[Full-disclosure] Attacking the local LAN via XSS
pdp.gnucitizen at googlemail.com
Fri Aug 4 00:35:48 BST 2006
This is my humble opinion.
I didn't go to BlackHat but since a lot of people are getting really
interested in XSS attacks, right now when it is sort of blooming, I
will try to put in theory how border routers/gateways can be trivially
compromised (over the web).
For that purpose, three prerequisites are needed:
1. a page that is controlled by the attacker, let's call it evil.com
2. a border router vulnerable to XSS
3. a user visiting evil.com
tries to figure out what machines are alive on the local LAN and where the
border router is located. This is usually achieved in a similar way
Once the router is identified, the malicious script needs to figure
out the software version. This is not quite a trivial task, since most
modern browsers enforce cross-domain restrictions, which means that fancy
Ajax techniques such as the XMLHttpRequest object won't work. The
attack vector explained by SPI Dynamics, though, should work on all
requests against the router looking for common image files. Different
types of routers ship different images, so this is obviously a way of
identifying the server software.
Depending on the results collected by the scanning process, an already
published XSS flaw is flagged. This XSS flaw is used by the malicious
step is crucial, since modern browsers won't allow you to perform
cross-domain requests unless a fourth prerequisite is introduced – the buggy
evil.com that carries the attack. The iframe src (source) attribute
contains a URL that will exploit the XSS flaw in the border router.
Since the code is executed on the border router's domain, no
cross-domain restrictions apply. This means that the malicious logic
can be constructed out of XMLHttpRequest objects, which provide greater
control over the input and the output.
At the final stage, the logic transported by the border router XSS flaw
performs a login and retrieves the user credentials, which are submitted
to a remote resource controlled by the attacker. However, in
corporate environments the attacker might wish to lower the
security level of the exploited device and open a worm hole.
It is quite simple, and it is less complicated than it sounds.
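As an added example that is not part of the original post, here is a minimal model of the kind of reflected-parameter router page the chain above depends on, in its vulnerable form beside a hardened one that escapes the reflected value and refuses cross-origin framing; the handler names, the host parameter and the page HTML are constructed assumptions, not any vendor's code.

```python
import html
from urllib.parse import parse_qs

# Constructed sample query string: the kind of reflected-parameter request
# that the post describes being driven through an iframe on evil.com.
SAMPLE_QUERY = "host=<script>alert(1)</script>"


def vulnerable_ping_page(query_string):
    """Hypothetical router diagnostics page that reflects the 'host'
    parameter into the HTML unescaped and sets no framing restriction.
    This is the kind of XSS flaw the post's fourth prerequisite relies on."""
    host = parse_qs(query_string).get("host", [""])[0]
    body = "<h1>Ping</h1><p>Target: " + host + "</p>"
    headers = {"Content-Type": "text/html"}
    return headers, body


def hardened_ping_page(query_string):
    """Same page with two fixes: the reflected value is HTML-escaped so the
    browser renders it as text rather than markup, and the response refuses
    to be embedded in a frame on any other origin, which removes the iframe
    delivery step the post describes."""
    host = parse_qs(query_string).get("host", [""])[0]
    body = "<h1>Ping</h1><p>Target: " + html.escape(host, quote=True) + "</p>"
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Frame-Options": "DENY",                            # legacy anti-framing header
        "Content-Security-Policy": "frame-ancestors 'none'",  # modern equivalent
    }
    return headers, body


def reflects_markup(body, payload="<script>"):
    """True if the raw payload survives into the HTML body unescaped."""
    return payload in body


def is_frameable(headers):
    """True if nothing in the response forbids cross-origin framing."""
    xfo = headers.get("X-Frame-Options", "").upper()
    csp = headers.get("Content-Security-Policy", "")
    return xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_ping_page),
                          ("hardened", hardened_ping_page)):
        headers, body = handler(SAMPLE_QUERY)
        print(f"{name}: reflects markup={reflects_markup(body)}, "
              f"frameable={is_frameable(headers)}")
```

Run it to see that only the vulnerable handler both echoes the markup and can be framed; either fix alone is weaker, since escaping stops the script from running and the framing headers stop evil.com from loading the page at all.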
Full-Disclosure is hosted and sponsored by Secunia.