyway.
I assume you mean 10 or 15 thousand years, because there have been scam artists since before the beginning of recorded history.
Sorry, I thought you were referring exclusively to computer scams since you referred to cyber scammers.
--
Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
Murfreesboro, TN
·Vonage
·AT&T Southeast
·Cingular Wireless
·AT&T CallVantage

reply to EGeezer
I just noticed that the title of the SPI Labs article is "Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript".

JavaScript has different privileges when operating on the same domain, which the word Intranet would imply. However, the actual SPI Labs article mostly talks about Internet access.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.


EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage

said by NetFixer:

JavaScript has different privileges when operating on the same domain, which the word Intranet would imply. However, the actual SPI Labs article mostly talks about Internet access.
Now you're starting to get where I'm hoping to see some technical discussion (I've already seen the nontechnical opinions and generalised statements).

I work in intranets, including but not limited to Windows domains, which have ever-increasing business needs for VPNs, road-warrior access, "bring-in" PCs of mobile workers, as well as internal applications with browser interfaces that require JavaScript to be enabled.

We are looking for the exposures that may be implied by this admittedly basic proof of concept. As for "Just say no" to JavaScript, don't tell me to tell some of my customers to disable JavaScript; when a customer has $50-100K in, for example, a critical document workflow implementation requiring JS-enabled browsers, throwing that out the window is not a real-world option.

I can envision a JS-based "Nmap-like" function that could be quite useful to a skilled hacker in fingerprinting devices, patch levels, OSs, etc. I think that's what Fyodor is thinking about. No, not the script kiddie or automated malware, but skilled, determined hackers implementing the concept as part of a process of discovery, penetration and malicious access of specifically targeted high-value systems.

If I'm lucky, some of the enterprise, academic or government network or secaudit people will stop by and brainstorm. If not, well, I tried.
--
1, 2, 3, 4, 5, Whoop, BOING! Flippo the Clown, 1927-2006


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
Murfreesboro, TN
·Vonage
·AT&T Southeast
·Cingular Wireless
·AT&T CallVantage


1 edit
Have you actually looked at the "proof of concept" on the SPI Labs site?

Even when browser-based JavaScript code is executed on the same domain, there is no magical way to increase the access privilege to root or administrator for a non-administrator/root user. There is also no way with browser-based JavaScript to give that client access to network resources that are not otherwise available, and I see nothing in the published "proof of concept" code that says or does otherwise.

I too, would like to hear from someone who can demonstrate that this magical exploit exists.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.


javaMan
Premium,MVM
join:2002-07-15
San Luis Obispo, CA


2 edits
I agree. After reading the SPI article I didn't see anything in it that is cause for any concern, especially as it was quite vague on exactly how the more serious intrusions might be accomplished. They have a proof of concept that relies on information inferred from returned errors from the img object; no wonder it only works with a couple of servers. That doesn't prove or even imply, for example, that there is going to be some way for JavaScript to send commands to disable a wireless network. That stretches the bounds of credibility, and unless they can provide more evidence than they have so far I will remain unimpressed by their "discovery." There are certainly ways to do what they claim, but not simply with XSS and JavaScript, and that has always been the case.

In fact, they don't need to go to all that trouble. If they send me an email I'll be glad to tell them what server and router I'm using for all the good it will do them. There is no JavaScript that will be able to exploit that information which I believe is their contention.
--
Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20


SnowyOne
Premium
join:2003-04-05
Kailua, HI
·RoadRunner Cable
·Clearwire Wireless

If it's this part of the .js that's identifying the OS, it's not much to write home about.
// Define our signatures table: [probe path, [expected image width, height], server it identifies]
this.signatures = [
    ["/pagerror.gif", [36, 48], "Microsoft IIS"],
    ["/icons/c.gif",  [20, 22], "Apache"]
];
this.currSignature = 0; // index of the signature currently being tested
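The two probe paths in that table are also visible from the server side. As an added example (not from the thread, SPI Labs or the PoC), the Python below scans Apache combined-format access-log lines for requests to those paths whose Referer names a host outside the intranet, which is how a browser rendering an external page fetches them; the log lines, IPs and host names are constructed.

```python
import re
from urllib.parse import urlsplit

# Probe paths and the server each one fingerprints, from the signature table quoted above.
PROBE_PATHS = {"/pagerror.gif": "Microsoft IIS", "/icons/c.gif": "Apache"}
# Hosts whose own pages legitimately reference these images (assumed intranet name).
TRUSTED_HOSTS = {"intranet.example.local"}

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines: a user at 10.0.0.23 first views an internal page, then
# visits an external page that embeds both probe images pointing at this Apache server.
LOG_LINES = [
    '10.0.0.23 - - [09/Dec/2006:04:04:18 +0000] "GET /icons/c.gif HTTP/1.1" 200 1234 '
    '"http://intranet.example.local/docs/" "Mozilla/5.0"',
    '10.0.0.23 - - [09/Dec/2006:04:04:19 +0000] "GET /icons/c.gif HTTP/1.1" 200 1234 '
    '"http://external.example/scan.html" "Mozilla/5.0"',
    '10.0.0.23 - - [09/Dec/2006:04:04:19 +0000] "GET /pagerror.gif HTTP/1.1" 404 512 '
    '"http://external.example/scan.html" "Mozilla/5.0"',
    '10.0.0.44 - - [09/Dec/2006:04:05:00 +0000] "GET /index.html HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
]


def find_probe_requests(lines, trusted_hosts=TRUSTED_HOSTS):
    """Return probe-path requests whose Referer names a host outside trusted_hosts."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        path = urlsplit(m["path"]).path
        if path not in PROBE_PATHS:
            continue
        # A missing Referer ("-") is inconclusive: a direct fetch, or a proxy stripped it.
        ref_host = urlsplit(m["referer"]).hostname if m["referer"] != "-" else None
        if ref_host is None or ref_host in trusted_hosts:
            continue
        hits.append({"client": m["ip"], "path": path, "status": int(m["status"]),
                     "probed_for": PROBE_PATHS[path], "referer_host": ref_host})
    return hits


def clients_probed(hits):
    """Group hits per client; one browser touching several probe paths is the scan pattern."""
    by_client = {}
    for h in hits:
        by_client.setdefault(h["client"], set()).add(h["probed_for"])
    return by_client
```

The 404 for /pagerror.gif is as informative to the scanning page as the 200 for /icons/c.gif, so both status codes are kept in the hits rather than filtering on success.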
over 10 years online! © 1999-2009 dslreports.com.