Combination of SNMP and XSS Flaw Results in New Persistent Attacks
XSS, in which a website echoes back malicious script that then runs in an end user's browser, is an extremely common flaw in Web programs.
Researchers at ProCheckUp Ltd. recently came across a new kind of attack in which SNMP is used to set up a persistent XSS attack. A persistent XSS attack is more powerful because the malicious code stays hosted on a site for an extended period, and the user only has to view the Web page to be infected.
By using SNMP, the attacker alters the device's parameters to trigger a persistent XSS attack. ProCheckUp discovered the SNMP-XSS flaw, and several others, while analyzing ZyXEL's Prestige router products, which are commonly used with home computers, in ISP networks and in SOHO environments.
According to Adrian Pastor, a security consultant at ProCheckUp, this is an entirely new attack that possibly affects several other vendors' products, as reported by Darkreading on February 26, 2008.
According to Pastor's report, a persistent XSS attack takes place when parameters containing a payload are echoed to the browser through the device's Web interface. Pastor also says that the problem arises partly because ZyXEL's Prestige products run HTTP, SNMP, and telnet by default on the device's WAN interface. He writes that this holds at least for some of the ISPs used by ProCheckUp's customers, to whom the company offers its penetration testing services.
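The flaw described above comes down to a Web interface that writes SNMP-settable values into its pages without encoding them. The following added example (not code from ProCheckUp or ZyXEL) renders the same stored values with and without output encoding and audits them for markup; the three MIB-II object names and all sample values are assumptions constructed for illustration, since the article does not name the affected parameters.

```python
import html
import re

# Constructed sample: values an SNMP manager could have written to the
# device's MIB-II system group. Using these three objects is an assumption;
# the article does not name the affected parameters.
STORED = {
    "sysName": "prestige-gw",
    "sysContact": "noc@example.net",
    "sysLocation": '<script src="//example.invalid/x.js"></script>',
}

def render_unsafe(values):
    """Status page as a flawed Web interface builds it: raw concatenation."""
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in values.items())
    return f"<table>{rows}</table>"

def render_safe(values):
    """Same page with every stored value HTML-encoded on output."""
    rows = "".join(
        f"<tr><td>{html.escape(k)}</td><td>{html.escape(str(v), quote=True)}</td></tr>"
        for k, v in values.items()
    )
    return f"<table>{rows}</table>"

# Characters with no place in a name, contact or location string but needed
# to break out of an HTML text or attribute context.
_MARKUP = re.compile(r"[<>\"'`]|&#|javascript:", re.IGNORECASE)

def audit(values):
    """Return the names of stored parameters that contain markup characters."""
    return sorted(k for k, v in values.items() if _MARKUP.search(str(v)))

if __name__ == "__main__":
    print("flagged:", audit(STORED))
    print("unsafe :", render_unsafe(STORED))
    print("safe   :", render_safe(STORED))
```

Encoding on output neutralizes the value however it reached the device, while the audit gives administrators a way to spot parameters that were already altered.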
Robert Hansen, Chief Executive Officer, SecTheory, commented that waging an XSS assault using SNMP is certainly an interesting method, as reported by djtechnocrat.blogspot on February 26, 2008.
According to Hansen, although many exploits use different variables to launch XSS attacks, this is definitely the first time SNMP has been used.
Hansen added that SNMP and hackers of Web programs don't normally intersect, so the new attack method represents an interesting combination. Many hackers employ SNMPwalk to conduct attacks, but not many Web app hackers do.
» SPAMfighter News - 17-03-2008