Thursday, October 05, 2006

JavaScript Intranet Scanner

In "Other Things" blog I've found a link to a PDF document which describes a very disturbing security issue with JavaScript:

Imagine visiting a blog on a social site or checking your email on a portal like Yahoo’s Webmail. While you are reading the Web page JavaScript code is downloaded and executed by your Web browser. It scans your entire home network, detects and determines your Linksys router model number, and then sends commands to the router to turn on wireless networking and turn off all encryption. Now imagine that this happens to 1 million people across the United States in less than 24 hours.
This scenario is no longer one of fiction.

The document provides more information on how this can be achieved (though the link to their demo page doesn't work, so I can't guarantee that this is not another joke). If the approach, described in this paper, works - then it's scary. It seems like the only possible solution is to turn off JavaScript support in browser and turn it on only for selected sites, which will make Ajax and other modern Web technologies significantly less appealing.

Again, I didn't check the information yet - but the explanation in the document seems realistic enough.

Technorati tags: ,


Anonymous said...

I am skeptical of this. How is the JavaScript supposed to get through the password and ID required to access the router settings? What point is there for someone in let's say Russia to be able to turn off your encryption? If you are running a software firewall you are still protected up to a point.

Dmitriy Kropivnitskiy said...

OK, the demo link actually works, and I just had it scan our subnet. It actually picked up on most hosts and 3 out of 4 web servers (albeit fingerprinting didn't work as well as expected). I am still reading through the script, but some things are realtively obvious for me. First thing is that this is not new. I read about using image loading as a scanning technique in javascript back when I was doing pentests myself. I have to say though that the authors of the article are not very honest and not very bright. From what I can see they are being overly sensationalist about this. They mention that this vulnerability has been around for ages, but they phrase it in such a way that it seems as if they are the first to discover this. They also don't mention (except in the end) that their salary is being paid by a company making an automated code security analyzer for web applications product. So if more people panic from their article more copies of their product they will sell. As to the code itself, they describe this scanning as a two step process, load image to figure out if a server is up, then load iframe to fingerprint. I don't see why they are doing both steps. Image is still going to load using HTTP, so why not just start fingerprinting (with a timeout of course) and if the first probe doesn't answer we stop scanning this host. Now lets take a look at the start of the article, the part you quoted in your post. At the first glance it is panicky in the sort of "oh my god we are all going to die" way, but if you look at it again... Lets imagine that we are trying to write a scanner like this. Lets (for the sake of the argument) assume that we already have a way (and this by itself is not an easy task) to run this code on millions of unsuspecting browsers. 1. You need to guess the IP range of the subnet. You can try and pick it from the client connection, but this is not going to work, since by definition the host we are attacking is behind a NAT router (otherwise we would attack it directly). We can take an educated guess. There are basically three non-routable IP ranges, and chances are that a small home or small business network is going to be on one of them. And chances are, that the range is going to be 192.168.1.x, since that is default on 99% of the small network NAT routers out there. I tried to scan 128 IP addresses, and it took a long time even with almost no fingerprinting (they only tried to detect apache and IIS in default configuration). Here we have twice the address space, and we are trying to determine if the address on the other side is one of 20-40 popular NAT router models and our scanning stops as soon as the user leaves the page. Of course in exchange for accuracy we can only scan the first address in the range, since in default configuration it is going to be the router. And we are going to rely on things being in default config, since after we find the router we need to login to it somehow. The only reasonable thing to do (we don't have time to do brute force) is to try the defaults. So, in the end we are only getting the most primitive default setups. Granted, that more and more people are setting up home networks, so hopefully if we can hit a lot of targets we are going to get some entwork accesses. By the way, the payload described in the article is so stupid, I am not even going to discuss this. I mean, what god is it to you that you turned on an unencrypted wireless network in some small town in Cambodia?! A much better solution, is to open a port forwarding back door into the network and call home with the discovered address. This obviously is not going to be much use if the outside address is dynamic. A few more details. When this script was scanning my subnet, the first web server it hit was one of our printers. HP printers have a web interface, but it can only be accessed via SSL, so when the script hit it with regular HTTP (and considering that HTTP implementation used is that of the browser) it immediately got redirected and browser happily displayed the warning about self signed certificate. The router, generally is also going to have this mechanism (redirect to SSL), so in order for the script to do its thing, the user would have to click away a scary looking warning, but since we are talking about a router with default password (and if the user follows installation directions for the router, the password will be changed) we are probably talking about a rather stupid user. Mind you that I didn't even touch on the question of "how to lure people to view your page and stay there while you scan". It is not NEARLY as easy as some may think. In conclusion, there are two more things. The technique is not all bad. In some scenarios it might actually prove useful. A good example would be to conduct some covert operations on some network when you have your man on the inside. This gives your insider plausible deniability if/when he/she is caught. Another thing, is that 99% of modern browsers, together with javascript are equipped with java and flash both of which are much better equipped for this sort of thing (for example, AFAIK, both java and flash can operate actual network sockets, so instead of relying on image loading you can actually talk HTTP, SSL or any other protocol to any host you want). The idea of making a rather longish flash animation, funny enough (or stupid enough) for a lot of people to watch to the end, while scanning their network in background is not new either. And AFAIK is is much more dificult to detect (until someone actually runs network tracer while this flash is running you are not going to know) and much easier to disseminate.

Aleksey Linetskiy said...

Dmitriy, thanks for the great comment! I agree that this article is unnecessary panicky, and that it's not the end of the world. Couple of notes:

1. Java applets and Flash, while running in a browser, are running in a sandbox, which, if I remember correctly, prohibits them from connecting to any host other than the originating one. So, they are not suitable for this kind of attack.

2. As you pointed out, the script - at least in its current version - is good only to scan very simple networks with default settings - basically, we are talking of poorly configured home networks. It makes the script not very useful for any kind of targeted attack - but it's still perfectly useful for getting into a huge number of simplistic home networks. The payload, of course, should be different - you suggested one possible payload, and, probably, there might be more interesting scenarios. The problem with dynamic IP is not relevant - the broadband providers change users' IPs quite infrequently.

3. Taking all aforementioned in consideration, you may ask me - why did I pay attention to this panic? Well, I think that the most interesting thing here is that the attack is unusual and is using one of the fastest developing technologies. The situation is, in my opinion, somewhat similar to the time when the first macro virus appeared. Ther users didn't stop using Word or Excel - but there were several quite harmful pandemies and some of the security paradigms had to be changed.

Anonymous said...

It's a bunch of HOOWY!
YES it "gets" your "home" IP addess of your router..... NO, they have NOT proven that the information is even "passable" to another area/site.. AKA.. Just because I can see my info DOESN'T mean YOU can see my info.

ALSO...... Using Firefox.. It brought up my "password" prompt for my router. IF I have changed the password (some idiots or newbies don't), then NOONE can get into my router UNLESS they are willing to try to "break" my password.

TOOO much trouble for nothing. The ONLY ones who would suffer are again the IDIOTS who think they are tooo good to do what a "tech" tells them to do, OR someone that has NO IDEA how to use a router or a computer SAFELY, BUT still had one hooked up for them.

Aleksey Linetskiy said...

Yes, but there are quite a lot of those idiots. And they, in turn, can be used to harm even gurus.

business card scanner  said...

All the customers of the site scanner can also contact Go Daddy's Customer Security Advisers. It is a dedicated team of world class security experts available to answer questions and also provide best solutions to your problems. There is lot of customers and small businesses depend on Go Daddy as their personalized security department