Free Republic
Bug opens up Javascript browsers to hackers
The Inquirer ^ | July 30, 2002 | Paul Hales

Posted on 07/30/2002 6:16:48 AM PDT by JameRetief

Microsoft unmoved

By Paul Hales: Tuesday 30 July 2002, 11:03

A RECENTLY-DISCOVERED vulnerability lets an external attacker use a Javascript-enabled browser to reach PCs on the network behind it.

But Microsoft has chosen to ignore it.

The hole was discovered by Adam Megacz and the details posted here yesterday.

"The exploit," says the posting, "allows an attacker to use any JavaScript-enabled web browser behind a firewall to retrieve content from (HTTP GET) and interact with (HTTP POST) any HTTP server behind the firewall. If the client in use is Microsoft Internet Explorer 5.0+, Mozilla, or Netscape 6.2+, the attacker can also make calls to SOAP or XML-RPC web services deployed behind the firewall."

As is usual, Mr Megacz made the browser makers aware of the problem thirty days ago but, as yet, none has come up with a fix. Expect hackers everywhere to be fiddling with this little chink in the armoured Web, just because they can.

Microsoft's PR department apparently said it would not issue a patch or hotfix, but would prefer to downplay the severity of the vulnerability instead.

SecurityFocus suggested the following work-around: "Web servers behind firewalls," said Dave Ahmad, "should be configured to reject any HTTP requests with an unrecognized 'Host' header, rather than serving pages from the 'default' virtual host. This can be accomplished without patches by creating a 'default' virtual host with no content, and creating a name-based virtual server for each hostname which the server is intended to serve as."

Sysadmins, having had a glory day on Friday, may earn their bread today.


TOPICS: Business/Economy; Crime/Corruption; Culture/Society; Extended News; News/Current Events; Technical
KEYWORDS: browsers; hackers; interentexplorer; javascript; mozilla; netscape

1 posted on 07/30/2002 6:16:48 AM PDT by JameRetief
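The Host-header check Dave Ahmad describes above, written out as a small server so the mechanism is visible. This is an added example, not code from The Inquirer, SecurityFocus or Megacz's advisory; the hostnames in ALLOWED_HOSTS and the listening port are assumed. A browser that has been rebound to an internal address still sends the attacker's hostname (bar.baz.com in the posted exploit) in the Host header, because it believes it is talking to the attacker's site, so a server that only answers for its own configured names never serves that request.

```python
"""Host-header allow-list as a DNS-rebinding mitigation (illustrative).

Equivalent, at the handler level, to an Apache setup with a "default"
virtual host that has no content plus one name-based virtual host per
hostname the server is intended to serve as.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
import ipaddress

# Hostnames this server is intended to serve as (assumed values).
ALLOWED_HOSTS = {"intranet.bigco.example", "wiki.bigco.example"}


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Return True only if the Host header names this server by one of its
    configured hostnames.

    A rebinding request carries the attacker's hostname in Host, so it never
    matches. A bare IP literal is rejected as well: a server that should be
    addressed by name has no reason to accept one.
    """
    if not host_header:
        return False                      # HTTP/1.0 request without Host
    name = host_header.strip().lower()
    if name.startswith("["):
        return False                      # IPv6 literal, e.g. [::1]:80
    if ":" in name:
        name, _, _ = name.partition(":")  # drop an explicit port
    try:
        ipaddress.ip_address(name)
        return False                      # IPv4 literal, e.g. 10.0.0.9
    except ValueError:
        pass                              # not an address: a hostname
    return name.rstrip(".") in allowed


class HostCheckingHandler(BaseHTTPRequestHandler):
    """Serves content only when host_is_allowed(); otherwise an empty 421."""

    def _serve(self):
        if not host_is_allowed(self.headers.get("Host")):
            # 421 Misdirected Request (RFC 7540 s9.1.2): the request reached a
            # server that does not serve this hostname. No body is sent, which
            # is the "default virtual host with no content" behaviour.
            self.send_response(421)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"hello from the intranet\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = _serve
    do_POST = _serve


if __name__ == "__main__":
    # Assumed listening address; run and request it with and without a
    # matching Host header to see the two responses.
    HTTPServer(("127.0.0.1", 8080), HostCheckingHandler).serve_forever()
```

The check is deliberately strict about what "recognized" means: the comparison is case-insensitive and ignores a port suffix and a trailing dot, but nothing else, so a hostname the administrator did not list gets the empty response rather than the default site's pages.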

To: JameRetief
Exploit

1) Attacker controls DNS zone *.baz.com, configuring it as follows:

a) foo.bar.baz.com -> some web server operated by the attacker
b) bar.baz.com -> 10.0.0.9 (some address behind BigCo's firewall)

The attacker will have to know that 10.0.0.9 is running a web server.

2 posted on 07/30/2002 8:34:53 AM PDT by milestogo

To: milestogo
If you filter and log private IPs on your external interface, you know that a lot of sites leak them due to router configuration errors and such. Collecting the IPs of internal httpds from a large enterprise isn't all that difficult.

Hit megacorporation.com with a simple spider script written in Perl, for instance, and have it follow every link it finds that points to that domain, then grep your packet filter logs for private IPs that were logged while the script was running. Some of the IPs will probably belong to ad server providers, but some will probably belong to megacorporation.com. One IP address is all you need to start with, then just guess up/down from there, since most admins probably allocate IPs in a nice, ordered fashion.

Find one web server running Apache, for instance, with permissive access to the /server-status or /server-info page and you can collect a lot of information that shouldn't be revealed to non-admins. There are also a lot of devices with embedded httpds now and most of them are probably wide open. I know that most cable modems include httpds (try http://192.168.1.100/ if you have a Motorola) that will reveal the modem configuration and stats. There are probably routers, printers, server appliances, etc. that are sitting there waiting to give out information, too.

This isn't a catastrophic hole, but it is one that could allow the bad guys to recon your network for months without you even realizing it. This is not a good thing.

3 posted on 07/30/2002 9:59:19 AM PDT by dwollmann
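The defender-side counterpart to the reconnaissance described in the comment above, added here as an example that is not part of the thread: a scan of the pages and response headers your own site serves for leaked private (RFC 1918, loopback, link-local) addresses, so that internal httpd addresses are found by you before anyone else. The URLs, hostnames and response bodies in SAMPLE_RESPONSES are constructed.

```python
"""Find private IPv4 addresses leaking through served content (illustrative).

Feed it (url, headers, body) tuples from a crawl of your own public site,
or from proxy logs; every literal address in an internal range is reported.
"""
import ipaddress
import re

# Candidate dotted-quad literals; the lookarounds stop "1.2.3.4" being
# found inside "11.2.3.4" or a longer version string.
_IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Ranges that should never appear in content served to the outside.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8",                                     # loopback
    "169.254.0.0/16",                                  # link-local
)]


def private_ips_in(text):
    """Return the sorted list of internal IPv4 addresses found literally in
    text (HTML, a header value, a log line). Malformed quads such as
    999.1.1.1 and ordinary public addresses are ignored."""
    found = set()
    for m in _IPV4_RE.finditer(text):
        try:
            addr = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue                      # octet out of range: not an address
        if any(addr in net for net in INTERNAL_NETS):
            found.add(str(addr))
    return sorted(found, key=ipaddress.IPv4Address)


def audit_responses(responses):
    """responses: iterable of (url, headers_dict, body) tuples.
    Returns a list of (url, where, address) findings, in input order."""
    findings = []
    for url, headers, body in responses:
        for name, value in headers.items():
            for ip in private_ips_in(value):
                findings.append((url, f"header {name}", ip))
        for ip in private_ips_in(body):
            findings.append((url, "body", ip))
    return findings


# Constructed sample: one page whose HTML links to an internal server, one
# redirect whose Location header points inside, and one clean page. The
# 203.0.113.0/24 address is a documentation-range stand-in for a public CDN.
SAMPLE_RESPONSES = [
    ("https://www.megacorporation.example/",
     {"Content-Type": "text/html"},
     '<a href="http://10.0.0.9/reports/">Reports</a>\n'
     '<img src="http://203.0.113.7/logo.png">\n'),
    ("https://www.megacorporation.example/login",
     {"Location": "http://192.168.1.100/sso/"},
     ""),
    ("https://www.megacorporation.example/about",
     {"Content-Type": "text/html"},
     "<p>Version 1.2.3.4 of the site</p>\n"),
]

if __name__ == "__main__":
    for url, where, ip in audit_responses(SAMPLE_RESPONSES):
        print(f"{url}: {ip} leaked in {where}")
```

The explicit INTERNAL_NETS list is used instead of the library's is_private flag on purpose: that flag also covers documentation and benchmarking ranges and has changed between Python releases, whereas the question here is exactly whether an address from the firewall-side ranges is reaching the outside.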
