Roy Firestein

Security Feeds

Archive for April, 2010

MalaRIA Malicious RIA Proxy

April 14th, 2010. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

I got an email from Erlend Oftedal about a new tool he’s created called MalaRIA. The tool uses weak crossdomain.xml and clientaccesspolicy.xml (so both Flash and Silverlight) to allow a piece of code that resides on his server to use the client’s machine as a proxy to read information off of other websites that are protected in other ways. So think of it like an RIA version of BeEF.

You can read his blog post here or if you’re the visual type you can check out his movie here. We often talk about why poorly written crossdomain.xml files are dangerous, but I think this puts the last nail in that coffin. Yes, it’s dangerous. For real. Incidentally there is no reason you couldn’t deliver a MalaRIA payload over BeEF as well, if you wanted the best of both worlds. Nice job by Erlend!

Update: code available here.

AT&T UTMS JS Injection

April 14th, 2010. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

This isn’t exactly an exploit, but I’m sure after reading it, some people will feel like it is, or at minimum it might make people feel uncomfortable. It appears when users connect through AT&T UTMS wireless cards, the system man-in-the-middle’s the connection, and not only does it downgrade the image quality for performance reasons but it also injects a piece of JavaScript located at http://2.2.3.4/bmi-int-js/bmi.js (not live on the Internet). If you’re anything like me and you see a piece of JS installed in your website that you know doesn’t have any JS on it at all, you’re thinking you’re owned at this point. Alas, you probably are owned, but it’s in an effort to save your bandwidth. You can download a zipped copy of this JavaScript file here.

The real questions are when and how this page gets cached, and who owns 2.2.3.4 when it’s not being MITM’d (when you switch from UTMS to another network), and on and on. Incidentally, I tried to do directory transversal and go to http://2.2.3.4/ to see what else might be on that page and it banned me from going there and to the JavaScript file for the rest of the session. Why? Probably to stop guys like me from hacking whatever server that is and MITMing everyone on AT&T’s UTMS network. Clearly reducing the size of the page, is good for them, and is good for some percentage of users who don’t care about the potential issues here. And for the rest of us, we’ll continue to tunnel our traffic so we can avoid AT&T’s MITM craziness.

Update: a few people have sent me a link that this also is happening on other networks as well.