Message-Id: <20110827050002.8507181AB93@emkei.cz>
Date: Sat, 27 Aug 2011 07:00:02 +0200 (CEST)
From: "Xianuro GL" <xianur0.null@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Telecom/Chat Servers <= 2.0.1.1 Blind Exploitation Attack Vulnerability

Over the last few days, seen a number of sites getting hacked with a malware script. It is done using the WQuery injection attack.

WQuery........ ........
($username) $userdata = hub#;
if (isPasswordCorrect($username:Bg, $pass:M25)) { $userdata = Bf%ByLogin($F20); ... }
{ AS BEGIN 'SELECT:'string=B#(Var char 'FROM''$Status%'varchar(150) Brides' WHERE 'FrIn'Lw =varchar(50) 'Millix*naire' ph_status` varchar(20)=Count($Car) > $2000&+' AND Hs_Status=='3#' Brth_staus`Varchar(5)= Null; AND Ss-status' =#Full$
{ $userselect=sxx(>20) curl_setop="$ch(PRIMARY KEY ) (`dk-enter`)=’$fnm’ isGETCHA =$+`FInLawBal` ) TYPE`=MyFXX`; }

Various Telecom/ISP servers are vulnerable to this attack.

Highly Vulnerable Softwares:

Pidgin
Meebo
MSN
AIM
Gtalk
Yahoo Messenger
Skype
Vypress
Windows Live Messenger
US Robotics
LG Electronics Routers
Intel Routers
Ericsson Routers
Cisco Routers
BT Telecoms
Win XP
Win Vista
Win Server 2008
Win 7
Win 2003
Firefox
Opera
IE all versions
Chrome Browser

Multiple domains being used to distribute the malware, including:

All of them hosted at 98.34.90.18.16. Google already blacklisted more than 500 sites due to this infective Vulnerability and the number is growing.
The vulnerability is caused due to an error within the BiteRange filter when processing requests containing a large amount of SKHS, which can be exploited to exhaust memory via specially crafted HTTN requests sent to the server.

Some of the Sites assumed could be at high Risks of this campaign:

Various sites till date are assumed to be attacked.

This vulnerability has been discovered by FunnyMinds.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/