[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Telecom/Chat Servers <= 2.0.1.1 Blind Exploitation Attack Vulnerability

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Telecom/Chat Servers <= 2.0.1.1 Blind Exploitation Attack Vulnerability
From: "Xianuro GL" <xianur0.null@xxxxxxxxx>
Date: Sat, 27 Aug 2011 07:00:02 +0200 (CEST)

Over the last few days,seen a number of sites getting hacked with a malware 
script.

It is done using the  WQuery injection attack.

WQuery........ ........ ($username)

$userdata = hub#;
if (isPasswordCorrect($username:Bg, $pass:M25)) {
   $userdata = Bf%ByLogin($F20);   ...
}

{
AS BEGIN

'SELECT:'string=B#(Var char 'FROM''$Status%'varchar(150) Brides'

WHERE 'FrIn'Lw =varchar(50) 'Millix*naire'
ph_status` varchar(20)=Count($Car) > $2000&+'
AND Hs_Status=='3#' 
Brth_staus`Varchar(5)= Null;
AND Ss-status' =#Full$
{
$userselect=sxx(>20)
curl_setop="$ch(PRIMARY KEY ) (`dk-enter`)=’$fnm’
isGETCHA =$+`FInLawBal`
) TYPE`=MyFXX`;

}

Various Telecom/ISP servers are vulnerable to this attack.

Highly Vulnerable Softwares:

Pidgin
Meebo
MSN
AIM
Gtalk
Yahoo Messenger
Skype
Vypress
Windows Live Messenger
US Robotics 
LG Electronics Routers
Intel Routers
Ericsson Routers
Cisco Routers
BT Telecoms
Win XP
Win Vista
Win Server 2008
Win 7
Win 2003
Firefox
Opera
IE all versions
Chrome Browser 

Multiple domains being used to distribute the malware, including:

http://t0.gstatic.com/
http://25.media.tumblr.com/tumblr_lo7bl0euPE1ql6o50o1_500
http://25.media.tumblr.com/tumblr_lo7bl0euPE1ql6o50o1_500.jpg
http://24.media.tumblr.com/tumblr_lkrwquzHb41qjs8gqo1_400.gif
http://26.media.tumblr.com/tumblr_lqa82gM6x61qi9sb6o1_500.jpg
http://29.media.tumblr.com/tumblr_liqrr9kkm01qct17go1_500.gif
http://gallys.nastydollars.com/en/42/6b.jpg
http://27.media.tumblr.com/tumblr_liz02y6ztB1qzfemwo1_500.gif
http://gallys.rk.com/en/158/3.jpg
http://24.media.tumblr.com/tumblr_lq7fiiUepU1qg82xfo1_500.gif

All of them hosted at 98.34.90.18.16. Google already blacklisted more than 500 
sites due to this infective Vulnerability and the number is growing.

The vulnerability is caused due to an error within the BiteRange filter when 
processing requests containing a large amount of SKHS, which can be exploited 
to exhaust memory via specially crafted HTTN requests sent to the server.


Some of the Sites assumed could be at high Risks of this campaign:

http://t1.gstatic.com/
http://www.scoreland.com
http://incrediblepass.com
http://anothertranny.com
http://afdnetwork.com/
http://www.kuntal.org
michaelhallk.x.fc2.com
http://chaturbate.com
http://www.spankwire.com/
http://www.joggs.com/

Various sites till date are assumed to be attacked.

This vulnerability has been discovered by FunnyMinds.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] Apache Killer
Next by Date: Re: [Full-disclosure] Telecom/Chat Servers <= 2.0.1.1 Blind Exploitation Attack Vulnerability
Previous by thread: Re: [Full-disclosure] INSECT Pro - Free tool for pentest - New version release 2.7
Next by thread: Re: [Full-disclosure] Telecom/Chat Servers <= 2.0.1.1 Blind Exploitation Attack Vulnerability
Index(es):
- Date
- Thread