Category Archives: Various

ClamAV antivirus blocking Yahoo, Apple HTML.IFrame-39

We have experienced some issues with ClamAV antivirus when trying to access the Yahoo or Apple websites. Access is denied with the message “Virus ‘HTML.IFrame-39’ found”.

The “HTML.IFrame-39” signature was introduced in ClamAV daily DB update 10766, dated Apr 20, 2010, 8:10 PM.

Submission-ID: 15222955
Sender: llattan
Submission notes: Email link leads to a URL not found.
Added: Email.Trojan-162
Added: HTML.IFrame-39

Other websites may also be affected by this false positive.

Below is a list of affected websites: http://uk.yahoo.com, http://fr.yahoo.com, http://www.apple.com, http://www.lenovo.com, http://www.aqa.org.uk, http://www.alice-dsl.de, http://www.sky.de

Google Mediapartners crawlers replaying web attacks

In the use case analysis SUC001, we discovered that Google Mediapartners crawlers seem to replay web attacks under certain conditions:

  • Your website needs to be a member of the AdSense network.
  • Your robots.txt file must not exclude “Mediapartners-Google” from indexing.
  • The targeted web page on your website must contain an AdSense banner.
  • The “Mediapartners-Google” crawler should visit your website frequently, ideally on every display of the web page.

I created a fake MySQL database named “injection”; its fake content is shown below.

CREATE TABLE IF NOT EXISTS `injection` (
  `id` int(11) NOT NULL auto_increment,
  `password` varchar(255) NOT NULL,
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=3 ;

INSERT INTO `injection` (`id`, `password`) VALUES
(1, 'testtest'),
(2, 'testtesttest');

I granted the MySQL user “injection” SELECT privileges only, on the “injection” table and from localhost only.

Once all the SQL requirements are created, we need a PHP test page with an “id” parameter that is vulnerable to SQL injection, for example “test2.php?id=2”.

$sql = "SELECT password FROM injection WHERE id=" . $_REQUEST['id'];

We also insert some good keywords into this web page (just copy and paste your favourite web article), plus the required AdSense banner. Now that everything is configured, we can test whether the Google Mediapartners crawler will replay the SQL injection attack.

The SQL injection that will be played is the following:

SELECT password FROM injection WHERE id=2 AND ORD(MID((SELECT 4 FROM information_schema.TABLES LIMIT 0, 1), 70, 1)) > 51 AND 4454=4454

The web request produces this entry in the Apache log file:

80.90.60.93 - - [20/Apr/2010:22:48:45 +0200] "GET //test2.php?id=2%20AND%20ORD%28MID%28%28SELECT%204%20FROM%20information_schema.TABLES%20LIMIT%200%2C%201%29%2C%2070%2C%201%29%29%20%3E%2051%20AND%204454=4454 HTTP/1.1" 200 1280 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; fr-fr) AppleWebKit/531.22.7 (KHTML, like Gecko) Version/4.0.5 Safari/531.22.7"

The MySQL log file shows this entry:

100420 22:48:45
419 Connect     injection@localhost on
1419 Init DB     injection
1419 Query       SELECT password FROM injection WHERE id=2 AND ORD(MID((SELECT 4 FROM information_schema.TABLES LIMIT 0, 1), 70, 1)) > 51 AND 4454=4454

A few seconds later, this HTTP request is repeated by the Google Mediapartners crawler.

66.249.71.1 - - [20/Apr/2010:22:48:48 +0200] "GET //test2.php?id=2%20AND%20ORD(MID((SELECT%204%20FROM%20information_schema.TABLES%20LIMIT%200%2C%201)%2C%2070%2C%201))%20%3E%2051%20AND%204454=4454 HTTP/1.1" 200 1280 "-" "Mediapartners-Google"

And, unsurprisingly, the MySQL log file shows that the crawler is replaying the SQL injection.

100420 22:48:48
1432 Connect     injection@localhost on
1432 Init DB     injection
1432 Query       SELECT password FROM injection WHERE id=2 AND ORD(MID((SELECT 4 FROM information_schema.TABLES LIMIT 0, 1), 70, 1)) > 51 AND 4454=4454

So, in conclusion, if your website is a member of the Google AdSense network, displays AdSense banners, is vulnerable and is targeted by an SQL injection, you will be owned not only by the bad guys but also by Google 🙂
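As an added example (not part of the original post), the following Python script turns the observation above into a detection: it parses Apache combined-log lines, URL-decodes the request so that differently encoded copies compare equal (note that the two entries above encode the parentheses differently), flags SQL-injection-looking queries, and reports when a Mediapartners-Google fetch repeats a request seen from another client shortly before. The sample log lines are constructed from the two entries above; the SQLi pattern and the 60-second window are my assumptions.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Constructed sample lines, modelled on the two Apache entries quoted in the post
# (the attacker's request, then the Mediapartners-Google fetch three seconds later),
# plus one benign crawler hit that must not be reported.
SAMPLE_LOG = [
    '80.90.60.93 - - [20/Apr/2010:22:48:45 +0200] "GET //test2.php?id=2%20AND%20ORD%28MID%28%28SELECT%204%20FROM%20information_schema.TABLES%20LIMIT%200%2C%201%29%2C%2070%2C%201%29%29%20%3E%2051%20AND%204454=4454 HTTP/1.1" 200 1280 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; fr-fr) AppleWebKit/531.22.7"',
    '66.249.71.1 - - [20/Apr/2010:22:48:48 +0200] "GET //test2.php?id=2%20AND%20ORD(MID((SELECT%204%20FROM%20information_schema.TABLES%20LIMIT%200%2C%201)%2C%2070%2C%201))%20%3E%2051%20AND%204454=4454 HTTP/1.1" 200 1280 "-" "Mediapartners-Google"',
    '10.0.0.5 - - [20/Apr/2010:22:49:10 +0200] "GET /test2.php?id=2 HTTP/1.1" 200 1280 "-" "Mediapartners-Google"',
]

# Apache "combined" format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Deliberately simple SQLi indicator (assumption): SQL keywords or MySQL functions in the URL.
SQLI_RE = re.compile(r"\b(union|select|information_schema)\b|\b(ord|mid|sleep|benchmark)\s*\(", re.I)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Normalise: decode %XX escapes and drop leading slashes so "//test2.php" == "test2.php"
    rec["decoded"] = unquote(rec["url"]).lstrip("/")
    return rec

def find_crawler_replays(lines, window_seconds=60):
    """Return (attacker_ip, crawler_ip, decoded_url) for every Mediapartners-Google fetch
    that repeats an SQLi-looking request seen from a non-crawler client within the window."""
    recs = [r for r in map(parse_line, lines) if r]
    suspicious = [r for r in recs if SQLI_RE.search(r["decoded"])]
    replays = []
    for r in suspicious:
        if "Mediapartners-Google" not in r["ua"]:
            continue
        for earlier in suspicious:
            if earlier is r or "Mediapartners-Google" in earlier["ua"]:
                continue
            delta = (r["ts"] - earlier["ts"]).total_seconds()
            if earlier["decoded"] == r["decoded"] and 0 <= delta <= window_seconds:
                replays.append((earlier["ip"], r["ip"], r["decoded"]))
    return replays

if __name__ == "__main__":
    for attacker, crawler, url in find_crawler_replays(SAMPLE_LOG):
        print(f"replay: {attacker} -> {crawler}: {url}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; only the crawler hit that mirrors an earlier suspicious request is reported.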

Growing activity from the Revolt scanner

For about a month, we have been observing growing activity from the Revolt scanner, which specializes in discovering phpMyAdmin installations. Last year, the same rise in activity preceded the release on the Internet of a phpMyAdmin exploit, which incidentally is also actively used as an attack vector. Could a new, not yet published phpMyAdmin vulnerability be under exploitation?

Metagoofil, analysis of forgotten metadata

During the reconnaissance phase of a pen-test, it is always interesting to gather as much information as possible about the target. Metagoofil, developed by Edge-Security, allows information gathering through documents available on the Internet.

Metagoofil extracts the “metadata” of various document types (pdf, doc, xls, ppt, odp, ods) belonging to a target domain name and available on the Internet. To do this, Metagoofil queries Google, using the search engine's advanced search operators to target file extensions (filetype:pdf site:zataz.com, for example).

  • Metagoofil's options are the following:

usage: metagoofil options

-d: domain to search
-f: filetype to download (all,pdf,doc,xls,ppt,odp,ods, etc)
-l: limit of results to work with (default 100)
-o: output file, html format.
-t: target directory to download files.

Example: metagoofil.py -d microsoft.com -l 20 -f all -o micro.html -t micro-files

As you can see, Metagoofil lets you filter the target documents from which the metadata will be retrieved. It is also possible to limit the number of results returned by Google, to save an HTML activity report and to specify the target directory for the downloaded documents.

  • The activity report gives you the following information:

– The URL from which the document was downloaded.
– A direct link to the locally saved document.
– The extracted metadata.

  • The metadata can contain juicy information, such as:

– The document's creation date
– The document's last modification date
– The software, and software version, used to create the document
– The default language the software was configured with to edit the document
– The number of pages, characters, words, paragraphs and lines in the document
– The name of the template used to create the document
– The type of printer that generated the document
– The storage path of the document
– The name of the user who created the document (most of the time this is the user's identifier in the domain)
– The name of the user who last modified the document (most of the time this is the user's identifier in the domain)

creation date - 20040919050429+02'00'
producer - OpenOffice.org 1.1.2
creator - Writer
format - PDF 1.4
mimetype - application/pdf

subject - Image
title -
producer - Canon iR C3380
author -
creation date - 20080320141726+01'00'
format - PDF 1.3
mimetype - application/pdf

title - Microsoft Word - ThreatNews_Flyer.doc
creator - PScript5.dll Version 5.2
author - robert.duschnock
producer - Acrobat Distiller 5.0.5 \(Windows\)
modification date - D:20050905162340+02'00'
creation date - 20050905142137Z
format - PDF 1.4
mimetype - application/pdf

mimetype - application/msword
language - U.S. English
paragraph count - 4
line count - 16
last saved by - eromang
character count - 2019
template - Normal.dot
creation date - 2008-10-28T12:04:00Z
title - qu'il est beau mon document word
word count - 354
page count - 1
creator - dbancal
date - 2009-08-11T17:28:00Z
generator - Microsoft Office Word
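As an added example (not Metagoofil's code, nor part of the original post), here is a small Python audit of the PDF metadata fields discussed above, useful for checking your own published documents before an attacker does. It reads the Info dictionary of an uncompressed PDF, handles the escaped parentheses seen in the post's “Acrobat Distiller 5.0.5 \(Windows\)” line, parses PDF dates with their timezone offset, and flags fields that identify a user, a software version or an original filename. The sample PDF bytes are constructed (values modelled on the third extract above); the leak heuristics are my assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed minimal PDF (not a real file): an uncompressed Info dictionary with values
# modelled on the third metadata extract shown in the post.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Title (Microsoft Word - ThreatNews_Flyer.doc) /Author (robert.duschnock)\n"
    b"/Creator (PScript5.dll Version 5.2) /Producer (Acrobat Distiller 5.0.5 \\(Windows\\))\n"
    b"/CreationDate (D:20050905142137Z) /ModDate (D:20050905162340+02'00') >>\nendobj\n"
    b"trailer\n<< /Info 1 0 R >>\n%%EOF\n"
)

INFO_KEYS = ("Title", "Subject", "Author", "Creator", "Producer", "CreationDate", "ModDate")
# A literal string in parentheses; "\(" and "\)" inside it are escaped parentheses.
INFO_RE = re.compile(rb"/(" + b"|".join(k.encode() for k in INFO_KEYS) + rb")\s*\(((?:\\.|[^\\)])*)\)")

def extract_pdf_info(data):
    """Return the Info-dictionary fields of an uncompressed PDF as a str -> str dict."""
    meta = {}
    for key, raw in INFO_RE.findall(data):
        value = re.sub(rb"\\([()\\])", rb"\1", raw)  # drop the escaping backslashes
        meta[key.decode()] = value.decode("latin-1")
    return meta

def parse_pdf_date(s):
    """Parse a PDF date such as D:20050905162340+02'00' into a timezone-aware datetime."""
    m = re.match(r"D:(\d{4})(\d{2})(\d{2})(\d{2})?(\d{2})?(\d{2})?([Z+-])?(\d{2})?'?(\d{2})?", s)
    if not m:
        return None
    y, mo, d, h, mi, sec, sign, oh, om = m.groups()
    tz = timezone.utc
    if sign in ("+", "-") and oh:
        off = timedelta(hours=int(oh), minutes=int(om or 0))
        tz = timezone(off if sign == "+" else -off)
    return datetime(int(y), int(mo), int(d), int(h or 0), int(mi or 0), int(sec or 0), tzinfo=tz)

def leak_report(meta):
    """Heuristic audit (assumption, not Metagoofil's logic) of what each field gives away."""
    findings = []
    if meta.get("Author"):
        findings.append(("Author", "looks like a user account: " + meta["Author"]))
    for k in ("Creator", "Producer"):
        if re.search(r"\d+\.\d+", meta.get(k, "")):
            findings.append((k, "discloses software version: " + meta[k]))
    if re.search(r"\.(docx?|xlsx?|pptx?)\b|[\\/]", meta.get("Title", "")):
        findings.append(("Title", "reveals original filename or path: " + meta["Title"]))
    return findings

if __name__ == "__main__":
    info = extract_pdf_info(SAMPLE_PDF)
    for field, reason in leak_report(info):
        print(f"{field}: {reason}")
```

Real PDFs often store the Info dictionary inside a compressed object stream, which this regex approach will not see; it is meant to show what the fields contain, not to replace a full PDF parser.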