On CHOW: Cook with spring ingredients
BNET Business Network:

By Joris Evers, News.com
Posted on ZDNet News: Jul 28, 2006 7:44:00 PM

Security researchers have found a way to use JavaScript to map a home or corporate network and attack connected servers or devices, such as printers or routers.

The malicious JavaScript can be embedded in a Web page and will run without warning when the page is viewed in any ordinary browser, the researchers said. It will bypass security measures such as a firewall because it runs through the user's browser, they said.

"We have discovered a technique to scan a network, fingerprint all the Web-enabled devices found and send attacks or commands to those devices," said Billy Hoffman, lead engineer at Web security specialist SPI Dynamics. "This technique can scan networks protected behind firewalls such as corporate networks."

A successful attack could have significant impact. For example, it could scan your home network, detect a router model and then send it commands to enable wireless networking and turn off all encryption, Hoffman said. Or it could map a corporate network and launch attacks against servers that will appear to come from the inside, he said.

"Your browser can be used to hack internal networks," said Jeremiah Grossman the chief technology officer at Web application security company WhiteHat Security. Both SPI Dynamics and WhiteHat Security came up with the JavaScript-based network scanner at about the same time, he said. The companies plan to talk about their findings at next week's Black Hat security event in Las Vegas.

JavaScript, AJAX and the Web
JavaScript has been around for about a decade. The scripting programming language is used on Web sites and is increasingly popular in recent years thanks to a programming technique known as AJAX--Asynchronous JavaScript and XML--that makes sites more interactive. AJAX has its own share of security pitfalls.

While malicious JavaScript has been possible for a long time, security researchers have not focused much on it, said Fyodor Vaskovich, creator of the popular Nmap network port scanning tool. Instead, bug hunters have been focused on finding Web browser flaws that allow for a quicker and simpler PC hijack, he said.

"There has been little motivation to explore side-channel attacks such as this one," Vaskovich said. "But a key advantage of the SPI Dynamics vulnerability is that it is difficult to fix without breaking many Web applications. So it may be around for years to come."

There have been similar attempts to craft JavaScript-based network scanners, but none as advanced as the SPI Dynamics example, Vaskovich said. "SPI Dynamics deserves credit for a clever attack vector and a solid demonstration of the issue. Their method of fingerprinting servers by checking for default image paths and names is slick."

When run, the JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.

"Everything has a Web server these days," Grossman said.

Pings from the host
The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives, according to a SPI Dynamics paper.

A malicious JavaScript could be hosted on an attacker's site, but an attack could also lurk on a trusted Web site by exploiting a common flaw known as cross-site scripting. Big-name Web companies including Google, Microsoft and eBay have had to plug such holes. Earlier this week AOL's Netscape.com fixed such a flaw that let apparent fans of rival Digg.com plant JavaScript on the Netscape Web site.

At BlackHat, Grossman is slated to demonstrate one attack. "We will be showing off how to get the internal IP address, how to scan internal networks, how to fingerprint and how to enter DSL routers," he said. "As we're attacking the intranet using the browser, we're taking complete control over the browser."

There is little a PC user can do in terms of protection. The burden largely rests on Web site developers to make sure their users and servers stay safe, experts said. Some PC security software will detect malicious JavaScript, but typically only after an attack has surfaced, because they rely on attack signatures (the "fingerprint" of the threat) to block the attack.

"All our protection recommendations are server-side," Grossman said. Site operators should fix cross-site scripting flaws and validate any user-submitted JavaScript. "The users really are at the mercy of the Web sites they visit. Users could turn off JavaScript, which really isn't a solution because so many Web sites rely on it," he said.

Also, if you suspect something fishy is going on, surfing to a different Web page or shutting down your browser will likely stop the JavaScript.

Attacks aren't widespread, Grossman said. "JavaScript malware is still cutting-edge, and nobody really knows what you can do with it," he said. "Liken it to the early days of an e-mail virus--that's where we're at now. I think we're going to see (many) more attacks."

  • Talkback
  • Most Recent of 90 Talkback(s)
java scripting
Only one way to stop this garbage....death by hanging....Hangem High!!!! (Read the rest)
Posted by: webnews10@... Posted on: 08/05/06 You are currently: Logged In | Log out
O'damn , things aren't getting any better nowadays . Beyond the Vista, a Leopard is stalking .   | 07/28/06
TV is already happening, but appliances... OliverSeal   | 07/28/06
They are already at the mercy... bitflippper1   | 07/28/06
They Are ! IceTheNet@...   | 07/29/06
As we know... im_chaz@...   | 07/28/06
That's why we shouldn't use any type of scripting. pjones   | 07/28/06
<noscript> OliverSeal   | 07/28/06
Horse. LowGenius   | 07/28/06
What about paper cuts? MovieMaker   | 07/29/06
NoScript JDThompson   | 07/29/06
Well... flatliner   | 07/29/06
A bit mellow dramatic! IceTheNet@...   | 07/29/06
JS vs PHP Peopleunit   | 08/01/06
Ask yourself, "Will I go to hell?" OliverSeal   | 07/28/06
Why do think Organized Crime Edward Meyers   | 07/28/06
Absolutes are not Absolutely Absolute. IceTheNet@...   | 07/29/06
Sure we can add those also Edward Meyers   | 07/29/06
Yes you will! IceTheNet@...   | 07/29/06
Rep and I are gloating.... Mike Cox   | 07/28/06
Any script is insecure TripleII   | 07/28/06
Fish On! (nt) LoCal   | 07/28/06
Good one! Gerald Quaglia   | 07/28/06
Agreed, LOL! LoCal   | 07/28/06
(LMAO) I hope 999ad@...   | 07/28/06
Rep and I are gloating.... dshans@...   | 07/28/06
Alright who let the Cox-A-Roach out of the woodwork ? Beyond the Vista, a Leopard is stalking .   | 07/29/06
Someone's having a hell of a time flatliner   | 07/29/06
Face it John Zern   | 07/30/06
Hey Mikey My Ex-wife still loves you Squawkie is Back   | 07/29/06
Java Applets Rize mighetto   | 07/28/06
So we need to download huge Java applets? balsover   | 07/28/06
Take it with a grain of salt John Zern   | 07/30/06
On Java Applications CFSD mighetto   | 07/31/06
Then why did the EU make no mention John Zern   | 07/30/06
Facts Assumptions Truth Theory mighetto   | 07/31/06
End of AJAX smartyram   | 07/28/06
Wash your mouth out with AJAX IceTheNet@...   | 07/29/06
Trivial to fix - it's the js compiler stupid! tdhorlando   | 07/28/06
stupid again smartyram   | 07/28/06
smarter than you think tdhorlando   | 07/28/06
An Easier Solution - IceTheNet@...   | 07/29/06
Is not IE integrated mighetto   | 07/28/06
Your understanding of Windows and IE is lacking severely toadlife   | 07/29/06
Bwwwwhaaaa Edward Meyers   | 07/29/06
So? NonZealot   | 07/29/06
KHTML Can be removed Edward Meyers   | 07/29/06
I agree NonZealot   | 07/29/06
priviledge elevation? toadlife   | 07/29/06
You have a short memory Edward Meyers   | 07/31/06
ie: the browser jlhenry62   | 07/29/06
The situation in Windows is hardly unique toadlife   | 07/29/06
And you don't have to use KDE Edward Meyers   | 07/29/06
Not the point toadlife   | 07/29/06
Small Correction IceTheNet@...   | 07/29/06
There is no JS Compiler Edward Meyers   | 07/28/06
Interpreter/Compiler tdhorlando   | 07/28/06
ok i got it in mine alandee4   | 07/28/06
you have to goto the folder and delete it manually IceTheNet@...   | 07/29/06
javascript too? vger_z   | 07/28/06
It's not them it is people. IceTheNet@...   | 07/29/06
Furthermore IceTheNet@...   | 07/29/06
modern applications are hacks Daniel Cremer   | 07/28/06
It's a BROWSER! TonyMcS   | 07/30/06
And yet you all are forgetting Linux User 147560   | 07/28/06
Exactly! JDThompson   | 07/28/06
Yep Greenknight_z   | 07/29/06
I'v been thinking about this IceTheNet@...   | 07/29/06
Did you even look at the SPI script... john.gruber@...   | 07/28/06
Ok, I tried the "proof of concept" JDThompson   | 07/28/06
Wow. Imagine that. John Zern   | 07/28/06
That should be Edward Meyers   | 07/29/06
Oops, you're right John Zern   | 07/30/06
JavaScript? Lock memory allocation. Pazooza   | 07/29/06
Fine, just use Java from now on Boot_Agnostic   | 07/29/06
Port .NET to J2EE mighetto   | 07/31/06
If you think this is new then your skill level is very low IceTheNet@...   | 07/29/06
Javascript has same security as client OneDayMatt   | 07/29/06
Crank Up The Ol' Linotype, Boys! I'll Melt Some Lead! Rumpled_Foreskin   | 07/29/06
The more they change Squawkie is Back   | 07/29/06
Java What? philscbx@...   | 07/30/06
Some sanity - please! Fred Fredrickson   | 07/30/06
In the beginning there were no fences WinnebagoBoy   | 07/30/06
Ya'll Not Much Help jerelsr@...   | 07/30/06
JavaScript is dreadful webDevx   | 07/31/06
Javascript is fast-easy-cheap, it will stay nospam@...   | 08/01/06
Javascript attacks lynnerufus   | 08/01/06
its getting mnore interesting ...wow zeero   | 08/01/06
Just run Firefox with NoScript extension kcstech   | 08/03/06
Absolutely! sah42   | 08/04/06
java scripting webnews10@...   | 08/05/06

What do you think?


Whitepapers & Webcasts

I/O Virtualization

From our sponsors

HP StorageWork 4400 Enterprise Virtual Array

Click Here