TippingPoint Digital Vaccine Laboratories

ThreatLinQ: Javascript Bad Juju

The game of obfuscating code, JavaScript in particular, has been going on for a while. Attackers keep coming up with simple and ingenious ways to evade string-based detection. One of our sensors caught this clever technique for evading string-based detection of ActiveX CLSIDs. With hundreds of ActiveX vulnerabilities out there, it is very common to see them exploited on a massive scale.

Here is a cool trick we saw in action:
<script>
start();
// helper: set attribute p on element o to value v
function z_sa(o,p,v){ o.setAttribute(p,v); }
function start(){
var z = document.createElement('object'); z_sa(z,'id','z');
// the CLSID is built from two junk-padded halves, then the junk letters are stripped at runtime
z_sa(z,'classid',("cjlWsTiWdI:HBWDH9T6jCT5T5H6T-T6I5IAj3j-" +
"W1W1IDH0I-W9H8W3HAT-I0T0WCH0W4jFICW2T9TEI3T6T").replace(/[WHjIT]/g, ''));
}
</script>

Let's look at:

("cjlWsTiWdI:HBWDH9T6jCT5T5H6T-T6I5IAj3j-" +
"W1W1IDH0I-W9H8W3HAT-I0T0WCH0W4jFICW2T9TEI3T6T").replace(/[WHjIT]/g, '')

The JavaScript replace function, called with the global regular expression /[WHjIT]/g, deletes every occurrence of the letters "W", "H", "j", "I" and "T" by replacing each of them with the empty string!

After the replacement, the string reduces to: clsid:BD96C556-65A3-11D0-983A-00C04FC29E36

This CLSID belongs to the RDS.Dataspace ActiveX control, and the exploit targets the vulnerability described in Microsoft Security Bulletin MS06-014.

Whoever is serving this exploit can also add a layer that throws random letters into the string and into the "replace" pattern, serving a freshly obfuscated CLSID string every time, so a signature written against any one obfuscated form will not match the next one!
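The defender's answer to this trick is to stop matching the raw bytes and instead emulate the replace() call before looking for the CLSID. The following Python detector is an added example, not code from the original post or from DVLabs: it locates every <string literals>.replace(/[...]/g, '') expression in a script, computes the string the browser would end up with, and only then runs the ordinary CLSID match. The sample input is a constructed copy of the snippet above (the two string halves joined with '+'), and the one-entry signature set holds only the RDS.Dataspace CLSID named in the post; the function and variable names are ours. It generalizes beyond the single case shown: any number of concatenated literals and any simple character class are handled.

```python
from __future__ import annotations
import re

# Constructed signature set: the one CLSID named in the post (RDS.Dataspace, MS06-014).
KNOWN_BAD_CLSIDS = {"BD96C556-65A3-11D0-983A-00C04FC29E36"}

# Constructed sample input: the snippet from the post, with the two string halves
# joined by '+' so it is valid JavaScript.
SAMPLE_SCRIPT = r'''<script>
start();
function z_sa(o,p,v){ o.setAttribute(p,v); }
function start(){
var z = document.createElement('object'); z_sa(z,'id','z');
z_sa(z,'classid',("cjlWsTiWdI:HBWDH9T6jCT5T5H6T-T6I5IAj3j-" +
"W1W1IDH0I-W9H8W3HAT-I0T0WCH0W4jFICW2T9TEI3T6T").replace(/[WHjIT]/g, ''));
}
</script>'''

# One JavaScript string literal (double- or single-quoted, backslash escapes allowed).
_STR = r'(?:"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\')'
# One or more literals joined by '+'.
_CONCAT = rf'{_STR}(?:\s*\+\s*{_STR})*'
# <literals>.replace(/[<class>]/g, '') with optional parentheses around the literals.
_REPLACE_CALL = re.compile(
    rf'\(?\s*({_CONCAT})\s*\)?\s*\.replace\(\s*/\[([^\]]+)\]/g\s*,\s*(?:""|\'\')\s*\)'
)
# The ordinary string-based CLSID signature.
_CLSID = re.compile(r'clsid:([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})', re.I)


def _unquote(literal: str) -> str:
    # Strip the surrounding quotes and resolve simple backslash escapes.
    return re.sub(r'\\(.)', r'\1', literal[1:-1])


def emulate_replace_calls(script: str) -> list[str]:
    """Return the string each matching replace() call would produce at runtime."""
    out = []
    for m in _REPLACE_CALL.finditer(script):
        joined = "".join(_unquote(s) for s in re.findall(_STR, m.group(1)))
        # The character class is reused verbatim: for simple classes such as
        # [WHjIT], JavaScript and Python regex syntax agree.
        out.append(re.sub(f"[{m.group(2)}]", "", joined))
    return out


def extract_clsids(text: str) -> set[str]:
    """Plain string-based CLSID detection, the layer this trick is built to evade."""
    return {c.upper() for c in _CLSID.findall(text)}


def find_bad_clsids(script: str) -> set[str]:
    """Known-bad CLSIDs seen either in the clear or hidden behind a replace() call."""
    seen = extract_clsids(script)
    for produced in emulate_replace_calls(script):
        seen |= extract_clsids(produced)
    return seen & KNOWN_BAD_CLSIDS


if __name__ == "__main__":
    print("plain scan:   ", extract_clsids(SAMPLE_SCRIPT))    # empty: the obfuscation beats it
    print("emulated:     ", emulate_replace_calls(SAMPLE_SCRIPT))
    print("known bad hit:", find_bad_clsids(SAMPLE_SCRIPT))
```

Run as a script it prints the three views side by side: the plain scan finds nothing in the raw page, the emulation yields clsid:BD96C556-65A3-11D0-983A-00C04FC29E36, and the combined check flags it. Because the junk letters and the character class are read from the script itself rather than hard-coded, a server that randomizes them on every request still produces the same normalized CLSID.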

Credits: "Bad Juju" is a phrase I most often hear from the cowboy in the DV team - Wayne Blackard
Published On: 2008-08-14 09:44:51
