web application security lab

ANI Exploit + SQL injection

Arian Evans pointed me to an interesting article over at SecurityFocus discussing how 25,000 machines were compromised specifically to launch the ANI (Windows animated cursor) exploit. There are a few interesting parts to this. The first is that it appears the Dolphins stadium hack a while back was not unique; it was just one part of this larger attack. The second is that SQL injection was the most likely culprit for the large-scale compromise.

I know we’ve all thought about it, but for some reason this one is hitting home a little more than others. Partially because I think we all like to believe we are unique and that every hack needs to be forensically important. Imagine you were running the Miami Dolphins and you saw this happen to your site. You’d want answers, and you’d want them now. And then, after spending countless hours and tons of resources, you’d find that the answer is you were just one hack of 25,000. The Dolphins had an interesting website, but it was actually insignificant in the grand scheme of the attack.

It’s a sobering thought that one attack compromised 25,000 websites, which in turn could have compromised hundreds of thousands or even millions of visiting machines via the ANI payload delivered through XSS. And ultimately, the attackers are still at large. It’s a pretty scary concept when you consider the low diversity among open source web applications: one hole in a widely deployed package is a hole in every site running it, which makes the mass compromise possible. Maybe that tiny webapp hole isn’t so tiny after all.
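The chain the post describes is a SQL injection that plants markup in stored content, which the site then echoes to visitors as a script. As an added example (not code from the original post or from the affected sites), the following Python script uses an in-memory SQLite table with constructed sample rows to show the two controls that break that chain: a parameterized query, so a crafted slug cannot change the query, and output encoding, so a script tag that did make it into the database is rendered as inert text. The table, slugs, and the `example.invalid` script URL are all constructed for the demonstration.

```python
import html
import sqlite3

# Constructed sample content (not from the incident): one legitimate page body
# and one row that already contains injected script markup, standing in for
# content that reached the database through a SQL injection hole.
PAGES = [
    ("home", "Welcome to the stadium site"),
    ("news", 'Game tonight <script src="http://example.invalid/x.js"></script>'),
]


def make_db():
    """Build the in-memory table the demonstration queries against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", PAGES)
    return conn


def lookup_vulnerable(conn, slug):
    """String concatenation: the slug becomes part of the SQL text.

    A slug containing a quote character changes the query itself, so the
    caller no longer controls which rows come back (or what else runs).
    """
    sql = "SELECT body FROM pages WHERE slug = '" + slug + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, slug):
    """Bound parameter: the slug is data, never SQL.

    The same quote-laden input is compared literally against the slug column,
    matches nothing, and the query text is unchanged.
    """
    rows = conn.execute("SELECT body FROM pages WHERE slug = ?", (slug,))
    return [row[0] for row in rows]


def render_unescaped(body):
    """The failure mode: stored content is pasted straight into the page."""
    return "<div>" + body + "</div>"


def render_escaped(body):
    """Output encoding: whatever is in the database is shown as text, not markup.

    Even a row that was tampered with via SQL injection cannot load a script
    in the visitor's browser once the angle brackets and quotes are encoded.
    """
    return "<div>" + html.escape(body, quote=True) + "</div>"


def contains_script_markup(rendered_html):
    """Check used by the demonstration: does the output carry a live script tag?"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    db = make_db()
    # A slug that a benign user would never send; it contains a single quote.
    odd_slug = "x' OR '1'='1"
    print("concatenated query returned", len(lookup_vulnerable(db, odd_slug)), "rows")
    print("parameterized query returned", len(lookup_parameterized(db, odd_slug)), "rows")
    news = lookup_parameterized(db, "news")[0]
    print("unescaped render carries script:", contains_script_markup(render_unescaped(news)))
    print("escaped render carries script:  ", contains_script_markup(render_escaped(news)))
```

Note that the two controls are independent: parameterized queries stop the injection from landing in the first place, while output encoding limits the damage if content was altered by some other route (a compromised admin account, a bulk import, a second vulnerable page), which is why the comment below about filtering on output is not redundant with fixing the SQL.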

2 Responses to “ANI Exploit + SQL injection”

  1. digi7al64 Says:

    Thank god the guys on the FD list still think XSS is a joke. Without that, people might actually start tackling the problem and shutting down all these holes.

  2. digi7al64 Says:

    Oops - before I forget, whilst SQL injection allowed the exploit to be inserted, if the code was smart enough to filter out the inserted XSS it would have been impossible to launch the attack.

    Next, if the code was smart enough to filter out XSS/SQL attacks then it wouldn’t happen.