Full Disclosure mailing list archives

Telecom/Chat Servers <= 2.0.1.1 Blind Exploitation Attack Vulnerability

From: "Xianuro GL" <xianur0.null () gmail com>
Date: Sat, 27 Aug 2011 07:00:02 +0200 (CEST)

Over the last few days,seen a number of sites getting hacked with a malware script.

It is done using the  WQuery injection attack.

WQuery........ ........ ($username)

$userdata = hub#;
if (isPasswordCorrect($username:Bg, $pass:M25)) {
   $userdata = Bf%ByLogin($F20);   ...
}

{
AS BEGIN

'SELECT:'string=B#(Var char 'FROM''$Status%'varchar(150) Brides'

WHERE 'FrIn'Lw =varchar(50) 'Millix*naire'
ph_status` varchar(20)=Count($Car) > $2000&+'
AND Hs_Status=='3#' 
Brth_staus`Varchar(5)= Null;
AND Ss-status' =#Full$
{
$userselect=sxx(>20)
curl_setop="$ch(PRIMARY KEY ) (`dk-enter`)=’$fnm’
isGETCHA =$+`FInLawBal`
) TYPE`=MyFXX`;

}

Various Telecom/ISP servers are vulnerable to this attack.

Highly Vulnerable Softwares:

Pidgin
Meebo
MSN
AIM
Gtalk
Yahoo Messenger
Skype
Vypress
Windows Live Messenger
US Robotics 
LG Electronics Routers
Intel Routers
Ericsson Routers
Cisco Routers
BT Telecoms
Win XP
Win Vista
Win Server 2008
Win 7
Win 2003
Firefox
Opera
IE all versions
Chrome Browser 

Multiple domains being used to distribute the malware, including:

http://t0.gstatic.com/
http://25.media.tumblr.com/tumblr_lo7bl0euPE1ql6o50o1_500
http://25.media.tumblr.com/tumblr_lo7bl0euPE1ql6o50o1_500.jpg
http://24.media.tumblr.com/tumblr_lkrwquzHb41qjs8gqo1_400.gif
http://26.media.tumblr.com/tumblr_lqa82gM6x61qi9sb6o1_500.jpg
http://29.media.tumblr.com/tumblr_liqrr9kkm01qct17go1_500.gif
http://gallys.nastydollars.com/en/42/6b.jpg
http://27.media.tumblr.com/tumblr_liz02y6ztB1qzfemwo1_500.gif
http://gallys.rk.com/en/158/3.jpg
http://24.media.tumblr.com/tumblr_lq7fiiUepU1qg82xfo1_500.gif

All of them hosted at 98.34.90.18.16. Google already blacklisted more than 500 sites due to this infective 
Vulnerability and the number is growing.

The vulnerability is caused due to an error within the BiteRange filter when processing requests containing a large 
amount of SKHS, which can be exploited to exhaust memory via specially crafted HTTN requests sent to the server.


Some of the Sites assumed could be at high Risks of this campaign:

http://t1.gstatic.com/
http://www.scoreland.com
http://incrediblepass.com
http://anothertranny.com
http://afdnetwork.com/
http://www.kuntal.org
michaelhallk.x.fc2.com
http://chaturbate.com
http://www.spankwire.com/
http://www.joggs.com/

Various sites till date are assumed to be attacked.

This vulnerability has been discovered by FunnyMinds.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Telecom/Chat Servers <= 2.0.1.1 Blind Exploitation Attack Vulnerability Xianuro GL (Aug 26)
- <Possible follow-ups>
- Re: Telecom/Chat Servers <= 2.0.1.1 Blind Exploitation Attack Vulnerability Xianuro GL (Aug 26)
  - Re: Telecom/Chat Servers <= 2.0.1.1 Blind Exploitation Attack Vulnerability GloW - XD (Aug 27)