Archive for April 23rd, 2008

One of my early Hackademix posts was about SQL injection vulnerabilities exploited to deface the United Nations main web site. In a later update I explained how, rather than fixing their holes properly, the U.N. technicians deployed a pretty useless Web Application Firewall, masking the most obvious attack surface but keeping their sites just as vulnerable as before.

Now WebSense is reporting that both the United Nations and the UK Government have web pages affected by the infamous "Mass Malicious JavaScript Attack", which has been spreading since January across thousands of sites, bombing visitors with a chain of 8 client-side exploits triggered by an external script hosted on remote servers (e.g.

www.nihaorr1.com

).
These exploits leverage a Microsoft Internet Explorer 7 vulnerability patched last year (bad guys seem not to trust Windows Update effectiveness), “as well as [bugs in] other applications”. Well, since modern browsers embed a lot of "other applications" which are usually quite vulnerable, maybe a good idea (actually the only sane idea, other than reverting to Lynx) is switching to a safe web browser and -- shameless plug(in) -- making it even safer by preemptively blocking execution of malicious scripts and embedded content. On a side note, Opera's web site preferences couldn't help in cases like these, when the compromised site is probably among the ones you trust, allowed to run scripts; NoScript, instead, still blocks the external malicious code even if the main page is in your whitelist.

As previously explained by SANS, the

<script>

tag importing the malicious JavaScript code is inserted into the victim web pages through trivial SQL injection vulnerabilities, so much trivial that an automated tool has been used to find vulnerable sites through Google and infect them with the payload.
The default search pattern of this tool is

inurl:".asp" inurl:"a="

: in English, "those web pages developed with Microsoft Active Server Pages technology and accepting query string parameters". Unsurprisingly, this profile matches the original, still unpatched U.N. SQL injection; as I already said reporting the first accident, I believe crackers primarily target ASP sites (even though they are relatively few nowadays) because of the poor coding standards often shown by ASP coders, who usually have a Visual Basic desktop programming background and are less aware of web application security.

At any rate, some simple googling reveals that some U.N. sites are still infected, while UK Government sites have been "cleaned up".
The sad truth, though, is that even those "clean" sites are still vulnerable, hence they could be reinfected at any time: some people just never learn...

Bad Behavior has blocked 1313 access attempts in the last 7 days.