My Final Plea For You to Use NoScript / Why You Get Owned Because Sysadmins are Stupid

Posted: November 27, 2011 in Random pontifications

So many people put down using NoScript, particularly in my beloved community at Ubuntu Forums. I beg and I plead… Still they tell me JavaScript can't hurt them. They can visit whatever sites they want because Ubuntu is secure. So let's talk about how a browser actually gets owned by JavaScript: no malicious emailed links, no man in the middle, no visiting a site you wouldn't normally go to. The real deal, browser exploitation via a compromised website.

In this brief demonstration there will be three virtual machines involved. The first is a BackTrack 5 machine (IP 192.168.0.7), the attacker. The second is the victim: Ubuntu 11.10 running Firefox 7.0.1, fully updated, with a firewall and all the security essentials… except NoScript. We don't need that… The last machine is a web server (IP 192.168.0.10) running Ubuntu 8.04.4 LTS, fully patched, hosting my new personal website about my Ubuntu home server project.

In this scenario the sysadmin (me) of the Ubuntu 8.04 machine has decided he will create a website. He wants to administer it remotely, so he uses SSH, but you know what, SSH keys are a pain in the butt, so he uses a password. Not even a good one. This isn't an uncommon scenario, anywhere in the world. Note that nothing in this chain is a bug in the server: a fully patched box that accepts SSH passwords and has a guessable one is simply open. So a malicious cracker (also me) is going to brute-force my SSH password, he's going to alter my website, and when the victim (still me lol) visits the website (dtwebsite.co.uk), his fancy new Firefox browser will be exploited and the attacker will gain remote access to his system.
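The sysadmin's mistake above is a configuration, not a vulnerability, so it can be audited. The script below is an added example for this post, not code from the post or from the server in it: it parses an sshd_config the way sshd does (the first value for a keyword wins, and everything after a `Match` line is conditional) and flags password logins and root logins. The three configs are constructed samples, and the assumed defaults are those of the OpenSSH 5.x era; on a live host confirm them with `sshd -T`.

```python
"""Audit the global sshd_config settings that let the attacker in.

Added example for this post, not the post's own code. Assumed defaults
match OpenSSH 5.x as shipped with Ubuntu 8.04; confirm on a live host
with `sshd -T`.
"""
from __future__ import annotations

# Value sshd uses when the keyword is absent from the file (assumed defaults).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "yes",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

# What a key-only host should show (the policy this example checks against).
WANTED = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "no",
}


def effective_settings(config_text: str) -> dict[str, str]:
    """Return the global settings sshd would actually apply.

    Two sshd rules matter here: the FIRST value given for a keyword wins and
    later repeats are ignored, and everything after a `Match` line applies
    only to the matched connections, so global parsing stops there.
    """
    seen: dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        seen.setdefault(key, value)  # first occurrence wins
    return seen


def audit(config_text: str) -> list[str]:
    """List every setting that differs from WANTED; an empty list passes."""
    effective = effective_settings(config_text)
    findings = []
    for key, wanted in WANTED.items():
        if key in effective:
            actual, source = effective[key].lower(), "explicit"
        else:
            actual, source = DEFAULTS[key], "default"
        if actual != wanted:
            findings.append(f"{key} is {actual} ({source}), want {wanted}")
    return findings


# Constructed sample configs (not copied from the post's server).
WEAK_CONFIG = """\
# Roughly what the password-only box in the post was running
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
"""

# Common mistake: appending the fix to the end of the file. sshd keeps the
# first value it saw, so password logins stay enabled.
APPENDED_FIX = WEAK_CONFIG + "PasswordAuthentication no\n"

HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers dangertux
# Everything below only applies to members of sftponly, not globally
Match Group sftponly
    ChrootDirectory /srv/sftp
    ForceCommand internal-sftp
"""

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("appended fix", APPENDED_FIX),
                      ("hardened", HARDENED_CONFIG)]:
        print(f"{name}: {audit(cfg) or 'OK'}")
```

The "appended fix" case is the one to remember: editing `PasswordAuthentication` in place (or putting the `no` above the existing line) is what actually turns passwords off, and `sshd -T` shows what the daemon really resolved.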

Note: I didn't register that domain for this demo, it's not mine, and I have no idea what's actually there; I edited my hosts file. If you are the owner of that domain, I did NOT hack your website, so do NOT call the police, do NOT email me, and do NOT flame me in the comments section of my blog, thank you…

Uncompromised Site

My super cool site is super secure. It's just sitting there; it gets about 3 hits a day (just like my blog). You may notice from the content of my website that I'm carefree when it comes to security and really have no idea what I'm doing.

Compromised Site

In this phase an attacker has gained access to my website by obtaining my SSH credentials, which were username dangertux, password dangertuxsupercool. Wonder how he guessed. With shell access he has modified my site's index.html page to contain some "additional" data. In this case it is code that will exploit a browser visiting the site, more specifically the Linux version of Firefox 7.0.1.

If we examine the code for my site again we will see that something is amiss.
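"Something is amiss" should not depend on the sysadmin eyeballing his HTML. The script below is an added example for this post, not the post's own code: it takes a SHA-256 baseline of the web root right after deployment, reports any file that later changes, and parses each page for `<script>` tags, since a static site like this one has no reason to serve script at all. The two "sites" are constructed in-memory stand-ins for the web root, and the injected script is a harmless placeholder, not the exploit used in the post; `load_tree()` reads a real directory the same way.

```python
"""Catch the index.html tampering from the post: hash baseline plus script scan.

Added example for this post, not the post's own code. The two small
"sites" below are constructed stand-ins for the web root; load_tree()
reads a real directory the same way.
"""
from __future__ import annotations

import hashlib
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlsplit


def load_tree(root: Path) -> dict[str, bytes]:
    """Read every file under root into {relative path: bytes}."""
    return {str(p.relative_to(root)): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}


def manifest(files: dict[str, bytes]) -> dict[str, str]:
    """SHA-256 per file; keep the result where the web server user cannot write."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def diff_manifest(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report which files changed, appeared or vanished since the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


class ScriptCollector(HTMLParser):
    """Record (src, inline body) for every <script> tag in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[tuple[str | None, str]] = []
        self._in_script = False
        self._src: str | None = None
        self._body: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser lowercases tag names
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._body = []

    def handle_data(self, data):
        if self._in_script:  # script content arrives here as CDATA
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._body)))
            self._in_script = False


def suspicious_scripts(html: str, allowed_hosts: set[str]) -> list[str]:
    """Flag every inline script and every external script from an unlisted host.

    allowed_hosts exists for sites that legitimately load a library from a
    known host. A relative src counts as host "self": an attacker with a
    shell can drop a .js file next to index.html as easily as edit it.
    """
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src, body in collector.scripts:
        if src is None:
            findings.append(f"inline script ({len(body.strip())} bytes)")
            continue
        host = urlsplit(src).hostname or "self"
        if host not in allowed_hosts:
            findings.append(f"external script from {host}: {src}")
    return findings


# Constructed sample pages (not the post's real site).
CLEAN_INDEX = b"""<html><head><title>My Ubuntu home server</title>
<link rel="stylesheet" href="style.css"></head>
<body><h1>Ubuntu home server project</h1><p>Notes on the build.</p></body></html>"""

# The attacker's edit, as a harmless placeholder: one inline script and one
# loaded from the BackTrack box. Not the exploit code used in the post.
TAMPERED_INDEX = CLEAN_INDEX.replace(b"</head>", b"""
<script>/* injected placeholder */ var stage = 1;</script>
<script src="http://192.168.0.7/stage.js"></script></head>""")

CLEAN_SITE = {"index.html": CLEAN_INDEX, "style.css": b"body { font-family: sans-serif; }\n"}
TAMPERED_SITE = dict(CLEAN_SITE, **{"index.html": TAMPERED_INDEX})

if __name__ == "__main__":
    baseline = manifest(CLEAN_SITE)  # taken right after deploying the site
    print(diff_manifest(baseline, manifest(TAMPERED_SITE)))
    for finding in suspicious_scripts(TAMPERED_INDEX.decode(), set()):
        print("index.html:", finding)
```

Run the manifest comparison from cron against a copy of the baseline that the attacker's account cannot rewrite; a hash check that the intruder can re-baseline after defacing the page is worth nothing.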

Compromised Ubuntu User

So in this phase, an Ubuntu victim, err… user… me, is visiting my website to see how it's looking (What!? I like the minimalist style). I'm using my trusty Ubuntu 11.10 with Firefox 7.0.1, and I'm perfectly secure, so I don't run NoScript.

When I visit my site, the exploit code in the modified page is executed in my browser and I have just been compromised. Nothing was clicked and nothing was downloaded; loading the page was enough.

The Attacker’s Point of View

When I visited my website, the attacker received a reverse connection and was able to spawn a remote shell on my machine. That shell runs as my user, so everything my account can read, write or run is now his.

Conclusion…

For the LOVE of all that is holy, can we PLEASE use NoScript? If you don't, you're relying entirely on sysadmins to secure their sites, which means trusting that nobody has guessed the password on any box that serves you a page. This does not happen infrequently, and it doesn't happen only to small sites.

Need Proof? Check out rankmyhack.com

Comments
  1. Carlos says:

    Hi Adam, I have to admit that I am one of the majority that don't use NoScript. The reason is that it's so annoying when you have to add sites to the white-list.

    • dangertux says:

      Carlos,

      I know it's a pain, but do reconsider. It can be a little bit of a learning curve, not a particularly hard one, it's just a tool you have to revisit often. However, in my humble opinion it's worth every ounce of annoyance for the protection it gives you.

      So many vulnerabilities target users who don’t utilize things like NoScript, and with the power of JavaScript the consequences can be severe.

    • dangertux says:

      I’m very glad you changed your mind Carlos 🙂

  2. Ms. Daisy says:

    Just to be clear in my own head, all the victim (you) did was to visit the website, right? You didn’t click on anything, you didn’t run any program, you just visited your website & the malicious JavaScript executed automatically. Nothing happened while the JavaScript ran that the victim (you) could see, right?

    • dangertux says:

      Correct. There is nothing to click, nothing to run, etc. This is not a social engineering attack. This is code that exploits a vulnerability in Firefox 7.0.1 on Linux, Firefox 4 and 8 on Windows. This is publicly available code.

      The only thing you can notice (and you can't do anything about it) is about a 12-second hang when the browser loads the page. However, during this time, even if you close the browser, the shell will still be created.

      The exploit will trigger as soon as the victim visits the site.

  3. dangertux says:

    Thanks — that’s the second compliment I’ve gotten on it today , I’m glad you guys like it 🙂

    I wanted to make an image header for it, but apparently this theme doesn’t support that and I can’t edit the template unless I pay for the premium subscription, so I guess it will just have to wait.

    Thanks again 🙂

  4. Haqking says:

    Great tutorial again, great theme (only cos you saw it first though, when you give it up it's mine 😉)

    • dangertux says:

      LOL — I doubt I’m the only person who has this theme, it was on the first page under new wordpress themes lol.

      I like yours too. Though, now that I know you’re wanting this one I think I can settle on having my site look this way forever 😛

      I kid I kid…
