lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <6905b1570608080618p2276dd39ta72da68e6c397318@mail.gmail.com>
Date: Tue, 8 Aug 2006 14:18:45 +0100
From: "pdp (architect)" <pdp.gnucitizen@...glemail.com>
To: full-disclosure@...ts.grok.org.uk, pen-test@...urityfocus.com,
	webappsec@...urityfocus.com, bugtraq@...urityfocus.com
Subject: XSSing the Lan 3 (web trojans.. not a new idea)

i hope it is not getting boring
http://www.gnucitizen.org/blog/xssing-the-lan-3

In my previous posts I mentioned that in order to compromise LAN
device from the Internet the attacker needs to exploit XSS
vulnerability in the device firmware. The limitations of this kind of
attack are quite obvious.

Let's have a look at the exploitation process again. First of all the
local LAN needs to be explored for live hosts and than each host needs
to be scanned with URL Signature database in order to detect the
firmware type and version. Once the firmware is detected an
appropriate attack can be mounted.

This is time consuming task as most of you may suggest. Unless the
user spends considerable amount of time looking though the malicious
page, the attack will fail. Fortunately or not there are a few other
possible attack vectors that can be used in order to assure
successfully exploitation of your internal LAN and the Internet at
large.

By definition trojan is "a program that appears desirable but actually
contains something harmful" (princeton.edu). Brilliant! The same idea
can be used by malicious users in order to gain trust relationship
with the visiting users. For example, an attack can incorporate
YouTube movie player inside malicious container that will carry the
rest of the attack while the user previews a trailer. Unnoticeably,
the malicious flash container can perform security audit of any
network using JavaScript, ActionScript, Java, XML, XSLT and
combination of these technologies.

The longer the user interacts with the trojan the more successfully
the attack would be.

Of course, trojans can be built pretty much out of anything. In the
most harmless of all harmful activities the visiting user can perform
port scanning for the attacker using JavaScript. The results of the
scan will be shipped back to a collection point when the scan is
completed or when the user leaves the current resource. This type of
scenario is concerning and requires immediate response for all
vendors. Soon or latter distribution of web based trojans will be
reality, but I hope for the "latter".

To investigate the subject a little bit more I spend some time looking
through the Internet Hypes of the past because I believe that they
will be the first targets for distributing web based trojans. For
example, the "crazy frog" (apparently quite popular cartoon character)
was absolutely popular among the young generation mostly in United
Kingdom. The most typical types of transport media for the cartoon
characters were primarily movies, images and sounds. These transport
mechanisms are affected by web based trojans and they can be easily
incorporated into large scale attacks. Moreover, there are already
infrastructures provided by the big software vendors that allows
attacker to mount their malicious activities.

According to Google Trends
(http://www.google.com/trends?q=crazy+frog), the "crazy frog"
phenomenon was at its peak between May 2005 and Jul 2006. This is
exactly 13 months. The highest point was on 29th May 2005. This gives
attackers from 5 to 6 months distribution time for shipping malicious
media containers to pretty much every point on the Internet. The
compromised media could incorporate DDoS attack that activates on
certain date mimicking typical time bomb. Given the right channels, an
attacker can easily make their own digital peace of art a desirable
free product which will be exchanged among pears too, increasing the
success rate of the attack.

-- 
pdp (architect)
http://www.gnucitizen.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ