[Python-talk] [Fwd: Firefox 3.5 and IE8 Abused to Spy Inside Intranets]
Mark Boyajian
mlboy at charter.net
Sat Jul 25 22:46:38 EDT 2009
Hey all:
This (see below) was forwarded to me by a colleague. Thought it would
be of interest.
MarkB.
Mark L. Boyajian
Simple Solutions
40 Wheeler Street
2 Beatrice Path
Pepperell, MA 01463
Home/Business: 978-433-5730
Firefox 3.5 and IE8 Abused to Spy Inside Intranets
Two security researchers have devised proof-of-concept "ping sweeping"
attacks that leverage the new Cross-Origin Resource Sharing
implementation in Firefox 3.5, as well as the one already present in
Internet Explorer 8. A design weakness can allow attackers to remotely
map Web servers on an internal network by using HTTP requests as pings.
XMLHttpRequest is a common API used in AJAX libraries in order to send
HTTP requests directly to web servers and return the results as XML or
plain text directly into the scripting language. In previous browser
implementations, XMLHttpRequest was limited by the JavaScript same
origin policy, meaning that HTTP or HTTPS requests could only be sent by
an application to the domain that loaded it.
All of that changed with the introduction of the Cross-Origin Resource
Sharing (CORS) specification, which allows such requests to be made
cross-site. For security purposes, the specification requires the
exchange of specific headers, which servers can use to enforce
origin-domain restrictions.
However, as reputed Web security researcher Robert "RSnake" Hansen
points out, even if such resource-accessing restrictions are put in
place, the ability to make the request itself can be abused. "Although
an attacker is not allowed to know if the page was there or not (only if
it was allowed to see the content or not), the attacker is still allowed
to make an initial request. In doing so that initial request can be used
as a pseudo 'ping' sweep," he explains.
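The two sides of this are easy to see in code: a server can use the CORS headers the article mentions to withhold response content from unlisted origins, but that check only runs after the request has already arrived, which is exactly the "initial request" Hansen describes. The following is an added illustration, not code from the article or from either researcher: a minimal origin allowlist check, and a filter over constructed access-log lines (with the Origin header appended as an extra field) that flags cross-origin requests reaching an intranet host from an external origin. The host names, the `.intranet.example` suffix, the log format and the treatment of a missing or "null" origin are all assumptions made for the example.

```python
"""Added example (not from the forwarded article): server-side CORS origin
enforcement plus a log filter for external-origin requests to intranet hosts.
All names, log lines and the log format below are constructed for illustration."""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed allowlist of intranet origins permitted to read responses cross-site.
ALLOWED_ORIGINS = {"https://app.intranet.example"}
INTRANET_SUFFIX = ".intranet.example"  # assumed internal DNS suffix


def cors_response_headers(origin, allowed=ALLOWED_ORIGINS):
    """Return the CORS headers to emit for a request carrying `origin`.

    Only an exact, allowlisted origin is echoed back. Any other origin gets no
    Access-Control-Allow-Origin header, so the browser withholds the body from
    the calling script. Note that the request itself has still been served."""
    if origin in allowed:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def origin_is_external(origin):
    """True when the Origin header names a host outside the intranet.

    Private/loopback IP literals and hosts under INTRANET_SUFFIX count as
    internal; a malformed or 'null' origin has no hostname and is treated as
    external (an assumption for this example)."""
    if origin in ALLOWED_ORIGINS:
        return False
    host = urlsplit(origin).hostname
    if host is None:
        return True
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:  # not an IP literal, so judge by DNS suffix
        return not host.endswith(INTRANET_SUFFIX)


# Constructed log format: common log format with origin="..." appended.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ origin="([^"]*)"$'
)

# Constructed sample lines as an intranet web server might record them.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jul/2009:22:46:38 -0400] "GET /status HTTP/1.1" 200 512 origin="https://app.intranet.example"
10.0.0.5 - - [25/Jul/2009:22:46:39 -0400] "GET / HTTP/1.1" 200 1024 origin="http://attacker.example"
10.0.0.7 - - [25/Jul/2009:22:46:40 -0400] "GET /index.html HTTP/1.1" 200 2048 origin="-"
10.0.0.5 - - [25/Jul/2009:22:46:41 -0400] "GET / HTTP/1.1" 404 0 origin="http://attacker.example"
"""


def flag_cross_origin_probes(log_text):
    """Return (client, origin, path, status) for each request whose Origin
    header points outside the intranet. A '-' origin means the browser sent no
    Origin header (plain navigation or same-origin), so it is skipped. The
    status code is kept because a 404 still proves the host answered."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, status, origin = m.groups()
        if origin == "-":
            continue
        if origin_is_external(origin):
            hits.append((client, origin, path, int(status)))
    return hits


if __name__ == "__main__":
    print(cors_response_headers("http://attacker.example"))  # {} -> body withheld
    for hit in flag_cross_origin_probes(SAMPLE_LOG):
        print("external-origin request:", hit)
```

The log filter is the more useful half for a defender: the allowlist only decides whether a script may read the reply, whereas a burst of requests from one internal client carrying the same external Origin across several intranet hosts is the observable footprint of the sweep the article describes.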
Obviously, this is not a real ICMP ping, but an HTTP variant, which can
still be used to "tell if the site is there or not because it will
either return immediately […] or it will wait around much longer […]
before the browser gives up." By leveraging this architectural weak
spot, Hansen claims that a "substantial amount of internal address
space" can be scanned for web servers rather quickly.
In order to support his theory, the researcher has created a PoC
example, which scans a limited number of intranet IP addresses if the
client visiting the page is behind a local router. It is also worth
mentioning that port 80 does not necessarily have to be opened in order
for this attack to work.
Fortunately, the popular NoScript Firefox extension can be used to
mitigate the issue, because of its ABE (Application Boundaries Enforcer)
component. Disabling JavaScript globally, something which NoScript does
by default, will also block such attacks.
However, Internet Explorer 8 has its own proprietary variant of
XMLHttpRequest too. It is called XDomainRequest and is implemented using
the same Cross-Origin Resource Sharing specification. Inspired by
RSnake's idea, another application security researcher, going by the
online handle of Inferno, has devised a similar attack against
Microsoft's browser.