Mailing List Archive: Full Disclosure: Full-Disclosure

Extending JavaScript Portscanning to Include Banner Grabbing

Full Disclosure full-disclosure RSS feed

Index | Next | Previous | View Threaded

mark at bindshell

Mar 4, 2007, 1:37 PM

Post #1 of 2 (718 views)
Permalink

Extending JavaScript Portscanning to Include Banner Grabbing

There's a new paper/advisory at: http://bindshell.net/papers/ftppasv

Here's a quick summary:

A common implementation flaw in FTP clients allows FTP servers
to cause clients to connect to other hosts. This seemly small
vulnerability has some interesting consequences for web browser security
(namely in Firefox, Opera and Konqueror).

This paper discusses the FTP client flaw in detail and demonstrates how
it can be used to attack web browsers. Proof of concept code is
presented that extends existing JavaScript port-scanning techniques to
scan any TCP port from Firefox (even though it now implements
"port banning" restrictions). Because of the way the same-origin policy
is applied it is also possible to perform banner-grabbing scans against
arbitrary hosts. Finally, for services that don't return a banner an
alternative fingerprinting technique is demonstrated which measures
the time it takes servers to close inactive TCP connections.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

wesley at mcgrewsecurity

Mar 5, 2007, 10:10 AM

Post #2 of 2 (655 views)
Permalink

Re: Extending JavaScript Portscanning to Include Banner Grabbing [In reply to]

On 3/4/07, mark <mark [at] bindshell> wrote:
> There's a new paper/advisory at: http://bindshell.net/papers/ftppasv
>
> Here's a quick summary:
>
> A common implementation flaw in FTP clients allows FTP servers
> to cause clients to connect to other hosts. This seemly small
> vulnerability has some interesting consequences for web browser security
> (namely in Firefox, Opera and Konqueror).
>
> This paper discusses the FTP client flaw in detail and demonstrates how
> it can be used to attack web browsers. Proof of concept code is
> presented that extends existing JavaScript port-scanning techniques to
> scan any TCP port from Firefox (even though it now implements
> "port banning" restrictions). Because of the way the same-origin policy
> is applied it is also possible to perform banner-grabbing scans against
> arbitrary hosts. Finally, for services that don't return a banner an
> alternative fingerprinting technique is demonstrated which measures
> the time it takes servers to close inactive TCP connections.

I love how clever the recent exploits of Firefox have been. They're
really fun to play with.

I took a look at this technique this morning, compared to the older
style of HTTP connections for JavaScript scanning, and I think that a
very important note is that this PASV technique allows for one to use
web browsers to scan for you, without it being immediately obvious to
the target what you're up to (since there's no request headers being
pushed to the open ports). While it is indeed quite slow, I think it
serves as a much cleaner way to scan, from the perspective of how
quiet it is with its interaction with the target. I guess it's a
trade-off if you want to poke at the ports a little more by sending
some data.

I've posted some pcap dumps illustrating the difference, in case
anyone wants to see without having to go through all the set-up:

http://www.mcgrewsecurity.com/blog/?p=8

So, awesome work! It's a shame your notification to security@ for
mozilla got filtered as spam :)

--
Robert Wesley McGrew
http://mcgrewsecurity.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads