ScanFun

On 14 February 2007, Michal Zalewski disclosed a serious vulnerability in the Firefox browser (Full-disclosure archive). The flaw allows JavaScript code to set 'location.hostname' to a string containing an embedded null character. The domain handling code ignores the embedded null, but the code responsible for retrieving the page does not, so the two components disagree about which host is meant. A mitigating factor is that this vulnerability does not appear to be exploitable when browsing behind a web proxy.

What makes this vulnerability so interesting is that it allows malicious JavaScript to bypass the same-origin policy. This means that you could host a malicious page on your site and then spoof another, completely unrelated site. Most of the exploit discussion focused on reading and writing web cookies. Gaining access to cookies is no doubt a significant issue, but what if there were other, more interesting possibilities?
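The root cause above is two components reading one hostname with different string semantics. The following added example (not code from the original post or from Firefox) models that mismatch with a C-string-style comparison and shows the defensive rule beside it: validate the hostname once, strictly, and reject anything that is not a legal hostname character before any component uses it. The hostnames are constructed placeholders.

```javascript
// How a NUL-terminated (C string) consumer sees the value: everything after
// the first embedded null is invisible to it.
function asCString(s) {
  const nul = s.indexOf("\0");
  return nul === -1 ? s : s.slice(0, nul);
}

// A same-host check modelled on the flawed behaviour: it compares only the
// C-string view, so a later consumer that reads the full string can end up
// talking to a different host than the one this check approved.
function lenientSameHost(documentHost, requestedHost) {
  return asCString(documentHost) === asCString(requestedHost);
}

// Hardened rule: a hostname may contain only RFC 1123 label characters
// (letters, digits, hyphens, dots, length limits). NUL, other control
// characters and whitespace are rejected outright rather than truncated or
// passed through to the next component.
const HOSTNAME_RE =
  /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;

function isValidHostname(s) {
  return typeof s === "string" && HOSTNAME_RE.test(s);
}

// Strict check: validate both inputs first, then compare the whole string
// (case-insensitively, as DNS names are) so every consumer sees one value.
function strictSameHost(documentHost, requestedHost) {
  if (!isValidHostname(documentHost) || !isValidHostname(requestedHost)) {
    return false;
  }
  return documentHost.toLowerCase() === requestedHost.toLowerCase();
}
```

The same validation belongs at every boundary where a hostname crosses from script into native code; silently truncating at the first control character is what creates the inconsistency in the first place.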

After some thought and experimentation, it became evident that the Firefox Java security manager also utilizes a similar same-domain policy. Firefox (along with other browsers) offers LiveConnect functionality that can be used to access Java directly from JavaScript. If Java has been installed and enabled in the browser, any of the functionality that is available in Java can be utilized from JavaScript. One item that Java includes is TCP and UDP socket functionality. Normally, the socket functionality is fairly restricted because only connections back to the originating site can be made. But, with the same-origin bypass Zalewski found, why not make the browser think it is connecting back to the original site, when in fact it isn't? And what's more fun than port scanning?

Port scanning through JavaScript and image tags has become fairly standard fare since the SPI Dynamics JS-Port-Scan and Jeremiah Grossman's JavaScript Malware. Using Java to do this is even easier and simple banner grabbing can be implemented.

Proof of Concept files:

Tested using Firefox 2.0.0.1 under Linux and Windows. YMMV.