I've seen mails sent to a personal mailbox with two forms of this
obfuscation. Browser security settings should apply though and the scripts
should not execute. However, if script security zone can be bypassed (for
which we've seen recent vulnerabilities) then you could do anything you want
in script.
1) Encoded javascript functions - Javascript can create a function
dynamically from a string of code (can be a complex procedure creating
vulnerable ActiveX objects and the like)
Seen these in HTML mails with the form...
function decode(encrypted_data){ <SOME CODE TO DECRYPT DATA>; return
unescape(real_data);}
and elsewhere in document...
result=(Function("x",decode("<ENCODED STRING>)))(0)
2) Same as detailed below, where the encoded data is decrypted and written
into the document. Just as dangerous.
Regards,
Iain Ogston
-----Original Message-----
From: Andre Mariën [mailto:Andre.Marienat_private]
Sent: Monday, April 23, 2001 8:39 AM
To: VULN-DEVat_private
Subject: Re: strange script in HTML format mail.
The reason for doing such things is evasion.
You start seeing that in many places:
just use a dumb encryption technique to
bypass any pattern driven detection system,
be it content blocker or attack sniffing.
The evasion works regardless of the smarts to
detect unwanted content.
KR,
-- André
Nicolas Villatte wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I received a blank e-mail with a javascript inserted in the HTML,
> using Outlook 2000.
> I wonder what this code represents and how to decode and understand
> it.
>
This archive was generated by hypermail 2b30 : Tue Apr 24 2001 - 16:54:43 PDT