
HTML 'Hack' Could Use Browsers To Open Net Security Hole

posted on August 21, 2001
by hitbsecnews

An independent computer programmer in Germany has discovered that malicious hackers
could use ordinary-looking Web pages to send commands to servers behind
such barriers as corporate firewalls.

Jochen Topf, whose own software credits include a POP3-protocol server for managing
user access to large e-mail systems, says he found that many common Web browsers can
be tricked into passing on commands from hackers unbeknownst to the browsers' users.

The trick, Topf wrote last week in a paper called "The HTML Form Protocol Attack," relies
on the same HTML-based technology builders of legitimate Web pages use to capture
information visitors might enter into online forms.

On a legitimate Web page, any HTML code defining a form usually points a user's
submission at an application running on the same server hosting the Web page itself. But
Topf said a form protocol "attacker" would code his HTML to redirect the submitted data
to some other server and can specify TCP (Transmission Control Protocol) ports associated
with such services as e-mail (SMTP and POP3), Internet relay chat (IRC), the file transfer
protocol (FTP) and newsgroups (NNTP).

Topf told Newsbytes that it's unlikely that such fiddling with Web forms could be used for
large scale attacks. However, he said it could be a useful way for a hacker to introduce
some other malicious code, such as an Internet worm, and hide its true source of origin.

"It is basically just a bunch of cute tricks that an attacker might use at some point," he
said. "Developers and (system administrators) should know about this so that they do not
inadvertently build a system that is especially vulnerable to those attacks."

"I imagine that this attack will be used as a small part in a bigger attack," he said.

In his paper, Topf recommended that authors of Web browser software ensure that their
applications refuse to submit form data to TCP ports associated with potentially
vulnerable Internet services. And he suggested that developers of server software make
their applications more choosy about the kind of data they accept.

He said the success of a form protocol attack relies in part on servers using plain-text
protocols that happily ignore bogus commands.

Topf's Web-form trickery uses form-submission formatting known as "multipart/form-data"
encoding that allows the attacker to build a list of commands intended for the target
server. However, there is no way to use that approach without also generating lines of
text the browser software creates to delineate the user input.

Topf said he found that many servers reject those extraneous lines of text in an HTML
form protocol attack but continue to accept subsequent lines of what could be a
cracker's malicious code.
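
The server-side behaviour described above, as an added example that is not from the article or Topf's paper: a toy line-based service, with a hypothetical command set and constructed input, handled first by a parser that skips unrecognized lines and then by one that closes the connection when the peer looks like a browser posting a form.

```python
import re

# Hypothetical command set for a toy plain-text service (command phase only).
KNOWN = {"HELO", "NOOP", "QUIT"}
HTTP_MARKERS = re.compile(  # lines only an HTTP client posting a form sends
    r"(?:GET|POST|HEAD|PUT) \S+ HTTP/\d\.\d|(?:Host|Content-[A-Za-z]+):|--\S",
    re.IGNORECASE)

# Constructed sample: what the service receives when a browser posts a form to it.
BROWSER_POST = [
    "POST / HTTP/1.1",
    "Host: mail.example.test:25",
    "Content-Type: multipart/form-data; boundary=----constructed123",
    "",
    "------constructed123",
    'Content-Disposition: form-data; name="x"',
    "",
    "HELO client.example.test",
    "NOOP",
    "------constructed123--",
]

def lenient_session(lines):
    """Tolerant parser: skips anything unknown and keeps reading."""
    executed = []
    for line in lines:
        if line.split(" ", 1)[0].upper() in KNOWN:
            executed.append(line)
    return executed

def strict_session(lines, max_errors=2):
    """Close on HTTP-looking input or after too many unknown commands."""
    executed, errors = [], 0
    for line in lines:
        if HTTP_MARKERS.match(line):
            return executed, "closed: HTTP client detected"
        verb = line.split(" ", 1)[0].upper()
        if verb not in KNOWN:
            errors += 1
            if errors > max_errors:
                return executed, "closed: too many bad commands"
            continue
        executed.append(line)
        if verb == "QUIT":
            return executed, "closed: QUIT"
    return executed, "open"

if __name__ == "__main__":
    print(lenient_session(BROWSER_POST), strict_session(BROWSER_POST))
```

The lenient parser runs the two commands buried in the form body, while the strict one ends the session at the first line, before any of them is read.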

Also limiting the effectiveness of the form protocol attack is the need to identify the
address of a host running vulnerable services, which in a useful exploit might be located
behind a corporate firewall.

But Topf pointed out that a cracker attempting to create a universal attack could
frequently guess server addresses using standard naming conventions. For example, if a
script on the cracker's own Web site determined that a Web browser was visiting from a
network associated with the "newsbytes.com" domain, the script might accurately
assume that there is also a server known as "mail.newsbytes.com."

Topf said it also is not necessary for victims of such an exploit to see the forms on an
attacker's Web page or to take any action to submit them. Instead, he said, the attacker
could use well-known JavaScript commands to have hidden form data submitted as soon
as an otherwise innocent-looking page is displayed.

Topf's HTML form protocol attack paper is at http://www.remote.org/jochen .

NewsBytes
