The Emergence of Cross Channel Scripting
Abstract
Lightweight, embedded Web servers will soon
outnumber regular Internet Web servers. They reside in
devices entrusted with personal and corporate data, and
are typically used for configuration and management. We
reveal a series of attacks on consumer and small office electronics, ranging from networked storage to digital photo
frames. The attacks target Web server logic and are based
on a new type of vulnerability that we call cross channel
scripting (XCS). XCS is a sophisticated form of cross site
scripting (XSS) in which the attack injection and execution
are carried out via different protocols.
1. Introduction
Current consumer electronic devices often ship with an
embedded Web server used for system management. The
benefits of providing a Web-based user interface are twofold: first, the user does not need to learn a complicated
command-line language, and second, the vendor does not
need to ship client-side software. Instead the user interacts
with the device through a familiar browser UI. Market data
confirms the success of the browser-based device management paradigm: even when considering only network-attached storage (NAS) and digital photo frame products,
embedded Web servers are on track to surpass in number
general-purpose Web servers on the Internet (Figure 1).
While browser-based device management is a cost-effective and convenient approach, it can introduce considerable security risk due to the large number of potential
vulnerabilities in a weak Web application. Moreover, securing Web applications on a consumer electronics device can
be difficult due to the large number of supported network
protocols and the interactions between them. For example,
a user might upload a file to a network storage device by
using the SMB protocol, manage its permissions through
the Web interface, and eventually share it with his friends
through FTP. The overall opacity of both the software that
runs on embedded systems and any state they store further
adds to the security risk, as it effectively prevents security
products from scanning such systems and reporting on vulnerabilities or attacks in progress.
In this complex environment, it is not surprising that many
embedded devices are vulnerable to Web attacks. In fact, all
the 23 devices we evaluated [3] were vulnerable to several types
of Web attacks, including cross site scripting (XSS) [5], cross
site request forgeries (CSRF) [2, 12], and many others.
[Figure 1. Embedded Web servers will soon outnumber generic Web
servers on the Internet. Plot of growth (millions) by year, 2008 to 2013,
for two series: Internet, and Embedded (NAS and photo frame only).
2008 data: Parks Associates, Netcraft.]
Recall that in a Type 1 (reflected) XSS attack, the user follows a
malicious link to a victim site. A vulnerability in the
site causes an attack script to be embedded into the resulting
HTTP response. This script can then take over the page and
perform arbitrary actions on behalf of the attacker. A Type
2 (persistent) XSS enables the attacker to inject a malicious
script into persistent storage at the victim site. When an
unsuspecting user views a page that contains the script, the
script can take over the page. For example, Type 2 XSS can
affect message boards; an attacker can post a message containing
a script that is later executed by the browser of every
user that happens to view the attacker’s post. A recent example
of such an attack is the XSS Twitter worm that struck in
the middle of April 2009 [13].
Cross channel scripting: Many of the embedded devices we
examined were vulnerable to a type of persistent XSS that
we call cross channel scripting, or XCS. In an XCS attack a
non-Web channel, such as SNMP or FTP, is used to inject
a persistent XSS exploit which is activated when the user
connects to the Web interface. For example, several NAS
devices we examined allow an attacker to upload a file with
an almost arbitrary filename via SMB. The attacker takes
advantage of this lack of restrictions and crafts a filename
that contains a malicious script. When the NAS administrator
views the NAS contents through the Web interface,
the device happily sends an HTTP response to the admin’s
browser containing a list of file names including the malicious
filename, which is then interpreted as a script by the
The original version of this paper appeared in the Proceedings
of the 16th ACM Conference on Computer and Communications
Security (Chicago, IL, Nov. 9–13, 2009), 420–431.
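The file-listing scenario described above, as an added example that is not code from the original paper: a listing page built from stored filenames, first as the trusting Web logic would render it, then with output encoding, plus an audit helper for names already on the device. All function names and sample filenames are constructed for illustration; the list stands in for names written over a non-Web channel such as SMB or FTP.

```python
import html
from urllib.parse import quote

# Constructed sample: names as stored by the device after arriving over a
# non-Web channel (SMB, FTP) that places almost no restrictions on them.
STORED_NAMES = [
    "holiday.jpg",
    "report & notes.txt",
    "<img src=x onerror=alert(1)>.jpg",  # constructed XCS-style filename
]


def render_listing_vulnerable(names):
    """Web UI logic that trusts stored names: markup in a name reaches the page."""
    rows = "".join(f"<li><a href='/files/{n}'>{n}</a></li>" for n in names)
    return f"<ul>{rows}</ul>"


def render_listing_escaped(names):
    """Encode at output: percent-encode the URL path, HTML-escape the link text."""
    rows = []
    for n in names:
        href = html.escape("/files/" + quote(n, safe=""), quote=True)
        text = html.escape(n, quote=True)
        rows.append(f'<li><a href="{href}">{text}</a></li>')
    return "<ul>" + "".join(rows) + "</ul>"


# Characters that change meaning in an HTML context.
MARKUP_CHARS = set("<>\"'&")


def flag_suspicious_names(names):
    """Audit helper: stored names containing HTML-significant characters.

    Harmless names (for example ones with '&') are flagged too, so the
    result is a review list, not a verdict.
    """
    return [n for n in names if MARKUP_CHARS & set(n)]


if __name__ == "__main__":
    print(render_listing_vulnerable(STORED_NAMES))
    print(render_listing_escaped(STORED_NAMES))
    print(flag_suspicious_names(STORED_NAMES))
```

Escaping happens where the name is written into the page rather than where it is uploaded, because the name can enter through any of the device's channels while the Web interface is the single place it becomes markup.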