JavaScript is a scripting language widely used for client-side web development. It is so popular that most of the web pages on the Internet have JavaScript codes. The JavaScript provides a lot of functionalities and flexibilities to the users. However, it has also provided the convenience for the attackers to inject JavaScript code, exploit and control the target servers.

JavaScript Injection has multiple implementations, including JavaScript cookie modification, JavaScript HTML Form modification and some Cross Site Scripting. For example, the simple injection of the following JavaScript code will eliminate some authorization checks for the malicious user.

javascript:void(document.cookie=”authorization=true”);

Besides the common methods of the JavaScript Injection mentioned above, there is one special JavaScript Injection method which is used only for the shell code injection, we call it JavaScript Code Injection. They are used with the other vulnerabilities as an assistant. But they are more dangerous because the code injected is no longer to be restricted as JavaScript or any scripts, they can be any assembly codes to be running in the system.

One latest example for JavaScript Code Injection is Microsoft IE 0-Day vulnerability found on Dec 9, 2008. The details are here. Some exploits in the wild are using the JavaScript to inject shell codes, then exploiting the vulnerability to trigger the injected codes to be executed. The injected code is like the following:

var shellcode = unescape(“%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f %u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca %uc201%uf4eb%u543b%u0424%ue575%u5f8b

After carefully checking a lot of injected shell codes and related vulnerabilities for the patterns, SonicWALL UTM team has developed seven signatures for JavaScript Code Injection attempts. They are listed as bellow:

• 3127 Javascript Code Injection Attempt (Mac)
• 4665 Javascript Code Injection Attempt (Win/Linux) 2
• 4701 Javascript Code Injection Attempt (Win/Linux) 3
• 4744 Javascript Code Injection Attempt (Win/Linux) 4
• 4760 Unicode Javascript Code Injection Attempt 1
• 4761 Unicode Javascript Code Injection Attempt 2
• 5051 Javascript Code Injection Attempt (Win/Linux) 5

The signatures listed above have not only detected the existing vulnerabilities, but also proactively prevented a lot of attacks addressing zero-day vulnerabilities, including the Microsoft IE 0-Day Vulnerability found on Dec 9, 2008.

The following figure shows the hits for those signatures within a month.

The VLC Media Player is an open source, multiplatform multimedia player. The player is capable of processing multiple audio and video formats such as MPEG, MP3, and Wave as well as streaming media. Among the supported file formats is the TiVo TY file format. The TiVo TY file format specification is proprietary and as such, not available publicly. This file format is known to consist of a generic header and media specific chunks which contain data. The header of TY files can be represented as follows:

 Offset Size Value/Description ------ --   ----------- 0x0000 4    0xF5467ABD 0x0004 4    0x00000002 0x0008 4    0x00020000 0x000C 4    ? 0x0010 4    ? 0x0014 4    bitmask size [...]

A stack buffer overflow vulnerability has been found in the VLC Media Player. The vulnerability occurs when processing TY media files. The vulnerable code does not properly validate the value at offset 0x0014 in the file header. This value is read from the file, incremented by 8 and used as a counter in a memory copy operation without any bounds checks. The destination to which file data is copied is a 32 byte stack buffer. Thus, a value larger than 32 will cause the copy operation to overrun the stack buffer. This will lead to critical data being overwritten and may consequently change the flow of execution.

This vulnerability, when exploited by enticing a user to open a malicious TV file, may result in process flow diversion. Exploits targeting this vulnerability are publicly available. SonicWALL has developed an IPS signature which will detect and block generic attack attempts. The following signature addresses this issue:

• 1265 – VideoLAN VLC Media Player TY Processing BO Attempt

The multi-platform Mozilla Firefox browser is capable of interpreting and rendering many types of content published on the Internet. Some of the widely used formats are HTML, XML,and XUL.

XUL (XML User Interface Language) is an XML (Extensible Markup Language) user interface markup language. The XUL standard draws on other existing standards like DOM, XML, and CSS, and is similar in structure to HTML.

XUL has many predefined element types such as label, command, tree, etc. The tree element holds a set of rows of elements. An example of the use of the tree element follows:

Most XUL elements are at least partially implemented using XBL (XML Binding Language). XBL is a language used to describe bindings that can be attached to elements in other documents.

A vulnerability exists in Mozilla Firefox in the way the XBL Event Handler handles XUL documents with a series of specially crafted tree children. The flaw exists in constructing a tree frame. If the value of the rows attribute of a tree element is negative, it will mistakenly trigger an unrelated event which will remove the treechildren frame node from the DOM tree. Subsequently, the deleted frame is referenced again by the calling function which results in a NULL pointer reference. Consequently, the browser process will be terminated.
It is reported that memory corruption may occur as a result of exploitation which may lead to process flow diversion.

SonicWALL has released an IPS signature that will detect and block a specific exploit known to have been circulated in the wild. The following signature addresses this issue:

• 5321 – Mozilla Firefox XUL Frame Tree Memory Corruption PoC

Opera is a web browser similar to Microsoft Internet Explorer and Mozilla Firefox. It is capable of displaying web pages and executing web applications. It can also interpret and render many types of Internet content, including various versions of HTML, XML, CSS (Cascade Style Sheet), JavaScript, various graphic formats and so on. Opera is made available for Windows, Macintosh, Unix and Linux based platforms.

Uniform Resource Identifier scheme (URI) is a very common naming structure that can be parsed by Opera. An example of an URI is http://www.sonicwall.com. These URIs can be embedded into any HTML web page to link to the other web pages.

There is a buffer overflow vulnerability in Opera Web browser. The vulnerability occurs when the browser tries to parse a very long URI starts with file://. The string may overwrite a fixed sized heap-based buffer and corrupt the memory, or even lead the execution of the injected code.

SonicWALL UTM team has developed a signature to block any attack addressing this issue, which is listed as bellow：

• 3641 Opera Browser File URI Handling BO Attempt

There are also some existing signatures that can detect most of the suspicious shell codes in a web page, which are listed as bellow. They will largely eliminate the possibility of the attacks that try to inject and execute shell code by exploiting this vulnerability.

• 3124 Javascript Code Injection Attempt (Win/Linux)

• 3127 Javascript Code Injection Attempt (Mac)

• 4096 Mozilla Firefox Wrapped JavaScript Code Execution

• 4665 Javascript Code Injection Attempt (Win/Linux) 2

• 4701 Javascript Code Injection Attempt (Win/Linux) 3

• 4744 Javascript Code Injection Attempt (Win/Linux) 4

• 4760 Unicode Javascript Code Injection Attempt 1

• 4761 Unicode Javascript Code Injection Attempt 2

• 5051 Javascript Code Injection Attempt (Win/Linux) 5

There will be another article summarizes these JavaScript Code Injection signatures soon.

SonicWALL UTM Research team observed a new spam campaign starting on Thursday, November 13, 2008 which involves a fake e-mail pretending to be arriving from an Airline Company and containing Airline Ticket. The email has a zip archived attachment which contains the new Downloader Trojan.

The e-mail looks like following:

Attachment: ticket.zip (contains ticket.doc .exe)

Subject:

• Your flight ticket
• Your ticket from Delta Airlines
• Your ticket from Alaska Airlines
• Your ticket from United Airlines
• Your airplane ticket

Email Body:
————————
Dear Holder

Thank you for using our new service “Buy flight ticket Online” on our website. Your account has been created:

Your login: your-email-address
Your password: random-string

Your credit card has been charged for $WXX.YY (where W=4 and X,Y = 0-9)
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
Airline Name (E.g. United, Alaska etc)
————————

The executable file inside the zip attachment has an icon disguised as a Microsoft Word document and it looks like following:

The Trojan when executed performs following host level activity:

• Creates a dirctory as C:Program FilesMicrosoft Common
• Drops a copy of itself as C:Program FilesMicrosoft Commonwuauclt.exe
• Deletes the original copy of the file
• Creates multiple .sys files in SYSTEM32DRIVERS directory
• Creates multiple .tmp files which later gets deleted

It creates the following Registry key for itself:

• HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsexplorer.exeDebugger: “C:Program FilesMicrosoft Commonwuauclt.exe”

It also tries connect and download files from the following URLs:

• furely.ru/load2/ld.php?v=[REMOVED]168650&n=1&uid=1 [Downloads msan1.exe – detected as GAV: Wigon.HE (Trojan)]
• kexlup.ru/loadx/ld.php?v=[REMOVED]75168650&n=1&uid=1 [connection failed]

The Trojan is also known as Trojan.Win32.Agent.amzt [Kaspersky], W32/Trojan3.JD [F-Prot], and TR/Dldr.iBill.BP [AntiVir]

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Agent.AMZT (Trojan) signature [8,344 hits recorded].