Technical Insight-Vulnerabilities-Web Application Security-WhiteHat HackerKast

#HackerKast 32: WordPress Core XSS, Spoof Email Tanks Stock, Tesla Defacement via DNS Hack, 451 Status Code, MS15-034 Microsoft Vulnerability

Hey All! Thanks for checking out this week’s HackerKast! We’re all back and recovering from RSA and my feet still hurt.

Starting off with This Week In WordPress Sucks™, we’ve got a vulnerability in WordPress core this time. This is usually not the case as core has been gone over several times with a fine toothed comb, but some persistent XSS in core comment functionality popped up anyway. Also, as per usual, a few hundred plugins were vulnerable to an XSS that was found in two different frequently used functions that were poorly documented. The core issue were patched already but it is up to administrators of WordPress installs to race and get the patch installed.

Next, in silly things that affect the stock market news, Italy’s 2nd largest bank had a hoax email go out pretending to be the CEO resigning. Within moments, the stock takes a huge crash before coming back up after everyone realizes it was a hoax. We’ve seen this before a few times, notably the time Associated Press Twitter account was hacked and tweeted about a bomb at the White House which caused the entire stock market to take a dive for a few minutes. This all points to the fact that there are automated stock trading systems out there making decisions based off of social media and news information.

We had a little chat about the recent problem over at Tesla where their homepage was “defaced”. This wasn’t actually a defacement of any servers on their end but the attackers went after the recently popular low hanging fruit of DNS providers. Once the DNS provider was owned, the homepage was redirected along with any MX records allowing emails to be rerouted to the attackers. With this email rerouting in place, they then sent out some Twitter password reset emails which allowed them to take over the social media accounts. What Robert and I touched on at the end here is that Tesla was lucky that this was all for the lulz because that email rerouting, if done correctly, could’ve been silently MiTMing the company’s emails for some time before anybody noticed. Scary stuff relying on a DNS provider with that level of severity of compromise.

A new status code is being presented in the HTTP standard for the purposes of displaying a legally related block. Instead of just a 404, the browser would now present a 451 which would mean legally restricted due to any number of reasons. Most popularly this would show up for geolocation related blocks of content that tons of Netflix users are very aware of.

Lastly, MS-15-034, came out which was a Microsoft Buffer Overflow vulnerability in IIS servers. Of course Robert couldn’t help himself and wrote a snippet of exploit code. Then in This Week In RSnake Puts Something Dangerous Social Media™ he posted this code to Twitter for people to play with exploit in a remotely exploitable way. We’re toying with a possible demo we could do of this for you all but might take some tinkering to make it interesting.

Thanks for listening! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here

Join the conversation over on Twitter at #HackerKast

or write us directly @jeremiahg, @rsnake, @mattjay


XSS 0day in WordPress Core

Many WordPress Plugins Found Vulnerable to XSS

Fake Email Regarding CEO Resignation Tanks Stock

Tesla’s DNS and Twitter Account Hacked

New HTTP “Legally Restricted” Status Code Proposed

MS15-034 Buffer Overflow in Microsoft HTTP pt 1.

MS15-034 Buffer Overflow in Microsoft HTTP pt 2.

MS15-034 Buffer Overflow in Microsoft HTTP pt 3.

Notable stories this week that didn’t make the cut:

Thirty Meter Telescope Gets DDoS’d

Google’s April Fools Joke Actually Made Users Less Secure

Extremely Hackable eVoting Machine

Security Expert Pulled Off Flight by FBI After Exposing Airline Security Flaws

Senate Proposes Re-classifying Certain Uses of Software/Hardware as “Fair Use” and Exempt from DMCA

Navy Announces It Will Stop Buying Manned Aircraft

“Better Presentation of URLs in Search” Should Read “Removal of URLs In Search”

“The Real Deal” DarkNet 0Day Auction

Tags: XSS Vulnerability