[clug] Drive-By Pharming Attack Could Hit Home Networks

Kim Holburn kim.holburn at gmail.com
Sun Feb 18 19:49:32 GMT 2007


On 2007/Feb/17, at 11:19 PM, Michael Cohen wrote:
> On Sat, Feb 17, 2007 at 03:41:44PM +0100, Kim Holburn wrote:
>> If a JavaScript got the router interface opened in an invisible
>> iframe and somehow got an enter or a click to the iframe after the
>> password manager filled in the details?
>
> Kim,
>   That's the whole point of the JavaScript security model (if it
>   works that is).

I seem to remember that Java was designed with security in mind but I
believe JavaScript came out of Netscape as an afterthought very
basically based on the idea of Java and has grown rather like Topsy
ever since (and been embraced and extended ;-).  There are different
JavaScripts in different browsers and none have a good security
reputation.

>   JS is not supposed to have access to windows or iframes which open to a
>   different domain from where it came from, otherwise you could do the same
>   with internet banking sites, or any other login pages.

No-one seems to have thought of this scam yet but I expect you will  
see it.

JavaScript can write just about what it wants into the current page.
You can create a whole page with JavaScript or rewrite one.  How
could the browser really test for this?  JS can hijack all the links
on a page; it can create a link that will appear to a CGI script as if
someone filled in a correct username and password and changed
settings.  If it can't open a page from another site it can entice
you to open it and make the page look like something else.  It can
make a page that gets all its resources from another site.
JavaScript is not secure in hostile hands.

As we do more and more business and system administration on-line and  
through browsers and use more and more AJAX this sort of thing is  
going to become more dangerous.

>   From time to time people find vulnerabilities in this model, but they are
>   more implementation problems than fundamental problems with the security
>   model.

Hmmm...  I think there are fundamental flaws in JavaScript.  I still
use it though.

>   Occasionally the model gets in the way too - especially when trying
>   to implement single sign on type stuff from different domains. It assumes
>   that domains are security boundaries - i.e. all scripts hosted by a certain
>   domain are to be trusted with the same data. This fails, for example:
>
>   1) When a site is spread across a number of domains (e.g. sister sites in
>   iframes etc.)
>
>   2) When a single site hosts code from multiple sources - not all of which are
>   trusted - e.g. if a site uses the /~username/ convention to host different
>   usernames - one user's JS can access another user's frames (because they both
>   share the same domain). This type of problem is called cross site scripting
>   (XSS) - which in its widest form means how to get scripting to cross site
>   boundaries.
>
>   For example if a forum software is vulnerable to XSS, one user may be able to
>   post to the forum some JS which gets users' cookies and sends them off. Then
>   every user that views that post in the forum becomes compromised - this is
>   because the script runs in the same domain as the forum.

--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294  M: +39 3342707610
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request

Democracy imposed from without is the severest form of tyranny.
                           -- Lloyd Biggle, Jr. Analog, Apr 1961
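The attack Kim describes above (a link or form that looks to the router's CGI script like a legitimate settings change, with the browser supplying the stored credentials) is a cross-site request forgery. The following is an added example, not code from the thread or from any router vendor, of how an admin CGI can refuse such requests on the server side: it checks that the request originated from the admin UI's own origin and that it carries a per-session, per-action token that a page on another site cannot obtain. The origin `http://192.168.1.1`, the action name and the request dictionaries are constructed for illustration.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlparse

# Constructed stand-in for the router admin UI's origin (hypothetical address).
ADMIN_ORIGIN = "http://192.168.1.1"


class Session:
    """Per-login session; the CSRF key stays on the server side."""
    def __init__(self):
        self.csrf_key = secrets.token_bytes(32)


def issue_csrf_token(session, action):
    """Hidden-field token for the settings form, bound to this session and
    one action, so a request forged from another page cannot carry it."""
    return hmac.new(session.csrf_key, action.encode(), hashlib.sha256).hexdigest()


def check_settings_request(session, headers, form, action="change_dns"):
    """Return (accepted, reason) for a settings-change submission."""
    # 1. The request must come from the admin UI itself. A hidden iframe or
    #    form on another site fails this even though the browser attaches
    #    the router's (auto-filled or cached) credentials.
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False, "missing Origin/Referer"
    parsed = urlparse(origin)
    if f"{parsed.scheme}://{parsed.netloc}" != ADMIN_ORIGIN:
        return False, "cross-origin request"
    # 2. The submission must carry the token issued with the form.
    expected = issue_csrf_token(session, action)
    if not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return False, "bad or missing CSRF token"
    return True, "ok"


def demo():
    """Constructed requests: one legitimate, two forged."""
    s = Session()
    token = issue_csrf_token(s, "change_dns")
    legit = check_settings_request(s, {"Origin": ADMIN_ORIGIN}, {"csrf_token": token})
    # Page on another origin submitting the form: browser sends its own Origin.
    forged = check_settings_request(s, {"Origin": "http://attacker.example"}, {})
    # Request with a plausible Referer but without the token.
    no_token = check_settings_request(s, {"Referer": ADMIN_ORIGIN + "/admin.cgi"}, {})
    return {"legit": legit, "forged": forged, "no_token": no_token}
```

The token check is what defeats a same-origin page that has been induced to submit the form without knowing the token; the origin check alone would not.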