Interesting new WWW attack vector

While I suppose that using javascript for evil purposes isn’t exactly a new idea, Bruce Schneier has written a piece (also covered on Slashdot and, I’m sure, other places) about three guys who have developed an attack that royally screw most users’ ability to use their Internet connection again.

AJAX, the magic pixie dust used heavily on sites like Google Mail, is really just javascript with the ability to make HTTP requests and parse the results of those requests. Javascript has been available in browsers for years and is recently enjoying some interest by web developers because of that last (somewhat) new capability. The use of this technology for evil is nearly indistinguishable from legitimate use, so it’s hard for any software to detect it and prevent it.

Basically, the attacker sets up a web site with some javascript code (see below) and tricks you into visiting that site. It’s not all that hard to get people to look at a rogue site: you can either spam the entire world and expect that a certain percentage of email readers are suckers who will click on the links in those messages, or you can hack a major site (such as Dolphin Stadium) and insert the exploit into it.

Now, the fun begins. This piece of javascript code (which, as I mentioned earlier, is pretty much impossible to identify as evil) attempts to make a connection to your router. If you are like most home users, your router is still sitting there with it’s default, factory-set password (probably something stupid like “admin”). That means that this piece of javascript code can login to your router and start playing around. This particular attack is designed to change your DNS settings such that all requests for named Internet addresses go to malicious servers. Those requests will be answered with fraudulent IP addresses which can be used to either emulate your favorite website or simply serve nothing but pop-up ads and porn. This little hack could even change your router’s password, locking you out of your own hardware.

Imagine if you were to fall victim to this exploit… the next time you tried to access, say, www.bankofamerica.com, the rogue DNS server sends you to what really is www.evilbankofamerica.com. The site looks like Bank of America’s real site, and you fall for the bait. You enter your username and password for online banking, and bang! – the bad guys have your online banking credentials.

SSL certificates might save you, since VeriSign (and others) are unlikely to issue an SSL cert for “www.bankofamerica.com” to an entity that is not Bank of America. But what do you think most people do when they get a security warning these days? My guess is that most people do whatever they have to do in order to get the security warning to go away and let them look at their website. That is a recipe for disaster.

Since we’re talking about folks who have never changed their router’s password, they probably wouldn’t know how to recover from this problem, either. If the attack included changing your router’s password, you’ll have to reset it to factory defaults in order to get back up and running again.

I’m guessing most home users will ask friends what to do if every site they visit is just porn and popups. The advice they are going to get is to reinstall their operating system (statistically it will be Microsoft Windows, which has a bad reputation for becoming easily infested). Many users aren’t willing to do that, and will pay someone else to do it. Re-installing the OS won’t work, so those users are likely to do the next best thing: go out and buy a new computer. That won’t work either.

What a pain in the ass.

What a great exploit.

3 Responses to “Interesting new WWW attack vector”

  1. Chip Bennett says:

    I read about this last week, and then SecurityNow! (grc.com/securitynow) talked about it on their podcast this week.

    Sneaky exploit, to be sure; but the solution is simple (and should be rule-of-thumb): change the default password on the router. The script (at least this version of it) can’t detect or hack the password; it simply attempts to login using the known-default password for each manufacturer’s router.

    Anyone who doesn’t change the default password on their router is just asking for trouble – and not just from this script (especially since, IIRC with my Linksys router, remote access is enabled by default, leaving the router subject to warjacking attack).

    For instance, I’ve got WPA2 enabled with a full-length PSK, remote access disabled, MAC address filtering, non-default SSID, UPnP disabled, and, of course, local router access password changed. I know MAC addresses can be cloned, but it’s one more layer. Also, I am broadcasting my SSID; finding it out is trivial for anyone trying to do so, so why make my own networking more difficult?

    Anyway, doubtful anybody in my lifetime is going to get into my network (or router) without my permission – and everything that I’ve done is actually pretty easy to do with any modern router (mine is only an 802.11g, not even draft-n), and will prevent this type of javascript attack.

  2. Christopher says:

    Chip,
    To be sure, changing your router’s password is really something one should do, though most home users do not. Many newer routers are coming with “installation” software that forces you to change the password for the router, which is good.

    Most routers /do not/ come with remote access enabled. Wardriving gives an attacker access to the router from /inside/, not from outside. As such, the remote access setting is irrelevant in that case anyway.

    WPA2 and disabling UPnP are probably the only useful “protections” that you have given yourself. Better than changing your SSID is turning off SSID broadcasting. A non-default SSID is about as useful as painting your front door a different color: it does not improve the lock on the door.

    This hack is just a proof-of-concept at this point. AFAICK, nobody is actually /doing/ this, although I’m sure an attack will be out there any day, now. Given that it’s just a proof-of-concept, the existing hack isn’t very interesting.

    As soon as someone wants to make a concerted effort to get this thing out into the wild and do some damage, I’m sure they’ll add brute-force password access into the javascript code. Or, even a simplistic dictionary attack. Simply changing your password from the default might not be enough… you’ll have to make it something that can’t be “easily” broken”.

    The real problem is that most users out there are idiots. The means to protect against this type of attack exist, it’s just that nobody bothers to understand enough about security to even care. If everyone used a non-privileged Microsoft Windows login most of the time, many attacks would be stopped in their tracks. It’s just easier to /not/ do that. Likewise, it’s easier not to change your router password.

  3. Brian says:

    You do realize, that one of the guys who wrote the paper on this, graduated from Rose in 2003. Sid Stamm. We interned together in Chicago and DC. He’s at IU now getting his PhD.