[Sussex] JavaScript is no longer secure: TURN IT OFF NOW!

Jon Fautley jfautley at redhat.com
Mon Aug 14 10:26:18 UTC 2006



Steven Dobson wrote:
> Al
> 
> On Sun, 2006-08-13 at 23:28 +0100, Al Bennett wrote:
>> Hello from Edinburgh!  (Hoots mon, see you Jimmy, you'll have had your tea 
>> etc)
> 
> Hope you like your new home.
> 
>>> This is a proof of concept.  It isn't trying to be malicious.
>> Is it just me, or does this proof of concept not prove very much?
> <snip>
>> Or am I missing something?
> 
> I think you're missing something.

I'm not so sure he is - Al makes a good point. All you can do with this
code is exploit misconfigured devices. If you allow misconfigured
devices on your network, there are many other avenues of attack.

> Many devices are network configurable these days.  It has just been
> released, but there is a bug in some Linksys routers that would allow a
> JavaScript virus to cause a buffer overrun in the router and thus
> compromise your router/firewall.

So *if* you happen to visit a website with the correct JavaScript and
*if* you have a vulnerable Linksys device, then you *may* be exploited.
The code didn't work for me here, either (or if it did, it took a VERY
long time to scan 10 IP addresses - so long, that I navigated away from
the page).

> Anyway, do you want someone else's code looking at the data on your LAN?
> I don't know about you, but I assume that anything connected to my LAN
> is trustworthy.  I don't trust systems in my DMZ as much, and I
> definitely don't trust anything on the WAN at all, but my LAN - that I
> trust.

You really need to readdress your security measures then. No network
should ever be considered completely trusted unless you are 100% certain
of what data is being passed by it. You can never do this on a network
connected to the Internet. Rolling your own firewall rules helps a lot,
but it's not perfect.

Remember, most consumer wireless devices/routers/etc are specifically
designed without security in mind - they go for ease of use. "Proper"
wireless access points (3com/Cisco/etc) will not activate the wireless
device until you've logged in and configured the device (more than just
setting a password) - but then, they're not aiming for the world and his
dog who think wireless is 'kinda cool'.

Personally, I don't see any real problem with this JS code. Couple it
with other attacks and you may have the potential to attack large numbers
of people, but realistically, you could only use this as part of a
larger, more targeted attack on specific networks.

Just my 2p...

/j
--
Jon Fautley RHCE, RHCX <jfautley at redhat.com>   direct: +44 1483 739615
 Technical Account Manager                     office: +44 1483 300169
 Red Hat UK                                    mobile: +44 7841 558683
 10 Alan Turing Road, Surrey Research Park, Guildford, Surrey, GU2 7YF