HTTP: Javascript fromCharCode Obfuscation Technique

This signature detects scripts that have been obfuscated (made unclear) using JavaScript's fromCharCode method. Malicious Web sites commonly use this technique to hide the malicious nature of the Web pages a user downloads. A successful attack allows the Web page creator to take control of the victim's system.

Extended Description

Adobe Flash Player before 13.0.0.292 and 14.x through 18.x before 18.0.0.160 on Windows and OS X and before 11.2.202.466 on Linux, Adobe AIR before 18.0.0.144 on Windows and before 18.0.0.143 on OS X and Android, Adobe AIR SDK before 18.0.0.144 on Windows and before 18.0.0.143 on OS X, and Adobe AIR SDK & Compiler before 18.0.0.144 on Windows and before 18.0.0.143 on OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

References

CVE: CVE-2013-3893

URL:
https://bugzilla.mozilla.org/show_bug.cgi?id=1120261
https://community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636
https://helpx.adobe.com/security/products/flash-player/apsb15-11.html
http://blog.trendmicro.com/trendlabs-security-intelligence/magnitude-exploit-kit-uses-newly-patched-adobe-vulnerability-us-canada-and-uk-are-most-at-risk/
http://malware.dontneedcoffee.com/2015/06/cve-2015-3105-flash-up-to-1700188-and.html
http://help.adobe.com/en_US/as3/dev/WSFDA04BAE-F6BC-43d9-BD9C-08D39CA22086.html
https://helpx.adobe.com/security/products/flash-player/apsa15-01.html
http://blog.hacklab.kr/flash-cve-2015-0311-%EB%B6%84%EC%84%9D/
http://blog.coresecurity.com/2015/03/04/exploiting-cve-2015-0311-a-use-after-free-in-adobe-flash-player/
https://helpx.adobe.com/security/products/flash-player/apsb15-06.html
https://helpx.adobe.com/security/products/flash-player/apsb15-14.html
http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-zero-day-shares-same-root-cause-as-older-flaws/
http://malware.dontneedcoffee.com/2015/06/cve-2015-3113-flash-up-to-1800160-and.html
http://bobao.360.cn/learning/detail/357.html
http://technet.microsoft.com/en-us/security/advisory/2887505
http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx
https://community.rapid7.com/community/metasploit/blog/2013/09/30/metasploit-releases-cve-2013-3893-ie-setmousecapture-use-after-free
http://blog.trustlook.com/2013/09/04/alert-android-webview-addjavascriptinterface-code-execution-vulnerability/
https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/
http://50.56.33.56/blog/?p=314
https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/
https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py

Short Name
HTTP:STC:SCRIPT:FROMCC-OBFUS
Severity
Major
Recommended
False
Recommended Action
None
Category
HTTP
Keywords
CVE-2013-3893 CVE-2014-8636 CVE-2015-0816 CVE-2015-3105 Javascript Obfuscation Technique fromCharCode
Release Date
05/15/2013
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3761
False Positive
Rarely
CVSS Score

7.5

9.3

10.0

5.0
