web application security lab

Warhol Worm Becomes Spam Gateway

Our innocent little Warhol worm has begun making its rounds. There are some serious additional implications that have not been thought through completely. One thing that unsticky brought to my attention was the use of a Warhol worm for spamming. He correctly diagnoses a problem in but takes it to the next step and describes what it would take to build a Warhol XSS worm.

This is actually a pretty interesting read if you aren’t already familiar with how it would work:

While I was once again wasting my time and life on myyearbook, I found that their forum software, XMB, accepted GET requests to make replies or new threads, which can be forced via an image tag. So I played around with it, and forced some random and useless spam, from unsuspecting users, all the while thinking about how it could truly be exploited. Then it hit me, why not point an image tag to a remote php script, instead of just to the posting script. That way, you can have your script generate new code and forward the viewer back to the posting script, creating a post containing the code to repost once again. So now I’ve created a forum worm that can do wonders like spam… and advertise. So I started thinking about what else I could do, then once again, an epiphany. What if that technique were coupled with another image tag pointing to a separate php script. This time, the script would redirect the viewer’s GET request to a large page on a victim site. For every X views the ‘infected’ threads got, the victim page got just the same. On a single forum, this wouldn’t be a problem, really in any sense of the word. But after a quick google search, I found there were over 2 million forums running the same vulnerable forum software. Even with the far under-estimated guess of a total of 10 views for each forum, that’s still a good 20 million requests sent to the victim site in a very short amount of time, basically within hours. But, keep in mind this is a worm, and won’t be making just one post, it’ll be making as many posts as it gets views. An exponential increase of requests sent to our victim page. I severely doubt there’s really a single server running that would be able to handle that kind of traffic. Once the original target goes down, we’re left with dead links in all our posts… or so you’d think. Back to that idea on using a PHP script to direct the users.
This would allow you to have a list of targets, and cycle through them, as long as your scripts and ‘infected’ threads remained up. Of course, all this raises the problem of getting servers that would be able to handle the traffic generated by both the spreading of the worm, and the requests for the script to divvy out the DoS traffic. This could easily be taken care of with a large number of hosted scripts, and checks inside each of them to see which scripts were still up and which weren’t. If a script died, no more posts pointing to it would be made. Sort of scary to think such a relatively small flaw could be turned into something so much larger and far more destructive. In a sense, an attacker could use this to knock out any sites of his or her choosing, and keep them down…

unsticky is correct: a Warhol worm built from nothing but CSRF and JavaScript could easily be turned into a denial of service platform, a spam gateway for whatever purpose, or something even more malicious. It’s really up to the author’s imagination, and it’s pretty scary to think about. He also makes a good point that such a relatively small hole increases in power dramatically with the number of users of the application.
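The hole unsticky describes is that a reply can be created by a bare GET, which is exactly the request an image tag makes. As an added example (not code from the original post or from XMB), here is the vulnerable behaviour beside a hardened handler that refuses state-changing GETs and demands a session-bound anti-CSRF token a cross-site page cannot know; the handler names, session id and server secret are hypothetical.

```python
import hmac
import hashlib
from urllib.parse import parse_qs

# Constructed demo secret; a real forum would load this from config, never hard-code it.
SERVER_SECRET = b"constructed-demo-secret"


def issue_token(session_id):
    """Derive the anti-CSRF token the reply form embeds for this session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def legacy_post_reply(query):
    """Behaviour described in the post: any request carrying a message parameter creates
    a reply, so an <img src=...> on any page the victim loads posts as them."""
    message = parse_qs(query).get("message", [""])[0]
    if message:
        return 200, "reply posted: " + message
    return 400, "empty message"


def hardened_post_reply(method, session_id, body):
    """Hypothetical hardened handler. An <img> tag can only ever produce a GET with no
    body, and a cross-site page cannot read this session's token, so both forged-request
    paths from the post are refused before anything is written."""
    if method != "POST":
        return 405, "state-changing actions require POST"
    fields = parse_qs(body, keep_blank_values=True)
    token = fields.get("csrf_token", [""])[0]
    # Constant-time compare so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(token, issue_token(session_id)):
        return 403, "missing or invalid anti-CSRF token"
    message = fields.get("message", [""])[0]
    if not message.strip():
        return 400, "empty message"
    return 200, "reply posted: " + message


if __name__ == "__main__":
    sid = "session-of-logged-in-user"
    # The image-tag request from the post, against each handler.
    print(legacy_post_reply("message=spam"))
    print(hardened_post_reply("GET", sid, ""))
    print(hardened_post_reply("POST", sid, "csrf_token=" + issue_token(sid) + "&message=hello"))
```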

One Response to “Warhol Worm Becomes Spam Gateway”

  1. Girzi Says:

    Totally right!
    I made the same kind of worm for phpBB 2.0.19, which exploits an XSS.
    (Thanks to XMLHttpRequest)
    It spreads itself on the board by spamming infected messages and gets stronger and stronger. But it also spreads itself via the private message box =) and steals every cookie it sees.
    Have you tried to see if there is an XSRF in the PMB ;-) ?
    Anyway, it’s very interesting stuff (worms), because it’s getting more and more dangerous…