Black Hat / DEFCON

Published: 2007-08-06. Last Updated: 2007-08-06 22:24:45 UTC
by John Bambenek (Version: 1)

There were a handful of new vulnerabilities and tricks announced at the latest cons. For those who attended, what do you think of them? What do you think the next big thing will be? (Responses will be covered in a later diary.)

For those who didn't make it, remember if you try to masquerade as a normal attendee at DEFCON to play "undercover reporter" to tell the story of how things really are and bypass the media rules they set up, you're likely to torque off quite a few people.  Just ask Michelle Madigan.

--
John Bambenek, bambenek {at} gmail /dot/ com


Arguments.callee.toString() demystified

Published: 2007-08-06. Last Updated: 2007-08-06 07:35:24 UTC
by Bojan Zdrnja (Version: 1)

A couple of days ago I wrote a diary about dynamic JavaScript obfuscation (http://isc.sans.org/diary.html?storyid=3219). The deobfuscation function in that case used the well-known arguments.callee.toString() trick to detect (and break on) any modification of its own code.

During analysis I confirmed something that I saw previously as well (http://isc.sans.org/diary.html?storyid=1519) – Internet Explorer and Mozilla Firefox have different implementations of this method. The reader who initially submitted the link to the exploit web page, Daniel, did some initial investigation on the implementation of this function.

Yesterday another reader, Ant, sent us his analysis of how Internet Explorer and Mozilla handle this function. Ant did a great job and found out almost exactly what’s going on.

Basically, Internet Explorer always preserves the original text, no matter what's inside. Mozilla Firefox (the SpiderMonkey script engine), on the other hand, applies some simple optimizations to the source before arguments.callee.toString() returns it.

Here are Ant’s comments:

The following text is removed before calling the method:

// comment1
/* comment2 */

The following operators are applied before calling the method:

arithmetic (+, -, *, /, %)
bitwise NOT (~)
bitwise shift (<<, >>, >>>)

So, in other words, if the script contains the statement var test = 2+3; the test I put in the diary would show VARTEST23 in Internet Explorer and VARTEST5 in Firefox.

This, obviously, can cause problems when analyzing such scripts, so analysts have to be careful about the environment they work in: the bad guys can use this to create JavaScript code that will only decode correctly in certain browsers (not that we didn't know that already…). Great job Ant!
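The behaviour described above, as an added example that is not code from the diary or from Ant's analysis: a self-check key derived from a function's source text, plus a constructed emulation of the normalisation Ant observed (comment removal and folding of literal arithmetic and shifts), so an analyst can see why the same script keys differently per engine. Current engines return the exact source text, so the folded branch only reproduces the 2007 SpiderMonkey behaviour; the key reduction (letters and digits, upper-cased) is assumed from the diary's VARTEST23 / VARTEST5 output.

```javascript
// Added example, not code from the diary or from Ant's analysis.
// Assumed key reduction: keep letters and digits, upper-case them (this is
// what the diary's VARTEST23 / VARTEST5 output suggests; real samples vary).
function sourceKey(src) {
  return src.replace(/[^a-z0-9]/gi, "").toUpperCase();
}

// What an obfuscated script computes at run time: inside the function,
// arguments.callee is this same function object, so the text is identical.
function selfKey(fn) {
  return sourceKey(fn.toString());
}

// Constructed emulation of the 2007 SpiderMonkey normalisation Ant observed:
// strip // and /* */ comments, then fold arithmetic and shifts between
// integer literals. Precedence is honoured by folding in three passes.
// Parentheses, unary ~, and negative or fractional intermediate results are
// not handled; this is an approximation, not the engine's code.
function spidermonkeyNormalise(src) {
  let out = src.replace(/\/\*[\s\S]*?\*\//g, "").replace(/\/\/[^\n]*/g, "");
  const passes = [
    /\b(\d+)\s*([*\/%])\s*(\d+)\b/,      // *, /, % bind tightest
    /\b(\d+)\s*([+-])\s*(\d+)\b/,        // then + and -
    /\b(\d+)\s*(<<|>>>|>>)\s*(\d+)\b/,   // shifts bind loosest of these
  ];
  const ops = {
    "*": (a, b) => a * b, "/": (a, b) => a / b, "%": (a, b) => a % b,
    "+": (a, b) => a + b, "-": (a, b) => a - b,
    "<<": (a, b) => a << b, ">>": (a, b) => a >> b, ">>>": (a, b) => a >>> b,
  };
  for (const re of passes) {
    let m;
    while ((m = re.exec(out)) !== null) {
      const v = ops[m[2]](Number(m[1]), Number(m[3]));
      out = out.slice(0, m.index) + String(v) + out.slice(m.index + m[0].length);
    }
  }
  return out;
}

// Keys an analyst would see for the same text in each engine.
function keys(src) {
  return { ie: sourceKey(src), firefox: sourceKey(spidermonkeyNormalise(src)) };
}

// The diary's case, plus an added comment that only the IE-style key notices.
console.log(keys("var test = 2+3;"));          // { ie: 'VARTEST23', firefox: 'VARTEST5' }
console.log(keys("var test = 2+3; // note"));  // { ie: 'VARTEST23NOTE', firefox: 'VARTEST5' }
```

Because the Firefox-style key ignores comments and literal arithmetic, a sample keyed for one engine decodes to garbage in the other, which is exactly the analysis trap the diary warns about.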

--

Bojan
