JavaScript malware
I had lunch with Gary and Matt the other day. After politely reminding me that I hadn’t blogged at all lately (it seems del.icio.us doesn’t count), they listened to me blather on about what’s been occupying my thoughts and time lately, especially 1) JavaScript malware, and 2) dynamic languages in the JVM and CLR. Thanks, guys. Once I get started on a topic I can be hard to shut up, so I appreciate your patience. Here’s that blog post you asked for.
So. JavaScript malware? Three presentations at Black Hat caught my attention.
- Jeremiah Grossman and T.C Niedzialkowski on Intranet hacking with JavaScript malware.
- Billy Hoffman’s “Analysis of Web Application Worms and Viruses” (PDF slides). Shortly before Black Hat, SPI Dynamics (where Hoffman works) released a paper and proof of concept code on “Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript Malware.”
- Tom Ptacek and Dave Goldsmith, “Do Enterprise Management Applications Dream of Electric Sheep?” If enterprise agents don’t make you nervous yet, they will.
The first two talks explore different aspects of what Grossman is calling JavaScript malware. The upshot is that cross-site scripting is much, much worse than we had ever thought — “the new buffer overflow” — and opens the door to internal network scanning, JavaScript worms and viruses, and all sorts of other excitement.
This is bad enough, but taken as a backdrop to the Matasano presentation on attacks behind the firewall — ridiculously insecure enterprise management agents — it’s terrifying enough to send me whimpering into a corner.
Subsequent work has made it even worse. JavaScript is everywhere, and its environmental restrictions vary. PDF, QuickTime, MP3 (!), Flash, RSS feeds… dang. The outlook is not good. From a recent email exchange in which I responded to an assertion that PDFs don’t yet have the ability to transmit worms/viruses:
Because PDFs can run JavaScript, whether they can themselves transmit worms/viruses isn’t terribly important. PDFs can make web services calls over HTTP & HTTPS, they can connect to databases, they can retrieve and play backdoored media files like QuickTime and Flash (QT can run JavaScript, btw), they can cause a web browser to launch and make arbitrary HTTP requests. With JavaScript (in the browser, at least), I can scan an internal network, probing and fingerprinting network devices (or intranet sites), and use them as a launching pad for a more devious attack. Is that printer vulnerable? Quite possibly. Does that router have a web interface? Ooh, that’s interesting. Does that intranet portal have XSS vulnerabilities that can help me transmit a JavaScript worm? Quite probably.
The usual network admin concern with perimeter security is insufficient. The likelihood of running across cross-site scripting over the course of a day of surfing is pretty high; cross-site request forgeries are likely everywhere. They can blast undetected right through your network perimeter and tackle all the fun stuff on the inside. Even trusted web sites are not safe, and the consequences are getting worse every day. Remember: script kiddies are not the danger anymore. The real threat is well-trained and funded crime syndicates motivated by scads of cash.
I’m barely scratching the surface but wanted to give you at least some idea of what’s been banging around in my head. Read Jeremiah Grossman, RSnake, pdp (architect) to start if you’re interested in studying up.
27 Sep 2006 Sam