lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6905b1570608040159g6edc33e8j56d3d6d4f9ccfa44@mail.gmail.com>
Date: Fri, 4 Aug 2006 09:59:56 +0100
From: "pdp (architect)" <pdp.gnucitizen@...glemail.com>
To: "Georgi Guninski" <guninski@...inski.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Attacking the local LAN via XSS

In most cases JavaScript is required. Flash 7 has the flexibility to
perform cross domain requests, however this is fixed in Flash 8. Java
Object are quite the same in that respect. Of course, in certain
situations it might be possible to trick the browser.

The proposed scenario takes advantage of the fact the Internal device
is vulnerable to XSS attack. In this case all the attacker needs to do
is to make an iframe call to the vulnerable URL in order to inject
JavaScript code withing the device domain. When this is achieved the
browser happily will allow you to make XmlHttpRequests. In the Ajax
world this is the most well proven technology. Both POST and GET are
allowed.

Performing PUT, HEAD, DELETE and other server methods are possible as
well. All the attacker needs to do is to perform iframe call to the
vulnerable to XSS url that will embed Java Object which will perform
the desired operations. More sophisticated attack vectors are also
possible (tcp, udp, icmp scanning, sockets, etc...).

In case the current browser has outdated Flash plugin, the malicious
site can perform the desired attack without the need of the internal
device being vulnerable to XSS. However this will work in very closed
environments because most of the time plugin updates are enforced on
regular basis.

In case sensitive information needs to be transferred from the local
LAN to a remote collection point a few other methods can be employed.
A Flash object can store a lot of information by using the AJAX
MAssive Storage System (AMASS) technique
<http://codinginparadise.org/projects/storage/README.html>. When the
storage reach a critical mass (99K) the content can be automatically
dumped at the remote collection point via POST. All this can be
achieved from Flash (all versions). Of course the remote collection
point needs to have "crossdomain.xml" file located in the document
root to allow cross domain requests in case the Flash plugin is in its
latest version.

All of these checks can be performed at runtime. The attacker can
detect what version of Flash is currently used and whether Java is
enabled. Based on that the best attack vector will be selected.
Moreover, this can be trivially achieved by using well known AJAX
based libraries.

On 8/4/06, Georgi Guninski <guninski@...inski.com> wrote:
> On Fri, Aug 04, 2006 at 12:35:48AM +0100, pdp (architect) wrote:
> > For that purpose three prerequisites are needed:
> >
> >   1. page that is controlled by the attacker, lets call it evil.com
> >   2. border router vulnerable to XSS
>
> do you need javascript in all cases? unless you badly need http POST, doing
> blind <img src=http://ip/cgi-bin/readmailreallyfast>, iframe src=, may have
> interesting side effects.
>
> --
> where do you want bill gates to go today?
>
> EOM
>
>
>
>
>
>
>
>
>
>
>
>


-- 
pdp (architect)
http://www.gnucitizen.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ