Dark Reading, 6/19/2012 05:24 PM

Advanced JavaScript Attack Threatens SOHO Routers

Using JavaScript and cross-site request forgery, two researchers plan to show it's possible to attack routers leveraging computers on the internal network

A technique for sending requests to devices on an internal network could be used by online attackers to compromise home and small-business routers, according to two researchers who plan to demonstrate the attack at the Black Hat security conference next month.

The two researchers, Phil Purviance and Joshua Brashars of AppSec Consulting, build on a technique shown at the Black Hat conference in 2006, using a combination of JavaScript and cross-site request forgery to send requests to devices on an internal network from an external Web site. The attack will be able to send a compromised binary to an internal router, reflashing the router's memory with the malicious firmware, according to the researchers.

"With this attack, you can actually start compromising network devices with little to zero user intervention," says Brashars, a senior security consultant at AppSec. "At that point, once a network device is compromised, you are no longer reliant on a user keeping their Web browser open."

At the Black Hat security conference in 2006, and again in 2007, Web security experts Jeremiah Grossman and Robert Hansen showed that cross-site request forgery (CSRF) could be used to force browsers to send requests from a malicious website to devices on the internal network. Yet Grossman and Hansen never refined the technique to allow binaries to be communicated through the CSRF channel. Instead, the attacker would have to social engineer victims into entering their usernames and passwords for internal devices.

"There was quite a bit of social engineering that had to be done in order to make it work," says AppSec's Purviance, a security consultant. He and Brashars have cleared that hurdle. "The advantage of this attack is that there is no social engineering required."

While the pair of researchers declined to give details of the technique, their attack will allow fully automated infection of devices on the network, they claim. Because the attack makes use of HTML5 and other new browser technologies, more modern browsers are more susceptible to it, Purviance says.

After the browser is conscripted by the attacker, the second part of the attack is uploading the rogue firmware to the router. The two researchers have found ways to get past the requirement of authenticating to the router. Purviance and Brashars would not discuss details, but there are three possibilities, Grossman says: The device authentication could be bypassed, the password could be guessed, or a vulnerability in the router could be exploited.

The internal interfaces of routers make perfect targets. Although they sit inside the network, they present a Web interface just like any other site on the Internet, and one buggier than most, says Grossman, who is chief technology officer of Whitehat Security.

"You have to get past the notion that these are routers," Grossman says. "They are really just websites with the same Web applications flaws as everything else. And they are never updated."
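The flaw Grossman describes is the ordinary web-application weakness behind CSRF: a router's admin interface accepts a state-changing request (such as a firmware upload) on the strength of the browser's ambient session alone. The following is an added example, not code from the article or from AppSec Consulting, showing the two standard server-side checks a device firmware can apply: a per-session synchronizer token that a page on another origin cannot read, and an Origin/Referer check against the device's own address. The address `192.168.1.1`, the header names and the handler shape are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Origins from which the router's own admin pages are served. These are
# assumed values for the example; a real device would derive them from its
# configured LAN address rather than hard-code them.
ALLOWED_ORIGINS = {"http://192.168.1.1", "https://192.168.1.1"}


def issue_csrf_token(session):
    """Bind a fresh random token to the server-side session and return it.

    The token is rendered into the admin form as a hidden field. A page on
    another origin can make the browser *send* a request with the victim's
    cookies, but the same-origin policy stops it from *reading* this value,
    so it cannot forge a submission that carries it.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def origin_of(headers):
    """Return scheme://host[:port] from the Origin header (or Referer as a
    fallback), or None if neither is present or parseable."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return None
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def authorize_state_change(headers, form, session):
    """Decide whether a state-changing admin request may proceed.

    Returns (allowed, reason). Two independent checks are applied, and each
    alone is enough to stop a browser-forged request:
      1. the request must come from the router's own origin, and
      2. it must carry the token bound to the caller's session.
    A request with neither Origin nor Referer is refused outright: for a
    form POST to the device's own pages, modern browsers always send Origin.
    """
    origin = origin_of(headers)
    if origin is None:
        return False, "missing Origin/Referer on state-changing request"
    if origin not in ALLOWED_ORIGINS:
        return False, f"cross-origin request from {origin}"

    expected = session.get("csrf_token", "")
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes so a non-ASCII submission cannot
    # raise and so timing does not leak how many leading characters matched.
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False, "missing or mismatched CSRF token"
    return True, "ok"


def demo():
    """Run three constructed requests through the check and return the verdicts."""
    session = {}
    token = issue_csrf_token(session)
    cases = {
        # Constructed: a page on an outside site drives the browser to POST
        # to the router; the browser fills in Origin with the outside site.
        "forged_from_outside": ({"Origin": "http://outside.example"}, {"csrf_token": "guess"}),
        # Constructed: same origin, but the hidden token field is absent.
        "same_origin_no_token": ({"Origin": "http://192.168.1.1"}, {}),
        # Constructed: the legitimate admin form submission.
        "legitimate": ({"Referer": "http://192.168.1.1/firmware.html"}, {"csrf_token": token}),
    }
    return {name: authorize_state_change(h, f, session) for name, (h, f) in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:22s} allowed={allowed} ({reason})")
```

The origin check is the cheaper of the two and catches the case the article describes directly, but it depends on the browser populating the header, so the token check remains the primary control; refusing requests that carry neither header is a deliberate strict default for an interface whose only legitimate clients are the device's own pages.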

While enterprise routers may not be easily compromised, home and small-office routers could be compromised at the firmware level with an attacker's software, making recovery extremely difficult.

"Once a device is compromised, there is no good way to determine that it has been compromised," AppSec's Purviance says. "And once the network device is infected, how can you remove it? The firmware on a network device has full control."

Fixing the general issue of CSRF has also posed a problem. Grossman and Hansen have discussed the problem with browser vendors since their original 2006 presentation, but have failed to get the software makers to adopt restrictions that would prevent browsers from sending requests from the external Internet to internal, non-routable addresses.

"We talked to the browser vendors year after year, and didn't get any movement on this," Grossman says.
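The browser-side restriction Grossman and Hansen asked vendors for is a policy decision rather than a protocol: classify the page that initiates a request and the address it targets into address spaces, and refuse when a page from a less-trusted space (the public Internet) tries to reach a more-trusted one (a private LAN address or the local host). The following is an added illustration of that policy, not code from any browser or from the researchers; the three-tier ordering and the rule that a bare hostname is treated as public until resolved are assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Address spaces ordered from most to least trusted. A request may flow
# toward a less trusted space freely; flowing toward a more trusted one is
# what a page on the public Internet would need in order to reach a router.
TIER = {"local": 0, "private": 1, "public": 2}


def address_space(host):
    """Classify a URL host into 'local', 'private' or 'public'.

    Only literal IP addresses are classified here. A DNS name is treated as
    public; a browser enforcing this policy would classify the address the
    name actually resolved to (assumed behaviour, not implemented here).
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "public"
    if ip.is_loopback:
        return "local"
    # RFC 1918 ranges, IPv6 unique-local and link-local addresses all count as
    # the internal network that a SOHO router's admin interface lives on.
    if ip.is_private or ip.is_link_local:
        return "private"
    return "public"


def should_block(initiator_url, target_url):
    """Return True if a page at initiator_url must not be allowed to make a
    request to target_url under the public-to-private restriction."""
    src = address_space(urlsplit(initiator_url).hostname or "")
    dst = address_space(urlsplit(target_url).hostname or "")
    return TIER[dst] < TIER[src]


def evaluate(cases):
    """Apply the policy to (initiator, target) pairs; returns {pair: blocked}."""
    return {pair: should_block(*pair) for pair in cases}


# Constructed sample requests, illustrating each direction the policy sees.
SAMPLE_REQUESTS = [
    ("https://outside.example/page", "http://192.168.1.1/cgi-bin/upload"),  # public -> private
    ("http://192.168.1.1/admin", "http://192.168.1.1/cgi-bin/upload"),      # private -> private
    ("http://192.168.1.50/page", "http://127.0.0.1:8080/"),                # private -> local
    ("http://192.168.1.1/", "https://outside.example/"),                    # private -> public
]

if __name__ == "__main__":
    for (src, dst), blocked in evaluate(SAMPLE_REQUESTS).items():
        print(f"{'BLOCK ' if blocked else 'allow '} {src} -> {dst}")
```

The policy does not replace the server-side token check on the device: it reduces the reach of a malicious page, but a router whose own pages are vulnerable remains exposed to any page that already sits inside the private space.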
