[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-disclosure] about that new MySpace XSS worm

To: "'Xavier'" <compromise@xxxxxxxxx>
Subject: RE: [Full-disclosure] about that new MySpace XSS worm
From: "Debasis Mohanty" <mail@xxxxxxxxxxxxxxxxxx>
Date: Tue, 20 Dec 2005 23:46:20 +0530

Xavier, 
Thanks for the clarification !! 

>> within the .swf there was a GetURL() call to the target XSS at MySpace. 

This is otherwise called skinning a cat in different ways ;-)

>> indeed! have you messed with any specific examples? 

Presently I am working on it, mind it !! Not a worm but a PoC ;o) 

I'll publish it sometime on my site - www.hackingspirits.com

- D (aka T)


-----Original Message-----
From: Xavier [mailto:compromise@xxxxxxxxx] 
Sent: Tuesday, December 20, 2005 1:36 AM
To: Debasis Mohanty
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] about that new MySpace XSS worm

Debasis,

> >> 2) The XSS worm is propagating via malicious .swf Flash files, 
> >> using ActionScript and Cross-Domain data loading.
>
> I failed to understand, how it manage to _self-propagate_ via .swf file??
> Can you elaborate here???
>
> If your answer is XSS, then it implies it is not self propagating worm 
> and involves some sort of social engineering to entice the victim to 
> click on the malicious link. If the answer is not XSS, then I guess 
> the use of XSS in the blog is highly misleading.
>

within the .swf there was a GetURL() call to the target XSS at MySpace. In
the specific XSS request, a remote .js file was loaded where then, xmlhttp
was used to inject into the profile of the victim an embed object, pointing
back to the .swf file.

since you are (or were) able to embed Flash objects into MySpace, you could
get infected by viewing an infected profile. since it most likely already
had the .swf file embedded in it. That is where propagation really starts,
perhaps I worded my thoughts improperly, hopefully this explanation makes
better sense.

>
> >> 3) Thanks to the XSS, and http://www.myspace.com/crossdomain.xml 
> >> (note
> >> specifically: allow-access-from domain="*"/) the worm hit many 
> >> users across MySpace.
>
> Although, I can see the url with possible XSS in your blog but it is 
> unclear to me where and how it has been used.. The major player which 
> I can see here is "xmlhttp". The first version of samy worm actually 
> demonstrate the real power of xmlhttp in the malicious form. The 
> interesting part of the worm was, the way xmlhttp was used to send 
> request to cross-domain and the use of 'eval' to bypass all those script /
tags parsing mechanism.
>
> - T (aka D)
>

You're right here, when I first posted the forementioned blog post, I
thought there was a use of XML Sockets from within the Flash file using
ActionScript. After decompiling the malicious .swf file, it turns out that
it used a simple GetURL() execution. and from thereonin the .js file did
most of the work.

You can check out the source to the .js file here:
http://confinement.org/other/SamyReloaded.js

> Ps: A mix of xmlhttp + AJAX + RSS => Creats really cool web based 
> self-propagating worms which makes millions of sites using rss 
> vulnerable.... More to come ...

indeed! have you messed with any specific examples?

Take care,
Xavier.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- Re: [Full-disclosure] about that new MySpace XSS worm
  - From: Xavier

Prev by Date: [Full-disclosure] iDefense Security Advisory 12.20.05: McAfee Security Center MCINSCTL.DLL ActiveX Control File Overwrite
Next by Date: [Full-disclosure] Enterprise Connector v.1.02 Multiple SQL Vulnerabilities and Login Bypass
Previous by thread: Re: [Full-disclosure] about that new MySpace XSS worm
Next by thread: [Full-disclosure] another rights up
Index(es):
- Date
- Thread