Thursday, April 24, 2008

U.N. site took the injection

The U.N. site is another victim of the SQL injection attacks: when a user browses the site's events page, the browser gets redirected to ([removed]). The "1.js" script redirects the user to another page, "1.htm", which on load tries to exploit the following vulnerabilities:

Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution (Critical)

Cumulative Security Update for Internet Explorer (Critical)

Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution

Vulnerability in Vector Markup Language Could Allow Remote Code Execution

Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution

The Baofeng Storm MPS.StormPlayer.1 ActiveX control heap-based buffer overflow

GLChat Stack-based buffer overflow

Baidu Bar ActiveX Control Remote Command Execution

Real Player RAM Download Handler ActiveX Control

Finally, it redirects the user to two more pages that serve malware: (hao8.htm?036) and (new.htm).
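The chain starts with the site's own database: the injected rows carry a script tag that every page rendering them echoes to visitors. The Python below is an added example, not code from the original post, that scans every text column of a database for script tags loading from a foreign host and strips them. It uses an in-memory SQLite events table with constructed rows, and the host name malicious.invalid stands in for the one removed above.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Hypothetical host standing in for the script host removed from the post.
INJECTED_HOST = "malicious.invalid"

# Matches <script ... src=URL ...></script>, capturing the src value.
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)[^>]*>\s*</script\s*>",
    re.IGNORECASE,
)


def is_foreign(src, allowed_hosts):
    """A src is foreign when it names a host that is not one of ours.
    Relative URLs (no host) are treated as same-origin."""
    host = urlparse(src).hostname
    return host is not None and host.lower() not in allowed_hosts


def text_columns(conn, table):
    """Names of the columns of *table* with TEXT affinity (TEXT, VARCHAR, CHAR ...)."""
    cols = conn.execute(f'PRAGMA table_info("{table}")').fetchall()
    return [name for _, name, ctype, *_ in cols
            if "CHAR" in (ctype or "").upper() or "TEXT" in (ctype or "").upper()]


def find_injected_scripts(conn, allowed_hosts):
    """Scan every text column of every user table; return (table, column, rowid, src)
    for each script tag that loads from a host outside allowed_hosts.
    Table and column names come from the schema catalogue, not from user input."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for col in text_columns(conn, table):
            for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
                if not isinstance(value, str):
                    continue
                for m in SCRIPT_SRC_RE.finditer(value):
                    if is_foreign(m.group(1), allowed_hosts):
                        hits.append((table, col, rowid, m.group(1)))
    return hits


def strip_injected_scripts(value, allowed_hosts):
    """Return (cleaned_value, removed_count) with foreign script tags removed;
    same-origin script tags are left alone."""
    removed = 0

    def repl(m):
        nonlocal removed
        if is_foreign(m.group(1), allowed_hosts):
            removed += 1
            return ""
        return m.group(0)

    return SCRIPT_SRC_RE.sub(repl, value), removed


def build_demo_db():
    """Constructed sample data: an events table after a mass SQL injection
    that appended the same script tag to every text field it could reach."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, title VARCHAR(200), body TEXT, hits INTEGER)")
    tag = f'<script src="http://{INJECTED_HOST}/1.js"></script>'
    rows = [
        ("Security Council briefing" + tag, "Open session, 10:00." + tag, 12),
        ("General Assembly" + tag, "<p>Agenda below.</p>" + tag, 7),
        ("Clean event", 'Nothing injected here. <script src="/js/site.js"></script>', 3),
    ]
    conn.executemany("INSERT INTO events (title, body, hits) VALUES (?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    conn = build_demo_db()
    ours = {"www.example.org"}
    for table, col, rowid, src in find_injected_scripts(conn, ours):
        print(f"{table}.{col} rowid={rowid}: {src}")
```

Run it against a copy of the production database first: the scan is read-only, and the cleaned values from strip_injected_scripts should be written back only after the injection point in the application has been closed, otherwise the rows will simply be reinfected.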

Mitigation checklist for system administrators:

  1. Make sure all Windows machines are up to date; use WSUS to distribute patches and critical updates, and use Microsoft Baseline Security Analyzer (MBSA) to scan for missing patches and weak security settings.
  2. Make sure all installed applications are up to date; Secunia Network Software Inspector can check for vulnerable software.
  3. Harden the ActiveX settings of Internet Explorer; see IE ActiveX security 101. Also check the "ActiveX Killbit App" from Tom Liston of Intelguardians.
  4. Block all HTTP requests to the host serving 1.js (the URL removed above).
  5. Make sure your antivirus vendor has signatures for W32/PWStealer1!Generic; PWS:Win32/Lineage.WI.dr; Trojan-PSW.Win32.OnLineGames.ppu; Trojan.PSW.Win32.OnlineGames.GEN
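Item 4 is easiest to enforce, and to verify after the fact, at the outbound proxy. The Python below is an added example, not code from the original post: it parses Squid-style access log lines, maps requests for 1.js, 1.htm, hao8.htm and new.htm on the malicious host to the stages of the chain described above, lists the clients that got past the redirector and therefore need to be checked for the password stealers in item 5, and emits the Squid ACL that blocks the host. The host name malicious.invalid and the log lines are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Hypothetical host standing in for the script host removed from the post.
MALICIOUS_HOST = "malicious.invalid"

# Paths of the chain described in the post, mapped to the stage they represent.
# The query string (hao8.htm?036) is not part of urlparse().path, so it does
# not matter which variant the client requested.
STAGES = {
    "/1.js": "redirector",      # the injected <script src> pulls this first
    "/1.htm": "exploit_page",   # tries the browser/ActiveX exploits
    "/hao8.htm": "payload",     # final redirects that serve the malware
    "/new.htm": "payload",
}

# Squid native access.log: time elapsed client code/status bytes method url ident hier type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def classify_request(url):
    """Return the chain stage a requested URL belongs to, or None if unrelated.
    Both host and path must match: a 1.js on our own site is not evidence."""
    u = urlparse(url)
    if (u.hostname or "").lower() != MALICIOUS_HOST:
        return None
    return STAGES.get(u.path)


def chain_stages_by_client(lines):
    """Map each client address to the set of chain stages it requested."""
    stages = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        stage = classify_request(m.group("url"))
        if stage is not None:
            stages[m.group("client")].add(stage)
    return dict(stages)


def clients_needing_triage(lines):
    """Clients that loaded the exploit page or a payload page, not just the
    redirector: these machines may already be running the password stealer."""
    return sorted(client for client, seen in chain_stages_by_client(lines).items()
                  if seen & {"exploit_page", "payload"})


def squid_block_rules(host=MALICIOUS_HOST, acl_name="injected_redirect"):
    """Squid ACL lines that block every request to the host serving 1.js (item 4)."""
    return [f"acl {acl_name} dstdomain {host}", f"http_access deny {acl_name}"]


# Constructed log lines: 10.0.0.5 went through the whole chain, 10.0.0.9
# only fetched the redirector, 10.0.0.12 never touched the malicious host.
SAMPLE_LOG = """\
1208995200.123 45 10.0.0.5 TCP_MISS/200 1834 GET http://www.example.org/events.asp - DIRECT/192.0.2.10 text/html
1208995200.456 30 10.0.0.5 TCP_MISS/200 512 GET http://malicious.invalid/1.js - DIRECT/198.51.100.7 application/x-javascript
1208995200.789 40 10.0.0.5 TCP_MISS/200 4096 GET http://malicious.invalid/1.htm - DIRECT/198.51.100.7 text/html
1208995201.012 38 10.0.0.5 TCP_MISS/200 2048 GET http://malicious.invalid/hao8.htm?036 - DIRECT/198.51.100.7 text/html
1208995202.300 29 10.0.0.9 TCP_MISS/200 512 GET http://malicious.invalid/1.js - DIRECT/198.51.100.7 application/x-javascript
1208995203.000 25 10.0.0.12 TCP_MISS/200 900 GET http://www.example.org/about.asp - DIRECT/192.0.2.10 text/html
""".splitlines()


if __name__ == "__main__":
    for client, seen in chain_stages_by_client(SAMPLE_LOG).items():
        print(client, sorted(seen))
    print("triage:", clients_needing_triage(SAMPLE_LOG))
    print("\n".join(squid_block_rules()))
```

A client that only fetched 1.js was exposed but not necessarily exploited; one that reached 1.htm or a payload page had the exploits run against it and should be pulled for the antivirus check in item 5 rather than just patched.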