A security researcher has developed an interesting new class of attacks that exploit the problems caused by organizations using non-routable IP space on their internal networks, including one attack that compromises VPN users through the use of a persistent JavaScript backdoor.

A security researcher has developed an interesting new class of attacks that exploit the problems caused by organizations using non-routable IP space on their internal networks, including one attack that compromises VPN users through the use of a persistent JavaScript backdoor.

The attacks rely on the long-term caching policies of some browsers and take advantage of the collisions that can occur when two different networks use the same non-routable IP address space, which happens fairly often because the amount of address space is quite small. The bottom line is that even a moderately skilled attacker has the ability to compromise remote machines without the use of any vulnerability or weakness in the client software.

“If you’re even vaguely clever, developing this might take you two hours. It’s not that difficult,” said Robert Hansen, the researcher who wrote about the attacks in a white paper published this week, called “RFC1918 Caching Security Issues.” Hansen, who is better known in the security community as Rsnake, worked out the techniques through research and discussions with fellow researchers Amit Klein and HD Moore over the course of several weeks. RFC1918 refers to an IETF specification developed in 1996 for private intranets.

“All you need is a mediocre amount of intelligence about VPNs, a mediocre understanding of how to inject iFrames, the ability to run a backdoor and a command and control server. Put all of that together and maybe it’s considered hard. All of the pieces are there, it’s just a matter of putting them together,” Hansen said.

In one of the scenarios that Hansen describes in his paper, an attacker is able to force a VPN user to connect to an attacker-controlled network instead of the user’s own corporate intranet through the use of injected iFrames and aggressive caching. Once the user connects, his browser gives the attacker access to the user’s cookies and the attacker delivers a JavaScript backdoor. He then drops the VPN connections and when the user reconnects to his normal intranet, the attacker’s backdoor controls the connection and requests instructions from a command-and-control server that the attacker owns.

One of the things that makes this technique possible is the widespread use of non-routable IP address space for corporate intranets. Many companies use IP addresses that are not routable from the public Internet for their intranets, a tactic that is meant to protect the networks from attack. But because the amount of non-routable IP address space most commonly used for intranets is so small–about 1280 addresses, Hansen estimates–collisions between networks often occur. And because some popular browsers will cache credentials and IP addresses for a long time, an attacker can take advantage of these circumstances to gain control of user PCs.

And, as Hansen discovered, the browser cache is a hidden jewel for attackers looking to remain undetected for a long time.

“The cache is a nice place to store persistent attacks long term. If you store it in the cache, in order to find it you’d have to go through every file to find the one that’s going to be exploitable,” he said. “It’s difficult to do and it’s a huge pain to recover from. Forensics on this is a nightmare because attackers can cause the cache to be flushed if they so desire.”

In addition to the VPN attack, Hansen lays out another scenario in his paper that involves a man-in-the-middle attack. In that scenario, the attacker needs to compromise a device somewhere upstream from the victim, waits for the victim to connect to his intranet and then creates a series of malicious iFrames containing the malicious JavaScript code. Once the user connects to one of these iFrames, the code downloads to the user’s PC. Then, when the user connects to his home or office RFC1918 network, the malware, which has been cached, connects the user to an attacker-controlled page.

“This happens in the wild all the time. People just don’t realize it,” Hansen said. “The man-in-the-middle variant requires a little more work because you have to do ARP spoofing or break into something upstream. It’s not super-hard but it requires a little more work than the VPN one.”

*VPN diagram via www.sectheory.com