Unruly hackers have had their popular weapon, the Acunetix web app scanner, turned against them after a security researcher found a way to exploit the program.
The scanner is a legitimate web application security tool that lets web administrators find vulnerable components of their websites before attackers can exploit them. Its users have included the US Pentagon, the US Air Force, Skype and Cisco.
Acunetix was also popular with new hackers who used the automated app to find attack vectors on websites.
Israeli penetration tester Danor Cohen (@An7i21) found website administrators could craft certain parameters on their websites to exploit a version of the scanner most popular with software pirates.
"This exploit will give us the ability to do everything with all those nasty newbie hackers that scan our sites day and night, killing our traffic, filling all the web site forms with junk and so on," Cohen said.
"... this exploit is an anonymity killer because even if the attacker uses ... TOR and others, his ass will be revealed and full control on his scanning machine will be gained."
The remote stack-based buffer overflow affected a 2012 build of the popular version 8 of the scanner, but not the latest version, according to Acunetix.
Administrators wanting to strike back at those running the scanner on their sites should bait them with enticing crafted links that include exploit code, Cohen said.
Those external links should be given names such as 'SQLINJECTION', 'XSS' and 'CSRF', which would appear as interesting findings in the Acunetix scanner window. When the user executed them in the scanner, the exploit code would run.
Acunetix said it wanted to assure customers official versions released from January 2013 were unaffected by the vulnerability.
"The blogger [Cohen] seems to have managed to pull his exploit by using a cracked version of the software from 2012," an Acunetix staffer wrote in a post.
"We want to make it clear, and reassure our customers, that this vulnerability only affects an old build from 2012.
"Legitimate users of the more recent Acunetix Web Vulnerability Scanner version 8 and version 9 are not affected by this."
In March, Cohen reported a vulnerability in earlier WinRAR versions which allowed virus writers to modify the name the application gives to compressed files in order to obfuscate malicious payloads.
The proof of concept, which security researcher Xylit0l (@Xylitol) said was a known trick of spammers, showed how a file could appear as a benign image or music file when it was packed into a compressed format and opened in WinRAR, but when executed could run a hidden payload.
Files that were dragged and dropped from WinRAR, rather than executed from inside the program, could still be made to appear benign on Windows machines thanks to Unicode Right-to-Left Override (U+202E) spoofing.
That trick allowed files such as 'AusPost.jpg.exe' to appear as 'AusPost..jpg'.
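The Right-to-Left Override trick works because the operating system picks the file type from the raw character sequence while the display reverses whatever follows the override character. The following Python script is an added example written for this article; it is not Cohen's proof of concept or any WinRAR code. It flags filenames containing bidirectional control characters, reports the extension the OS will actually act on, and approximates what a naive renderer displays for the single-override case. The sample filenames are constructed, and the executable-extension list is an illustrative subset.

```python
import unicodedata
from pathlib import PurePath

# Unicode bidirectional control characters. A filename containing any of these can be
# displayed in a different order from the one the operating system uses to pick the
# file type, which is the basis of the spoof described above.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"  # LRE, RLE, PDF, LRO, RLO (U+202E is the one used in the spoof)
    "\u2066\u2067\u2068\u2069"        # LRI, RLI, FSI, PDI
    "\u200e\u200f"                    # LRM, RLM
)

# Extensions Windows runs as a program. Illustrative subset, not a complete list.
EXECUTABLE_EXTENSIONS = frozenset({".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"})


def find_bidi_controls(name):
    """Return (index, Unicode character name) for every bidi control in the filename."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def true_extension(name):
    """The extension the OS acts on: the last dot-suffix of the raw, undisplayed string."""
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return PurePath(stripped).suffix.lower()


def simulated_display(name):
    """Approximate what a naive renderer shows: text after the first RLO is drawn
    right-to-left (reversed) until a PDF (U+202C) or the end of the string.
    Real bidi layout is more involved; this covers the single-override spoof case."""
    if "\u202e" not in name:
        return name
    head, _, tail = name.partition("\u202e")
    tail = tail.split("\u202c", 1)[0]
    return head + tail[::-1]


def assess_filename(name):
    """Classify one filename: flag bidi controls and executable true extensions."""
    controls = find_bidi_controls(name)
    ext = true_extension(name)
    return {
        "displayed_as": simulated_display(name),
        "true_extension": ext,
        "bidi_controls": controls,
        "suspicious": bool(controls) or ext in EXECUTABLE_EXTENSIONS,
    }


if __name__ == "__main__":
    # Constructed sample names: the first mimics the spoof, the second is benign.
    for sample in ("holiday.\u202egpj.exe", "holiday.jpg"):
        print(repr(sample), assess_filename(sample))
```

Run on the spoofed sample, `simulated_display` returns `holiday.exe.jpg` while `true_extension` returns `.exe`, which is the mismatch a mail gateway or download scanner should alert on; the plain `holiday.jpg` sample is not flagged.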