Sunday, August 29, 2010

NINGA, please!

NING is a popular social network community created by internet pioneer, and Netscape founder Marc Andreessen that allows users to create custom social networks similar to Facebook. NING currently host hundreds of thousands of social networks which includes (but is not limited to) websites belonging to the likes of Tyra Banks, Ellen Degeneres, 50 Cent, Meg Whitman, Enrique Iglesias, Kid Rock, Linkin Park, Jay-Z, and many many more.

Recently, after joining a NING powered community I noticed that the functionality of the NING framework seemed to be a bit buggy. I first became aware of this after accidentally typing a set of double quotes into the member search, and realizing by the broken HTML, that a core component of NING seemed to be vulnerable to a simple Cross Site Scripting issue. Unfortunately, XSS bugs are fairly common, but can be especially problematic on community driven websites that rely on cookie based authentication, or have no CSRF protection.

After realizing there were some substantial problems I started to look around the site a bit more, and noticed that NING has user application functionality similar to most social networking websites. Also, NING allows the loading of unrecognized apps via a XML file located via a remote URL. NING apps are basically a combination of HTML, and JavaScript wrapped up within an XML file, so JavaScript execution within the context of a victim's browser is trivial.


This seems to be fairly unsafe at first glance, but applications are hosted on a completely different domain as a means to prevent cross domain based scripting attacks. However, if an attacker has an XSS bug available to them, cross domain policy usually becomes trivial to bypass, as seen in the images below.

Since a users apps are displayed within a page accessed via their public profile writing a NING social network based malware seems trivial at this point, and to make matters even worse the CSRF protection token "xg_token" simply does not work. (This point would be moot anyway due to the XSS bugs) It is also worth  mentioning that if an attacker wanted to write a really nasty piece of malware that would take over accounts, it would be fairly easy due to a flaw in NING that allows for a password to be updated without knowing the original, as seen below; and once an attacker knows the password updating the core account settings becomes possible too.

The end result of my research is a simple NING application based, self replicating malware named NINGA. This application is simply a proof of concept, and only seeks to spread itself. However, just about any action you can imagine would be possible such as mass messaging, data harvesting, account hijacking, and much more.

Unfortunately, there is no public bug reporting interface that I am aware of, and NING also seems to not have a security contact, (though, attempts were made to email  so these issues are still present. Hopefully, someone from the NING development team will see this and work on resolving the multiple security issues affecting NING networks, before someone takes the time to write a more complex piece of malware that is created for nefarious purposes.

Download NINGA source

DISCLAIMER: All research was conducted using two test accounts that I created, and any malware created was protected by an ACL to prevent anyone except myself from being able to load the malicious application. This research was conducted for academic purposes only!

No comments:

Post a Comment