Exploit??

Talk about internet security, computer security, personal security, your social security number...
Post Reply
barbaz
Senior Member
Posts: 9321
Joined: Sat Aug 03, 2013 5:45 pm

Exploit??

Post by barbaz » Sat Jun 21, 2014 10:48 pm

Earlier today, while browsing normal sites, I got an alert from Symantec about a file in my SeaMonkey cache containing "Bloodhound.Exploit.33". I'm not used to that kind of alert and I'm no malware expert, but it sounds from the description that it's basically a GIF image with wrong dimensions, and some versions of MSN Messenger on Windows would incorrectly validate it and thus allow attacker code to run at the privilege level of the user.

The following STR would consistently download the "malware" (but it's not happening anymore?):
(Links in code tags and sanitised in case something actually malicious is/was going on here.)
1) Go to

Code: Select all

https www youtube.com/watch?v=UOkremCZO6w

2) Open a new tab, and go to

Code: Select all

https bugzilla.mozilla. org/show_bug.cgi?id=1019021

3) Go back to the first tab, and in the video description, copy the text "Mango - Here We Go (Original Mix)".
4) Open a new tab, and do a Startpage search (from the browser searchplugin) for

Code: Select all

host:youtube.com Mango - Here We Go (Original Mix)
, pasting in the copied text.
That's when I got the alert. No HTTP requests were sent to unexpected domains.

My system came out clean in full scans by both Symantec and ClamXav, so I think it's safe to say I didn't actually get infected, but I do have a couple of questions:
1) Is SeaMonkey 2.27a2 (the latest available of that version) on OS X vulnerable to that exploit at all? (I think no, but not quite 100% sure...)
2) Could it be that there is actually no malware or exploit coming from those websites at all, but just that the cached GIF image wasn't quite "correctly" written to disk due to high CPU usage (initiated by me) at the time I was able to reproduce it?

(Unfortunately, I don't have a copy of the file anymore, nor do I have any way that I know of to preserve it for analysis should I manage to reproduce this again.)
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:27.0) Gecko/20100101 Firefox/27.0

User avatar
Giorgio Maone
Site Admin
Posts: 8771
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Exploit??

Post by Giorgio Maone » Sun Jun 22, 2014 12:32 am

A Symantec false positive, most likely.
Anyway, latest Seamonkey just cannot be vulnerable to something discovered in 2005, period.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0

barbaz
Senior Member
Posts: 9321
Joined: Sat Aug 03, 2013 5:45 pm

Re: Exploit??

Post by barbaz » Sun Jun 22, 2014 3:20 am

Oops, somehow I completely missed the date that exploit was discovered, sorry about that.

Thank you very much for the clarification, Giorgio.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux i686; rv:20.0) Gecko/20100101 Firefox/20.0

barbaz
Senior Member
Posts: 9321
Joined: Sat Aug 03, 2013 5:45 pm

Re: Exploit??

Post by barbaz » Tue Jun 24, 2014 10:15 pm

Reproduced again, and the source is

Code: Select all

startpage.com/cgi-bin/ccspacer?
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0 (PaleMoon)

User avatar
therube
Ambassador
Posts: 7519
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Exploit??

Post by therube » Wed Jun 25, 2014 1:27 am

This is all I could get out of it, 7 bytes:

Code: Select all

47 49 46 38 39 61 01   GIF89a.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26.1

barbaz
Senior Member
Posts: 9321
Joined: Sat Aug 03, 2013 5:45 pm

Re: Exploit??

Post by barbaz » Wed Jun 25, 2014 3:08 am

That wasn't a direct link - the actual file resides on subdomains of startpage.com and is requested with URL parameters that vary slightly depending the search you do.

If you want an actual URL similar to what I'm working with, disable scripts for startpage.com in NoScript, do a search via their browser searchplugin, and then check something like the Adblock Plus blockable items list. Note also that Symantec doesn't consistently flag the file (I can't figure out what's making the difference), and a quick check indicates that ClamXav does *not* think it's malicious even when Symantec does.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0 (PaleMoon)

Post Reply