Remove Obfuscated Code [20081221b]
Dec. 20, 2008, 07:31 PM
Post: #16
RE: Remove Obfuscated Code [20081220]
When the framework (aka base.cfg) is downloadable, we could add the test to be sure we are inside a script Smile!
$TST(Inside_Script=*) by me or $TST(bScript=*) by z12 (name for that variable still to be decided)
Dec. 20, 2008, 09:24 PM
Post: #17
RE: Remove Obfuscated Code [20081220]
Could someone please check this probably infected site:
Code:
http://finder.sk/

None of our variations seem to match it. Sidki's "JS Kill: Specific Escaped Code" handles it just fine, and I would have expected Kye-U's filter to match it also.

Thanks,
DarthTrader
Dec. 20, 2008, 10:34 PM
Post: #18
RE: Remove Obfuscated Code [20081220a]
Updated the filter again; made it able to match a combination of ascii characters and hex/decimal/octal code, such as %20function%3cname%23... Wink
Dec. 20, 2008, 11:02 PM
Post: #19
RE: Remove Obfuscated Code [20081220a]
Thanks, Kye-U, that seems to have done the trick! Here is your PoC link, which seems to have disappeared from the first page. Smile!
http://prxbx.com/test/IEXMLPoC.htm

DarthTrader
Dec. 20, 2008, 11:05 PM
Post: #20
RE: Remove Obfuscated Code [20081220a]
I accidentally pasted over the entire first post.
I found a false positive with the newest version, so I will be posting another update soon!

EDIT: Updated!
Dec. 20, 2008, 11:59 PM
Post: #21
RE: Remove Obfuscated Code [20081220b]
Still getting an FP on this page: Sad
http://www.dslreports.com/forum/security

DarthTrader
Dec. 21, 2008, 12:50 AM
Post: #22
RE: Remove Obfuscated Code [20081220b]
Kye-U, since [0-7]+{1,3} was added, the leading [0-7] is no longer needed.

This is all that is needed
Code:
(\\([0-7]+{1,3}&&[#000:377]))

Sorry about the misunderstanding. Sad

DarthTrader, the FPs on bbr are related to title attributes, not the octal matching code above.
I remember a while back bbr started to escape titles due to rendering issues.
IIRC, it was related to html sometimes being inside the title attribute.

z12
Dec. 21, 2008, 01:25 AM
Post: #23
RE: Remove Obfuscated Code [20081220b]
Thanks, z12. Here is another suspicious page we can use for testing:
Code:
http://areafen.ru/
Dec. 21, 2008, 03:28 AM
Post: #24
RE: Remove Obfuscated Code [20081220b]
Thanks for the additional testbed! I'm working on having a filter general enough to match both (and the IE PoC) while having minimal false positives.

EDIT: Updated. I decided to implement lnminente's "open script/closed script" variable, and also decided to not kill the rest of the page, but remove as much obfuscated code as possible (limited to 32767 bytes) and allow the page to still load.

If you're already using your own "open script/closed script" filter, feel free to modify this filter.
Dec. 21, 2008, 12:10 PM
Post: #25
RE: Remove Obfuscated Code [20081221a]
(Dec. 21, 2008 03:28 AM)Kye-U Wrote:  Thanks for the additional testbed! I'm working on having a filter general enough to match both (and the IE PoC) while having minimal false positives.

EDIT: Updated. I decided to implement lnminente's "open script/closed script" variable, and also decided to not kill the rest of the page, but remove as much obfuscated code as possible (limited to 32767 bytes) and allow the page to still load.

If you're already using your own "open script/closed script" filter, feel free to modify this filter.

Thanks, Kye-U. Your new filter seems to be working fine, although the coding is a bit over my head now. Smile! Here's what I came up with last night:
Code:
[Patterns]
Name = "<script>: Remove Obfuscated Code [20081220b dt]"
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js)|$TYPE(vbs))"
Bounds = "$NEST(<script,</script*>)"
Limit = 32767
Match = "*(\\([0-7]+{1,3}&&[#000:377])"
        "|(%|\\x)([a-f0-9])+{2}"
        "|(%|\\)u([a-f0-9])+{4}"
        ")+{5,*}*"
Replace = "$ALERT(Script with obfuscated code surgically removed from:\r\n\r\n\u\r\n\r\n)"
Dec. 21, 2008, 01:07 PM
Post: #26
RE: Remove Obfuscated Code [20081221a]
FP in http://support.microsoft.com/?kbid=890830

Each time we try to fix an exploit it's very difficult; I'm thinking of running the browser as an unprivileged user or inside Sandboxie and not worrying too much about security fixes...
Dec. 21, 2008, 08:32 PM
Post: #27
RE: Remove Obfuscated Code [20081221b]
Updated the filter again =]

I took out the code that matches ascii text since the filter now has the ability to remove "obfuscation functions".
False positives should be cut down drastically now (hopefully).
Dec. 22, 2008, 12:50 AM
Post: #28
RE: Remove Obfuscated Code [20081221b]
More FPs in http://www.itwire.com/
but I don't know how they can be avoided!
Dec. 22, 2008, 03:39 AM
Post: #29
RE: Remove Obfuscated Code [20081221b]
As long as it doesn't break the functionality of a site.
I'm thinking these aren't FPs; it's evidence that the filter does indeed remove obfuscated code, regardless of the intentions of the code.

It might be safe to remove the alerts (e.g. remove \2 from the Replacement Text), and see how it goes.
Dec. 22, 2008, 06:56 AM
Post: #30
RE: Remove Obfuscated Code [20081221a]
(Dec. 21, 2008 12:10 PM)DarthTrader Wrote:  Here's what I came up with last night:
Code:
[Patterns]
Name = "<script>: Remove Obfuscated Code [20081220b dt]"
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js)|$TYPE(vbs))"
Bounds = "$NEST(<script,</script*>)"
Limit = 32767
Match = "*(\\([0-7]+{1,3}&&[#000:377])"
        "|(%|\\x)([a-f0-9])+{2}"
        "|(%|\\)u([a-f0-9])+{4}"
        ")+{5,*}*"
Replace = "$ALERT(Script with obfuscated code surgically removed from:\r\n\r\n\u\r\n\r\n)"
There are a few things I do not understand about the match. Why is the range of the first item matched from 0 to 377? What character has a code of 377?
In the second line, why are there 2 backslashes before the x? I know that \x is a command prefix, but why the extra backslash?
In the third line, why is the u not inside the first set of parentheses?
Why are you trying to match at least 5 of the expressions and no less?