Monday, May 7, 2007

Quick & Dirty JavaScript Sandbox

It seems like more and more browser attacks are using obfuscated JavaScript to make analysis harder. Some things are as simple as UTF encoding, others are far more inventive and confusing. Just like packed executables before, there are legit reasons for wanting to obscure JavaScript, like making it harder for people to steal your code.

So when your IPS alerts on suspicious JavaScript (which is almost never blocked in a default configuration), you can:

  • A) Investigate, get a sample of the offending page and potentially spend hours trying to work back through it by hand.
  • B) Investigate, browse the page with your browser to see what happens, and potentially get pwned.
  • C) Ignore it, and hope the local AV got it.
What I have historically done, and continue to do in some cases, is option B from inside a VMWare machine.

Today, however, I ran into a higher-than-usual volume of alerts, all of which were based on the presence of an unescape() call. In anticipation of having to do this again, and the VM being a poor solution to begin with, I built a Java sandbox, starting with a JavaScript interpreter.

Here's the recipe:

1. Cygwin (optional, but you know I love it, and it makes certain things easier)
2. Current Sun JRE for Win32
3. Rhino JavaScript engine

Create an unprivileged local user who's not even a member of 'Everybody'. You're never going to log in as this user anyway. Now unpack the JRE and Rhino to a directory where that user can view them. If you have Cygwin, build a home directory for your user, and then create a bash shell shortcut with that directory in the "Start In" line. Now use RunAs to launch your shell as the unprivileged user, and start Rhino:

Now you can dump JavaScript to the shell and watch it execute with relatively low risk of pwnage. Rhino also has a GUI debugger that's ideal for stepping through more advanced JavaScript trickery.

No comments: