Full Disclosure mailing list archives

Re: about that new MySpace XSS worm


From: Xavier <compromise () gmail com>
Date: Mon, 19 Dec 2005 15:06:01 -0500

Debasis,

> 2) The XSS worm is propagating via malicious .swf Flash files,
> using ActionScript and Cross-Domain data loading.
>
> I failed to understand how it manages to _self-propagate_ via a .swf file.
> Can you elaborate here?
>
> If your answer is XSS, then it implies it is not a self-propagating worm and
> involves some sort of social engineering to entice the victim to click on
> the malicious link. If the answer is not XSS, then I guess the use of XSS in
> the blog is highly misleading.


Within the .swf there was a GetURL() call to the target XSS at
MySpace. In the specific XSS request, a remote .js file was loaded,
where then xmlhttp was used to inject into the profile of the victim
an embed object pointing back to the .swf file.

Since you are (or were) able to embed Flash objects into MySpace, you
could get infected by viewing an infected profile, since it most
likely already had the .swf file embedded in it. That is where
propagation really starts. Perhaps I worded my thoughts improperly;
hopefully this explanation makes better sense.


> 3) Thanks to the XSS, and http://www.myspace.com/crossdomain.xml (note
> specifically: <allow-access-from domain="*"/>) the worm hit many users
> across MySpace.
>
> Although I can see the URL with possible XSS in your blog, it is unclear
> to me where and how it has been used. The major player which I can see here
> is "xmlhttp". The first version of the Samy worm actually demonstrated the real
> power of xmlhttp in malicious form. The interesting part of the worm
> was the way xmlhttp was used to send requests cross-domain and the use of
> 'eval' to bypass all those script / tag parsing mechanisms.
>
> - T (aka D)


You're right here. When I first posted the aforementioned blog post, I
thought there was a use of XML Sockets from within the Flash file
using ActionScript. After decompiling the malicious .swf file, it
turns out that it used a simple GetURL() execution, and from there on
the .js file did most of the work.

You can check out the source to the .js file here:
http://confinement.org/other/SamyReloaded.js

> Ps: A mix of xmlhttp + AJAX + RSS => Creates really cool web based
> self-propagating worms which make millions of sites using RSS
> vulnerable.... More to come ...

Indeed! Have you messed with any specific examples?

Take care,
Xavier.
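As an added defensive illustration (not code from this thread, MySpace, or the worm), the following Python checker parses a Flash crossdomain.xml policy like the one quoted above and flags grants such as allow-access-from domain="*" that let a .swf served from any origin read the site's responses with the victim's cookies. The two sample policies are constructed for the example.

```python
"""Audit a Flash crossdomain.xml policy for over-broad cross-origin grants.

The MySpace worm discussed above depended on the site serving
<allow-access-from domain="*"/>, which lets a Flash movie hosted anywhere
load MySpace pages in the victim's authenticated session. This checker
reports the grants a site owner would want to tighten.
"""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample policies (not MySpace's real file).
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
</cross-domain-policy>"""


def audit_crossdomain(policy_xml: str) -> List[str]:
    """Return a list of human-readable findings for one policy document.

    Note: for policies fetched from untrusted hosts, parse with defusedxml
    rather than the stdlib parser to avoid entity-expansion tricks.
    """
    findings: List[str] = []
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return ["not a cross-domain-policy document"]
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any origin may read responses')
        elif domain.startswith("*."):
            findings.append(f"wildcard grant {domain}: every subdomain is trusted")
        # secure defaults to true; "false" lets plain-HTTP movies read HTTPS data.
        if el.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" on {domain or "(no domain)"}: HTTP origins may read HTTPS data')
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*": any origin may send custom headers')
    return findings
```

Run it against a site's own policy to confirm only named, HTTPS-only partners are granted access.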
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
