
Risk

10/23/2006 06:00 AM

JavaScript Malware Strikes Firewalls

It's a security hole no one knows how to fix, except by degrading Web browsing to little more than a text-based experience

2:00 PM -- In the beginning, there was application security.

All ports were open to the world and practically every application had holes in it. It was like the Wild West. Eventually application security became a big deal as more serious issues were uncovered and more commerce depended upon secure platforms.

Network security was next on the scene. It made sense to build a single choke point for all security needs. It was slick because it could see all the packets in transit to and from your servers, and turn off all access to anything that had a known hole in it. Those were the good times. Times have since changed.

Network security, in large part, had a huge role to play in creating the newest attacks. Network administrators rightly told their architects to build applications that could be tunneled over hypertext transfer protocol, while at the same time they would close down all access to any other unnecessary inbound services. Can you see the obvious flaw in their logic here?

Even still, aside from the occasional hole in IMAP or BIND, the world of computer security seemed to be calming down quite a bit with the advent of stateful packet inspection and security information management tools. Most of the holes at that time were against the security tools themselves, which most of the hardcore security folks felt was scraping the bottom of the barrel -- the last bunch of entry points to a secured network.

Now there is a new emerging threat: JavaScript malware. Coined by Jeremiah Grossman of WhiteHat Security, JavaScript malware is a concept we have been working on for nearly a year that defeats firewalls completely. To be frank, it's the one security hole no one has figured out how to fix yet without degrading your browsing experience back into the text-based dark ages.

Traditionally every firewall allows one thing by default: outbound access to any Web server on earth. That Web server can either be under the attacker's control or have a cross-site scripting vulnerability in it. When a user inside a corporate LAN visits the malicious Web page, that Web page starts making requests to internal devices behind your firewall.

The first thing the malware does is attempt to locate any machine that responds. Once it does, it attempts to fingerprint the machine for anything that tells the attacker more (for example, which Web server it is running, which might have default weaknesses, or an outdated version of an open-source package with a remote file include vulnerability built into it). Using that as a steppingstone, the malware attempts to execute commands from inside your corporate intranet, on the user's behalf. If the attack is successful, the machine behind the firewall is compromised.

It has a higher chance of being successful than on the Internet because rarely do corporations patch up internal machines. I mean, why would a company bother to secure its intranet portal? It's just an intranet server and not Web-accessible, right? That's true in principle, but very wrong in practice.

As a side note, most companies alias their portal to http://intranet/YourCompanyNameHere, making the attacker's job extremely easy. This even shortcuts having to scan IP ranges, since it's a single, easily guessed name.

After scanning a corporate intranet, the next step is to execute commands on the machines the malware does find, for the eventual purpose of gaining access to internal machines. On the machine that was compromised, the attacker will most likely run a series of commands to gain higher and more permanent access, and that machine could then communicate back to a command-and-control node over IRC chat, in the same way all botnets do.

The corporate firewall is helpless to protect against this sort of attack. Researchers like myself and others are looking into clever ways to fix the issue, but for now, the only fix is to isolate users from all machines on the corporate LAN. Hopefully there will be much more on this to follow. In the meantime, a text-based world isn't looking so bad after all, huh?

— RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F*the.net. Special to Dark Reading
