web application security lab

JavaScript Malware Talk at Blackhat is a Success

Jeremiah Grossman’s talk about JavaScript malware was a success! He said that somewhere near 1000 people showed, and around 100 people came up to him afterwards. To quote him, “It was like shock and awe.” People were amazed at some of the stuff. This goes beyond simple port scanning, but he is showing how to hack routers, printers, IP phones, websites, etc… etc… Anything with a web based interface. Web application security finally has come into its own, in my mind.

Using a combination of CSS, JavaScript, Java and images, you can detect the internal IP address, locate which servers the user has been on, detect what is running on them, and actually exploit them, even if they are behind a firewall and non-routable. Holy crap! Anyone who says XSS isn’t worth talking about clearly doesn’t know what they’re talking about. Cross site scripting now has access to almost everything, everywhere.

So how did this all come to be? Several years ago I was playing around with looking glasses and it occurred to me how strange it was that a webserver hack could affect a network device. Then I started toying with the idea of injecting JavaScript onto internal interfaces of security devices (I found several that eventually I got patched). Then it occurred to me that it’s not just annoying to have JavaScript injected and it doesn’t just mess with logs, it can also be used to read anything from that internal host. And indeed, to connect that user’s host to any other machine of your choosing. Including other sites on the internal interfaces. Forget simple port scanning. How about hacking the router itself and adding all the sites inside of it to the DMZ? So I started talking with Jeremiah Grossman about it. At that time I wanted to just have a proof of concept to hack a router, and do a port scan, but he took the ball and ran with it, taking it the extra mile.

Think about our cross site scripting worm again for a second. If I could get even a small percentage of the SAMY worm to expose their machine to the world (say 10%) we are still talking about 100,000 new machines that are completely exposed to the world. If you take a bigger worm, like a cross site scripting warhol worm, the potential for global compromise is tremendous. It would be virtually free rein. This could be the largest attack vector the world has ever seen, not just to run some JavaScript on a machine, but actually hack millions of users’ home networks.

Okay back to earth again. What if I’m a malicious user and I want access to examplecompany.com. All I need to do is find some XSS in a website that gets a fair amount of traffic and simply wait until I see someone coming from the IP range of examplecompany.com. Once I get that user to visit my site, I can begin my probing of their network, to disclose simple information about what machines are where. I can find if they have PHP installed, I can see which version of what stupid CMS system they are using. Chaining multiple XSS vectors together I can start reading information off of those machines, and eventually probably find some remote shell compromise to open a port to the world. You name it, unless the company blocks all internet access to all employees, you can gain access.
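Since every step of the pivot described above is initiated from the victim’s browser, the internal web interface itself is the place a defender can still say no. This is an added example, not code from this post or from the talk: a request gate for a router or intranet admin interface that refuses requests a page on a foreign origin initiated, whether by a modern browser (Sec-Fetch-Site), an old one (Referer/Origin), or via DNS rebinding (wrong Host). The host names, private ranges and sample headers are constructed assumptions.

```javascript
// Added example (not from the post): a request gate an internal web interface
// (router, printer, intranet app) can apply so that a victim's browser running
// injected JavaScript cannot be used as a proxy into the device.
// Host names, networks and header samples are constructed assumptions.

// Host names the interface is legitimately reached by (constructed).
const ALLOWED_HOSTS = new Set(["192.168.1.1", "router.lan"]);

// Origins considered "inside": RFC1918-style addresses and the device's own names.
const PRIVATE_ORIGIN =
  /^https?:\/\/(192\.168\.\d{1,3}\.\d{1,3}|10(\.\d{1,3}){3}|router\.lan|localhost)(:\d+)?$/i;

// Returns "allow" or a deny reason for the given request headers (lower-cased names).
function classifyRequest(headers) {
  // 1. Host must be one of ours: defeats DNS rebinding and mis-routed vhosts.
  const host = String(headers.host || "").split(":")[0].toLowerCase();
  if (!ALLOWED_HOSTS.has(host)) return "deny-host";

  // 2. Modern browsers label where a request was initiated. Only same-origin
  //    pages or direct navigations (typed URL, bookmark: "none") may talk to us.
  const site = headers["sec-fetch-site"];
  if (site && site !== "same-origin" && site !== "none") return "deny-cross-site";

  // 3. Older browsers send no Sec-Fetch-* headers, but they do send Referer
  //    (and Origin on POST); an external page loading our URLs shows up there.
  const initiator = headers.origin || headers.referer;
  if (initiator) {
    const m = /^https?:\/\/[^\/]+/.exec(initiator);
    if (!m || !PRIVATE_ORIGIN.test(m[0])) return "deny-origin";
  }
  return "allow";
}

// Node-style request handler; Node's req.headers already lower-cases names.
function handler(req, res) {
  const verdict = classifyRequest(req.headers);
  if (verdict !== "allow") {
    // Log the initiator: a burst of these across many internal hosts is the
    // "JavaScript scanner" from the post probing the intranet through a user's browser.
    console.warn(`blocked ${req.method} ${req.url} from ${req.headers.referer || "?"}: ${verdict}`);
    res.writeHead(403, { "Content-Type": "text/plain" });
    return res.end("forbidden\n");
  }
  res.writeHead(200, { "Content-Type": "text/plain" });
  res.end("admin interface\n");
}
```

Mount `handler` with `require("http").createServer(handler).listen(port)` in front of the real interface; the 403 log lines are the detection signal, since a legitimate admin never arrives from an outside Referer.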

Suddenly, JavaScript is enabling me to see from the eyes of any user who executes it. The power to exploit this is absolutely amazing. I’m gushing a little, but I’ve been thinking about this for a long long time, and it’s really exciting to see it finally published in the correct way.

This is probably my last post for a few days, I’m off to DefCon today. I may or may not post while I’m there, I haven’t decided yet. But stay out of trouble while I’m gone. No parties until I get back!

6 Responses to “JavaScript Malware Talk at Blackhat is a Success”

  1. Blad3 Says:

    In theory sounds cool but in practice things are different.
    Most of these network devices have basic or another type of authentication.
    The basic authentication will kill your attack. You can use http://user:pass@url only on Firefox. And it will work only if you guess the right credentials from the first try. Otherwise, a popup window will be displayed and you are doomed. Unless somebody will figure out a way to bruteforce this authentication without popup windows, this attack is not very practical.

  2. Brian Says:

    Network devices may be a harder spot to attack, because fewer users have authentication credentials for those sites. Online brute force attacks on authentication are noisy. Corporate intranet web sites, OTOH, are likely to have some kind of a single-sign-on solution in use, or at the very least a persistent cookie so that their users aren’t forced to log in frequently. They are softer targets than network devices, and potentially much more lucrative.

    This changes the threat landscape a bit. Today, corporations worry about spyware on their user’s machines. They deal with that threat through antivirus, patch policies, and host-based firewalls. None of those techniques are effective against javascript malware port scanning your intranet web site and using XSS vulnerabilities to read your company directory.

  3. RSnake Says:

    Blad3…. yes, basic auth will stop you unless you get the password right on the first try. But I’ve actually found a huge chunk of machines that aren’t protected by basic auth. But by “doomed” what do you mean? One of two things will happen. They’ll either enter a username and password (pass and you’re in or fail and they get the popup again) or two, they’ll hit cancel and your attack continues. Not that bad of a circumstance. Most people would just be confused by that experience, although I’d agree it’s less than ideal. Give us a while, we’re still developing some tools to mitigate that problem. :)

  4. Blad3 Says:

    Yes, I’m sure you are :)

    What kind of machines don’t require basic auth? No authentication at all? That’s very stupid if you ask me.

    No, you are right. I was also thinking that probably they will enter the username and password just to get rid of that annoying popup :P
    However, at this point there has to be some small web fingerprinter to figure out what kind of network device you have to be able to attack that device. Basic auth will stop this first step and you will not be able to have a generic attack script.

  5. Blad3 Says:

    BTW, any of you guys know where I can find the Defcon presentations?
    On http://164.106.251.250/docs/bh2006/ most of the interesting stuff is corrupted :(

  6. ha.ckers.org web application security lab - Archive » Social Networking Corporate Security Compromise Says:

    […] I’m not aware of a web application scanner on earth that would find something so strange, but indeed, if you want to start spamming someone directly, or issuing targeted viruses/worms to mega companies, this is a perfect conduit for finding people in these huge companies, and targeting them directly. Remember our JavaScript scanner? “Hey, Joe, check out my new company, I just went to, I’d appreciate any feedback you could give since I know this is your area of expertise.” Even if they don’t know you, 9 out of 10 times they’ll click, and you’re in. […]