SHARE
TWEET

8chan XSS/imgur breach ver. 2

a guest Sep 22nd, 2015 7,674 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Version 2
  2.  
  3. tl;dr at bottom.
  4.  
  5. This is not a DDoS attempt. This exploits an XSS against 8ch and is being spread through an imgur compromise, and is very similar to another XSS against 8ch found and exploited by the same entity back in January.
  6.  
  7. I'm still collecting more info, but here are the various stages:
  8.  
  9. There's a lot of JS, but most of it is for misdirection and obfuscation. The real code does very little.
  10.  
  11. 1. Upload malicious SWF to any 8ch board that allows Flash files. SWF uses ExternalInterface to execute arbitrary JS. In this case the SWF is http://media.8ch.net/pokepaws/src/1442859661665.swf.
  12.  
  13. 1a. For some reason, 8ch allows static content to be accessed with or without the "media." subdomain. If the SWF sees it's on "media.", it redirects to the root domain (that's what the ng=1 check is for).
  14.  
  15. I believe this is the actual XSS exploit.
  16.  
  17. If the SWF could only be accessed via "media.", same origin policy would only allow JS to be executed in the context of media.8ch.net rather than 8ch.net. Allowing users to upload arbitrary Flash SWFs which can be accessed via a domain essentially gives everyone arbitrary JS execution privileges to that domain. In other words, it's like letting people upload arbitrary HTML files (which would then contain script tags etc.).
  18.  
  19. Edit: It looks like 8ch.net is now the default for static content, rather than media.8ch.net. So this was an intentional change, but it unintentionally introduced an XSS vector when combined with SWF uploads.
  20.  
  21. 2. Embed that SWF on any other site. In this case the site is imgur (loaded indirectly through JS hosted on 4cdns.org first). Based on what I see, this is very likely a serious breach of imgur. They're routing a file with an image extension to an HTML file. This would imply they can control imgur's nginx config or a similar routing system. There's a chance there's just some critical vuln with imgur's API or something that lets you upload HTML files and for some reason it retains the image extension. Either way, imgur is hosed.
  22.  
  23. 2a. SWF checks to make sure it's currently hosted on either 4cdn.org (legit 4chan CDN), 8ch.net, or 4cdns.org (their malicious site). I suspect 4cdns was just for their testing. I do not know why 4cdn is there at all. There are other references in the code that make it seem like it was intended to exploit both 4chan and 8ch, though the main payload only makes any sense for 8ch. It's possible the 4chan stuff is there for misdirection, or they possibly seriously thought 4chan may be vulnerable to the same exploit (though I'm not sure how or why).
  24.  
  25. 3. Through various roundabout ways, in the context of 8ch.net, the SWF sets localStorage.favorites to a JSON array containing HTML with a script tag loading more Javascript. This Javascript ends up being loaded on every 8ch page because localStorage.favorites is automatically written directly to every 8ch page as HTML. (https://github.com/ctrlcctrlv/infinity/blob/85f7e8e2458e55b4fb4e3d89fb6fe58041229064/js/favorites.js#L41) It's normally used to show a favorite boards list. It's only being taken advantage of here because it allows for an easy persistent XSS across all 8ch pages via local storage.
  26.  
  27. 4. The Javascript makes an AJAX GET request to 8chan.pw/a_[randomgibberish].js. (8chan.pw and 4cdns.org are on the same server and owned by the same actor.) The response is presumed to be encrypted, and decrypted with a simple homemade arithmetic algorithm, and then eval'd. This is basically just more basic obfuscation and is trivial to decrypt if you have access to the code. It runs this only once (no loop), but it runs every time you open another 8ch page since it's embedded on every page. So, this is basically a C&C beacon which waits for new Javascript from 8chan.pw, the C&C, and then runs it.
  28.  
  29. Edit: They updated the beacon payload to hit a new URL, 8chan.pw/nbr.js. The code was changed to use JSONP instead of Ajax as well.
  30.  
  31. 4a. At this time, I have not seen the C&C actually respond with any JS yet. They're likely waiting for the XSS worm (not really a true worm in this case since it doesn't self-propagate, but since they hijacked a major site, it's going to spread far) to spread further before sending out more JS.
  32.  
  33. So basically, anyone who visited one of several imgur pages and then visits 8ch at least once is now a sitting duck for whatever they have planned next. At least, as long as they don't shut down their infrastructure now that they've been exposed.
  34.  
  35. =================================================================
  36.  
  37. Mitigation:
  38.  
  39. Recommended mitigation is to clear all your browsing data in the past 72 hours for 8ch.net, or for every website if your browser doesn't do fine-grained clearing.
  40.  
  41. Alternatively, visit a static 8ch link like http://8ch.net/meta/src/1429927327047.jpg. Open a dev console and type "localStorage". If you see strings like "\u0055\u0055" repeated, you fell victim to the XSS. Whether you see those or not, to be safe, type "localStorage.clear()" to remove the payload if it's there. Refresh the page and you're safe, as long as you don't load the compromised Flash again. Don't visit imgur in the near future, and install a Flash blocker like Flashcontrol, or a more robust blocker like NoScript or uMatrix.
  42.  
  43. =================================================================
  44.  
  45. Open questions:
  46.  
  47. -How did they compromise imgur? This may just be a vulnerability that lets you upload HTML files, or the actor may have control of one or more of imgur's edge servers.
  48. -What JS do they plan to spread to 8ch users?
  49. -The JS loaded on imgur also loads an iframe to this image, but doesn't seem to do anything anything with it: http://4cdns.org/image/title/14.jpg. Looks like a banner. Might just be a joke/reference or something.
  50.  
  51. =================================================================
  52.  
  53. Attribution:
  54.  
  55. This is very very similar to an XSS zero-day in vichan and infinity that was exploited on 8ch back in January, also using the 8chan.pw domain. In my next post, I'll show the similarities and discuss potential motives.
  56.  
  57. =================================================================
  58.  
  59. tl;dr Exploits XSS on 8ch via Flash (arbitrary SWFs are uploadable and accessible through 8ch.net root domain). SWF places a persistent JS beacon on all 8ch pages to wait for further JS to run, as issued by a server, though no payload has been seen yet from the server. XSS is spreading to likely users of 8ch by compromising imgur through unknown means, and loading the SWF in certain imgur submissions (4chan screenshots). No DDoS, no attempt to exploit recent Flash CVEs (yet).
  60.  
  61. =================================================================
  62.  
  63. -There is no evidence Bui is responsible. He likely isn't.
  64. -There is no evidence this is related to Hiroyuki Nishimura in any way.
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!
 
Top