Thursday, April 24, 2008

U.N. site took the injection

The U.N. site is another victim of the SQL injection attacks: when a user browses the site's events page, the browser is redirected to (www.nihaorr1.com/[removed]). The "1.js" script redirects the user to another page, "1.htm", which, once loaded, tries to exploit the following vulnerabilities:

Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution (Critical)

http://www.microsoft.com/technet/security/Bulletin/MS07-055.mspx

Cumulative Security Update for Internet Explorer (Critical)

http://www.microsoft.com/technet/security/Bulletin/MS07-033.mspx

Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution

http://www.microsoft.com/technet/security/Bulletin/MS07-018.mspx

Vulnerability in Vector Markup Language Could Allow Remote Code Execution

http://www.microsoft.com/technet/security/Bulletin/MS07-004.mspx

Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution

http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx

The Baofeng Storm MPS.StormPlayer.1 ActiveX control heap-based buffer overflow

http://xforce.iss.net/xforce/xfdb/36543

GLChat Stack-based buffer overflow

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5722

Baidu Bar ActiveX Control Remote Command Execution

http://www.frsirt.com/english/advisories/2007/2699

Real Player RAM Download Handler ActiveX Control

http://www.frsirt.com/english/advisories/2005/0368/references

http://www.snort.org/pub-bin/sigs.cgi?sid=8383

http://www.snort.org/pub-bin/sigs.cgi?sid=8384

Finally, it redirects the user to two more pages that serve malware: (gg.haoliuliang.net/one/ hao8.htm?036) and (gg.haoliuliang.net/wmwm/ new.htm).

Mitigation checklist for system administrators:

  1. Make sure all Windows machines are up to date; use WSUS to distribute patches and critical updates. Use the Microsoft Baseline Security Analyzer (MBSA) to scan for missing patches and vulnerable security settings.
  2. Make sure all installed applications and software are up to date; you can use the Secunia Network Software Inspector to check for vulnerable software.
  3. Secure the ActiveX settings of Internet Explorer; check here: IE ActiveX security 101. Also check the "ActiveX Killbit App" from Tom Liston of Intelguardians.
  4. Block all HTTP requests to http://www.nihaorr1.com/blah.js [replace blah.js with 1.js].
  5. Make sure your antivirus vendor has signatures for W32/PWStealer1!Generic; PWS:Win32/Lineage.WI.dr; Trojan-PSW.Win32.OnLineGames.ppu; Trojan.PSW.Win32.OnlineGames.GEN.
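As an added defender-side example (not code from the original post), the following Python checks proxy access logs and page or database content for references to the two hostnames named above, so you can find which clients already fetched the script or the malware pages and which stored content carries the injected script tag. The Squid-style log layout and all sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Indicator hostnames named in the post: the injected script host and the
# host serving the two malware pages. Matching is on the host, not the
# path, because the script name can change (the post says "blah.js" vs "1.js").
INDICATOR_HOSTS = {"www.nihaorr1.com", "gg.haoliuliang.net"}

# Assumed Squid native access log layout (constructed for this example):
# "timestamp elapsed client action/status bytes method url ..."
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# External <script src=...> references, quoted or unquoted.
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)

# Constructed sample data: one client hit the injected script and a malware
# page, another client only fetched a Microsoft bulletin.
SAMPLE_LOG = """\
1209000001.101    95 10.0.0.5 TCP_MISS/200 3120 GET http://events.example.org/calendar.asp - DIRECT/192.0.2.10 text/html
1209000001.402   120 10.0.0.5 TCP_MISS/200 4521 GET http://www.nihaorr1.com/1.js - DIRECT/192.0.2.20 application/x-javascript
1209000002.010   210 10.0.0.5 TCP_MISS/200 8800 GET http://gg.haoliuliang.net/one/hao8.htm?036 - DIRECT/192.0.2.21 text/html
1209000003.555    40 10.0.0.9 TCP_HIT/200 1200 GET http://www.microsoft.com/technet/security/Bulletin/MS07-055.mspx - NONE/- text/html
""".splitlines()
SAMPLE_HTML = '<p>Events</p><script src=http://www.nihaorr1.com/1.js></script><script src="/js/site.js"></script>'


def host_of(url):
    """Return the lowercase hostname of a URL, tolerating scheme-less values."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def flagged_clients(log_lines):
    """Return {client_ip: [urls]} for requests whose host is an indicator host."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and host_of(m.group("url")) in INDICATOR_HOSTS:
            hits.setdefault(m.group("client"), []).append(m.group("url"))
    return hits


def injected_scripts(html):
    """Return external script URLs in page/DB content that point at indicator hosts."""
    return [src for src in SCRIPT_SRC_RE.findall(html) if host_of(src) in INDICATOR_HOSTS]
```

Run `injected_scripts` over the text columns the events page is built from to locate the rows the injection modified; `flagged_clients` gives the hosts to prioritise for the patch checks in items 1 and 2.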