A Puzzlement...

Published: 2011-11-28. Last Updated: 2011-11-28 19:17:16 UTC
by Tom Liston (Version: 2)
2 comment(s)

Perhaps I'm getting old and unimaginative - but I just don't get it...

About a month and a half ago, I published a diary called "What's In A Name." In that diary, I discussed an interesting "hack," where additional names were added to DNS zone information as part of what appears to be an SEO (search engine optimization) scam.

Over the past month, I've seen several web app RFI (remote file inclusion) attacks that have been using "target files" hosted on machines with names like blogger.com.victimdomain.com or img.youtube.com.victimdomain.com.  A little digging shows that these names also appear to have been added to DNS zones without the knowledge or permission of their owners.  As in the first set of these I found, those names point to a completely different machine (in fact, in a different country) that has nothing at all to do with the main domain.

So, what's the point of using one of these names?  What does this sort of obfuscation gain someone doing RFI attacks?

I'd love to hear some theories, because honestly... I'm stumped.

Tom Liston
ISC Handler
Senior Security Analyst, InGuardians, Inc.
twitter: tliston

P.S.: The folks at the web hosting company that I talked with were less than helpful.  The contents of DNS were "confidential" and they could only respond to a "client complaint." So I'm left trying to explain to some poor, clueless, mom and pop outfit that they need to contact their web host and complain about something called "DNS."  Lovely.

I keep hearing horror stories about how organizations treat people who contact them regarding security issues.  Please make sure that *your* organization truly works with anyone who reports an incident.  It's the frickin' holidays, after all...

UPDATE: B-I-N-G-O! Both @web007 and @jjarmoc on Twitter came up with the answer... and made me kick myself for not looking more closely at how these machine names were being used in the RFI attack.  The attack is intended to satisfy a poorly written domain name matching "filter" for allowed remote includes in the script being attacked... in this case, timthumb.php.  Thank you, thank you, thank you!  And, if you're using timthumb.php, you need to make sure you're using the latest version.  Also, @jjarmoc correctly points out that this isn't really an RFI attack... the malicious code is actually uploaded and executed - but the end result is the same.


Comments

The missing piece of your puzzle is that this is required to pass some poorly thought out input validation routines in some apps. The likely candidate here is the timthumb.php vuln detailed at:

http://osvdb.org/show/osvdb/74326
http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/
http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/

In this case, the vulnerable code attempts to confirm it's fetching a file from one of a small list of allowed sites. It does this by requiring a regex match between a small list of allowed sites, and the parameter value. Unfortunately, the regex isn't anchored, so http://blogger.com.example.com/ and http://blogger.com/ are both accepted.

If your URI doesn't have a string matching one of the whitelisted domains, your code won't execute.

Jeff - I was so focused on the name hack that I failed to look closely enough at the attacks. You're EXACTLY correct... Thank you!
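An added example (not code from this diary, from timthumb.php, or from the commenter) re-creating in Python the flawed check the UPDATE and Jeff's comment describe: an unanchored match that accepts any URL merely containing an allowed name, next to a check that parses the URL and compares the host exactly. The allowlist and sample URLs are constructed for the illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist for the illustration; not timthumb's real list.
ALLOWED_SITES = ["blogger.com", "img.youtube.com", "flickr.com"]


def weak_allowed(url: str) -> bool:
    """The flawed pattern: an unanchored search accepts the URL if an
    allowed name appears anywhere in it, including inside a longer host
    such as blogger.com.victimdomain.com or in the query string."""
    lowered = url.lower()
    return any(re.search(re.escape(site), lowered) for site in ALLOWED_SITES)


def strict_allowed(url: str) -> bool:
    """Parse the URL, isolate the host component, and require it to equal
    an allowed name exactly. Extra labels, user@host tricks and decoys in
    the query string all fail because they never change the parsed host."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    return host in ALLOWED_SITES


def compare(urls):
    """Return {url: (weak_result, strict_result)} for a batch of candidates."""
    return {u: (weak_allowed(u), strict_allowed(u)) for u in urls}


if __name__ == "__main__":
    # Constructed sample inputs modelled on the names the diary describes.
    samples = [
        "http://blogger.com/image.jpg",
        "http://blogger.com.victimdomain.com/remote.php",
        "http://img.youtube.com.victimdomain.com/remote.php",
        "http://attacker.invalid/?decoy=flickr.com",
        "http://blogger.com@attacker.invalid/remote.php",
    ]
    for url, (weak, strict) in compare(samples).items():
        print(f"weak={weak!s:5} strict={strict!s:5} {url}")
```

Only the first sample survives the strict check; the other four all pass the unanchored one, which is exactly the gap the crafted DNS names exploit.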