Topic: Is function.bind.polyfill.js exploitable?

polonus
« on: August 07, 2015, 10:32:30 PM »
Flagged by Sucuri: https://www.virustotal.com/nl/url/da6be13015d97a0a2a076b7907cf3fe1a3a057521f0f4213d90ded975765c8e9/analysis/1438977849/
On the site is this code: http://assets.tumblr.com/assets/scripts/vendor/yahoo/rapid-3.29.js?_v=eba0b54ceda4a58e0c1ee32920e5bc09 which has
Code:
  /*! scripts/polyfills/function.bind.polyfill.js */

Attacking polyfills

The goal of the attack is to run the original function instance, replacing the previously bound arguments with the new runtime values. Because the original function might rely on its privacy, it might NOT validate the inputs, assuming that some of them will always be bound to the "safe" values.

Server vulnerable: System Details:
Running on: Apache/2.2.3
Outdated Web Server Apache Found: Apache/2.2.3

Detected on IP: https://www.virustotal.com/nl/file/d4617b2aeef840b14f081f880beb4149f0de4a169efcea631cf5850cbe285294/analysis/

uMatrix has prevented the following page from loading:
-http://b3.mookie1.com/ -> bad zone: Could not get name servers for 'b3.mookie1.com'.
http://www.dnsinspect.com/mookie1.com/1438979869
Warning: WARNING: Could not resolve domain mookie1.com..
nameserver: http://toolbar.netcraft.com/site_report?url=http://ns1.themig.com
http-robots.txt: 12 disallowed entries
| /cgi-bin/ /images/ /signature/ /marketing/ /css/
|_/files/ /js/ /common/ /p3p/ /w3c/ /campaigns/ /partnerships/
and redirects to: -http://www.xaxis.com/ an advertising platform-> : http://toolbar.netcraft.com/site_report?url=http://www.xaxis.com - bad bot and ad trackers galore: https://www.mywot.com/en/scorecard/xaxis.com?utm_source=addon&utm_content=rw-viewsc (chartbeat dot com and sharethis dot com) and of course -b.3.mookie1.com which uMatrix prevented from loading.
N.B. Sucuri detects malware as: Domain detected on spam or phishing campaigns. Details: http://sucuri.net/malware/entry/MW:HTA:7
This specific URL was identified in malicious campaigns to disseminate malware.

polonus (volunteer website security analyst and website error-hunter)

« Last Edit: August 07, 2015, 10:51:45 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!