TippingPoint | DVLabs | ThreatLinQ: Javascript Bad Juju

▼ 2010
- ▼ March (1)
  - MOBOTS: WeatherFist Exposed
- ► February (2)
  - (loading)
► 2009
- ► October (1)
  - (loading)
- ► September (3)
  - (loading)
- ► July (1)
  - (loading)
- ► June (5)
  - (loading)
- ► May (1)
  - (loading)
- ► April (2)
  - (loading)
- ► March (9)
  - (loading)
- ► February (7)
  - (loading)
- ► January (5)
  - (loading)
► 2008
- ► December (2)
  - (loading)
- ► November (4)
  - (loading)
- ► October (7)
  - (loading)
- ► September (9)
  - (loading)
- ► August (16)
  - (loading)
- ► July (9)
  - (loading)
- ► June (11)
  - (loading)
- ► May (1)
  - (loading)
- ► April (4)
  - (loading)
- ► March (6)
  - (loading)
- ► February (4)
  - (loading)
► 2007
- ► December (1)
  - (loading)
- ► November (5)
  - (loading)
- ► October (4)
  - (loading)
- ► September (1)
  - (loading)
- ► August (2)
  - (loading)
- ► July (9)
  - (loading)
- ► June (4)
  - (loading)
- ► May (8)
  - (loading)

ThreatLinQ: Javascript Bad Juju

By Rohit Dhamankar
Thu 14 Aug 2008 09:44am
4026 Views
0 Comments
Link

The game of obfuscating especially JavaScript code has been going on for a while. The attackers are coming up with simple and ingenious ways to evade "string"-based detection. One of our sensors caught this clever technique for evading string-based detection of ActiveX CLSIDs. With hundreds of ActiveX vulnerabilities out there, it is very common to see a massive exploitation of them.

Here is a cool trick we saw in action:

<script>

start();

function z_sa(o,p,v){ o.setAttribute(p,v); }

function start(){

var z = document.createElement('object'); z_sa(z,'id','z');

z_sa(z,'classid',"cjlWsTiWdI:HBWDH9T6jCT5T5H6T-T6I5IAj3j-"

"W1W1IDH0I-W9H8W3HAT-I0T0WCH0W4jFICW2T9TEI3T6T".replace(/[WHjIT]/g, ''));

Let's look at:

"cjlWsTiWdI:HBWDH9T6jCT5T5H6T-T6I5IAj3j-"

"W1W1IDH0I-W9H8W3HAT-I0T0WCH0W4jFICW2T9TEI3T6T".replace(/[WHjIT]/g, '')

The JavaScript replace function replaces any instances of letter "W", "H", "j", "I", "T" with emptiness!

After replacement, the string reduces to: clsid:BD96C556-65A3-11D0-983A-00C04FC29E36

This CLSID is for RDS.Dataspace ActiveX control, and the exploit targets the vulnerability explained in the Microsoft Security Bulletin MS06-014.

Whoever is serving this exploit, can also create a layer that throws in random letters in the "replace" function to serve a new obfuscated CLSID string every time!

Credits: "Bad Juju" is a phrase I most often hear from the cowboy in the DV team - Wayne Blackard

Tags:

Published On: 2008-08-14 09:44:51

Comments post a comment

No comments.

Trackback

ThreatLinQ: Javascript Bad Juju

Comments post a comment

Published Advisories

Upcoming Advisories

Blog Entries