FlashGot + JDownloader exploit-walmart.com -NoScript bypass?
Posted: Wed Jun 20, 2012 5:20 pm
Dear Sirs,
Yesterday I was browsing the videogames session at 'www.walmart.com'
Yes 'www.walmart.com'.
Suddenly, my Ubuntu system froze. Only the mouse pointer movement was still responding, but the mouse clicking wasn't.
It stayed in this state for about 1 minute. Then JDownloader opened and told me (as a warning) that an external application (flashgot) was accessing it, and asked whether I would allow the access to proceed or not. In fact my flashgot is associated with JDownloader, BUT I didn't click on anything to download at all!
But, as I said, the mouse click wasn't responding. There was a countdown on the JDownloader window and the default option was 'allow'.
I didn't have time to start another tty and kill the JDownloader before the (supposed) malicious code executed.
I'm almost sure that this was a flashgot + JDownloader exploit that was able to bypass NoScript.
Furthermore, analysing my apparmor logs, I also noticed that Java code had executed from the IcedTea-Web plugin and that it tried to execute my '/bin/which', apparently even before JDownloader started.
I tried to trace the exploit source and I believe that it might be the site 'http://wtags.bluekai.com'.
Could you check this out?
Was this an XSS attack?
Wasn't NoScript supposed to block it?
Any help would be really appreciated.
Thanks in advance.
Bruno
Additional Information:
---------------------------------
Link:
http://www.walmart.com/cp/413799?povid= ... _GAMES_PS3
Before the exploit executed I had allowed the following domains:
wallmart.com
channelintelligence.com
walmartimages.com