Message-Id: <20110827050002.8507181AB93@emkei.cz>
Date: Sat, 27 Aug 2011 07:00:02 +0200 (CEST)
From: "Xianuro GL" <xianur0.null@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Telecom/Chat Servers <= 2.0.1.1 Blind Exploitation Attack Vulnerability

Over the last few days, seen a number of sites getting hacked with a malware script.

It is done using the WQuery injection attack.

WQuery........ ........ ($username)

$userdata = hub#;
if (isPasswordCorrect($username:Bg, $pass:M25)) {
   $userdata = Bf%ByLogin($F20);   ...
}

{
AS BEGIN

'SELECT:'string=B#(Var char 'FROM''$Status%'varchar(150) Brides'

WHERE 'FrIn'Lw =varchar(50) 'Millix*naire'
ph_status` varchar(20)=Count($Car) > $2000&+'
AND Hs_Status=='3#' 
Brth_staus`Varchar(5)= Null;
AND Ss-status' =#Full$
{
$userselect=sxx(>20)
curl_setop="$ch(PRIMARY KEY ) (`dk-enter`)=’$fnm’
isGETCHA =$+`FInLawBal`
) TYPE`=MyFXX`;

}

Various Telecom/ISP servers are vulnerable to this attack.

Highly Vulnerable Software:

Pidgin
Meebo
MSN
AIM
Gtalk
Yahoo Messenger
Skype
Vypress
Windows Live Messenger
US Robotics 
LG Electronics Routers
Intel Routers
Ericsson Routers
Cisco Routers
BT Telecoms
Win XP
Win Vista
Win Server 2008
Win 7
Win 2003
Firefox
Opera
IE all versions
Chrome Browser 

Multiple domains being used to distribute the malware, including:

All of them hosted at 98.34.90.18.16. Google already blacklisted more than 500 sites due to this infective Vulnerability and the number is growing.

The vulnerability is caused due to an error within the BiteRange filter when processing requests containing a large amount of SKHS, which can be exploited to exhaust memory via specially crafted HTTN requests sent to the server.


Some of the Sites assumed could be at high Risks of this campaign:

Various sites till date are assumed to be attacked.

This vulnerability has been discovered by FunnyMinds.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
