| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 8 Aug 2006 14:18:45 +0100 From: "pdp (architect)" <pdp.gnucitizen@...glemail.com> To: full-disclosure@...ts.grok.org.uk, pen-test@...urityfocus.com, webappsec@...urityfocus.com, bugtraq@...urityfocus.com Subject: XSSing the Lan 3 (web trojans.. not a new idea) i hope it is not getting boring http://www.gnucitizen.org/blog/xssing-the-lan-3 In my previous posts I mentioned that in order to compromise LAN device from the Internet the attacker needs to exploit XSS vulnerability in the device firmware. The limitations of this kind of attack are quite obvious. Let's have a look at the exploitation process again. First of all the local LAN needs to be explored for live hosts and than each host needs to be scanned with URL Signature database in order to detect the firmware type and version. Once the firmware is detected an appropriate attack can be mounted. This is time consuming task as most of you may suggest. Unless the user spends considerable amount of time looking though the malicious page, the attack will fail. Fortunately or not there are a few other possible attack vectors that can be used in order to assure successfully exploitation of your internal LAN and the Internet at large. By definition trojan is "a program that appears desirable but actually contains something harmful" (princeton.edu). Brilliant! The same idea can be used by malicious users in order to gain trust relationship with the visiting users. For example, an attack can incorporate YouTube movie player inside malicious container that will carry the rest of the attack while the user previews a trailer. Unnoticeably, the malicious flash container can perform security audit of any network using JavaScript, ActionScript, Java, XML, XSLT and combination of these technologies. The longer the user interacts with the trojan the more successfully the attack would be. Of course, trojans can be built pretty much out of anything. In the most harmless of all harmful activities the visiting user can perform port scanning for the attacker using JavaScript. The results of the scan will be shipped back to a collection point when the scan is completed or when the user leaves the current resource. This type of scenario is concerning and requires immediate response for all vendors. Soon or latter distribution of web based trojans will be reality, but I hope for the "latter". To investigate the subject a little bit more I spend some time looking through the Internet Hypes of the past because I believe that they will be the first targets for distributing web based trojans. For example, the "crazy frog" (apparently quite popular cartoon character) was absolutely popular among the young generation mostly in United Kingdom. The most typical types of transport media for the cartoon characters were primarily movies, images and sounds. These transport mechanisms are affected by web based trojans and they can be easily incorporated into large scale attacks. Moreover, there are already infrastructures provided by the big software vendors that allows attacker to mount their malicious activities. According to Google Trends (http://www.google.com/trends?q=crazy+frog), the "crazy frog" phenomenon was at its peak between May 2005 and Jul 2006. This is exactly 13 months. The highest point was on 29th May 2005. This gives attackers from 5 to 6 months distribution time for shipping malicious media containers to pretty much every point on the Internet. The compromised media could incorporate DDoS attack that activates on certain date mimicking typical time bomb. Given the right channels, an attacker can easily make their own digital peace of art a desirable free product which will be exchanged among pears too, increasing the success rate of the attack. -- pdp (architect) http://www.gnucitizen.org
Powered by blists - more mailing lists