Internet Security Systems - AlertCon(TM)

HTML Tag used to Obfuscate Exploit

Posted by Robert Freeman on December 11, 2006 at 12:32 PM EST.

Today I observed an exploit for MS06-057 (WebViewFolderIcon setSlice) using an HTML tag to obfuscate a variable name. The tag used, <XMP>, is documented as something to be ignored, and any other tags that fall inside of an XMP block will be similarly ignored. It is strange that this is allowed, but more investigation needs to occur to test against other web browsers to see how they handle this--obviously without trying this particular exploit. One explanation for this obfuscation technique is that the exploit writer(s) wanted to obfuscate a particular use of the variable name so as to foil a product signature. Another possibility is that there is a product that is foiled when it sees the XMP tag and stops processing the rest of the script. Whether or not this becomes a popular obfuscation technique will be known with time.
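A detection-side sketch of both explanations above, added here as an example and not taken from the original post or from any ISS product: it flags XMP tags that appear inside a script body and matches signatures against both the raw and the tag-stripped text. The sample page, the variable name, the signature string and the placement of the tag inside the identifier are all constructed assumptions, since the post does not show the exploit's script.

```python
import re

# Script bodies; DOTALL so multi-line scripts are captured.
# Assumes well-formed <script>...</script> pairs.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
# Opening or closing XMP tag, with optional attributes.
XMP_RE = re.compile(r"</?xmp\b[^>]*>", re.I)


def scan(html, signatures):
    """Return one finding per <script> body that contains an XMP tag."""
    findings = []
    for index, match in enumerate(SCRIPT_RE.finditer(html)):
        body = match.group(1)
        tags = XMP_RE.findall(body)
        if not tags:
            continue
        # Strip the tags and keep going: the whole body is still matched,
        # so the scanner does not stop at the first XMP tag.
        normalized = XMP_RE.sub("", body)
        findings.append({
            "script_index": index,
            "xmp_tags": len(tags),
            "raw_hits": [s for s in signatures if s in body],
            "normalized_hits": [s for s in signatures if s in normalized],
        })
    return findings


# Constructed sample page: harmless script, hypothetical variable name.
SAMPLE = """<html><body>
<script>var plain = 1;</script>
<script type="text/javascript">
var example<XMP></XMP>Name = 2;
</script>
</body></html>"""

SIGNATURES = ["exampleName"]  # hypothetical signature string

if __name__ == "__main__":
    for finding in scan(SAMPLE, SIGNATURES):
        print(finding)
```

A finding whose normalized_hits is non-empty while raw_hits is empty is the case where a signature over the raw text would have been foiled.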

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.