All your base are belong to us

Discussion in 'NZ Computing' started by Shane, Jul 29, 2006.

  1. Shane

    Shane Guest

    http://news.zdnet.com/2100-1009_22-6099891.html?tag=nl.e589

    Security researchers have found a way to use JavaScript to map a home or
    corporate network and attack connected servers or devices, such as printers
    or routers.

    The malicious JavaScript can be embedded in a Web page and will run without
    warning when the page is viewed in any ordinary browser, the researchers
    said. It will bypass security measures such as a firewall because it runs
    through the user's browser, they said.

    "We have discovered a technique to scan a network, fingerprint all the
    Web-enabled devices found and send attacks or commands to those devices,"
    said Billy Hoffman, lead engineer at Web security specialist SPI
    Dynamics. "This technique can scan networks protected behind firewalls such
    as corporate networks."




    If I'm reading this properly, it's any browser, any OS, and the attack vector
    can come from 'trusted' websites (XSS anyone?)
    Good old JavaScript :)
    For those who don't read the page..
    This vulnerability will affect home users (an attack has been mentioned
    where the home user's wireless encryption, for example, could be turned off)
    This attack will affect corporate users (an outside attacker will be
    attacking your network from the inside)
    The saving grace,

    "All our protection recommendations are server-side," Grossman said. Site
    operators should fix cross-site scripting flaws and validate any
    user-submitted JavaScript. "The users really are at the mercy of the Web
    sites they visit. Users could turn off JavaScript, which really isn't a
    solution because so many Web sites rely on it," he said.

    Also, if you suspect something fishy is going on, surfing to a different Web
    page or shutting down your browser will likely stop the JavaScript.


    There's a POC on the researchers' site
    http://www.spidynamics.com/spilabs/education/articles/JS-portscan.html


    I ran it on my box ([K]ubuntu dapper Mozilla Firefox 1.5.0.1, Copyright (c)
    1998 - 2006 mozilla.org)
    It found slackers webserver (localhost), but didn't find my DMZ webserver. I
    will reconf my LAN and retest later.
    It also produced multiple false positives
    (claiming hosts exist that don't).
    This is early days, and I don't foresee things getting any easier for admins.

    --
    Rule 6: There is no rule 6

    Blog: http://shanes.dyndns.org
     
    Shane, Jul 29, 2006
    #1

  2. Shane

    -=rjh=- Guest

    Shane wrote:
    > http://news.zdnet.com/2100-1009_22-6099891.html?tag=nl.e589
    >
    > Security researchers have found a way to use JavaScript to map a home or
    > corporate network and attack connected servers or devices, such as printers
    > or routers.
    >
    > The malicious JavaScript can be embedded in a Web page and will run without
    > warning when the page is viewed in any ordinary browser, the researchers
    > said. It will bypass security measures such as a firewall because it runs
    > through the user's browser, they said.
    >
    > "We have discovered a technique to scan a network, fingerprint all the
    > Web-enabled devices found and send attacks or commands to those devices,"
    > said Billy Hoffman, lead engineer at Web security specialist SPI
    > Dynamics. "This technique can scan networks protected behind firewalls such
    > as corporate networks."
    >
    >
    >
    >
    > If I'm reading this properly, it's any browser, any OS, and the attack vector
    > can come from 'trusted' websites (XSS anyone?)
    > Good old JavaScript :)
    > For those who don't read the page..
    > This vulnerability will affect home users (an attack has been mentioned
    > where the home user's wireless encryption, for example, could be turned off)
    > This attack will affect corporate users (an outside attacker will be
    > attacking your network from the inside)


    How is this different from much malware (apart from the difference of
    running in a trusted browser)?


    > The saving grace,
    >
    > "All our protection recommendations are server-side," Grossman said.


    I must be missing something here, because that ignores the issue of
    visiting "untrustworthy" websites (which will be websites built by
    anyone who doesn't know exactly what they are doing, as well as
    malicious websites) and also ignores the inclusion of the JS attack by
    email.


    Site
    > operators should fix cross-site scripting flaws and validate any
    > user-submitted JavaScript. "The users really are at the mercy of the Web
    > sites they visit. Users could turn off JavaScript, which really isn't a
    > solution because so many Web sites rely on it," he said.
    >


    I really hope this doesn't turn people away from js,
    as it is really quite amazing what is being done with js at present.


    > Also, if you suspect something fishy is going on, surfing to a different Web
    > page or shutting down your browser will likely stop the JavaScript.
    >
    >
    > There's a POC on the researchers' site
    > http://www.spidynamics.com/spilabs/education/articles/JS-portscan.html
    >
    >
    > I ran it on my box ([K]ubuntu dapper Mozilla Firefox 1.5.0.1, Copyright (c)
    > 1998 - 2006 mozilla.org)
    > It found slackers webserver (localhost), but didn't find my DMZ webserver. I
    > will reconf my LAN and retest later.
    > It also produced multiple false positives


    same here - about 50%

    Did correctly identify apache on my CentOS box, also brought up the
    login dialog for my ADSL router. Wonder if passwords saved by a web
    browser are available to jscript?


    > (claiming hosts exist that don't).
    > This is early days, and I don't foresee things getting any easier for admins.
    >
     
    -=rjh=-, Jul 30, 2006
    #2

  3. In <eagnbo$8dc$> Shane wrote:
    > http://news.zdnet.com/2100-1009_22-6099891.html?tag=nl.e589
    >
    > I ran it on my box ([K]ubuntu dapper Mozilla Firefox 1.5.0.1,
    > Copyright (c) 1998 - 2006 mozilla.org) It found slackers webserver (
    > localhost), but didn't find my DMZ webserver. I will reconf my LAN and
    > retest later. It also produced multiple false positives (claiming
    > hosts exist that don't). This is early days, and I don't foresee things
    > getting any easier for admins.


    According to the test my Mac and Apple router are both running Microsoft
    IIS webserver. Who knew?

    --
    * Roger Johnstone, Invercargill, New Zealand -> http://roger.geek.nz
    * PS/2 Mouse Adapter for vintage Apple II or Mac
    * SCART RGB cable for Apple IIGS
     
    Roger Johnstone, Jul 30, 2006
    #3
  4. Shane

    Shane Guest

    -=rjh=- wrote:

    > Shane wrote:
    >> http://news.zdnet.com/2100-1009_22-6099891.html?tag=nl.e589


    >> If I'm reading this properly, it's any browser, any OS, and the attack
    >> vector can come from 'trusted' websites (XSS anyone?)
    >> Good old JavaScript :)
    >> For those who don't read the page..
    >> This vulnerability will affect home users (an attack has been mentioned
    >> where the home user's wireless encryption, for example, could be turned off)
    >> This attack will affect corporate users (an outside attacker will be
    >> attacking your network from the inside)

    >
    > How is this different from much malware (apart from the difference of
    > running in a trusted browser)?
    >
    >


    The flexibility this attack offers.
    It appears to me that, combined with your email suggestion, a targeted
    attack could be launched, whereby an email is sent to accounts (or someone
    in there) with JavaScript designed to, for example, make out a cheque to an
    anonymous company with accounts held in Liberia.

    Ye olde standard attack is also possible: the JavaScript could be made to
    download something more persistent.
    <troll> Some browsers run code with administrator privileges .. need I say
    more</troll>

    The magnitude of the issue (perhaps more than normal) is limited only by the
    imagination of the attacker.

    >> The saving grace,
    >>
    >> "All our protection recommendations are server-side," Grossman said.

    >
    > I must be missing something here, because that ignores the issue of
    > visiting "untrustworthy" websites (which will be websites built by
    > anyone who doesn't know exactly what they are doing, as well as
    > malicious websites) and also ignores the inclusion of the JS attack by
    > email.



    Big-name Web companies including Google, Microsoft and eBay have had to plug
    such holes. Earlier this week AOL's Netscape.com fixed such a flaw that let
    apparent fans of rival Digg.com plant JavaScript on the Netscape Web site.

    It's just my opinion, but I'd bet those companies should have a fair idea
    about what they were doing (or rather *should* have).

    Email is yet another vector to be wary of.

    Untrustworthy sites are always an issue, usually dealt with at the corporate
    firewall. Trustworthy sites present more of an issue, because the admins
    are now faced with the possibility of shutting off port 80 altogether
    (in this day and age, almost unworkable)

    > Site
    >> operators should fix cross-site scripting flaws and validate any
    >> user-submitted JavaScript. "The users really are at the mercy of the Web
    >> sites they visit. Users could turn off JavaScript, which really isn't a
    >> solution because so many Web sites rely on it," he said.
    >>

    >
    > I really hope this doesn't turn people away from js,
    > as it is really quite amazing what is being done with js at present.


    There's the rub: is it too powerful?

    --
    Rule 6: There is no rule 6

    Blog: http://shanes.dyndns.org
     
    Shane, Jul 30, 2006
    #4
  5. Shane

    Chris Lim Guest

    I've been trying to figure out what the subject line means... but I
    give up. Is it a play on hackers with poor English or something??
     
    Chris Lim, Jul 30, 2006
    #5
  6. Craig Whitmore, Jul 30, 2006
    #6
  7. Shane

    Chris Lim Guest

    Chris Lim, Jul 30, 2006
    #7
  8. Chris Lim wrote:
    > I've been trying to figure out what the subject line means... but I
    > give up. Is it a play on hackers with poor English or something??
    >


    Search for it on Google Chris. Try Wiki.
     
    Komrade Klark, Jul 30, 2006
    #8
  9. Shane

    Earl Grey Guest

    Chris Lim wrote:
    > I've been trying to figure out what the subject line means... but I
    > give up. Is it a play on hackers with poor English or something??
    >


    Sort of

    http://en.wikipedia.org/wiki/All_your_base
     
    Earl Grey, Jul 30, 2006
    #9
  10. Shane

    Shane Guest

    Roger Johnstone wrote:

    > In <eagnbo$8dc$> Shane wrote:
    >> http://news.zdnet.com/2100-1009_22-6099891.html?tag=nl.e589
    >>
    >> I ran it on my box ([K]ubuntu dapper Mozilla Firefox 1.5.0.1,
    >> Copyright (c) 1998 - 2006 mozilla.org) It found slackers webserver (
    >> localhost), but didn't find my DMZ webserver. I will reconf my LAN and
    >> retest later. It also produced multiple false positives (claiming
    >> hosts exist that don't). This is early days, and I don't foresee things
    >> getting any easier for admins.

    >
    > According to the test my Mac and Apple router are both running Microsoft
    > IIS webserver. Who knew?
    >



    The test page says they only test for IIS and Apache, and that there are
    some disclaimers (weird reports if a login is called but not entered).
    I emailed them yesterday about their false positives, but since then I see
    they have been /.ed, so even *if* they were going to email me back, it's now
    under a fairly big to-do pile.

    --
    Rule 6: There is no rule 6

    Blog: http://shanes.dyndns.org
     
    Shane, Jul 31, 2006
    #10