
New Drive By Download exploits Latest Java Vulnerabilities (June 7, 2013)

The Dell Sonicwall Threats Research team has found multiple drive-by-download attempts that leverage known Java vulnerabilities and push corresponding malicious Java Applets. On successful exploitation, these Applets download a malicious executable that poses as an AntiVirus product to deceive the user. Specifically, the malware targets two recent Java vulnerabilities, CVE-2013-0422 and CVE-2013-2423, and exploits either one of them to get onto the user’s system. Oracle has already patched both vulnerabilities, which are described below.

  • CVE-2013-0422 : By constructing a malformed Applet that calls the getMBeanInstantiator method of the JmxMBeanServer class, an attacker can achieve arbitrary code execution. The MBeanInstantiator lets the attacker instantiate restricted classes, which eventually turns the applet into a trusted one.
  • CVE-2013-2423 : An attacker can create a malformed Applet that uses MethodHandles and type confusion to switch off Java’s security mechanism. Once a MethodHandle is obtained via the findStaticSetter method, a static final field can be overwritten, causing the type confusion.

The following sequence of events leads to the drive-by download:

The user visits an infected webpage containing malicious, obfuscated JavaScript.

The script tries to determine the vulnerable Java version.

If the first conditional check passes, a malicious applet exploiting CVE-2013-0422 is downloaded. The following excerpts from the decompiled Java class files show the vulnerable method, getMBeanInstantiator, provided by the class JmxMBeanServer.

Above, the “ctrpq” function de-obfuscates a string to getMBeanInstantiator, the vulnerable method.

The same “ctrpq” function resolves the class com.sun.jmx.mbeanserver.JmxMBeanServer, which provides the vulnerable method.

If the second conditional check passes, a malicious applet exploiting CVE-2013-2423 is downloaded. The following decompiled Java instructions use the vulnerable MethodHandles class, whose name is again obfuscated.

Here the “eklaqkjz” function yields the string java.lang.invoke.MethodHandles.

A malicious exe is downloaded and executed after the exploit runs successfully.

The threat team has added the following signatures to stop these attacks:

  • IPS: 9925 “Malformed Java Class File 2” covers CVE-2013-0422
  • IPS: 9926 “Malformed Java Class File 3” covers CVE-2013-2423
  • GAV: Kryptik.BCHO

Oracle Java Zero-days Found in 2013 (Apr 26, 2013)

Java is a set of several computer software products and specifications from Sun Microsystems (which has since merged with Oracle Corporation), that together provide a system for developing application software and deploying it in a cross-platform computing environment. Java is used in a wide variety of computing platforms from embedded devices and mobile phones on the low end, to enterprise servers and supercomputers on the high end.

In 2013, multiple vulnerabilities have been found in Oracle Java products, and some of them have been used in zero-day attacks. The zero-days found to date in 2013 are listed below:

  • CVE-2013-0422 on Jan 10th, 2013
    This vulnerability covers both the JMX/MBean and Reflection API issues. It has already been integrated into the existing Blackhole Exploit Kit and Nuclear Pack.

  • CVE-2013-1493 on Feb 28th, 2013
    Exploiting this vulnerability triggers an out-of-bounds read or memory corruption.

  • CVE-2013-2423 on April 23rd, 2013
    This vulnerability allows a bypass of the Java security sandbox.

Oracle has been working on updates for these security issues and has released multiple updates, from Java 1.7 Update 9 and 10 up to Java 1.7 Update 21, to resolve them.

The Dell SonicWALL threat team has researched all of these vulnerabilities and released signatures and advisories addressing the issues:

  • CVE-2013-0422
    GAV: 34662 Exploit.CVE-2013-0422 (Exploit)
    GAV: 34661 Blacole.gen_26 (Exploit)
    GAV: CoolEK.Java.1 (Exploit)

We have also released an advisory for CVE-2013-0422 zero-day attack: New Java 0-day drive-by exploit (Jan 10, 2013).

  • CVE-2013-1493
    GAV: 35877 McRat.B (Trojan)
    GAV: CVE-2013-1493 (Exploit)
    GAV: CVE-2013-1493_2 (Exploit)
    GAV: CVE-2013-1493_3 (Exploit)

  • CVE-2013-2423
    IPS: 9835 “Oracle JRE HotSpot Remote Code Execution 3”
    GAV: 16134 CVE-2013-2423 (Exploit)

Updated on May 23rd by adding coverage of CVE-2013-1493.

New Java 0-day drive-by exploit (Jan 10, 2013)

The Dell Sonicwall Threats research team received reports of a new 0-day exploit affecting Java 1.7 Update 9 and 10, and possibly earlier versions of Java. It has been reported that this new exploit has already been integrated into the existing Blackhole Exploit Kit, which is currently in use by cyber criminals. At the time of writing, this vulnerability is unpatched.

Infection cycle:

The infection occurs when visiting a malicious webpage that may look similar to the one below:

The webpage contains a malicious Blackhole Exploit script [Detected as GAV: Blacole.gen_26 (Exploit)]:

The script downloads additional jar files whose class files are detected as GAV: Exploit.CVE-2013-0422 (Exploit):

From our analysis and sources we discovered three jar files that contain the Java exploit:

  • Counsel.jar [Detected as GAV: Exploit.CVE-2013-0422 (Exploit)]
  • Edit.jar [Detected as GAV: Exploit.CVE-2013-0422 (Exploit)]
  • UTTER-OFFEND.JAR [Detected as GAV: Exploit.CVE-2013-0422 (Exploit)]

The class file ewjvaiwebvhtuai124a.class, which contains the exploit, embeds further raw class-file data, recognizable because a Java class file starts with the CAFEBABE magic bytes:

The class file contains instructions to download and execute a malicious executable: calc.exe:
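The embedded-class-file pattern described above can be checked for mechanically. The following Python scanner is an added example, not code from the original post or from SonicWALL: it validates the outer class-file header (magic plus a plausible major version) and then reports any further CAFEBABE headers inside the body, which is the dropper layout seen in ewjvaiwebvhtuai124a.class. The sample bytes are constructed for the example and are not taken from the real file.

```python
import struct

CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # 0xCAFEBABE, first four bytes of every class file

def class_version(data, offset=0):
    """(major, minor) if a plausible class-file header starts at offset, else None."""
    chunk = data[offset:offset + 8]
    if len(chunk) < 8 or chunk[:4] != CLASS_MAGIC:
        return None
    minor, major = struct.unpack(">HH", chunk[4:])
    # Major 45 (JDK 1.1) .. 65 (Java 21). The range check also rejects Mach-O fat
    # binaries, which share the magic but follow it with a small architecture count.
    if not 45 <= major <= 65:
        return None
    return major, minor

def java_release(major):
    """Human-readable release for a class-file major version (51 -> 'Java 7')."""
    return f"Java {major - 44}" if major >= 49 else f"JDK 1.{major - 44}"

def find_embedded_classes(data):
    """Offsets of further class-file headers after the outer one (dropper pattern)."""
    offsets, pos = [], data.find(CLASS_MAGIC, 4)
    while pos != -1:
        if class_version(data, pos) is not None:
            offsets.append(pos)
        pos = data.find(CLASS_MAGIC, pos + 4)
    return offsets

def assess(data):
    """Summarise one blob: outer version, embedded class offsets, suspicious flag."""
    outer = class_version(data)
    embedded = find_embedded_classes(data)
    return {
        "outer_version": outer,
        "outer_release": java_release(outer[0]) if outer else None,
        "embedded_offsets": embedded,
        "suspicious": outer is not None and bool(embedded),
    }

# Constructed sample (not a real exploit file): a Java 7 class whose body carries a
# second, Java 6 class header after 40 filler bytes standing in for the constant pool.
SAMPLE = (CLASS_MAGIC + struct.pack(">HH", 0, 51)
          + b"\x00" * 40
          + CLASS_MAGIC + struct.pack(">HH", 0, 50)
          + b"\x00" * 16)
```

To scan a file extracted from a jar, pass its bytes to assess(); a non-empty embedded_offsets list on a valid class file is worth a closer look.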

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Exploit.CVE-2013-0422 (Exploit)
  • GAV: Blacole.gen_26 (Exploit)
  • GAV: CoolEK.Java.1 (Exploit)