Analysis on Java Web Start Argument Injection Exploit

The recent discovery of Java Web Start Argument Injection vulnerability (CVE-2010-0886 and CVE-2010-0887) has opened a new opportunity for the bad guy to utilize it in drive-by download attack. Here is a short write up on the example (in the wild) found early today, which exploiting this vulnerability. The exploit was found on http://buckomre.com/ and […]

Referencing yourself with arguments.callee()

Obfuscation using arguments.callee() in java scripts is widely seen in  browser exploitation and malicious PDF attacks. This kind of obfuscation could be a bit tricky to handle for security analyst. The arguments.callee() call is used normally to prevent security analyst from modifying the malicious function. The variable that holds the arguments.callee will be validated in […]

Yara Rule For CVE-2010-0805

The Internet Explorer Tabular Data Control ActiveX Memory Corruption (CVE-2010-0805) exploit was recently ported to Metasploit, so we decided to release the detection rule for Yara. Yes it can also be used with JSunpack! rule MSIETabularActivex { meta: ref = “CVE-2010-0805” impact = 7 hide = true strings: $cve20100805_1 = “333C7BC4-460F-11D0-BC04-0080C7055A83” nocase fullword $cve20100805_2 = […]

pKaji: The PHP Analyzer

pKaji is a free service provided by MyCERT that allows one to analyze  PHP codes.  It facilitates detection of network activities and other potentially malicious activities within the code by using the ‘hooking’ technique. Basically, it uses the APD (Advance PHP Debugger) extension to hook the original PHP built-in function. Using pKaji To use pKaji, […]

Bashing The Wildcard

This is quick note about wildcard usage for the  Linux command line particularly on  how to select/include some files among the others. Let say you have a directory  that contains the following files: $ls mh apache-log.tar.gz.00 apache-log.tar.gz.01 apache-log.tar.gz.02 apache-log.tar.gz.03 apache-log.tar.gz.04 apache-log.tar.gz.05 apache-log.tar.gz.06 apache-log.tar.gz.07 apache-log.tar.gz.08 apache-log.tar.gz.09 apache-log.tar.gz.10 apache-log.tar.gz.11 apache-log.tar.gz.12 apache-log.tar.gz.13 To copy the first 10 files,  […]

/Info does give an info :)

Common PDF dictionary used inside malicious PDF are /Author, /Producer, /Title, and /Subject which use reference from this.info.author, this.info.producer, this.info.title, and this.info.subject respectively. The PDF dictionary mentioned above are located inside the /Info referenced object. This can be identified from the reference variable above (e.g: this.info.title) used inside JavaScript code. For instance; this /* means […]