From daw@orodruin.CS.Berkeley.EDU Tue Feb 27 18:38:43 1996
Received: from hofmann.CS.Berkeley.EDU (hofmann.CS.Berkeley.EDU [128.32.35.123]) by orodruin.CS.Berkeley.EDU (8.7.Gamma.0/8.7.Gamma.0) with SMTP id SAA17871 for ; Tue, 27 Feb 1996 18:38:42 -0800 (PST)
Received: from orodruin.CS.Berkeley.EDU (orodruin.CS.Berkeley.EDU [128.32.35.24]) by hofmann.CS.Berkeley.EDU (8.6.11/8.6.6.Beta11) with ESMTP id SAA05028 for ; Tue, 27 Feb 1996 18:38:41 -0800
Received: from espresso.CS.Berkeley.EDU.mammoth (espresso.CS.Berkeley.EDU [128.32.33.40]) by orodruin.CS.Berkeley.EDU (8.7.Gamma.0/8.7.Gamma.0) with SMTP id SAA17866; Tue, 27 Feb 1996 18:38:39 -0800 (PST)
Received: by espresso.CS.Berkeley.EDU.mammoth (5.x/SMI-SVR4) id AA15724; Tue, 27 Feb 1996 18:38:25 -0800
From: daw@orodruin.CS.Berkeley.EDU (David A Wagner)
Message-Id: <9602280238.AA15724@espresso.CS.Berkeley.EDU.mammoth>
Subject: fun with the web and security
To: cypherpunks@toad.com
Date: Tue, 27 Feb 1996 18:38:25 -0800 (PST)
Reply-To: daw@CS.Berkeley.EDU
X-Mailer: ELM [version 2.4 PL25]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Status: RO

Here's a fun way to exploit security holes via the web:

    http://www.cs.berkeley.edu/~daw/js1.html

A rough representation of its contents follows.

Whee! The web is awfully convenient for exploiting security bugs....

The following URL contacts your sendmail SMTP server and attempts to exploit an old, well-known security hole, trying to gain root access. Click _here_ to try it.

As it stands, clicking on the URL above does not do anything harmful to your machine -- but it could! (This is a test of the emergency broadcast system. This is only a test.)

______________

We can get you to send arbitrary text, to an arbitrary port on an arbitrary host, from your machine. (If you are inside a firewall, we can thereby send arbitrary text to any internal machine by getting you to click on the link above.)
The technique is simple: we list the host and port in a gopher URL, and encode the text to be sent in the path.

For instance, a successful exploit of the hole could leave a backdoor root shell, and inform us via a pseudonym at an anonymous remailer. The exploit could be hidden by use of the JavaScript "width=1,height=1" techniques pioneered at John LoVerso's _JavaScript security hole page_; then you wouldn't even know when you'd been attacked. The exploit could be forced on you via many standard tricks: the Redirect: or META-EQUIV Refresh: or JavaScript mechanisms work fine, for instance.

This is most dangerous when you are behind a firewall. Typically, there will be many machines inside a firewall which run insecure software. Normally, that would be safe, since the firewall prevents an outsider from connecting to the unsafe sendmail servers inside -- yet the example URL above allows outsiders like us to exploit security holes on the inside of your firewall. Nothing stops us from putting the IP address of a vulnerable machine inside your firewall in the URL above, and waiting for you to click on it: the firewall doesn't prevent connections from you to the internal vulnerable machine, and thus can't stop this attack. Using JavaScript, we don't even have to wait for you to click on anything. Furthermore, a JavaScript program could systematically and invisibly try all the machines inside your firewall.

We could have used many other well-known security holes: there's nothing special about this particular sendmail bug (except that it was convenient for us to implement).

______________

Be afraid. Be very afraid.

-- Ian Goldberg and David Wagner.
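The post describes the shape of the URL (host and port in a gopher URL, the text to send encoded in the path) without showing how a site could defend against it. The following is an added example, not part of the original post or of the authors' page, of the check a proxy or browser-side URL filter could apply to a gopher URL before following it: it flags a port that is not 70, a port belonging to another protocol, a target inside private address space (the firewall case the post raises), and a percent-encoded selector that decodes to multiple lines. The blocked-port set, the host names and the sample URLs are constructed for illustration.

```python
"""Defender-side screening of gopher:// URLs (added example; the port
list, host names and sample URLs are constructed, not from the post)."""
import ipaddress
from urllib.parse import urlsplit, unquote

GOPHER_PORT = 70

# Assumption: a filter would keep a list of ports that belong to
# line-oriented protocols a browser should never be steered toward.
BLOCKED_PORTS = {21, 22, 23, 25, 110, 119, 143, 513, 514}


def classify_gopher_url(url):
    """Return the list of reasons to refuse this URL; an empty list means
    it looks like an ordinary gopher request on the standard port."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "gopher":
        return ["not a gopher URL"]

    reasons = []

    # Port: urlsplit().port is None when no port is given and raises
    # ValueError when the port text is not a number.
    try:
        port = parts.port
    except ValueError:
        return ["malformed port"]
    if port is not None and port != GOPHER_PORT:
        reasons.append(f"non-standard port {port}")
    if port in BLOCKED_PORTS:
        reasons.append(f"port {port} belongs to another protocol")

    # Host: a literal address inside private, loopback or link-local space
    # means the request would be aimed behind the firewall.
    host = parts.hostname or ""
    try:
        addr = ipaddress.ip_address(host)
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            reasons.append("target is an internal address")
    except ValueError:
        pass  # a host name rather than an IP literal; not checked here

    # Selector: percent-decode the path and look for line breaks or other
    # control characters, which are how a single URL carries several
    # lines of text to the far end.
    selector = unquote(parts.path)
    if "\r" in selector or "\n" in selector:
        reasons.append("selector contains CR/LF (multi-line payload)")
    elif any(ord(ch) < 0x20 for ch in selector):
        reasons.append("selector contains control characters")

    return reasons


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary request, one cross-protocol
    # request aimed at an internal address with an embedded line break.
    for sample in (
        "gopher://gopher.example.net/1/",
        "gopher://10.0.0.5:25/1HELO%20x%0D%0AQUIT%0D%0A",
    ):
        print(sample, "->", classify_gopher_url(sample) or "ok")
```

In a proxy, any non-empty result would be enough to refuse the request; the list of reasons is returned rather than a boolean so the decision can be logged with the specific rule that fired. The host check only examines IP literals, so a filter deploying this would also need to resolve host names and apply the same private-address test to the answer.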