NewOrder.box.sk Inherits Incore Redirection Vulnerability.

Vulnerability: Not Patched Yet


zeroknock [at] secniche.org


For Education Purposes Only!


Redirection Analysis.

neworder.box.sk is a well-known security website. It inherits a very specific class of redirection attack: domain forwarding (URL forwarding) is not only possible directly through the website but can also be invoked by a third party. This makes the website prone to redirection attacks and traffic manipulation. The context in which this attack is carried out is very narrow. Before getting into detail, let us perform a single test through Google: we check whether any redirect parameter is present in the meta contents of the website. Look at the screenshot.





Why does this happen?

There can be two reasons:
1. The most basic reason is that the site does not allow search engine spiders to crawl it: a robots.txt is in place and the relevant entries in that file are in the "Disallow" state.

2. The second reason can be that no search meta elements are provided in the header tags of the PHP web page.

The reason can be anything, but the Google results are not always so fruitful. According to Google, no such page exists. Let us see how exactly the URL redirection is designed in PHP.

	<?php
		// The redirect must be the first and only output of the response.
		header( "HTTP/1.1 301 Moved Permanently" );
		header( "Location: http://www.new-url.com" );
		exit;
	?>
	 
That is exactly how things work. Remember, the HTTP protocol requires that the redirect be sent all by itself, without any web page data. As a result, a web programmer who uses a scripting language to redirect the user's browser to another page must ensure that the redirect is the first or only part of the response. In the ASP scripting language, this can be accomplished using response.buffer=true and response.redirect "http://www.example.com". In PHP, one uses header("Location: http://www.example.com").

At this point we have reached the base, and Google has played its part. Ha! The redirect script carries this redirection vulnerability, and it can be programmed to launch looping attacks in the browser. The attacks can be:

1. Looping with single domain forwarding.
2. Looping with multiple domain forwarding.

Single domain forwarding means redirecting traffic through the vulnerable link to a single destination. Multiple domain forwarding redirects to a number of sites. We will demonstrate them one by one.

Upon searching the website directly I found that the vulnerable link is:
http://neworder.box.sk/redirect.php?[Redirected URL]
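The following is an added example, not code from the advisory or from the site: it places the unchecked redirect behaviour described above beside a validator that only forwards to an allowlisted host (the allowlist and the access-log lines are constructed for illustration), and a small detector that flags redirect.php hits carrying external targets in server logs.

```python
import re
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts this site is willing to forward to.
ALLOWED_HOSTS = {"neworder.box.sk", "www.box.sk"}

def vulnerable_redirect(param):
    """The behaviour the advisory describes: whatever follows
    'redirect.php?' goes into the Location header unchanged."""
    return param

def safe_redirect(param, fallback="/"):
    """Return a Location value that can only point at an allowlisted host
    or at a local path; anything else becomes the fallback."""
    parts = urlsplit(param.strip())
    if parts.scheme in ("http", "https") and parts.netloc:
        # hostname drops userinfo and port, so 'http://neworder.box.sk@evil' is caught
        if (parts.hostname or "") in ALLOWED_HOSTS:
            return param
        return fallback
    # Only a plain local path: '//host' parses with a netloc, other schemes
    # (javascript:, data:) carry a scheme, and backslashes are rejected outright.
    if (not parts.scheme and not parts.netloc
            and parts.path.startswith("/") and "\\" not in param):
        return param
    return fallback

# Constructed access-log lines (Common Log Format), not real server data.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2007:10:00:00 +0000] "GET /redirect.php?http://www.google.com HTTP/1.1" 301 0',
    '198.51.100.9 - - [01/Jan/2007:10:00:01 +0000] "GET /redirect.php?/forum/index.php HTTP/1.1" 301 0',
    '203.0.113.5 - - [01/Jan/2007:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 512',
]

LOG_RE = re.compile(r'"GET /redirect\.php\?(?P<target>\S*) HTTP/')

def flag_external_redirects(log_lines):
    """Return (client_ip, target) for every redirect.php hit whose target
    would not pass safe_redirect, i.e. the abuse pattern in the advisory."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and safe_redirect(m.group("target"), fallback=None) is None:
            hits.append((line.split()[0], m.group("target")))
    return hits

if __name__ == "__main__":
    for ip, target in flag_external_redirects(SAMPLE_LOG):
        print(f"external redirect from {ip} to {target}")
```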

When you start writing complicated files, i.e. you decide to allow different user agents access to different directories, problems can start if you do not pay special attention to the traps of a robots.txt file. Common mistakes include typos and contradicting directives. Typos are misspelled user agents, directories, missing colons after User-agent and Disallow, etc. Typos can be tricky to find, but in some cases validation tools help. The more serious problem is logical errors. For instance:

	User-agent: *
	Disallow: /temp/

	User-agent: Googlebot
	Disallow: /images/
	Disallow: /temp/
	Disallow: /cgi-bin/

The above example is from a robots.txt that allows all agents to access everything on the site except the /temp/ directory. Up to here it is fine, but later on there is another record that specifies more restrictive terms for Googlebot. When Googlebot starts reading robots.txt, it will see that all user agents (including Googlebot itself) are allowed into all folders except /temp/. This is enough for Googlebot to know, so it will not read the file to the end and will index everything except /temp/, including /images/ and /cgi-bin/, which you think you have told it not to touch. You see, the structure of a robots.txt file is simple, but serious mistakes can still be made easily.

You can use the same script with a loop that fires a number of child browsers. One can also exploit it through iframe tags. Arrays of attack websites to be redirected to can also be built and put into a script. First, look at the looping code.

	#!/usr/bin/perl
	use strict;
	use warnings;

	# The redirect URL to abuse, followed by the destination given on the command line.
	my $exploited_url = "http://neworder.box.sk/redirect.php?";
	my $website_hit   = $ARGV[0];
	my $phishing      = $exploited_url . $website_hit;

	# Open nine browser windows, each going through the redirect.
	for (my $temp = 1; $temp < 10; $temp++) {
		system("firefox $phishing");
	}
Note:
This information can be captured in several ways. One way involves URL redirection. Instead of sending the visitor straight to the other site, links on the site can direct to a URL on the original website's domain that automatically redirects to the real target. This added request will leave a trace in the server logs saying exactly which link was followed. This technique is also used by some corporate websites to have a "warning" page that the content is off-site and not necessarily affiliated with the corporation. This technique does bear the downside in the delay of an additional request to the original website's server, even if the redirect is set to fire in 0 seconds. For websites that wish to display a "warning" page before automatically forwarding, the length of time the warning is displayed is an additional delay.



The Redirection Attack Check:

http://neworder.box.sk/redirect.php?http://www.google.com

http://neworder.box.sk/redirect.php?http://www.secniche.org

http://neworder.box.sk/redirect.php?http://www.microsoft.com

The analysis is all done!