

Web security vulnerabilities and Javascript

By Jake Edge
January 23, 2008

Various recent, unrelated security issues seem to have a common thread: Javascript. It is not the fault of the language, exactly, nor of any particular implementation. It is the fundamental nature of how the language is used that often causes it to be "front and center" when security problems are found on the web.

Imagine that your computer reaches out across the net, to an unverified site, over an unencrypted link and grabs code that it executes with little in the way of further inspection. When put that way, it sounds rather dangerous, but that is exactly what browsers do with Javascript code. There are limits to what Javascript is allowed to do—meant to thwart malicious uses—but it has to have some privileges on the local machine in order to be useful.

One of the recent outbreaks is the "random js" attack, which propagates through Javascript served by legitimate websites. It generates a random .js filename for each visitor—which is where the name comes from—inserting a reference to it in a page on the site. It also stores the IP address of the visitor so that it does not repeat the infection multiple times. The payload then tries to exploit a dozen or more Windows vulnerabilities to install malware of various sorts.

The payload is not a problem for Linux users, but the websites hosting the attack are running Apache, many on Linux. The big unresolved question is how the servers were infected. It could be as simple as getting root access via insecure or intercepted root passwords. Or there could be some, as yet unknown, exploit. That certainly bears watching.

Because of the privileges that Javascript has on a local host, it can be used to spread malware, by exploiting the trust that users—those that even concern themselves with such things—have in the website they are visiting. It can also play a role in redirecting traffic away from a trusted site, even though the site itself has not been compromised.

A post by Nat Torkington at O'Reilly illustrates a common problem that content providers need to worry about. O'Reilly's site carried advertising that required them to load Javascript from the advertiser's site. All was well until the domain expired. A porn site bought it and started providing the required Javascript file with new contents redirecting the users to their site.

A man-in-the-middle or DNS cache poisoning attack could be used for similar results on a smaller scale basis. One can certainly see how it might be used by phishers as well. It is a difficult problem, as website owners need to be able to call out to advertisers' Javascript, but users typically do not expect to run code from a site they did not directly access.
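The two risks just described, a third-party script host whose domain can change hands and script loaded over an unencrypted link, are both visible in a page's own HTML before any script runs. The following audit is an added example, not code from the article or from O'Reilly: it lists every external `<script src=...>` reference in a page, flags the ones served from another origin and the ones fetched over plain HTTP, and reports the set of third-party hosts the page silently depends on. The page URL, host names and sample HTML are constructed for the example.

```javascript
// Added example (not from the LWN article): inventory the <script src=...>
// references in a page and flag the ones a site owner should worry about:
// scripts pulled from another origin (a third party whose domain could
// expire or change hands) and scripts fetched over plain HTTP (exposed to
// man-in-the-middle or DNS cache poisoning). Host names are hypothetical.

// Matches a <script> tag carrying a src attribute and captures its value.
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;

// Collect every external script URL in an HTML document, resolved against
// the page's own URL so that relative paths are classified correctly.
function extractScriptSources(html, pageUrl) {
  const sources = [];
  for (const match of html.matchAll(SCRIPT_SRC_RE)) {
    try {
      sources.push(new URL(match[1], pageUrl));
    } catch (e) {
      // Unparseable src attribute: skip it rather than guess at a host.
    }
  }
  return sources;
}

// Classify each script: same-origin vs third-party, encrypted vs plaintext.
function auditScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const src of extractScriptSources(html, pageUrl)) {
    findings.push({
      url: src.href,
      host: src.host,
      thirdParty: src.origin !== page.origin,
      plaintext: src.protocol === 'http:',
    });
  }
  return findings;
}

// Distinct third-party hosts: the domains whose continued ownership and
// integrity the site depends on, sorted for stable output.
function thirdPartyHosts(findings) {
  const hosts = findings.filter((f) => f.thirdParty).map((f) => f.host);
  return [...new Set(hosts)].sort();
}

// Constructed sample page (hypothetical site and advertiser names).
const SAMPLE_PAGE_URL = 'https://www.example-publisher.test/article.html';
const SAMPLE_HTML = `
<html><head>
<script src="/js/site.js"></script>
<script type="text/javascript" src="http://ads.example-adnetwork.test/serve.js"></script>
<script src='https://cdn.example-stats.test/tracker.js'></script>
<script src="https://www.example-publisher.test/js/menu.js"></script>
<script>inlineCode();</script>
</head><body></body></html>`;

// Print a human-readable report for the sample page.
function printReport(html, pageUrl) {
  const findings = auditScripts(html, pageUrl);
  for (const f of findings) {
    const flags = [];
    if (f.thirdParty) flags.push('third-party');
    if (f.plaintext) flags.push('plain HTTP');
    console.log(f.url + (flags.length ? '  [' + flags.join(', ') + ']' : ''));
  }
  console.log('Third-party hosts this page depends on:', thirdPartyHosts(findings));
  return findings;
}

printReport(SAMPLE_HTML, SAMPLE_PAGE_URL);
```

Run it with node; the inline `<script>` block is ignored because it has no `src`, the relative `/js/site.js` resolves to the page's own origin, and only the advertiser and the statistics host show up as third parties, with the advertiser additionally flagged for plain HTTP. Keeping that host list under review is the check that would have caught an expired advertiser domain before a new owner started serving different contents.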

An attack on home routers that had previously been only theoretical has started to show up in the wild. It uses Javascript to exploit a vulnerability in home routers to change the DNS entries for a popular Mexican bank. After that, accesses to the bank would instead go to the malicious website, which would collect usernames and passwords, allowing the attacker to access the accounts. Once again, users probably do not expect that surfing to a random site could suddenly expose them to bank account compromise.

There are some things that can be done. For users, if Javascript cannot be disabled entirely—something increasingly difficult in the "Web 2.0" world—it can at least be leashed using NoScript for Firefox.

For website owners, Google's Caja project seeks to define a subset of Javascript that implements an object-capability language, which would make it easier to sandbox remote code. If this effort succeeds, one can imagine that users could some day restrict their browsers to only use the Caja subset as well.

Comments (2 posted)

New vulnerabilities

apt-listchanges: arbitrary code execution

Package(s): apt-listchanges    CVE #(s): CVE-2008-0302
Created: January 17, 2008    Updated: January 23, 2008
Description: From the Debian alert: Felipe Sateler discovered that apt-listchanges, a package change history notification tool, used unsafe paths when importing its python libraries. This could allow the execution of arbitrary shell commands if the root user executed the command in a directory which other local users may write to.
Ubuntu USN-572-1 apt-listchanges 2008-01-18
Debian DSA-1465-2 apt-listchanges 2008-01-17
Debian DSA-1465-1 apt-listchanges 2008-01-17

Comments (none posted)

bind: off-by-one error

Package(s): bind    CVE #(s): CVE-2008-0122
Created: January 22, 2008    Updated: July 10, 2008
Description: Off-by-one error in the inet_network function in libc in FreeBSD 6.2, 6.3, and 7.0-PRERELEASE and earlier allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted input that triggers memory corruption.
Fedora FEDORA-2008-6281 bind 2008-07-09
Red Hat RHSA-2008:0300-02 bind 2008-05-21
SuSE SUSE-SR:2008:006 sarg, phpMyAdmin, xine, bind, dbus-1, silc-toolkit, boost 2008-03-14
rPath rPSA-2008-0029-1 bind 2008-01-24
Fedora FEDORA-2008-0904 bind 2008-01-22
Fedora FEDORA-2008-0903 bind 2008-01-22

Comments (none posted)

boost: denial of service

Package(s): boost    CVE #(s): CVE-2008-0171 CVE-2008-0172
Created: January 17, 2008    Updated: March 22, 2012
Description: From the Ubuntu alert: Will Drewry and Tavis Ormandy discovered that the boost library did not properly perform input validation on regular expressions. An attacker could send a specially crafted regular expression to an application linked against boost and cause a denial of service via application crash.
Scientific Linux SL-boos-20120321 boost 2012-03-21
Oracle ELSA-2012-0305 boost 2012-03-07
Red Hat RHSA-2012:0305-03 boost 2012-02-21
Gentoo 200802-08 boost 2008-02-14
SuSE SUSE-SR:2008:006 sarg, phpMyAdmin, xine, bind, dbus-1, silc-toolkit, boost 2008-03-14
Fedora FEDORA-2008-0754 boost 2008-03-13
rPath rPSA-2008-0063-1 boost 2008-02-13
Mandriva MDVSA-2008:032 boost 2007-02-01
Fedora FEDORA-2008-0880 boost 2008-01-22
Ubuntu USN-570-1 boost 2008-01-16

Comments (none posted)

flac: arbitrary code execution

Package(s): flac    CVE #(s): CVE-2007-6277
Created: January 21, 2008    Updated: January 23, 2008

From the NVD entry:

Multiple buffer overflows in Free Lossless Audio Codec (FLAC) libFLAC before 1.2.1 allow user-assisted remote attackers to execute arbitrary code via large (1) Metadata Block Size, (2) VORBIS Comment String Size, (3) Picture Metadata MIME-TYPE Size, (4) Picture Description Size, (5) Picture Data Length, (6) Padding Length, and (7) PICTURE Metadata width and height values in a .FLAC file, which result in a heap-based overflow; and large (8) VORBIS Comment String Size Length, (9) Picture MIME-Type, (10) Picture MIME-Type URL, and (11) Picture Description Length values in a .FLAC file, which result in a stack-based overflow. NOTE: some of these issues may overlap CVE-2007-4619.

Debian DSA-1469-1 flac 2008-01-20

Comments (none posted)

horde3: remote email deletion

Package(s): horde3    CVE #(s): CVE-2007-6018
Created: January 21, 2008    Updated: March 24, 2009

From the Debian advisory:

Ulf Harnhammer discovered that the HTML filter of the Horde web application framework performed insufficient input sanitising, which may lead to the deletion of emails if a user is tricked into viewing a malformed email inside the Imp client.

SuSE SUSE-SR:2009:007 vim, gvim, apache2, opera, multipath tools, java-1_6_0-openjdk, imp, horde, lcms, moodle, ghostscript 2009-03-24
Fedora FEDORA-2008-2087 imp 2008-02-28
Fedora FEDORA-2008-2040 imp 2008-02-28
Fedora FEDORA-2008-2087 turba 2008-02-28
Fedora FEDORA-2008-2040 turba 2008-02-28
Fedora FEDORA-2008-2087 horde 2008-02-28
Fedora FEDORA-2008-2040 horde 2008-02-28
Gentoo 200802-03 horde-imp 2008-02-11
Debian DSA-1470-1 horde3 2008-01-20

Comments (none posted)

hsqldb: unspecified vulnerability

Package(s): hsqldb    CVE #(s): CVE-2007-4576
Created: January 22, 2008    Updated: January 23, 2008
Description: HSQLDB contains an unspecified vulnerability which should be fixed in version
Fedora FEDORA-2007-4119 hsqldb 2008-01-22
Fedora FEDORA-2007-4171 hsqldb 2008-01-22

Comments (none posted)

kernel: local filesystem corruption

Package(s): kernel    CVE #(s): CVE-2008-0001
Created: January 17, 2008    Updated: June 13, 2008
Description: From the CVE description: VFS in the Linux kernel before performs tests of access mode by using the flag variable instead of the acc_mode variable, which might allow local users to bypass file permissions.
Mandriva MDVSA-2008:112 kernel 2007-06-12
SuSE SUSE-SA:2008:013 kernel-rt 2008-03-06
Ubuntu USN-578-1 linux-source-2.6.15 2008-02-14
Mandriva MDVSA-2008:044 kernel 2008-02-12
Fedora FEDORA-2008-0984 kernel 2008-02-05
SuSE SUSE-SA:2008:006 kernel 2008-02-07
Ubuntu USN-574-1 linux-source-2.6.17/20/22 2008-02-04
Red Hat RHSA-2008:0055-01 kernel 2008-01-31
Debian DSA-1479 linux-2.6 2008-01-29
Fedora FEDORA-2008-0958 kernel 2008-01-29
Fedora FEDORA-2008-0748 kernel 2008-01-24
Red Hat RHSA-2008:0089-01 kernel 2008-01-23
rPath rPSA-2008-0021-1 kernel 2008-01-17

Comments (none posted)

libcdio: arbitrary code execution

Package(s): libcdio    CVE #(s): CVE-2007-6613
Created: January 21, 2008    Updated: March 7, 2008

From the Gentoo advisory:

Devon Miller reported a boundary error in the "print_iso9660_recurse()" function in files cd-info.c and iso-info.c when processing long filenames within Joliet images.

A remote attacker could entice a user to open a specially crafted ISO image in the cd-info and iso-info applications, resulting in the execution of arbitrary code with the privileges of the user running the application. Applications linking against shared libraries of libcdio are not affected.

Ubuntu USN-580-1 libcdio 2008-02-20
SuSE SUSE-SR:2008:005 acroread, asterisk, cacti, compat-openssl097g, icu, libcdio, wireshark/ethereal, Jakarta, perl-tk 2008-03-06
Mandriva MDVSA-2008:037 libcdio 2007-02-07
Gentoo 200801-08 libcdio 2008-01-20

Comments (1 posted)

mantis: information disclosure

Package(s): mantis    CVE #(s): CVE-2006-6574
Created: January 21, 2008    Updated: January 23, 2008

From the NVD entry:

Mantis before 1.1.0a2 does not implement per-item access control for Issue History (Bug History), which allows remote attackers to obtain sensitive information by reading the Change column, as demonstrated by the Change column of a custom field.

Debian DSA-1467-1 mantis 2008-01-19

Comments (none posted)

mantis: cross-site scripting

Package(s): mantis    CVE #(s):
Created: January 23, 2008    Updated: January 23, 2008
Description: The Mantis 1.1.1 release contains a security fix for this bug.
Fedora FEDORA-2008-0856 mantis 2008-01-22
Fedora FEDORA-2008-0796 mantis 2008-01-22

Comments (none posted)

scponly: arbitrary command execution

Package(s): scponly    CVE #(s): CVE-2007-6350 CVE-2007-6415
Created: January 22, 2008    Updated: February 18, 2008
Description: scponly 4.6 and earlier allows remote authenticated users to bypass intended restrictions and execute code by invoking dangerous subcommands including (1) unison, (2) rsync, (3) svn, and (4) svnserve, as originally demonstrated by creating a Subversion (SVN) repository with malicious hooks, then using svn to trigger execution of those hooks. (CVE-2007-6350)

In addition, it was discovered that it was possible to invoke scp with certain options that may lead to execution of arbitrary commands. (CVE-2007-6415)

Gentoo 200802-06 scponly 2008-02-12
Fedora FEDORA-2008-1743 scponly 2008-02-15
Fedora FEDORA-2008-1728 scponly 2008-02-15
Debian DSA-1473 scponly 2008-01-21

Comments (none posted)

tomcat: information disclosure

Package(s): tomcat5.5    CVE #(s): CVE-2008-0128
Created: January 21, 2008    Updated: March 7, 2008

From the Debian advisory:

Olaf Kock discovered that HTTPS encryption was insufficiently enforced for single-sign-on cookies, which could result in information disclosure.

SuSE SUSE-SR:2008:005 acroread, asterisk, cacti, compat-openssl097g, icu, libcdio, wireshark/ethereal, Jakarta, perl-tk 2008-03-06
Debian DSA-1468-1 tomcat5.5 2008-01-20

Comments (none posted)

wireshark: denial of service

Package(s): wireshark    CVE #(s): CVE-2007-3389
Created: January 21, 2008    Updated: February 27, 2008

From the NVD entry:

Wireshark before 0.99.6 allows remote attackers to cause a denial of service (crash) via a crafted chunked encoding in an HTTP response, possibly related to a zero-length payload.

SuSE SUSE-SR:2007:015 PHP, moodle, tomcat5, lighttpd, asterisk, libarchive, xpdf, evolution, kvirc, wireshark, gd, opera, clamav, gimp 2007-08-03
Red Hat RHSA-2008:0059-01 wireshark 2008-01-21

Comments (1 posted)

wireshark: denial of service

Package(s): wireshark    CVE #(s): CVE-2007-3391
Created: January 21, 2008    Updated: February 27, 2008

From the NVD entry:

Wireshark 0.99.5 allows remote attackers to cause a denial of service (memory consumption) via a malformed DCP ETSI packet that triggers an infinite loop.

SuSE SUSE-SR:2007:015 PHP, moodle, tomcat5, lighttpd, asterisk, libarchive, xpdf, evolution, kvirc, wireshark, gd, opera, clamav, gimp 2007-08-03
Red Hat RHSA-2008:0059-01 wireshark 2008-01-21

Comments (1 posted)

xine-lib: buffer overflows

Package(s): xine-lib    CVE #(s): CVE-2008-0238
Created: January 23, 2008    Updated: August 7, 2008
Description: From the CVE entry: Multiple heap-based buffer overflows in the rmff_dump_cont function in input/libreal/rmff.c in xine-lib 1.1.9 allow remote attackers to execute arbitrary code via the SDP (1) Title, (2) Author, or (3) Copyright attribute, related to the rmff_dump_header function.
Ubuntu USN-635-1 xine-lib 2008-08-06
Mandriva MDVSA-2008:045 mplayer 2007-02-14
Fedora FEDORA-2008-1047 xine-lib 2008-01-29
Fedora FEDORA-2008-1043 xine-lib 2008-01-29
Gentoo 200801-12 xine-lib 2008-01-27
Mandriva MDVSA-2008:020 xine-lib 2007-01-22

Comments (none posted)

Xorg: multiple vulnerabilities

Package(s): Xorg    CVE #(s): CVE-2007-5760 CVE-2007-5958 CVE-2007-6427 CVE-2007-6428 CVE-2007-6429 CVE-2008-0006
Created: January 17, 2008    Updated: April 4, 2008
Description: From the security advisory: Several vulnerabilities have been identified in server code of the X window system caused by lack of proper input validation on user controlled data in various parts of the software, causing various kinds of overflows.
SuSE SUSE-SR:2008:008 wireshark, otrs, xine, xgl, silc-toolkit, lighttpd, tk 2008-04-04
Gentoo GLSA 200801-09:03 xorg-server 2008-01-20
SuSE SUSE-SR:2008:003 java, nss_ldap, cairo, geronimo, moodle, SDL_image, python, mysql, nx, xemacs 2008-02-07
rPath rPSA-2008-0032-1 x11 2008-01-30
Mandriva MDVSA-2008:025 x11-server-xgl 2007-01-23
Mandriva MDVSA-2008:024 libxfont 2007-01-23
Mandriva MDVSA-2008:023 x11-server 2007-01-23
Mandriva MDVSA-2008:022 xorg-x11 2008-01-23
Mandriva MDVSA-2008:021 XFree86 2008-01-23
Fedora FEDORA-2008-0891 libXfont 2008-01-22
Fedora FEDORA-2008-0831 xorg-x11-server 2008-01-22
Fedora FEDORA-2008-0794 libXfont 2008-01-22
Fedora FEDORA-2008-0760 xorg-x11-server 2008-01-22
Debian DSA-1466-3 xfree86 2008-01-21
Ubuntu USN-571-2 xorg-server 2008-01-19
Gentoo 200801-09 xorg-server 2008-01-20
Debian DSA-1466-2 xorg-server 2008-01-19
Ubuntu USN-571-1 libxfont, xorg-server 2008-01-18
Red Hat RHSA-2008:0029-01 XFree86 2008-01-18
Red Hat RHSA-2008:0064-01 libXfont 2008-01-17
Red Hat RHSA-2008:0031-01 xorg-x11-server 2008-01-17
Red Hat RHSA-2008:0030-01 xorg-x11 2008-01-17
Debian DSA-1466-1 xorg-server 2008-01-17
SuSE SUSE-SA:2008:003 Xorg 2008-01-17

Comments (none posted)

Page editor: Jake Edge

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds