
Web Browser Attacks

At S4 2009, Daniel and Kevin taught a security class.  Kevin demonstrated web attacks emanating from a browser client directed toward a server. The flip side of web server hacking uses a web server to attack the client system.  The Pwn2Own contest is a good example of the type of damage that can be done by attacking web browsers.

This year Internet Explorer 8, Firefox and Safari were exploited quickly in the Pwn2Own contest that took place a couple of weeks ago at the CanSecWest 2009 conference.  The goal of the contest is to exploit a web browser in such a way that it executes arbitrary code on the client system; the winner keeps the system they exploited as well as some cash.

The exploits required a single click on a link.  All operating systems and web browsers were patched as of the date of the contest.  There were two laptops available for attack: a Sony Vaio with Internet Explorer 8, Google Chrome and Firefox and a MacBook with Firefox and Safari.  Multiple smartphone operating system browsers were also available for attack: Windows CE, Google Android, Apple iPhone, BlackBerry and Symbian.  Only Google Chrome and the smartphone browsers survived the contest unscathed.

Obviously this does not mean they are immune; more likely it is due to the fact that most of the effort has been put toward the more popular browsers. Multiple web applications are already in the process control network (PCN), and many of the newer field devices have web servers as well. Nearly all workstations on the PCN have web browsers (how many of those are patched?) and are often given access to either the company’s intranet or the Internet.  As an attacker, this pleases me; as a security professional, this disturbs me.

Remember to prevent that outbound access in your firewall rulesets so your PCN browsers aren’t allowed to go to compromised web servers on the corporate network or Internet.
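
One way to check a ruleset for this kind of outbound web access is to replay probe flows from PCN hosts against it and list every web connection that would be permitted. This is an added example, not part of the original post; the rule format, addresses, ports and first-match evaluation order are all constructed assumptions.

```python
import ipaddress

WEB_PORTS = (80, 443, 8080)  # assumption: ports treated as "web" for this audit

# Constructed sample ruleset, evaluated top-down, first match wins.
# Fields: action, source CIDR, destination CIDR, destination TCP ports (None = any).
RULES = [
    ("allow", "10.50.0.0/16", "10.50.0.0/16", None),       # PCN-internal traffic
    ("allow", "10.50.1.0/24", "10.10.20.5/32", (443,)),    # HMIs -> one corporate web portal
    ("deny",  "10.50.0.0/16", "10.0.0.0/8",    None),      # PCN -> rest of corporate network
    ("allow", "10.50.0.0/16", "0.0.0.0/0",     (80, 443)), # leftover "temporary" Internet rule
    ("deny",  "0.0.0.0/0",    "0.0.0.0/0",     None),      # explicit default deny
]

def first_match(rules, src, dst, port):
    """Return (index, action) of the first rule matching the flow; implicit deny if none."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, src_net, dst_net, ports) in enumerate(rules):
        if (s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)
                and (ports is None or port in ports)):
            return i, action
    return None, "deny"

def web_egress_findings(rules, pcn_hosts, outside_hosts, ports=WEB_PORTS):
    """List every probe flow from a PCN host to a non-PCN host on a web port that is allowed."""
    findings = []
    for src in pcn_hosts:
        for dst in outside_hosts:
            for port in ports:
                idx, action = first_match(rules, src, dst, port)
                if action == "allow":
                    findings.append((src, dst, port, idx))
    return findings

# Constructed probe addresses: an HMI and an engineering workstation on the PCN,
# two corporate intranet servers, and one Internet host (documentation range).
PCN_HOSTS = ["10.50.1.10", "10.50.2.20"]
OUTSIDE = ["10.10.20.5", "10.10.30.7", "203.0.113.80"]

if __name__ == "__main__":
    for src, dst, port, idx in web_egress_findings(RULES, PCN_HOSTS, OUTSIDE):
        print(f"ALLOWED {src} -> {dst}:{port} by rule #{idx}: {RULES[idx]}")
```

Each finding names the rule that permitted the flow, so a narrow, justified exception can be told apart from a broad rule that lets every PCN browser out.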
