
JavaScript code that can escape a web browser’s security sandbox

Discussion in 'Black Hat SEO' started by SEO20, Aug 3, 2015.

  1. SEO20

    SEO20 Elite Member

    Joined:
    Mar 25, 2009
    Messages:
    2,017
    Likes Received:
    2,260
    These are pretty crazy times we live in:

    "Three security researchers released a paper describing a proof of concept exploit they developed. They've called it Rowhammer.js, and it's a piece of JavaScript code that can escape a web browser's security sandbox and gain access to the physical memory of your computer.

    The bad news is that if your computer is vulnerable, it's a hardware issue, and there's very little you personally can do about it. No software patches are coming to the rescue any time soon. The good news is that this hack is so complicated to pull off, you're probably safe just from its level of difficulty alone.

    So what exactly is Rowhammer.js? While it still needs to be tested further, the researchers claimed it is the "first remote software-induced hardware-fault attack" in existence, written entirely in JavaScript. In other words, it's scalable, powerful, takes more than a little luck to pull off, and if you understand how it works, it's the most clever thing you'll see all week"

    And here is the paper:
    Code:
    http://arxiv.org/pdf/1507.06955v1.pdf
    

    And the code:
    Code:
    https://github.com/IAIK/rowhammerjs
    
    Enjoy
     
    • Thanks Thanks x 2
  2. pirrtaste

    pirrtaste Junior Member

    Joined:
    Sep 1, 2011
    Messages:
    139
    Likes Received:
    48
    Interesting read. One thing that sticks out in particular is the fact that you can use this to easily read memory, in particular cookies.
    It makes services like HitLeap and URL redirection extremely dangerous, since most of them have browser exploits already.
     
  3. SEO20

    SEO20 Elite Member

    Joined:
    Mar 25, 2009
    Messages:
    2,017
    Likes Received:
    2,260
    Yes, it can be used for a lot of sick stuff.
    Don't know if this works on any mobile device, but think about all the "secure" stuff we have there also.
     
  4. Zher0

    Zher0 Registered Member

    Joined:
    Nov 18, 2011
    Messages:
    70
    Likes Received:
    6
    Occupation:
    Money.
    Location:
    Earth
    Thanks for the share, going to read into this.
     
  5. tompots

    tompots Elite Member Premium Member

    Joined:
    Dec 11, 2011
    Messages:
    4,371
    Likes Received:
    3,964
    Gender:
    Male
    Occupation:
    Full Time Bot Developer
    Location:
    Automation Alternatives
    Very nice, good to see you back. Looking forward to seeing what else you have.
     
    • Thanks Thanks x 1
  6. pixeltech

    pixeltech Newbie

    Joined:
    Mar 22, 2014
    Messages:
    24
    Likes Received:
    2
    Occupation:
    Web Application and General Software Dev
    Location:
    Florida, USA
    From an academic standpoint, the article is an exceptionally interesting read, at least as far as the technical details and explanations of how they pulled off the rowhammer technique using pure JavaScript go.

    That being said, I feel the paper's authors are being somewhat alarmist, and their claims that it could be more or less "readily" exploited in today's typical computing environment(s) are extremely exaggerated.

    I'm not going to be losing any sleep over this, and neither should anybody else. Here is why (from the article): "In a second step we build an inverted page table for the Firefox process. We then resolve the physical addresses we want to hammer to offsets within the JavaScript array. These offsets are then pasted into a field in the webpage to start hammering on the JavaScript array."

    Very specific foreknowledge of the particular environment in which the JavaScript is executing must be available in order to actually turn this into something which could be called an attack or exploit.

    Basically, this technique, while very much a definite theoretical possibility, would be *more* difficult (by several orders of magnitude) to pull off than smashing the stack on a machine protected with a decent NX data pages + ASLR memory layout implementation (which is quickly becoming standard first-line protection, if not considered to be so already).

    We're all going to be just fine now... :)
     
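The procedure the quoted passage describes (resolve the rows to hammer to offsets in a JavaScript array, hammer them, then look for flipped bits) as an added example, not the IAIK rowhammerjs code and not anything posted in this thread. It assumes 8 KiB DRAM rows and uses constructed array offsets in place of the physical addresses the paper resolves through its inverted page table; because JavaScript has no clflush, the paper evicts the aggressors from cache by touching a set of same-cache-set addresses between accesses, and the `evictionSet` below is only a placeholder for that set. The harness therefore runs anywhere but will not produce a real bit flip; what it shows is the fill/hammer/scan loop and how a flip would be reported.

```javascript
// Added example, not the IAIK rowhammerjs code or anything posted in this
// thread: the test loop a Rowhammer tool runs. Fill a buffer with a known
// pattern, hammer the two "aggressor" rows around a victim row, then scan
// for bytes whose bits no longer match the pattern.
//
// Assumptions (constructed, not from the paper): 8 KiB DRAM rows, and
// array offsets that stand in for the physical addresses the paper resolves
// via its inverted page table. `evictionSet` is a placeholder for the
// same-cache-set addresses the paper touches instead of clflush, so this
// harness runs everywhere but will not cause a real flip.

const ROW_BYTES = 8 * 1024;   // assumed row size
const PATTERN   = 0xff;       // all-ones fill; a flip shows up as a cleared bit

// Fill the buffer with the pattern and return it (Uint8Array.fill is in-place).
function fillPattern(buf, pattern) {
  buf.fill(pattern);
  return buf;
}

// Offsets of the two rows adjacent to the victim row ("double-sided" hammer).
function doubleSidedAggressors(victimOffset, rowBytes) {
  return [victimOffset - rowBytes, victimOffset + rowBytes];
}

// Hammer loop: read each aggressor, then touch the eviction set so the next
// read of the aggressor would go to DRAM rather than the cache. Returns the
// XOR of everything read so the engine cannot dead-code-eliminate the loads.
function hammer(buf, aggressors, evictionSet, iterations) {
  let sink = 0;
  for (let i = 0; i < iterations; i++) {
    for (let j = 0; j < aggressors.length; j++) sink ^= buf[aggressors[j]];
    for (let j = 0; j < evictionSet.length; j++) sink ^= buf[evictionSet[j]];
  }
  return sink;
}

// Scan for bits that differ from the pattern; one entry per flipped bit.
function scanForFlips(buf, pattern) {
  const flips = [];
  for (let off = 0; off < buf.length; off++) {
    const diff = buf[off] ^ pattern;
    if (diff === 0) continue;
    for (let bit = 0; bit < 8; bit++) {
      if (diff & (1 << bit)) flips.push({ offset: off, bit: bit });
    }
  }
  return flips;
}

// Inject a flip by hand so the scanner's report can be seen on a machine
// where no real flip happens.
function simulateFlip(buf, offset, bit) {
  buf[offset] ^= (1 << bit);
  return buf;
}

// One complete run over a constructed buffer: returns the list of flips.
function rowhammerTest(bufSize, victimOffset, iterations) {
  const buf = fillPattern(new Uint8Array(bufSize), PATTERN);
  const aggressors = doubleSidedAggressors(victimOffset, ROW_BYTES);
  // Constructed eviction set: 16 offsets at 4 KiB strides, wrapped into the buffer.
  const evictionSet = [];
  for (let i = 0; i < 16; i++) evictionSet.push((i * 4096) % bufSize);
  hammer(buf, aggressors, evictionSet, iterations);
  return scanForFlips(buf, PATTERN);
}

// Stand-alone run: on a 64 KiB buffer with placeholder offsets this prints [].
console.log(JSON.stringify(rowhammerTest(64 * 1024, 4 * ROW_BYTES, 100000)));
```

The point the thread is arguing about lives in the two placeholders: without the mapping from array offsets to physical DRAM rows and without an eviction set that really defeats the cache, `hammer` is just a loop over an array. Building those two things on a victim's machine is the work the paper describes and the reason the posters above call it impractical at scale.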
  7. SEO20

    SEO20 Elite Member

    Joined:
    Mar 25, 2009
    Messages:
    2,017
    Likes Received:
    2,260
    I am talking about using it to your advantage :)

     
  8. SEO20

    SEO20 Elite Member

    Joined:
    Mar 25, 2009
    Messages:
    2,017
    Likes Received:
    2,260
    Anyone using this?
     
  9. itz_styx

    itz_styx Jr. VIP Jr. VIP

    Joined:
    May 8, 2012
    Messages:
    372
    Likes Received:
    134
    Occupation:
    CEO / Admin / Developer
    Location:
    /dev/mem
    Hah, fun. This is exploiting bit flipping (aka bitsquatting). I wrote a little article about that once, on using it for SEO purposes, as bit flipping in domain names happens too and you can predict and register the right domains ;)
    Anyway, like pixeltech said, while this is an interesting/fun hack, it's not practical, and especially not easily exploitable on a wide scale (though not impossible with enough research and possible combined attack vectors).
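The domain-name side of bit flipping that itz_styx mentions, as an added example that is not from the thread or from his article: enumerate every single-bit flip of one character of a domain that still yields a syntactically valid hostname, which is the list you would predict and register. The sample input `example.com` and the hostname rules applied (lower-case letters, digits and hyphen; no label starting or ending with a hyphen) are the example's own assumptions.

```javascript
// Added example (not from the thread or any linked article): enumerate the
// single-bit-flip ("bitsquat") variants of a domain name that are still
// syntactically valid hostnames, i.e. the names a hardware bit flip in a
// client's memory could turn the original into before it is resolved.

// Characters allowed in a hostname label (lower-case LDH: letters, digits, hyphen).
const LDH = /^[a-z0-9-]$/;

// A label is valid if it is non-empty and does not start or end with a hyphen.
function validLabel(label) {
  return label.length > 0 && label[0] !== '-' && label[label.length - 1] !== '-';
}

function validHostname(name) {
  return name.split('.').every(validLabel);
}

// Return the sorted list of distinct valid hostnames reachable from `domain`
// by flipping exactly one bit of one character. Flips that only change case
// ('a' -> 'A') are dropped because DNS is case-insensitive, and the dot
// separators are left alone because flipping them changes the label structure.
function bitFlipVariants(domain) {
  const base = domain.toLowerCase();
  const out = new Set();
  for (let i = 0; i < base.length; i++) {
    if (base[i] === '.') continue;
    for (let bit = 0; bit < 8; bit++) {
      const ch = String.fromCharCode(base.charCodeAt(i) ^ (1 << bit));
      if (!LDH.test(ch)) continue;               // non-LDH byte: not a hostname
      const candidate = base.slice(0, i) + ch + base.slice(i + 1);
      if (candidate === base || !validHostname(candidate)) continue;
      out.add(candidate);
    }
  }
  return Array.from(out).sort();
}

// Group the variants by the position of the flipped character, which is the
// view you want when deciding which of them are worth registering.
function variantsByPosition(domain) {
  const base = domain.toLowerCase();
  const groups = {};
  for (const v of bitFlipVariants(base)) {
    let pos = 0;
    while (pos < base.length && base[pos] === v[pos]) pos++;
    (groups[pos] = groups[pos] || []).push(v);
  }
  return groups;
}

// Stand-alone run on the constructed sample input.
console.log(bitFlipVariants('example.com').join('\n'));
```

Most bytes have only a handful of single-bit neighbours inside the LDH set, so the candidate list stays short enough to check against WHOIS by hand; the `validHostname` filter matters for names containing hyphens, where a flip can produce a leading or trailing `-` that no registry will accept.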