JavaScript Breaks Free

Zulfikar RamzanSymantec Security Response

Joint w/ Markus Jakobsson, Sid Stamm (Indiana Univ)

2Copyright © 2007, Symantec. All Rights Reserved. Zulfikar Ramzan, JavaScript Breaks Free

Outline

The Web 2.0 Security Picture11

Position: Boundary Challenges22

Example: Drive-by Pharming33

Other Examples and Parting Thoughts44

3Copyright © 2007, Symantec. All Rights Reserved. Zulfikar Ramzan, JavaScript Breaks Free

The Web 2.0 Picture

WEB SERVER

CLIENT MACHINE

WEB SERVER

WEB SERVER

WEB SERVER

WEB SERVER

WEB SERVER

WEB SERVER

3 Intranet web devices

4 Plug-ins / Extensions

5 Multiple “Browsers”

6 “Local” online apps

2 Content aggregation

1 User-driven content

4Copyright © 2007, Symantec. All Rights Reserved. Zulfikar Ramzan, JavaScript Breaks Free

What Makes it Hard

• Unprecedented amount of content (not always trustworthy)

• Aggregation of content on local client and also by intermediaries (same-origin policy workarounds)

• Intranet devices often have web servers (internet/intranet boundary issues)

• Web browsers augmented with plug-ins (not always trustworthy & complicate interactions)

• Machines may have many local web browsers that communicate over HTTP, render HTML, and emulate JavaScript (increased attack surface).

• Some local client applications can interact with web browser and provide combined online / offline capabilities (compromises can lead to machine ownership).

4

5Copyright © 2007, Symantec. All Rights Reserved. Zulfikar Ramzan, JavaScript Breaks Free

Main Position Points and Examples

There are many pieces in the puzzle. The policies governing boundaries between these pieces needs to be better understood and better enforced.

If we get this wrong, *-script code running in one context, can affect another. Example: Drive-by Pharming.

5

6Copyright © 2007, Symantec. All Rights Reserved. Zulfikar Ramzan, JavaScript Breaks Free

Drive-by Pharming Overview

• Attack concept developed by Sid Stamm, Markus Jakobsson, and me that strongly leverages prior work on JavaScript host scanning presented by Grossman at BlackHat.

• Local broadband routers (both wired and wireless) offer a web management interface for device configuration

– Consequently, these devices contain a web server that runs a web app

• The web app is often susceptible to cross-site request forgeries (made easier since there is usually a default password that users often fail to change)

• Broadband routers govern DNS settings…

• Can change these settings from a remote location; victim only has to view web page containing malicious JavaScript to become infected

6

7Copyright © 2007, Symantec. All Rights Reserved. Zulfikar Ramzan, JavaScript Breaks Free

Drive-by Pharming Flow

Home broadband /wireless router

Web Browser

Good DNS Server

Rogue DNS Server

Your Bank

Not Your Bank

Web site with JavaScript Malware

Click Me!!!

66.6.66.6

129.79.78.8

www.ban

k.com

129.

79.7

8.8

www.bank.com66.6.66.6

<SCRIPT SRC = “http://192.168.1.1/...?...”</SCRIPT>

8Copyright © 2007, Symantec. All Rights Reserved. Zulfikar Ramzan, JavaScript Breaks Free

Drive-by Pharming Current Status

• Working proof of concept code for various Linksys, Netgear,and DLINK routers

• No known instances In the Wild yet

• Similar concept can be used to upgrade router firmware

• Solutions

– Simple bandaid: change password on home router

– More fundamental: protect the web app on the router from Cross-Site Request Forgeries

– Way to implement second sol’n: web app requires and validates unpredictable value hidden somewhere on web page containing config. management interface

8

9Copyright © 2007, Symantec. All Rights Reserved. Zulfikar Ramzan, JavaScript Breaks Free

Other Examples and Parting Thoughts

• Other Examples:

– Overtaking Google Desktop (Amit, Allan & Sharabani)

– Universal XSS (Di Paola & Fedon)

• Not understanding boundaries associated with the plethora of component and failing to understand and enforce policies governing boundaries can have devastating consequences

• Things are getting more complex! New technologies like Silverlight, etc., are looming.

9

© 2007 Symantec Corporation. All rights reserved.  

THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY AND IS NOT INTENDED AS ADVERTISING. ALL WARRANTIES RELATING TO THE INFORMATION IN THIS DOCUMENT, EITHER EXPRESS OR IMPLIED, ARE DISCLAIMED TO THE MAXIMUM EXTENT ALLOWED BY LAW. THE INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE.