| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 4 Aug 2006 09:59:56 +0100 From: "pdp (architect)" <pdp.gnucitizen@...glemail.com> To: "Georgi Guninski" <guninski@...inski.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Attacking the local LAN via XSS In most cases JavaScript is required. Flash 7 has the flexibility to perform cross domain requests, however this is fixed in Flash 8. Java Object are quite the same in that respect. Of course, in certain situations it might be possible to trick the browser. The proposed scenario takes advantage of the fact the Internal device is vulnerable to XSS attack. In this case all the attacker needs to do is to make an iframe call to the vulnerable URL in order to inject JavaScript code withing the device domain. When this is achieved the browser happily will allow you to make XmlHttpRequests. In the Ajax world this is the most well proven technology. Both POST and GET are allowed. Performing PUT, HEAD, DELETE and other server methods are possible as well. All the attacker needs to do is to perform iframe call to the vulnerable to XSS url that will embed Java Object which will perform the desired operations. More sophisticated attack vectors are also possible (tcp, udp, icmp scanning, sockets, etc...). In case the current browser has outdated Flash plugin, the malicious site can perform the desired attack without the need of the internal device being vulnerable to XSS. However this will work in very closed environments because most of the time plugin updates are enforced on regular basis. In case sensitive information needs to be transferred from the local LAN to a remote collection point a few other methods can be employed. A Flash object can store a lot of information by using the AJAX MAssive Storage System (AMASS) technique <http://codinginparadise.org/projects/storage/README.html>. When the storage reach a critical mass (99K) the content can be automatically dumped at the remote collection point via POST. All this can be achieved from Flash (all versions). Of course the remote collection point needs to have "crossdomain.xml" file located in the document root to allow cross domain requests in case the Flash plugin is in its latest version. All of these checks can be performed at runtime. The attacker can detect what version of Flash is currently used and whether Java is enabled. Based on that the best attack vector will be selected. Moreover, this can be trivially achieved by using well known AJAX based libraries. On 8/4/06, Georgi Guninski <guninski@...inski.com> wrote: > On Fri, Aug 04, 2006 at 12:35:48AM +0100, pdp (architect) wrote: > > For that purpose three prerequisites are needed: > > > > 1. page that is controlled by the attacker, lets call it evil.com > > 2. border router vulnerable to XSS > > do you need javascript in all cases? unless you badly need http POST, doing > blind <img src=http://ip/cgi-bin/readmailreallyfast>, iframe src=, may have > interesting side effects. > > -- > where do you want bill gates to go today? > > EOM > > > > > > > > > > > > -- pdp (architect) http://www.gnucitizen.org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists