Tuesday, July 7, 2009

Zero-day DirectShow exploits that don't work with jsunpack: an explanation why

Hey guys,
My friend was recently attempting to decode some JavaScript and sent me the URL to look at. This case reveals that attackers are gaining sophistication, because they have a model for blocking researchers from analyzing URLs.

This is the request. If you download the non-cached contents of that URL, you get three iframes (instead of just one):

The new iframes contain the DirectShow 0-day exploit, which is currently unpatched:

hxxp://guama.9966.org/images/images/chanm.htm [analysis]
hxxp://www.7iai.cn/index.htm [analysis]

More information on the vulnerability here.

This is a case for using jsunpack-n, which you run locally, so the download comes from your own IP address, to decode traffic. It also highlights the importance of not blindly trusting online tools and performing additional verification. In this case, if you had downloaded the contents yourself and submitted them as HTML (instead of relying on the jsunpack cached copy), the 0-day exploits would have been revealed.
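As an added illustration (not code from the post or from jsunpack), the check below compares the iframes found in a cached copy of a page against a fresh copy you downloaded yourself, and flags iframes that only appear in the fresh copy or that are sized or styled to be invisible. The two HTML snippets and their hostnames are constructed for the example.

```python
# Added example: diff the iframes of a cached page copy against a fresh download.
from html.parser import HTMLParser


def looks_hidden(attrs):
    """True if the iframe is zero-sized or styled display:none (common for injected frames)."""
    a = {k: (v or "").strip().lower() for k, v in attrs}
    if a.get("width") == "0" or a.get("height") == "0":
        return True
    return "display:none" in a.get("style", "").replace(" ", "")


class IframeCollector(HTMLParser):
    """Collects (src, hidden) for every <iframe>/<frame>; tag names arrive lowercased."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            src = dict(attrs).get("src")
            if src:
                self.frames.append((src.strip(), looks_hidden(attrs)))


def iframe_sources(html):
    p = IframeCollector()
    p.feed(html)
    return [src for src, _ in p.frames]


def hidden_iframe_sources(html):
    p = IframeCollector()
    p.feed(html)
    return [src for src, hidden in p.frames if hidden]


def compare_copies(cached_html, live_html):
    """Iframe targets present only in the live copy, and ones the live copy dropped."""
    cached, live = set(iframe_sources(cached_html)), set(iframe_sources(live_html))
    return {"new_in_live": sorted(live - cached), "missing_from_live": sorted(cached - live)}


# Constructed sample input: a cached analysis copy versus a fresh download of the same URL.
CACHED_COPY = '<html><body><iframe src="http://ads.example/banner.htm" width="468" height="60"></iframe></body></html>'
LIVE_COPY = """<html><body>
<iframe src="http://ads.example/banner.htm" width="468" height="60"></iframe>
<iframe src='http://injected-one.example/chanm.htm' width=0 height=0></iframe>
<IFRAME SRC="http://injected-two.example/index.htm" style="display: none"></IFRAME>
</body></html>"""

if __name__ == "__main__":
    for src in compare_copies(CACHED_COPY, LIVE_COPY)["new_in_live"]:
        print("iframe only in fresh copy:", src)
```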