Quote:
Originally Posted by mono
You said , "Actually, it is possible for a web based applet to determine what (local) IP address the computer is using and scan the entire subnet looking for devices that respond to requests on a certain port. I've, uh... ahem... seen somebody else do it. "
Written in Java? Or Flash? I thought Flash was safer than JavaScript. Care to share that script privately? I'm a good guy --- passed all the prescreening and rigorous background checks to work at Symantec and worked there for a while -- I'd like a copy of that script for my private entomology collection.
|
The software the, um, person wrote was done in Java, and worked quite well until one of the managers made me, um, that person, add in a dialog box for the user to confirm the operation. Apparently, successfully using an exploit when talking to a defense contractor is a "bad thing." The applet violated a permissions setting in the JVM to talk to the local network, which has since been patched. Other engineers adapted the program to VBScript and I have seen some versions that use ActiveX. I am not able to share any part of the code, because in addition to the browser exploit, it also exploits internal code in the target system that is considered proprietary, to force the device to alter certain settings. It was actually designed as a diagnostic tool, for people who had a device and set it to DHCP without entering a hostname.
Quote:
Originally Posted by mono
You said, "You could also use a javascript that guesses what the local subnet of the computer would be and tries every address. "
Yeah, I thought of that one. That's why I don't use the default 192.168.0.* on my local net. It would take a JavaScript long enough that you'd feel it to scan the entire class B, but not so long to scan the default class C with the fixed third octet of 0.
"This is even easier for routers - in default installations, there are maybe three common IP addresses for routers (192.168.0.1, 192.168.1.1, 10.0.0.1) and so many default usernames and passwords that you could easily create a simple script that would change the router's settings or cause the router to crash."
or rewrite certain well-known bank ip addresses to evil hacker webservers and phish the crap out of everyone. But you've moved off the printer hack and on to a more general hack, I think. I'm not following how exploiting port 9100 allows you to change the router. It seems to me like the root cause is having a vulnerable router in the first place which allows the hacker to both hack the router and exploit 9100.
Where I come from, the local custom is to assign 254 to the router, but it's just a custom, not a requirement. Anyone who runs a router on the open internet with the default uid/pass and configs is a clueless noob.
People, your router is your point of ingress into your soft, mushy underbelly, the internal network. That's the door you want to lock.
WHEN ARE WE (in the USA) GOING TO GO IPv6? Korea has it, and I think China too.
|
Yes, I did move on to a much more general topic with the router comments. I just wanted to give an example of how this idea can be expanded on to allow an attacker to exploit almost any network device given the right conditions. Even the strictest router would be unable to prevent the attack because the code is embedded in a requested web page.
Also, because a print operation does not require a response from the printer, all you need to do is open a connection to the IP/port, send the data, and close the connection. A JavaScript could do this using AJAX for an entire Class B in maybe 10 seconds. Two asynchronous connections lasting 1-2 ms each would be all that would be required. Of course, hopefully an IDS would detect the burst of traffic, but that is not something most IDS systems look for yet.
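The closing point above, that an IDS would have to notice the burst rather than any single connection, as an added example that is not part of this thread or of anyone's posted code: a small Python detector that flags one source opening connections to TCP/9100 on many distinct hosts inside a short window, which is the signature a fire-and-forget sweep leaves even though every individual connection is short and looks like an ordinary print job. The flow-log format, the addresses, the thresholds and the sample sweep of 10.5.0.0/16 are all constructed for the example.

```python
"""Flag a one-source sweep of TCP/9100 (raw printer port) across many hosts.

Constructed example; the log format below is a simplified, space-separated
flow record ("<epoch_seconds> <src_ip> <dst_ip> <dst_port>"), not real traffic.
"""
from collections import Counter, defaultdict

# Constructed sample: one workstation (10.5.1.50) touches 1000 hosts in
# 10.5.0.0/16 two milliseconds apart (about 2 seconds total), followed by
# three ordinary print jobs to a single printer spread over minutes.
SAMPLE_LOG = "\n".join(
    [f"{1700000000 + i * 0.002:.3f} 10.5.1.50 10.5.{i // 254}.{i % 254 + 1} 9100"
     for i in range(1000)]
    + [
        "1700000100.000 10.5.1.50 10.5.1.200 9100",
        "1700000400.000 10.5.1.51 10.5.1.200 9100",
        "1700000700.000 10.5.1.52 10.5.1.200 9100",
    ]
)


def parse_flows(text):
    """Parse flow records into (timestamp, src_ip, dst_ip, dst_port) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((float(ts), src, dst, int(dport)))
    return flows


def detect_sweeps(flows, port=9100, window=10.0, min_targets=50):
    """Return one alert per source whose busiest `window`-second span contains
    connections to at least `min_targets` distinct hosts on `port`.

    A per-connection rule cannot see this: each connection is tiny and valid.
    The sliding window counts distinct destinations, so repeated jobs to the
    same printer never add up to an alert, while a sweep does.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))

    alerts = []
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()   # dst -> number of connections inside the window
        left = 0
        best = None             # (distinct_targets, start_ts, end_ts, targets)
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until the window spans <= `window` s.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            if best is None or len(in_window) > best[0]:
                best = (len(in_window), events[left][0], ts, frozenset(in_window))
        if best is not None and best[0] >= min_targets:
            distinct, start, end, targets = best
            alerts.append({
                "src": src,
                "port": port,
                "targets": distinct,
                # Number of /24s touched: a Class B sweep spreads across many.
                "subnets": len({t.rsplit(".", 1)[0] for t in targets}),
                "start": start,
                "end": end,
                "duration_s": round(end - start, 3),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_sweeps(parse_flows(SAMPLE_LOG)):
        print(f"sweep from {alert['src']}: {alert['targets']} hosts in "
              f"{alert['subnets']} /24s on tcp/{alert['port']} "
              f"within {alert['duration_s']} s")
```

The thresholds are the tunable part: a print server that legitimately talks to dozens of printers needs a higher `min_targets` or an allow-list, and the `subnets` field is the quickest way to separate a real sweep (many /24s) from a busy but normal host. Note that the detector reports one peak window per source for clarity; a production version would emit a separate alert for each burst.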