

Brief items

Syndicated Malware

September 13, 2006

This article was contributed by Jake Edge.

Syndicated content from blogs, news sites, and the like is a popular way to keep track of those websites, but it also provides a vector for malware. Really Simple Syndication (RSS) and Atom are the two formats used to provide syndicated content, and there is a variety of web-based and standalone clients that can read RSS/Atom feeds and display them to users. These clients often do not properly filter the content they receive and can be susceptible to various attacks.

Both RSS and Atom are XML-based formats containing the various elements of the content being syndicated: title, description, story link, etc. A client program, often known as an 'aggregator', allows the user to subscribe to feeds and checks them periodically for new content. The aggregator then displays that information, and the user can choose content items to look at more closely. Because much of the content comes from websites, aggregators typically interpret the HTML in the feed data for display. This provides the means for attacks.

Malicious content, for cross-site scripting (XSS) or cross-site request forgery (XSRF), can be inserted into any of the textual portions of the feed data. If the aggregator does not sufficiently filter the received data, it may expose the user to the malware. Web-based aggregators are particularly susceptible, as they run in a browser with all of the normal browser capabilities, but standalone clients often include browser-like rendering or will start a browser to follow feed links.

While it is certainly possible, it seems unlikely that feed providers will directly put malware in their own feeds; they are too easy to track down. A much more likely scenario is feeds that syndicate user-generated content, like comment feeds on blogs or on sites like LWN (syndication information here). Depending on the filtering that the site does, it may end up propagating malware within its syndication content. A malicious user could, anonymously at many sites, post a comment containing malware and effectively co-opt the site into spreading it. A popular site could spread such malware very widely, even if only a small percentage of its users' aggregators were affected.

In addition, many popular sites are 're-syndicated': their feeds are included in the feeds of aggregation sites. A security site, for instance, might display the feeds of several other security sites and include that content in its own feed. This allows for a virus-like propagation, where a malicious user can inject content once and have it start showing up in multiple feeds. Some sites will also collect mailing list entries or descriptions of new content available on peer-to-peer networks and add them to their syndication feeds. This provides even more ways for someone to anonymously inject malware.

Bob Auger presented his findings (PDF) on this subject at the Black Hat 2006 conference. He provides several examples of plausible malware attack scenarios, as well as examples of RSS and Atom data that demonstrate these techniques.

The potential for malicious content in any data that originates elsewhere really cannot be overstated. The tools we use on a day-to-day basis need to be aware of this potential and act accordingly. It may seem that security articles tediously repeat the same 'filter input data' mantra over and over, but here is yet another place where proper filtering has been overlooked.
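As an added example, not code from the article or from any aggregator it mentions, here is a small Python aggregator front end that does the filtering the article calls for: it parses RSS 2.0 and Atom, rebuilds each HTML body from a tag whitelist (script blocks, event-handler attributes and non-http/https/mailto links are dropped), escapes titles, and validates item links before anything reaches the display layer. The comment feed and the host example.invalid are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from html import escape
from html.parser import HTMLParser

# Display whitelist: unlisted tags vanish, unlisted attributes are stripped.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "pre",
                "blockquote", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
ATOM_NS = "{http://www.w3.org/2005/Atom}"


def safe_url(value):
    """Return the URL if it carries an allowed scheme, otherwise ''.

    Any control character or whitespace inside the value is grounds for
    rejection, since browsers discard such characters when parsing a scheme.
    """
    v = (value or "").strip()
    if any(ord(ch) < 33 for ch in v):
        return ""
    return v if v.lower().startswith(SAFE_URL_SCHEMES) else ""


class _Sanitizer(HTMLParser):
    """Rebuild an HTML fragment keeping only whitelisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._dropping = 0  # >0 while inside <script>/<style>: drop text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._dropping += 1
            return
        if self._dropping or tag not in ALLOWED_TAGS:
            return
        kept = ""
        for name, value in attrs:      # on*=, style=, src= ... are dropped here
            if name in ALLOWED_ATTRS.get(tag, ()) and name == "href":
                url = safe_url(value)  # HTMLParser has already decoded entities
                if url:
                    kept += ' href="%s"' % escape(url, quote=True)
        self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._dropping = max(0, self._dropping - 1)
            return
        if not self._dropping and tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._dropping:         # text is re-escaped on the way out
            self.out.append(escape(data, quote=False))


def sanitize_html(fragment):
    p = _Sanitizer()
    p.feed(fragment or "")
    p.close()
    return "".join(p.out)


def parse_feed(xml_text):
    """Yield (title, link, body) tuples from an RSS 2.0 or Atom document."""
    root = ET.fromstring(xml_text)
    if root.tag == "rss":
        for item in root.iter("item"):
            yield (item.findtext("title", ""), item.findtext("link", ""),
                   item.findtext("description", ""))
    elif root.tag == ATOM_NS + "feed":
        for entry in root.iter(ATOM_NS + "entry"):
            link = entry.find(ATOM_NS + "link")
            href = link.get("href", "") if link is not None else ""
            # type="html" content arrives as escaped text that ET decodes;
            # type="xhtml" (inline XML children) is not handled here.
            body = (entry.findtext(ATOM_NS + "content") or
                    entry.findtext(ATOM_NS + "summary") or "")
            yield (entry.findtext(ATOM_NS + "title", ""), href, body)
    else:
        raise ValueError("unsupported feed format: %s" % root.tag)


def render_items(xml_text):
    """What the aggregator hands to its HTML view: every field filtered."""
    return [{"title": escape(title), "link": safe_url(link),
             "body": sanitize_html(body)}
            for title, link, body in parse_feed(xml_text)]


# Constructed sample: a blog comment feed whose second comment is hostile.
SAMPLE_RSS = """<rss version="2.0"><channel><title>Example comments</title>
<item><title>A normal comment</title>
<link>https://example.invalid/article/1#c1</link>
<description>&lt;p&gt;Nice &lt;b&gt;article&lt;/b&gt;, see &lt;a href="https://example.invalid/more"&gt;this&lt;/a&gt;.&lt;/p&gt;</description></item>
<item><title>A hostile comment</title>
<link>https://example.invalid/article/1#c2</link>
<description>&lt;p onmouseover="alert(1)"&gt;Hi&lt;/p&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;&lt;a href="javascript:alert(2)"&gt;click&lt;/a&gt;</description></item>
</channel></rss>"""

if __name__ == "__main__":
    for item in render_items(SAMPLE_RSS):
        print(item["title"], "->", item["link"])
        print("   ", item["body"])
```

The filter runs on what the HTML parser has already decoded, so an entity-encoded scheme in an href value is rejected just like a literal one, and a tag that is not on the list disappears rather than being passed through untouched. The XML layer is a separate concern: xml.etree does nothing about entity-expansion attacks, so an aggregator reading untrusted feeds should parse with the defusedxml package instead of ET.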


New vulnerabilities

bind: denial of service

Package(s): bind
CVE #(s): CVE-2006-4095, CVE-2006-4096
Created: September 7, 2006
Updated: February 1, 2007
Description: Bind has two denial of service vulnerabilities.

On recursive servers, queries for SIG records will trigger an assertion failure if more than one RRset is returned.

An INSIST failure can be triggered by sending a large number of recursive queries.

Fedora FEDORA-2007-164 bind 2007-01-31
Gentoo 200609-11 bind 2006-09-15
Slackware SSA:2006-257-01 bind 2006-09-15
Fedora FEDORA-2006-966 bind 2006-09-11
Debian DSA-1172-1 bind9 2006-09-09
Mandriva MDKSA-2006:163 bind 2006-09-08
rPath rPSA-2006-0166-1 bind 2006-09-08
Ubuntu USN-343-1 bind9 2006-09-07
OpenPKG OpenPKG-SA-2006.019 bind 2006-09-07


flash-plugin: arbitrary code execution

Package(s): flash-plugin
CVE #(s): CVE-2006-3311, CVE-2006-3587, CVE-2006-3588
Created: September 13, 2006
Updated: October 5, 2006
Description: Security issues were discovered in the Adobe Flash Player. It may be possible to execute arbitrary code on a victim's machine if the victim opens a malicious Adobe Flash file.
Gentoo 200610-02 netscape-flash 2006-10-04
SuSE SUSE-SA:2006:053 flash-player 2006-09-21
Red Hat RHSA-2006:0674-01 flash-plugin 2006-09-12


isakmpd: programming error

Package(s): isakmpd
CVE #(s): CVE-2006-4436
Created: September 13, 2006
Updated: September 13, 2006
Description: A flaw has been found in isakmpd, OpenBSD's implementation of the Internet Key Exchange protocol, that caused Security Associations to be created with a replay window of 0 when isakmpd was acting as the responder during SA negotiation. This could allow an attacker to re-inject sniffed IPsec packets, which would not be checked against the replay counter.
Debian DSA-1175-1 isakmpd 2006-09-13


mailman: several vulnerabilities

Package(s): mailman
CVE #(s): CVE-2006-2941, CVE-2006-3636
Created: September 8, 2006
Updated: October 23, 2006
Description: A flaw was found in the way Mailman handled MIME multipart messages. An attacker could send a carefully crafted MIME multipart email message to a mailing list run by Mailman which caused that particular mailing list to stop working. (CVE-2006-2941)

Several cross-site scripting (XSS) issues were found in Mailman. An attacker could exploit these issues to perform cross-site scripting attacks against the Mailman administrator. (CVE-2006-3636)

Fedora FEDORA-2006-1013 mailman 2006-10-23
Debian DSA-1188-1 mailman 2006-10-04
Gentoo 200609-12 mailman 2006-09-19
Mandriva MDKSA-2006:165 mailman 2006-09-18
Ubuntu USN-345-1 mailman 2006-09-13
rPath rPSA-2006-0165-1 mailman 2006-09-08
Red Hat RHSA-2006:0600-01 mailman 2006-09-06


php: several vulnerabilities

Package(s): php
CVE #(s): CVE-2006-4481, CVE-2006-4484, CVE-2006-4485
Created: September 8, 2006
Updated: June 13, 2008
Description: The file_exists and imap_reopen functions in PHP before 5.1.5 do not check for the safe_mode and open_basedir settings, which allows local users to bypass the settings (CVE-2006-4481).

A buffer overflow in the LWZReadByte function in ext/gd/libgd/gd_gif_in.c in the GD extension in PHP before 5.1.5 allows remote attackers to have an unknown impact via a GIF file with input_code_size greater than MAX_LWZ_BITS, which triggers an overflow when initializing the table array (CVE-2006-4484).

The stripos function in PHP before 5.1.5 has unknown impact and attack vectors related to an out-of-bounds read (CVE-2006-4485).

SuSE SUSE-SR:2008:013 thunderbird, xulrunner, tkimg, cups, qemu, gstreamer010-plugins-good, pan, libxslt 2008-06-13
Mandriva MDVSA-2008:077 perl-Tk 2007-03-26
SuSE SUSE-SR:2008:005 acroread, asterisk, cacti, compat-openssl097g, icu, libcdio, wireshark/ethereal, Jakarta, perl-tk 2008-03-06
Red Hat RHSA-2008:0146-01 gd 2008-02-28
Fedora FEDORA-2008-1643 graphviz 2008-02-13
Foresight FLEA-2008-0007-1 gd 2008-02-11
Fedora FEDORA-2008-1122 tk 2008-02-05
Fedora FEDORA-2008-1131 tk 2008-02-05
SuSE SUSE-SR:2008:003 java, nss_ldap, cairo, geronimo, moodle, SDL_image, python, mysql, nx, xemacs 2008-02-07
Mandriva MDVSA-2008:038 gd 2007-02-07
rPath rPSA-2008-0046-1 gd 2008-02-06
Gentoo 200802-01 sdl-image 2008-02-06
rPath rPSA-2006-0182-1 php 2006-10-05
SuSE SUSE-SA:2006:052 php4,php5 2006-09-21
Red Hat RHSA-2006:0669-01 PHP 2006-09-21
Mandriva MDKSA-2006:162 php 2006-09-07


xorg-x11: privilege escalation

Package(s): xorg-x11, xfree86
CVE #(s): CVE-2006-3739, CVE-2006-3740
Created: September 12, 2006
Updated: December 14, 2006
Description: iDefense reported two integer overflow flaws in the way the server processed CID font files. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the server.
Mandriva MDKSA-2006:164-2 xorg-x11 2006-12-14
Mandriva MDKSA-2006:164-1 xorg-x11 2006-11-17
Debian DSA-1193-1 xfree86 2006-10-09
SuSE SUSE-SR:2006:023 MySQL xmms-plugins gnutls squirrelmail xscreensaver newpg bind 2006-09-27
Slackware SSA:2006-259-01 x11 2006-09-18
Mandriva MDKSA-2006:164 xorg-x11 2006-09-14
Gentoo 200609-07 libXfont 2006-09-13
Ubuntu USN-344-1 libxfont, xorg 2006-09-12
Red Hat RHSA-2006:0666-01 XFree86 2006-09-12
Red Hat RHSA-2006:0665-01 2006-09-12
rPath rPSA-2006-0167-1 x11 2006-09-12


Page editor: Jonathan Corbet

Copyright © 2006, Eklektix, Inc.