Browser-based Backdoor Attack for SSL?

Posted: June 17, 2009 in 64-Bit, Highlights

Read an interesting post last week on ThreatPost, "New attack class exploits intranet weaknesses." Dennis Fisher reports on a new class of attacks caused by organizations using non-routable IP space on their internal networks—including an attack that compromises VPN users through the use of a persistent JavaScript backdoor. The research was done by Robert Hansen, Amit Klein and HD Moore.

It appears to us the attacks are subject to SSL rather than IPSec VPNs because they are browser-based. Moreover, the diagrams look like the attacks originated inside the network. We can’t be sure based solely on the paper. Can anyone clarify, or does anyone have opinions on this research paper?

  1. Chris Knox says:

    The exploit is based on the potential for an individual to experience collisions in internal address space depending on which network is connected to his/her workstation. This vulnerability exists whether the VPN is SSL or IPSEC.

    For example, if you open your browser while connected to your local intranet and browse to a server with the IP, then connect to a VPN where there is a server with the same IP (, the VPN’s tunneling rules will direct your browser to the new server as opposed to the one on your intranet. Any IP-based cookies or session variables associated with the original site will be accessible to the new site because the IP addresses are the same.

  2. From my perspective ALL VPN connections are affected, the issue is not limited to SSL.
    And it is not SSL-centric, it just uses the normal browser cache!
    But I might be wrong 😉
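
The address collision described in the comments can be checked for before a tunnel comes up. The sketch below is an added example, not code from the post, the commenters or the research paper: it lists RFC 1918 ranges claimed by both the local network and the VPN, then flags visited URLs whose IP-literal host falls in such a range. The function names and sample networks, routes and URLs are constructed, and it covers IPv4 only.

```python
import ipaddress
from urllib.parse import urlsplit

# RFC 1918 private (non-routable) IPv4 blocks.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data: LAN subnet, VPN-pushed routes, visited URLs.
LOCAL_NETS = ["192.168.1.0/24"]
VPN_ROUTES = ["192.168.0.0/16", "10.8.0.0/24"]
VISITED = ["http://192.168.1.10/admin", "http://10.8.0.5/",
           "https://intranet.example/"]


def private_overlaps(local_nets, vpn_routes):
    """Return the private ranges claimed by both the LAN and the VPN.

    Two CIDR blocks are either disjoint or nested, so the shared range
    is the more specific (longer-prefix) block of an overlapping pair.
    Assumption: any overlap is treated as ambiguous; which side really
    receives the traffic depends on route specificity and client policy.
    """
    shared = set()
    for local in map(ipaddress.ip_network, local_nets):
        for route in map(ipaddress.ip_network, vpn_routes):
            if local.version != 4 or route.version != 4:
                continue
            if not local.overlaps(route):
                continue
            inner = local if local.prefixlen >= route.prefixlen else route
            if any(inner.subnet_of(block) for block in RFC1918):
                shared.add(inner)
    return sorted(shared)


def ambiguous_origins(urls, shared):
    """Return URLs whose host is an IP literal inside a shared range."""
    hits = []
    for url in urls:
        try:
            addr = ipaddress.ip_address(urlsplit(url).hostname or "")
        except ValueError:
            continue  # DNS name or no host: not an IP-literal origin
        if any(addr in net for net in shared):
            hits.append(url)
    return hits


if __name__ == "__main__":
    shared = private_overlaps(LOCAL_NETS, VPN_ROUTES)
    print("shared private ranges:", [str(n) for n in shared])
    print("origins to clear or re-check:", ambiguous_origins(VISITED, shared))
```

The browser keys cookies and cache entries on scheme, host and port, so a flagged origin looks identical to it no matter which network's server answers.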
