JavaScript opens doors to browser-based attacks

RobG

Seems JavaScript is getting some bad press:
"Security researchers have found a way to use JavaScript
to map a home or corporate network and attack connected
servers or devices, such as printers or routers."

<URL: http://news.zdnet.com/2100-1009_22-6099891.html >

There seems to be quite a bit of FUD happening in regard to this issue
- as far as I can see, JavaScript could have been used for this for
years, it's only now someone has decided it's a security risk.

I'm not sure what anyone can do with knowing that my printer's IP is
10.1.1.5, but maybe someone else has a suggestion?
 
Richard Cornford

RobG said:
> Seems JavaScript is getting some bad press:
> "Security researchers have found a way to use JavaScript
> to map a home or corporate network and attack connected
> servers or devices, such as printers or routers."
>
> <URL: http://news.zdnet.com/2100-1009_22-6099891.html >
>
> There seems to be quite a bit of FUD happening in regard to
> this issue - as far as I can see, JavaScript could have been
> used for this for years, it's only now someone has decided
> it's a security risk.
>
> I'm not sure what anyone can do with knowing that my printer's
> IP is 10.1.1.5, but maybe someone else has a suggestion?

The article includes the statement; "When run, the JavaScript first
determines the internal network address of the PC", which is not
information that JavaScript can get directly from a web browser. Java
can tell you that (though the security manager for its use inside a web
browser should prevent it from doing so) and ActiveX components can tell
you that (though only the type of ActiveX objects that should be
disabled in the Internet security zone). Apart from that the only
approach I can think of would be trial and error, and that appears to be
the approach taken in the article. Specifically; loading the SRC of an Image
object with a likely address and seeing what happens, presumably whether
its onerror or onload handlers are fired (onerror; look elsewhere,
onload; you have learnt something about the system).

A trial and error approach is potentially going to be slow (and may
build up large runtime memory consumption). It is not going to be
practical to scan the entire possible IP range, so I imagine that you
start with variations of likely internal network addresses.

Of course loading an Image SRC with a local network address from a
script originating on the Internet should provoke cross-domain security
restrictions, and as I recall those restrictions apply to Image objects
on Mozilla/Gecko browsers even if IE doesn't seem quite so concerned
(or didn't last time I tried, which was a couple of years ago now).

Richard.
 
news

Richard said:
> A trial and error approach is potentially going to be slow (and may
> build up large runtime memory consumption). It is not going to be
> practical to scan the entire possible IP range, so I imagine that you
> start with variations of likely internal network addresses.

Their proof of concept requires you to give the script a start and
stop IP address.

> Of course loading an Image SRC with a local network address from a
> script originating on the Internet should provoke cross-domain security
> restrictions, and as I recall those restrictions apply to Image objects
> on Mozilla/Gecko browsers even if IE doesn't seem quite so concerned
> (or didn't last time I tried, which was a couple of years ago now).

It appears to "work" on Firefox 1.5.0.5 - it was able to determine some
of our hosts existed although not all. Lots of false negatives. It failed to
identify our only IIS server even though it is supposed to specifically look
for one.

The status bar was full of "connecting to 10.10.xxx.xxx" messages so
you can't really fail to notice it running.
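
A defender's view of the behaviour reported in this thread (a page from the Internet driving one browser through a range of internal addresses), as an added example that is not part of any post here. The log layout (client, requested URL and Referer per line), the threshold, the host names and every sample line are assumptions constructed for illustration.

```javascript
// Added example: flag clients whose requests to RFC 1918 addresses were
// referred by a page that is not itself on a private address.
// Assumed log layout per line: "<client> <requested URL> <Referer or ->".

function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m || m.slice(1).some((octet) => Number(octet) > 255)) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function hostOf(value) {
  try { return new URL(value).hostname; } catch { return null; }
}

// Returns [{client, page, targets}] where one referring page caused a client
// to contact at least minTargets distinct private addresses.
// Intranet pages reached by host name count as external here; filter them
// out beforehand if your network has any.
function findInternalProbing(lines, minTargets = 3) {
  const groups = new Map();
  for (const line of lines) {
    const [client, url, referer] = line.trim().split(/\s+/);
    const target = hostOf(url);
    const page = hostOf(referer);
    if (!target || !page) continue;            // no Referer or malformed line
    if (!isPrivateIPv4(target) || isPrivateIPv4(page)) continue;
    const key = `${client} ${page}`;
    if (!groups.has(key)) groups.set(key, new Set());
    groups.get(key).add(target);
  }
  const findings = [];
  for (const [key, targets] of groups) {
    if (targets.size < minTargets) continue;
    const [client, page] = key.split(' ');
    findings.push({ client, page, targets: [...targets].sort() });
  }
  return findings;
}

// Constructed sample lines, not taken from any real log.
const SAMPLE_LOG = [
  '10.10.4.23 http://10.10.0.1/a.gif http://public-page.example/poc.html',
  '10.10.4.23 http://10.10.0.2/a.gif http://public-page.example/poc.html',
  '10.10.4.23 http://10.10.0.3/a.gif http://public-page.example/poc.html',
  '10.10.4.23 http://www.example.org/b.png http://public-page.example/poc.html',
  '10.10.4.51 http://10.10.0.9/status.gif http://10.10.0.9/index.html',
  '10.10.4.51 http://192.168.1.1/x.gif -',
  '10.10.4.77 http://10.10.0.1/a.gif http://news.example/story.html',
];
console.log(findInternalProbing(SAMPLE_LOG));
```

Only the first client is reported: the second was referred by an internal page or sent no Referer, and the third touched a single private address.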
 
