-sigh- the topic is stolen directly from the [DarkReading Article] -snip- It’s yet another new spin on a pervasive attack -- this time using the old standby Simple Network Management Protocol (SNMP) to stage cross-site scripting (XSS) attacks. -snip-
-sigh- a little while back while doing a pen-test on a 1U device, we found that a well poisoned SNMP string could easily result in XSS and even SQL Injection attacks.
a few months later, nick used a variation of this by simply using XSS payloads as his SSID and broadcasting near wifi IDS devices with web based management consoles.
My point is simply that this hardly counts as a new attack.. (we didn't even think it was novel enough to blog at the time!)
-sigh- ignore me.. im older and cynicaler and tireder today.. i should get some sleep...
They'll be wanting to create "marketing and propaganda" for the most arbitrary stuff ...
*sigh*
It gets worse once you say that's so lame and then a competitor does the same and gets some buzz and you say "that's lame" and someone bursts into your office saying "we should have announced that months ago!"
Heh...suppose that's why we'll never be in Sales...
We have ALL done things before other people have published an example of it. Any security researcher/enthusiast has tried some type of technique at some point that has NOT been discussed in the public domain. However, if you don't discuss your idea/technique in the public domain, then obviously people won't be aware of it! As we all know there is a lot of bullshit in the community regarding who has done something first and who has the longest di**.
It's clear that any type of data that gets logged/stored on a website/web interface and can be manipulated by the attacker is a potential vector for XSS.
And yes, there have been some public examples of combining protocols other than HTTP with HTTP itself in order to accomplish XSS. I remember seeing an example of changing a workstation's machine name by modifying the Windows registry, which would ultimately get stored on a desktop web app and result in local-context XSS.
However, we did NOT find any public example of using SNMP write operations in order to accomplish persistent XSS on embedded devices.
Keep in mind that many SNMP variables, such as system name and location, are usually printed back on MANY devices' web interfaces. This is why we're doing a survey in our computer lab of devices from several vendors that are affected by this.
What's worse is that I'm afraid this attack can be launched in a mass fashion without having to consider the brand/model of the device being attacked. I personally find this very interesting, and so do some peers.
The following steps could be completely automated with a few bash scripts:
1. Scan random Internet IP addresses for SNMP enabled
2. Test if write access is enabled with a common write community string such as "private"
3. Inject the JavaScript payload via a parameter that is usually printed in many devices' web interfaces, e.g. system name (SNMP variable: system.sysName.0)
The JavaScript could do a phishing attack to get the admin's password, which would get submitted to a PHP script on the attacker's site. Such a PHP script would log the admin password AND the device's IP address, which can be obtained via the 'Referer:' HTTP header. With this information being logged, the attacker could remotely gain administrative access to devices located all over the world.
Anyway, our research was originally published on FD. Since it's fully uncensored, you're more than welcome to provide your feedback on that mailing list. Otherwise, what's the point of posting research to a non-moderated forum? :)
Anyway, please keep up the good work guys.
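The vendor-side fix for the sysName/sysLocation echo described in the steps above, as an added example that is not from the paper or the original post: an allowlist check that device firmware or an auditing script could apply to SNMP DisplayString values, plus escaped rendering for the management page. The sample values and the OID-to-value dictionary are constructed for the example.

```python
import html
import re

# RFC 1213 defines sysName/sysLocation/sysContact as DisplayString
# (up to 255 octets of NVT ASCII), which is far wider than a web UI
# should echo unescaped.  Conservative allowlist for these fields:
# letters, digits, space and a few punctuation characters.
ALLOWED_RE = re.compile(r"^[A-Za-z0-9 ._\-@/:,()]{0,255}$")

# Constructed sample values, as a device's web console would read them
# back over SNMP (not captured from any real device).
SAMPLE_VALUES = {
    "system.sysName.0": "core-switch-01",
    "system.sysLocation.0": "rack 4 <b>row B</b>",
    "system.sysContact.0": "ops@example.invalid",
}


def is_safe_display_string(value: str) -> bool:
    """True if the value fits the allowlist a management page may echo."""
    return ALLOWED_RE.fullmatch(value) is not None


def audit_snmp_strings(values: dict) -> list:
    """Return the OIDs whose current value fails the allowlist, i.e. the
    ones an SNMP writer may have seeded with markup."""
    return [oid for oid, val in values.items()
            if not is_safe_display_string(val)]


def render_status_row(oid: str, value: str) -> str:
    """Build one table row for the management page with both cells
    escaped, so whatever was written via SNMP stays inert text."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(oid, quote=True), html.escape(value, quote=True))


if __name__ == "__main__":
    for oid in audit_snmp_strings(SAMPLE_VALUES):
        print("suspicious value in", oid, "->", repr(SAMPLE_VALUES[oid]))
    for oid, val in SAMPLE_VALUES.items():
        print(render_status_row(oid, val))
```

The audit half is what a network team can run against its own devices' current values; the rendering half is what the web console should have done regardless of where the string came from.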
Thanks for the politest email ever received after what could have been read as "me being an ass".
i promise to buy u a beer if we ever meet at a conf.
i don't have a problem with the paper at all, and think its cool to bring it to ppls attention.. my irritability was more with the sensationalist dark reading coverage..
it's no slight at all on ur work.. (we have felt this pain in the past when our first sql injection paper in 2001 was followed by a headline "company hacks Microsoft!")
i agree re the threat, and like i said.. u actually end up finding even more insidious cmd / sql injection attacks easily through this vector because ppl have not been treating it as possibly malicious input..
ah well..
thanks again for not taking offense, and for reading our blog..
/mh