Full Disclosure mailing list archives
Telecom/Chat Servers <= 2.0.1.1 Blind Exploitation Attack Vulnerability
From: "Xianuro GL" <xianur0.null () gmail com>
Date: Sat, 27 Aug 2011 07:00:02 +0200 (CEST)
Over the last few days,seen a number of sites getting hacked with a malware script. It is done using the WQuery injection attack. WQuery........ ........ ($username) $userdata = hub#; if (isPasswordCorrect($username:Bg, $pass:M25)) { $userdata = Bf%ByLogin($F20); ... } { AS BEGIN 'SELECT:'string=B#(Var char 'FROM''$Status%'varchar(150) Brides' WHERE 'FrIn'Lw =varchar(50) 'Millix*naire' ph_status` varchar(20)=Count($Car) > $2000&+' AND Hs_Status=='3#' Brth_staus`Varchar(5)= Null; AND Ss-status' =#Full$ { $userselect=sxx(>20) curl_setop="$ch(PRIMARY KEY ) (`dk-enter`)=’$fnm’ isGETCHA =$+`FInLawBal` ) TYPE`=MyFXX`; } Various Telecom/ISP servers are vulnerable to this attack. Highly Vulnerable Softwares: Pidgin Meebo MSN AIM Gtalk Yahoo Messenger Skype Vypress Windows Live Messenger US Robotics LG Electronics Routers Intel Routers Ericsson Routers Cisco Routers BT Telecoms Win XP Win Vista Win Server 2008 Win 7 Win 2003 Firefox Opera IE all versions Chrome Browser Multiple domains being used to distribute the malware, including: http://t0.gstatic.com/ http://25.media.tumblr.com/tumblr_lo7bl0euPE1ql6o50o1_500 http://25.media.tumblr.com/tumblr_lo7bl0euPE1ql6o50o1_500.jpg http://24.media.tumblr.com/tumblr_lkrwquzHb41qjs8gqo1_400.gif http://26.media.tumblr.com/tumblr_lqa82gM6x61qi9sb6o1_500.jpg http://29.media.tumblr.com/tumblr_liqrr9kkm01qct17go1_500.gif http://gallys.nastydollars.com/en/42/6b.jpg http://27.media.tumblr.com/tumblr_liz02y6ztB1qzfemwo1_500.gif http://gallys.rk.com/en/158/3.jpg http://24.media.tumblr.com/tumblr_lq7fiiUepU1qg82xfo1_500.gif All of them hosted at 98.34.90.18.16. Google already blacklisted more than 500 sites due to this infective Vulnerability and the number is growing. The vulnerability is caused due to an error within the BiteRange filter when processing requests containing a large amount of SKHS, which can be exploited to exhaust memory via specially crafted HTTN requests sent to the server. Some of the Sites assumed could be at high Risks of this campaign: http://t1.gstatic.com/ http://www.scoreland.com http://incrediblepass.com http://anothertranny.com http://afdnetwork.com/ http://www.kuntal.org michaelhallk.x.fc2.com http://chaturbate.com http://www.spankwire.com/ http://www.joggs.com/ Various sites till date are assumed to be attacked. This vulnerability has been discovered by FunnyMinds. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Telecom/Chat Servers <= 2.0.1.1 Blind Exploitation Attack Vulnerability Xianuro GL (Aug 26)
- <Possible follow-ups>
- Re: Telecom/Chat Servers <= 2.0.1.1 Blind Exploitation Attack Vulnerability Xianuro GL (Aug 26)
- Re: Telecom/Chat Servers <= 2.0.1.1 Blind Exploitation Attack Vulnerability GloW - XD (Aug 27)