
List:       emerging-sigs
Subject:    [Emerging-Sigs] 2010726 FP
From:       Jim McKibben <jmckibben () riskanalytics ! com>
Date:       2016-08-30 19:40:06
Message-ID: CAAux9rbFfTWG-mS6mn5WREo-SqvYARN=U4vdS2s1humGEE+4+Q () mail ! gmail ! com

2010726

FP via contentproxy.phoenix.edu (204.17.30.158):

t.createElement("<embed classid='CLSID:CA8A9780-280D-11CF-A24D-444553540000'>");
objEl.setAttribute("type", "application/pdf");
objEl.setAttribute("src", this.url);
objEl.setAttribute("href", this.url);
objEl.setAttribute("class", this.className);
} else {
//Special handling for our special friend IE6/7
objEl = document.createElement("<object classid='CLSID:CA8A9780-280D-11CF-A24D-444553540000'>");
objEl.setAttribute("type", "application/pdf");
objEl.setAttribute("data", this.url);
objEl.setAttribute("width", this.width);
objEl.setAttribute("height", this.height);
objEl.setAttribute("class", this.className);
} else {
objEl = document.createElement("object");
objEl.setAttribute("type", "application/pdf");
objEl.setAttribute("data", this.url);
objEl.setAttribute("width", this.width);
objEl.setAttribute("height", this.height);
objEl.setAttribute("class", this.className);
if(this.id){ objEl.setAttribute("id", this.id); }
//Remove child nodes if necessary
if(targetNode.hasChildNodes){
while(targetNode.childNodes.length > 0){
targetNode.removeChild(targetNode.firstChild);
targetNode.appendChild(objEl);
return objEl;
var PDFObject = pipwerks.pdfObject;

After looking up the POC of the exploit, it would appear that "src" needs
to be placed somewhere unique, not just found.

-- 


*Jim McKibben* Security Analyst GSEC GWAPT
Office / 913-685-6588
Mobile / 573-424-4848
jmckibben@riskanalytics.com





_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
